Privacy Policy
Effective 25 May 2026
This Privacy Policy explains how BoxArts ("we", "us", "our") — a
New Zealand-based service — collects, uses, stores, and shares your personal
information when you use the BoxArts service at
boxarts.app.
BoxArts is committed to handling your information in line with the
New Zealand Privacy Act 2020. If you are in another jurisdiction with
additional rights (e.g. the EU's GDPR, the UK's UK GDPR, California's CCPA), we honour
those rights to the extent they apply.
The short version: we collect the email address you sign up with, payment
details handled by Stripe (we never see your card number), the box-art images and game
data you upload, and basic technical logs. We share this with the cloud services we run on
(Supabase, Cloudflare, Stripe, Fly.io, Sentry) so the product can function. We do not sell
your data and never will.
1. What information we collect
1.1 Information you provide directly
- Account details: email address and password (passwords are hashed and
stored by Supabase Auth — we never see the plaintext).
- Subscription information: billing details are collected and stored by
Stripe. BoxArts receives only a customer reference (e.g. cus_...),
the plan you're on, and whether your subscription is active. We do not receive or
store your card number, CVV, or expiry date.
- Content you upload: photos of game boxes, scanned cover art,
DOS-game bundles, custom tags, dimension presets, and any other data you create in
the app.
- Communications: if you email hello@boxarts.app
for support, we keep that correspondence so we can respond and reference it later.
1.2 Information collected automatically
- Technical logs: IP address, browser user-agent, the URL you requested,
response code, and a timestamp — the standard server-log fields any web service
captures. Used for debugging and for the rate-limiting we apply to prevent abuse.
- Error reports: if the application throws an unhandled exception while
you're using it, our error-tracking service (Sentry) captures the stack trace, the
URL, and a numeric user reference. We have deliberately disabled the "include user
email/IP in error events" setting in Sentry to limit what gets shared.
1.3 Information we do not collect
- Card numbers, CVV codes, or expiry dates — Stripe handles these directly.
- Your location beyond what's inferable from your IP.
- Browsing history outside BoxArts.
- Data from other services unless you explicitly link them (we don't currently support
third-party integrations).
2. How we use your information
- To provide the service: serving the catalog, editor, 3D builder, and
DOS playback features you signed up for.
- To process payments: via Stripe, for subscription billing on the
plan you chose.
- To send essential service emails: account verification, password
resets, billing receipts (sent by Stripe), and important service notices. We do
not send marketing emails without your explicit opt-in.
- To debug issues and improve reliability: the technical logs and
error reports described above.
- To enforce our Terms of Service: for example, applying the storage
cap on your plan, or investigating reports of misuse.
- To meet legal obligations: respond to lawful requests from
authorities, when required.
3. Service providers we share information with
BoxArts is a small operation that runs on cloud infrastructure. The providers below
process information on our behalf:
| Provider | Role | Data shared | Region |
| Stripe |
Payment processing |
Card details (directly from you), customer reference, subscription state |
United States |
| Supabase |
Authentication, application database |
Email, password hash, all in-app data (games, tags, presets, etc.) |
Sydney, Australia |
| Cloudflare |
Object storage (R2), DNS, email routing |
Uploaded images and DOS bundles; inbound email to @boxarts.app |
Multi-region |
| Fly.io |
Application hosting |
All HTTP traffic to and from the service |
Sydney, Australia |
| Sentry |
Error tracking |
Stack traces, URL paths, numeric user reference (no email, no IP) |
United States |
| Google Fonts |
Font delivery |
IP address (when your browser requests a font file) |
Global CDN |
Each of these providers operates under its own privacy practices. We choose them with
care, but they are independent companies — we recommend reviewing their privacy policies
if you want full detail.
4. International data transfers
Because we use international service providers, your information will be transferred
outside New Zealand for processing and storage. Specifically:
- Stripe and Sentry process data in the United States.
- Supabase and Fly.io store data primarily in Sydney, Australia.
- Cloudflare R2 may store data in any of Cloudflare's global regions.
These countries may have data protection standards different from New Zealand's. We
rely on the contractual protections provided by these vendors, who all maintain
compliance with international data-protection frameworks where relevant. By using
BoxArts, you consent to these international transfers.
5. Cookies and local storage
BoxArts uses browser local storage (not traditional cookies) for two things:
- Session management: after you sign in, Supabase Auth stores a
short-lived access token in your browser so you don't have to re-enter your password
on every page.
- UI preferences: things like which theme you've chosen, which sort
order you prefer, which game-name presets you've created.
We do not use third-party tracking cookies and we do not display advertising. We do
not embed analytics scripts (no Google Analytics, no Plausible, no Mixpanel, etc.).
If we ever decide to add analytics in future, we will update this policy and the
service before doing so.
6. Data retention
- Account data: kept while your account is active, and for up to
12 months after you delete your account or your subscription lapses, in case you
ask us to restore.
- Uploaded content: kept while your account is active. Deleted with
your account.
- Billing records: kept for at least 7 years after the relevant
financial year, as required by New Zealand tax law.
- Error reports in Sentry: retained for 90 days, then automatically
purged.
- Server access logs in Fly.io: retained for 30 days.
7. Your rights
Under the New Zealand Privacy Act 2020, you have the right to:
- Access the personal information we hold about you.
- Request correction of any information that is inaccurate or
out-of-date.
- Request deletion of your account and the personal information
associated with it. (We can usually action this within 14 days. Billing records
we are required to retain are an exception — see §6.)
- Withdraw consent for non-essential processing at any time, by
deleting your account.
- Complain to the New Zealand Privacy Commissioner if you are not
satisfied with how we handle your information. Their contact details are at
privacy.org.nz.
To exercise any of these rights, email hello@boxarts.app
from the address you registered with. We aim to respond within 14 days.
8. How we protect your information
We take security seriously but are pragmatic about the small scale we operate at.
Concretely:
- All traffic between you and BoxArts is encrypted using HTTPS (TLS 1.2 or higher).
- Passwords are hashed by Supabase Auth using industry-standard methods. We never see
or store plaintext passwords.
- Sensitive credentials (database passwords, API keys, webhook secrets) are stored in
Fly.io's encrypted secret store and are not present in the application's source code.
- Access to production systems is restricted to the BoxArts operator and
protected by 2-factor authentication on all service accounts.
- Error tracking is configured to avoid capturing personally identifiable information
(we have explicitly disabled Sentry's "send default PII" option).
- We apply per-IP rate limiting to sensitive endpoints to defend against abuse and
credential-stuffing attempts.
No system is perfectly secure. If a data breach affecting your information ever
occurs, we will notify you within 72 hours of becoming aware of it, as required by
the Privacy Act 2020.
9. Children's privacy
BoxArts is not directed at children under 13. We do not knowingly collect personal
information from children. If you are a parent or guardian and believe your child
has provided us with personal information, please email
hello@boxarts.app and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be
announced via email to your account address at least 14 days before they take
effect. The "Effective" date at the top of this page always reflects the current
version.
11. Contact
For any privacy-related question, please email hello@boxarts.app.
BoxArts is operated as a sole trader by Jono Smith, based in
New Zealand.