BoxArts

Collect. Curate. Create.

Privacy Policy

Effective 25 May 2026

This Privacy Policy explains how BoxArts ("we", "us", "our") — a New Zealand-based service — collects, uses, stores, and shares your personal information when you use the BoxArts service at boxarts.app.

BoxArts is committed to handling your information in line with the New Zealand Privacy Act 2020. If you are in another jurisdiction with additional rights (e.g. the EU's GDPR, the UK's UK GDPR, California's CCPA), we honour those rights to the extent they apply.

The short version: we collect the email address you sign up with, payment details handled by Stripe (we never see your card number), the box-art images and game data you upload, and basic technical logs. We share this with the cloud services we run on (Supabase, Cloudflare, Stripe, Fly.io, Sentry) so the product can function. We do not sell your data and never will.

1. What information we collect

1.1 Information you provide directly

  • Account details: email address and password (passwords are hashed and stored by Supabase Auth — we never see the plaintext).
  • Subscription information: billing details are collected and stored by Stripe. BoxArts receives only a customer reference (e.g. cus_...), the plan you're on, and whether your subscription is active. We do not receive or store your card number, CVV, or expiry date.
  • Content you upload: photos of game boxes, scanned cover art, DOS-game bundles, custom tags, dimension presets, and any other data you create in the app.
  • Communications: if you email hello@boxarts.app for support, we keep that correspondence so we can respond and reference it later.

1.2 Information collected automatically

  • Technical logs: IP address, browser user-agent, the URL you requested, response code, and a timestamp — the standard server-log fields any web service captures. Used for debugging and for the rate-limiting we apply to prevent abuse.
  • Error reports: if the application throws an unhandled exception while you're using it, our error-tracking service (Sentry) captures the stack trace, the URL, and a numeric user reference. We have deliberately disabled the "include user email/IP in error events" setting in Sentry to limit what gets shared.

1.3 Information we do not collect

  • Card numbers, CVV codes, or expiry dates — Stripe handles these directly.
  • Your location beyond what's inferable from your IP.
  • Browsing history outside BoxArts.
  • Data from other services unless you explicitly link them (we don't currently support third-party integrations).

2. How we use your information

  • To provide the service: serving the catalog, editor, 3D builder, and DOS playback features you signed up for.
  • To process payments: via Stripe, for subscription billing on the plan you chose.
  • To send essential service emails: account verification, password resets, billing receipts (sent by Stripe), and important service notices. We do not send marketing emails without your explicit opt-in.
  • To debug issues and improve reliability: the technical logs and error reports described above.
  • To enforce our Terms of Service: for example, applying the storage cap on your plan, or investigating reports of misuse.
  • To meet legal obligations: respond to lawful requests from authorities, when required.

3. Service providers we share information with

BoxArts is a small operation that runs on cloud infrastructure. The providers below process information on our behalf:

ProviderRoleData sharedRegion
Stripe Payment processing Card details (directly from you), customer reference, subscription state United States
Supabase Authentication, application database Email, password hash, all in-app data (games, tags, presets, etc.) Sydney, Australia
Cloudflare Object storage (R2), DNS, email routing Uploaded images and DOS bundles; inbound email to @boxarts.app Multi-region
Fly.io Application hosting All HTTP traffic to and from the service Sydney, Australia
Sentry Error tracking Stack traces, URL paths, numeric user reference (no email, no IP) United States
Google Fonts Font delivery IP address (when your browser requests a font file) Global CDN

Each of these providers operates under its own privacy practices. We choose them with care, but they are independent companies — we recommend reviewing their privacy policies if you want full detail.

4. International data transfers

Because we use international service providers, your information will be transferred outside New Zealand for processing and storage. Specifically:

  • Stripe and Sentry process data in the United States.
  • Supabase and Fly.io store data primarily in Sydney, Australia.
  • Cloudflare R2 may store data in any of Cloudflare's global regions.

These countries may have data protection standards different from New Zealand's. We rely on the contractual protections provided by these vendors, who all maintain compliance with international data-protection frameworks where relevant. By using BoxArts, you consent to these international transfers.

5. Cookies and local storage

BoxArts uses browser local storage (not traditional cookies) for two things:

  • Session management: after you sign in, Supabase Auth stores a short-lived access token in your browser so you don't have to re-enter your password on every page.
  • UI preferences: things like which theme you've chosen, which sort order you prefer, which game-name presets you've created.

We do not use third-party tracking cookies and we do not display advertising. We do not embed analytics scripts (no Google Analytics, no Plausible, no Mixpanel, etc.). If we ever decide to add analytics in future, we will update this policy and the service before doing so.

6. Data retention

  • Account data: kept while your account is active, and for up to 12 months after you delete your account or your subscription lapses, in case you ask us to restore.
  • Uploaded content: kept while your account is active. Deleted with your account.
  • Billing records: kept for at least 7 years after the relevant financial year, as required by New Zealand tax law.
  • Error reports in Sentry: retained for 90 days, then automatically purged.
  • Server access logs in Fly.io: retained for 30 days.

7. Your rights

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of any information that is inaccurate or out-of-date.
  • Request deletion of your account and the personal information associated with it. (We can usually action this within 14 days. Billing records we are required to retain are an exception — see §6.)
  • Withdraw consent for non-essential processing at any time, by deleting your account.
  • Complain to the New Zealand Privacy Commissioner if you are not satisfied with how we handle your information. Their contact details are at privacy.org.nz.

To exercise any of these rights, email hello@boxarts.app from the address you registered with. We aim to respond within 14 days.

8. How we protect your information

We take security seriously but are pragmatic about the small scale we operate at. Concretely:

  • All traffic between you and BoxArts is encrypted using HTTPS (TLS 1.2 or higher).
  • Passwords are hashed by Supabase Auth using industry-standard methods. We never see or store plaintext passwords.
  • Sensitive credentials (database passwords, API keys, webhook secrets) are stored in Fly.io's encrypted secret store and are not present in the application's source code.
  • Access to production systems is restricted to the BoxArts operator and protected by 2-factor authentication on all service accounts.
  • Error tracking is configured to avoid capturing personally identifiable information (we have explicitly disabled Sentry's "send default PII" option).
  • We apply per-IP rate limiting to sensitive endpoints to defend against abuse and credential-stuffing attempts.

No system is perfectly secure. If a data breach affecting your information ever occurs, we will notify you within 72 hours of becoming aware of it, as required by the Privacy Act 2020.

9. Children's privacy

BoxArts is not directed at children under 13. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please email hello@boxarts.app and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to your account address at least 14 days before they take effect. The "Effective" date at the top of this page always reflects the current version.

11. Contact

For any privacy-related question, please email hello@boxarts.app.

BoxArts is operated as a sole trader by Jono Smith, based in New Zealand.

Back to BoxArts  ·  Terms of Service  ·  hello@boxarts.app