Privacy Policy

Back to Home

1. Introduction

Welcome to Boxly. We are committed to protecting your privacy and being transparent about how we collect, use, and protect your information. This Privacy Policy explains what data we collect, why we collect it, and your rights regarding your data.

By using Boxly, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

• Username: Used to identify your account and personalize your experience
• Password: Encrypted using industry-standard Argon2id hashing (we cannot access your actual password)
• Session tokens: Securely generated tokens to keep you logged in across devices

2.2 Task Data

We store all information you enter about your tasks, including:

• Task titles and descriptions
• Due dates and estimated completion times
• Task priorities and categories
• Task positions on your visual workspace (artboard coordinates)
• Pomodoro session data (start/stop times, actual vs estimated duration)
• Task completion status and timestamps

2.3 Canvas LMS Integration (Optional)

If you choose to connect your Canvas LMS account:

• Canvas URL: Your institution's Canvas domain
• Canvas API Token: Encrypted using Fernet symmetric encryption before storage. We never store your token in plain text and cannot decrypt it for purposes other than syncing your assignments.
• Assignment Data: Course names, assignment titles, due dates, and descriptions pulled from Canvas (only assignments due within 7 days)
• Course Information: Course IDs and names you've selected for sync

2.4 Browsing Data (Focus Mode Only)

When you activate focus mode by starting a task:

• Website URLs: The addresses of websites you visit while a task is active
• Page Context: Page titles, video names, or article headlines to improve AI accuracy
• Blocking Decisions: Whether each website was allowed or blocked
• Timestamps: When you visited each site

Important: We only collect browsing data while you have an active task. When no task is running, we do not monitor your browsing.

2.5 Usage Analytics

• Number of tasks created and completed
• Total focus time and break time
• Feature usage patterns (which features you use most)
• Error logs and crash reports (to improve stability)

3. How We Use Your Information

3.1 Core Functionality

• Task Management: Store and sync your tasks across all your devices
• AI-Powered Blocking: Send website URLs and task context to our AI service to determine relevance
• Canvas Integration: Fetch your assignments from Canvas LMS and display them in Boxly
• Pomodoro Timer: Track your focus sessions and calculate break intervals
• Multi-Device Sync: Keep your data synchronized in real-time via WebSocket connections

3.2 Service Improvement

• Analyze usage patterns to improve features
• Identify and fix bugs
• Understand which features are most valuable
• Improve AI blocking accuracy

3.3 Communication

• Send important service updates (major bugs, security issues)
• Notify you of new features (only if you opt-in)

We will never send marketing emails without your explicit consent.

4. Third-Party Services

4.1 AI Processing (OpenRouter/OpenAI)

When you use the AI-powered blocking feature:

• Website URLs and page context are sent to OpenRouter's API
• OpenRouter processes this data using the Llama3 AI model
• The AI returns a decision (allow or block) based on task relevance
• OpenRouter may temporarily log requests for their own service monitoring

Data sent: Website URL, page title/context, task description
Data NOT sent: Your username, password, other tasks, or personal information

4.2 Canvas LMS

When you connect Canvas:

• We use your encrypted API token to fetch assignments directly from Canvas
• Canvas may log these API requests according to their own privacy policy
• We only access data you explicitly authorize (courses and assignments)

4.3 No Other Third Parties

We do not:

• ❌ Share your data with advertisers
• ❌ Sell your data to data brokers
• ❌ Use analytics trackers (Google Analytics, etc.)
• ❌ Share data with social media platforms

5. Data Storage and Security

5.1 Where We Store Data

• Backend Server: PostgreSQL database hosted on our secure servers
• Browser Extension: Minimal caching in Chrome's local storage for offline access
• Location: United States (with plans for regional data centers)

5.2 Security Measures

• Passwords: Hashed with Argon2id (industry-leading algorithm)
• Canvas Tokens: Encrypted with Fernet symmetric encryption (256-bit keys)
• Data in Transit: All communication encrypted with HTTPS/TLS
• Database Access: Restricted to authorized backend services only
• Session Tokens: Cryptographically secure random tokens with 30-day expiration
• Rate Limiting: Protection against brute-force attacks and abuse

5.3 Data Retention

• Active Accounts: Data retained indefinitely while your account is active
• Deleted Accounts: All personal data permanently deleted within 30 days
• Completed Tasks: Kept for analytics unless you delete them
• Browsing History: Retained for 90 days, then automatically purged
• Error Logs: Retained for 30 days for debugging purposes

6. Your Rights and Choices

6.1 Access Your Data

You can view all your data at any time within the extension:

• Tasks: Visible in your workspace
• Settings: Available in Settings panel
• Canvas Configuration: Visible in Canvas settings (token is masked for security)

6.2 Export Your Data

Request a complete export of your data in JSON format by contacting us at boxlydev@gmail.com. We'll provide your data within 30 days.

6.3 Delete Your Data

You have several deletion options:

• Individual Tasks: Delete any task by clicking the trash icon
• Canvas Connection: Disconnect Canvas in Settings → Canvas Integration → Delete Config
• All Tasks: Settings → Data Management → Clear All Tasks
• Entire Account: Settings → Account → Delete Account (irreversible)

6.4 Opt-Out of Features

• AI Blocking: Disable by not starting tasks (blocking only active when task is running)
• Canvas Sync: Disconnect Canvas in settings or don't connect it initially
• Analytics: Future version will include opt-out toggle

6.5 Download Extension Updates

You control when to update the extension. Updates are manual (not automatic) since we're not on the Chrome Web Store yet.

7. Children's Privacy

Boxly is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you are a parent and believe your child has provided us with personal information, please contact us and we will delete it immediately.

For users aged 13-18, we recommend parental guidance when using the extension.

8. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you via in-app message when you next open Boxly
• For major changes affecting your rights, we'll request your consent

Continued use of Boxly after policy updates constitutes acceptance of the new terms.

9. International Users

Boxly is based in the United States. If you are accessing Boxly from outside the U.S., please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

By using Boxly, you consent to the transfer of your information to the United States and processing in accordance with this Privacy Policy.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request details about the personal information we collect
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of the sale of personal information (note: we do not sell personal information)
• Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, email us at boxlydev@gmail.com with "CCPA Request" in the subject line.

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

• Right to Access: Obtain confirmation of whether we process your data and access to it
• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Request deletion of your personal data
• Right to Restrict Processing: Request limitation of how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing of your personal data
• Right to Withdraw Consent: Withdraw consent at any time (doesn't affect lawfulness of prior processing)

To exercise these rights, email us at boxlydev@gmail.com. We will respond within 30 days.

Legal Basis for Processing (GDPR)

We process your data based on:

• Consent: You explicitly agree to data collection (Canvas integration, AI blocking)
• Contract Performance: Processing necessary to provide Boxly's core services
• Legitimate Interests: Service improvement, security, and fraud prevention

12. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

• Notify you via email within 72 hours of discovering the breach
• Describe the nature of the breach and what data was affected
• Explain the steps we're taking to mitigate harm
• Provide guidance on protecting your account
• Notify relevant authorities as required by law

13. Third-Party Links

Boxly may contain links to third-party websites (e.g., Canvas LMS, documentation). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.