Privacy Policy

Last updated: February 2025

We Do Not Sell Your Personal Information

KybaBox does not sell, rent, or trade your personal information to third parties for advertising or marketing. Your box contents, photos, and account information are used only to provide and improve the service.

Information We Collect

We collect the following information when you use KybaBox:

  • Account data: Email address and password (stored securely via Supabase Auth)
  • Box data: Box titles, room names, inventory items, and flags (fragile, heavy, etc.)
  • Photos: Box photos you upload, stored in your private storage. We do not store location or other metadata (such as EXIF) from photos—only the image content itself.
  • Voice recordings: When AI Mode is on, voice recordings may be sent for transcription and analysis

How We Use Your Information

We use your information to operate the app: storing your boxes, authenticating your account, and when AI Mode is enabled, analyzing photos and voice to suggest inventory items. Your data is isolated to your account and is not shared with other users.

AI Mode and Third-Party Processing

When AI Mode is on, photos and voice recordings are sent to Google Cloud Vertex AI to generate suggestions for box contents, titles, and rooms. Google does not use this data to train its models; it may retain data for up to 55 days for abuse monitoring only. On some devices (e.g., Safari), voice may use the browser's built-in speech recognition, which processes audio on-device.

Third-Party Services

We use the following services to operate KybaBox:

  • Supabase: Authentication, database, and file storage. Data is stored in the United States. Supabase provides a Data Processing Addendum and supports Standard Contractual Clauses for international transfers. Privacy Policy
  • Google Cloud Vertex AI: AI processing when AI Mode is on. Google Privacy Policy
  • Cloudflare Turnstile: Bot verification on sign up. Cloudflare Privacy Policy
  • Vercel: Hosting, deployment, and analytics. We use Vercel Analytics to understand how the app is used. It collects anonymized, aggregated data such as page views, referrers, countries, and device types. Vercel Analytics does not use cookies and does not track you across other sites for advertising. Vercel Privacy Policy

Data Location and International Transfers

Your data—including account information, box contents, and photos—is stored in the United States. We use Supabase, which hosts our database and file storage on servers located in the U.S.

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, please note that your personal data will be transferred to and processed in the United States. We rely on appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-U.S. Data Privacy Framework. Supabase processes data on our behalf under a Data Processing Addendum that incorporates these safeguards.

This service is not intended for regulated industries or for data that must remain in a specific jurisdiction by law or contract.

Data Security

Your data is encrypted in transit. We use row-level security so each user can only access their own boxes and photos. Passwords are hashed and never stored in plain text.

Data Retention After Subscription Expiry

If your subscription expires, you will lose access to the app. We retain your account and box data for 30 days to allow you to renew and regain access. After 30 days, we permanently delete your data. You may request earlier deletion at any time.

Your Rights

You can access, correct, or delete your data through the app. To delete your account and all associated data (including photos and box contents), contact us. We will process deletion requests within 30 days (or one month for requests from the EEA, UK, or Switzerland, as required by applicable law).

If you are in the EEA, UK, or Switzerland, you also have the right to: access your personal data; rectify inaccurate data; request erasure ("right to be forgotten"); restrict or object to processing; data portability (where applicable); and lodge a complaint with your local data protection authority.

Contact

If you have questions about this Privacy Policy, please contact us through the app or at the contact information provided in the app settings.