Skip to main content

Legal

Privacy Policy

Last updated: April 21, 2026

We Do Not Sell Your Personal Information

KybaBox does not sell, rent, or trade your personal information to third parties for advertising or marketing. Your box contents, photos, and account information are used only to provide and improve the service.

Children's Privacy

KybaBox is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us through the Help contact form and we will delete it promptly.

Information We Collect

We collect the following information when you use KybaBox:

  • Account data: Email address (and password for email/password accounts), stored securely via Supabase Auth.
  • Multi-factor authentication: If you enable two-factor authentication (2FA), second-factor verification (for example, via an authenticator app) is processed through Supabase Auth. KybaBox does not receive your one-time codes; only Supabase validates them for sign-in.
  • Box data: Box titles, room names, inventory items, and flags (for example, fragile or heavy).
  • Photos: Box photos you upload, stored in your private storage. We do not store location or other metadata (such as EXIF) from photos—only the image content itself.
  • Voice recordings: When AI Mode is on, voice recordings may be sent for transcription and analysis
  • Help and contact: If you use the Help contact form (on the marketing site or while signed in), we receive the email address and message you send. Messages are delivered to our support inbox by email (via Resend) so we can respond; we do not store contact form submissions in the KybaBox application database.

How We Use Your Information

We use your information to operate the app: storing your boxes, authenticating your account, and when AI Mode is enabled, analyzing photos and voice to suggest inventory items. Your data is isolated to your account and is not shared with other users.

Google Sign-In

When you choose "Continue with Google," we use Google's sign-in service and Supabase Auth to verify who you are and sign you into KybaBox.

Data received: In the KybaBox app we request the openid and email scopes. Even with those scopes, Google may still return your email address, full name, and profile picture URL as part of sign-in. Supabase (our authentication provider) stores that information as part of your login profile.

How we use it

  • Identification: We use your email as your account identifier and to associate your boxes and inventory with your account.
  • Communication: We use your email for essential messages about your account or the service (for example, password resets or important notices).
  • Privacy: We do not sell your personal information. We do not use Google sign-in data for unsolicited marketing or automated decision-making about you.

Third-Party Processing: Sign-in is provided by Google and processed through Supabase. See the Supabase Privacy Policy and Google Privacy Policy.

AI Mode and Third-Party Processing

When AI Mode is on, photos and voice recordings are sent to Google Cloud Vertex AI to generate suggestions for box contents, titles, and rooms. Google does not use this data to train its models; it may retain data for up to 30 days for abuse monitoring only.

Third-Party Services

We use the following services to operate KybaBox:

  • Supabase: Authentication, database, and file storage. Data is stored in the United States. Supabase provides a Data Processing Addendum and supports Standard Contractual Clauses for international transfers. Supabase Privacy Policy
  • Google: Sign-in authentication (when you use "Continue with Google"); AI processing via Vertex AI when AI Mode is on; and typography via Google Fonts (font files are loaded from Google's servers). Google Privacy Policy
  • Stripe: Payment processing and subscription management. KybaBox does not store your credit card information; all transactions are handled via the Stripe Customer Portal. Stripe Privacy Policy
  • Resend: Transactional email delivery for authentication, account-related emails (e.g., password resets, signup confirmation, account deletion), and help/contact form messages (including confirmation emails to you). Resend Privacy Policy
  • Upstash: Rate limiting and abuse prevention for API routes using Upstash Redis. Limited technical data (such as identifiers used to enforce limits) may be processed for short periods. Upstash Privacy Policy
  • Cloudflare Turnstile: Bot verification on sign up, sign in, and the Help contact form. Cloudflare Privacy Policy
  • Vercel: Hosting, deployment, and analytics. We use Vercel Analytics to understand how the app is used. It collects anonymized, aggregated data such as page views, referrers, countries, and device types. Vercel Analytics is privacy-first and cookieless, ensuring no personal data is stored or tracked across sessions. Vercel Privacy Policy

Data Location and International Transfers

Your data—including account information, box contents, and photos—is stored in the United States. We use Supabase, which hosts our database and file storage on servers located in the U.S.

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, please note that your personal data will be transferred to and processed in the United States. We rely on appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-U.S. Data Privacy Framework. Supabase processes data on our behalf under a Data Processing Addendum that incorporates these safeguards.

This service is not intended for regulated industries or for data that must remain in a specific jurisdiction by law or contract.

Data Security

Your data is encrypted in transit. We use row-level security so each user can only access their own boxes and photos. Passwords (for email/password accounts) are hashed and never stored in plain text.

Data Retention After Subscription Expiry

If your subscription expires, you will lose access to the app. We retain your account and box data for 30 days to allow you to renew and regain access. After 30 days, we permanently delete your data. You may request earlier deletion at any time.

Account Deletion

You can delete your account and all associated data at any time. Go to Settings → Delete account. You will be asked to enter your password and type DELETE to confirm (or, for Google sign-in users, use the link sent to your email and type DELETE to confirm).

When you delete your account: all of your photos, box contents, and account data are permanently and immediately removed from our servers. We cannot recover your data after deletion. If you have an active subscription, it will be cancelled immediately. You will not be charged again, but you will forfeit any remaining time on your current billing cycle.

Inactive Free Accounts

If your account is on KybaBox's free plan (no paid subscription), we may delete your account and all associated data—including box contents and photos—if you do not sign in for eighteen (18) consecutive months. We use your last sign-in time to measure inactivity.

This deletion helps us keep only data we need to run the service. Paid subscribers and other non–free plans are not subject to this automatic deletion based solely on inactivity; different retention rules may apply if your subscription ends, as described elsewhere in this policy.

We may send you email notice before deletion when we have a valid email on file. After deletion, we cannot recover your data. You can avoid deletion by signing in before the end of the inactive period, or by deleting your account yourself at any time (see Account Deletion above).

Your Rights

You can access and correct your data through the app. To delete your account, use the in-app deletion flow described above. We process deletion requests immediately. For requests from the EEA, UK, or Switzerland, we comply with applicable law including the right to erasure ("right to be forgotten").

If you are in the EEA, UK, or Switzerland, you also have the right to: access your personal data; rectify inaccurate data; request erasure ("right to be forgotten"); restrict or object to processing; data portability (where applicable); and lodge a complaint with your local data protection authority.

Contact

If you have questions about this Privacy Policy, please use the Help contact form.

Data Controller: KybaBox, LLC 5900 Balcones Dr #29996 Austin, TX 78731