Privacy Policy
Last updated: May 18, 2026
We Do Not Sell Your Personal Information
KybaBox does not sell, rent, or trade your personal information to third parties for advertising or marketing. Your box contents, photos, and account information are used only to provide and improve the service.
Children's Privacy
KybaBox is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us through the Help contact form and we will delete it promptly.
Information We Collect
We collect the following information when you use KybaBox:
- Account data: Email address (and password for email/password accounts), stored securely via Supabase Auth.
- Multi-factor authentication: If you enable two-factor authentication (2FA), second-factor verification (for example, via an authenticator app) is processed through Supabase Auth. KybaBox does not receive your one-time codes; only Supabase validates them for sign-in.
- Box data: Box titles, room names, inventory items, and flags (for example, fragile or heavy).
- Photos: Box photos you upload, stored in your private storage. We do not store location or other metadata (such as EXIF) from photos—only the image content itself.
- Voice recordings: When AI Mode is on, voice recordings may be sent for transcription and analysis.
- Help and contact: If you use the Help contact form (on the marketing site or while signed in), we receive the email address and message you send. Messages are delivered to our support inbox by email (via Resend) so we can respond; we do not store contact form submissions in the KybaBox application database.
How We Use Your Information
We use your information to operate the app: storing your boxes, authenticating your account, and when AI Mode is enabled, analyzing photos and voice to suggest inventory items. Your data is isolated to your account and is not shared with other users.
Google Sign-In
When you choose "Continue with Google," we use Google's sign-in service and Supabase Auth to verify who you are and sign you into KybaBox.
Data received: In the KybaBox app we request the openid and email scopes. Even with those scopes, Google may still return your email address, full name, and profile picture URL as part of sign-in. Supabase (our authentication provider) stores that information as part of your login profile.
How we use it
- Identification: We use your email as your account identifier and to associate your boxes and inventory with your account.
- Communication: We use your email for essential messages about your account or the service (for example, password resets or important notices).
- Privacy: We do not sell your personal information. We do not use Google sign-in data for unsolicited marketing or automated decision-making about you.
Third-Party Processing: Sign-in is provided by Google and processed through Supabase. See the Supabase Privacy Policy and Google Privacy Policy.
AI Mode and Third-Party Processing
When AI Mode is on, photos and voice recordings are sent to Google's Gemini Enterprise Agent Platform on Google Cloud to generate suggestions for box contents, titles, and rooms. Google does not use this data to train its models; it may retain data for up to 30 days for abuse monitoring only.
Third-Party Services
We use the following services to operate KybaBox:
- Supabase: Authentication, database, and file storage. Data is stored in the United States. Supabase provides a Data Processing Addendum and supports Standard Contractual Clauses for international transfers. See the Supabase Privacy Policy.
- Google: Sign-in authentication (when you use "Continue with Google"); AI processing via Google Gemini Enterprise when AI Mode is on; and typography via Google Fonts (font files are loaded from Google's servers). See the Google Privacy Policy.
- Stripe: Payment processing and subscription management. KybaBox does not store your credit card information; all transactions are handled via the Stripe Customer Portal. See the Stripe Privacy Policy.
- Resend: Transactional email delivery for authentication, account-related emails (e.g., password resets, signup confirmation, account deletion), and help/contact form messages (including confirmation emails to you). See the Resend Privacy Policy.
- Upstash: Rate limiting and abuse prevention for API routes using Upstash Redis. Limited technical data (such as identifiers used to enforce limits) may be processed for short periods. See the Upstash Privacy Policy.
- Cloudflare Turnstile: Bot verification on sign up, sign in, and the Help contact form. See the Cloudflare Privacy Policy.
- Vercel: Hosting, deployment, and analytics. We use Vercel Analytics to understand how the app is used. It collects anonymized, aggregated data such as page views, referrers, countries, and device types. Vercel Analytics is privacy-first and cookieless, ensuring no personal data is stored or tracked across sessions. See the Vercel Privacy Policy.
Data Location, AI Processing, and International Transfers
Regional Availability: KybaBox is available exclusively to users located in the United States, European Union (EU member states), and United Kingdom (including Crown Dependencies).
Data Storage: Your primary account data—including account information, box contents, and photos—is stored and hosted in the United States using Supabase infrastructure.
AI Processing Routing: When AI Mode is enabled, photos and voice recordings are analyzed via Google Cloud's Gemini Enterprise infrastructure. To respect regional data preferences, processing is dynamically routed based on your location:
- U.S. Users: Inputs are processed within Google's US multi-region infrastructure.
- EU and UK Users: Inputs are processed strictly within Google's EU multi-region infrastructure.
Note: As detailed in our AI Mode section, Google may retain these inputs for up to 30 days solely for abuse monitoring and does not use your data to train its models.
International Transfers & Safeguards: If you are located in the EU or UK, your personal data will be transferred to and stored in the United States. We rely on legally approved mechanisms for these transfers, including Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework. Our primary processors maintain a Data Processing Addendum (DPA) incorporating these standard safeguards.
Jurisdictional Notice: KybaBox is designed for general organizational use. It is not intended for regulated industries or for data that is contractually or legally required to remain strictly within a specific geographic jurisdiction.
Data Security
Your data is encrypted in transit. We use row-level security so each user can only access their own boxes and photos. Passwords (for email/password accounts) are hashed and never stored in plain text.
Data Retention After Subscription Expiry
If your subscription expires, you will lose access to the app. We retain your account and box data for 30 days to allow you to renew and regain access. After 30 days, we permanently delete your data. You may request earlier deletion at any time.
Account Deletion
You can delete your account and all associated data at any time. Visit our Delete Account page for steps, or, after logging in, go to Settings → Delete Account.
- If you use email/password sign-in, you will be asked to enter your password and confirm your intent by typing DELETE.
- If you use Google or other OAuth sign-in, you will be required to confirm through a verification link sent to your registered email address.
When your deletion request is confirmed:
- Access is revoked immediately. Your account is locked and sign-in is blocked while deletion is pending.
- Subscription auto-renewal is turned off. If you have an active paid subscription, it will not renew after the current billing period.
- Unused time is forfeited. You will not receive a refund or credit for unused time in the current billing period.
- 30-day purge. Your account data (including box details and uploaded photos) is scheduled for permanent deletion and is removed from our systems after a 30-day "cooling-off" period. Once completed, data recovery is impossible.
Data Retention Exceptions:
For security, fraud prevention, and legal compliance, we retain a limited deletion audit record for up to 18 months, which may include a one-way hashed account identifier, a truncated IP network (for example, IPv4 /24), and request/completion timestamps. Additionally, we do not delete records our payment processor (Stripe) is legally required to maintain for tax and accounting purposes.
Inactive Free Accounts
If your account is on KybaBox's free plan (no paid subscription), we may delete your account and all associated data—including box contents and photos—if you do not sign in for eighteen (18) consecutive months. We use your last sign-in time to measure inactivity.
This deletion helps us keep only data we need to run the service. Paid subscribers and other non-free plans are not subject to this automatic deletion based solely on inactivity; different retention rules may apply if your subscription ends, as described elsewhere in this policy.
We may send you email notice before deletion when we have a valid email on file. After deletion, we cannot recover your data. You can avoid deletion by signing in before the end of the inactive period, or by deleting your account yourself at any time (see Account Deletion above).
Your Rights
You can access and correct your data through the app. To delete your account, use the deletion flow described above. We process deletion requests promptly by locking access immediately and scheduling permanent deletion after a 30-day "cooling-off" period.
For requests from the EEA, UK, or Switzerland, we comply with applicable law, including the right to erasure ("right to be forgotten"). Where retention is required by law (for example, tax/accounting records maintained by payment processors), those records may be retained for the legally required period.
We retain limited account-deletion audit records for up to 18 months for security, fraud prevention, and legal compliance.
If you are in the EEA, UK, or Switzerland, you also have the right to: access your personal data; rectify inaccurate data; request erasure ("right to be forgotten"); restrict or object to processing; data portability (where applicable); and lodge a complaint with your local data protection authority.
Contact
If you have questions about this Privacy Policy, please use the Help contact form.
Data Controller: KybaBox, LLC, 5900 Balcones Dr #29996, Austin, TX 78731