Privacy Policy

Effective date: April 18, 2026 · Last updated: April 18, 2026

1. Who We Are

OBOX ("we," "us," "our") is a networking platform centered on real-world events, organizations, and human connections. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the OBOX iOS app and related services (collectively, "the Service").

Data Controller: OBOX
Contact email: privacy@obox.app
Support email: support@obox.app

2. Data We Collect

a) Account & Profile Information

When you create an account, we collect: your name, email address, and Apple user identifier (via Sign in with Apple). You may optionally provide a username, date of birth, phone number, bio, profile photo, location (city), website URL, and social media handles (Instagram, X/Twitter, LinkedIn, TikTok, YouTube).

b) Event & Social Data

We store your event RSVPs, ticket purchases, attendance records, connections with other users, direct messages, group chat messages, event album photos you upload, and organization memberships.

c) Payment Information

Payments for event tickets are processed by Stripe. We do not store your credit or debit card numbers. Stripe independently collects payment card details, billing addresses, and device/behavioral data for fraud prevention. We receive confirmation of successful transactions (amount, date, ticket type).

d) Device & Technical Data

With your permission, we collect your device push notification token (APNs) to send event reminders, messages, and connection requests. We do not collect device advertising identifiers (IDFA), GPS location, or browsing history.

e) Content Reports

If you report a user or message, we store the report reason, optional description, and your user ID for moderation purposes.

3. How and Why We Use Your Data

Under the EU General Data Protection Regulation (GDPR), we process your data on the following legal bases:

| Purpose | Legal Basis |
| --- | --- |
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Event ticketing, RSVPs, and attendance | Performance of contract (Art. 6(1)(b)) |
| Payment processing via Stripe | Performance of contract (Art. 6(1)(b)) |
| Messaging between connected users | Performance of contract (Art. 6(1)(b)) |
| Displaying your profile to other users | Performance of contract (Art. 6(1)(b)) |
| Push notifications | Consent (Art. 6(1)(a)) |
| Transactional emails (confirmations, invites) | Performance of contract (Art. 6(1)(b)) |
| Content moderation (report/block) | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |

4. Who We Share Your Data With

We share your data only with the service providers listed below, each of which provides protection of your data equal to or greater than this policy. We do not sell your personal data.

  • Supabase (data processor) — Authentication, database hosting, and file storage. Data is stored in Supabase-managed infrastructure with AES-256 encryption at rest and TLS in transit. See Supabase Privacy Policy.
  • Stripe (independent data controller for payment data) — Processes event ticket payments. Receives name, email, payment card details, and transaction amounts. Stripe independently collects device and behavioral data for fraud prevention. See Stripe Privacy Policy.
  • Apple (identity provider) — Receives your Apple user ID during Sign in with Apple. Apple does not track which apps you sign into. See Apple Privacy Policy.
  • Resend (data processor) — Sends transactional emails (ticket confirmations, event invitations). Receives email addresses and email content. See Resend Privacy Policy.
  • Apple Push Notification service (APNs) — Delivers push notifications to your device. Receives your device token and notification content.

5. International Data Transfers

Your data may be processed in the United States and the European Union. Where data is transferred outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) or adequacy decisions to ensure your data receives an equivalent level of protection. Stripe and Supabase maintain their own SCCs for transatlantic transfers.

6. Data Retention & Deletion

  • Active account: Your data is retained for as long as your account is active.
  • Account deletion: When you delete your account (Settings > Delete Account), your profile is anonymized immediately (name, bio, photo, and social links are removed). All personal data is permanently purged within 30 days.
  • Chat messages: Messages you sent to other users may remain visible to them under the sender name "Deleted User" until the recipient also deletes the conversation.
  • Financial records: Transaction records may be retained for up to 7 years as required by tax and accounting regulations.
  • Content reports: Reports you submitted are retained for moderation purposes and are not linked to your identity after account deletion.

7. Your Rights

Depending on your location, you have the following rights regarding your personal data:

Under the GDPR (EU/EEA users)

  • Access (Art. 15) — Request a copy of all personal data we hold about you.
  • Rectification (Art. 16) — Correct inaccurate or incomplete data.
  • Erasure (Art. 17) — Request deletion of your data ("right to be forgotten"). You can do this directly via Settings > Delete Account.
  • Restriction of Processing (Art. 18) — Request that we limit how your data is used.
  • Data Portability (Art. 20) — Receive your data in a structured, machine-readable format.
  • Object (Art. 21) — Object to processing based on legitimate interests.
  • Withdraw Consent (Art. 7(3)) — Withdraw consent at any time (e.g., for push notifications via iOS Settings). Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Lodge a Complaint — File a complaint with a supervisory authority. For Sweden: Integritetsskyddsmyndigheten (IMY).
  • Automated Decision-Making (Art. 22) — We do not use automated profiling or decision-making that produces legal or similarly significant effects.

Under the CCPA (California users)

  • Right to Know — What personal data we collect and how we use it.
  • Right to Delete — Request deletion of your personal data.
  • Right to Correct — Correct inaccurate personal data.
  • Right to Opt-Out — We do not sell personal data. No opt-out is necessary.
  • Right to Non-Discrimination — We will not discriminate against you for exercising your rights.

To exercise any of these rights, email privacy@obox.app or use the in-app account deletion feature. We will respond within 30 days.

8. Data Security

We protect your data using industry-standard measures including:

  • TLS/HTTPS encryption for all data in transit
  • AES-256 encryption at rest (Supabase-managed infrastructure)
  • Row-level security (RLS) policies ensuring users can only access their own data
  • Secure token-based authentication (Sign in with Apple, JWT tokens)
  • Passwords are never stored in plain text (hashed by Supabase Auth)

9. Cookies and Tracking

The OBOX iOS app does not use cookies, advertising identifiers (IDFA), or tracking pixels. We do not track you across other apps or websites. No third-party analytics or advertising SDKs are integrated into the app.

The OBOX website (obox.app) uses only essential cookies required for the site to function. No analytics or marketing cookies are used.

10. Children's Privacy

OBOX is not intended for anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us at privacy@obox.app and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via push notification or email before the changes take effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after notification constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your rights, contact us at:

Privacy inquiries: privacy@obox.app
General support: support@obox.app

EU Supervisory Authority: Integritetsskyddsmyndigheten (IMY), Sweden — imy.se