BOXIA Privacy Policy — DRAFT
⚠️ DRAFT STATUS — this is a technically structured first draft based on the GDPR's mandatory content requirements and industry best practice (Apple, Stripe, Signal). Lawyer review is required before publication. In particular, the following items must be clarified before going live:
- Controller: Legal form + complete address + contact channels ([PLACEHOLDER below])
- Data Processing Agreements (DPA): With Google (Firebase + Vertex AI), confirm the GCP standard contract is active
- Third-country transfers: Vertex AI in `europe-west3` (EU) is privacy-friendly, but Apple Sign-In and possibly Crashlytics involve US servers → SCCs (Standard Contractual Clauses) must be verified
- Languages: This is the English version. The German version (`privacy-policy-draft.md`) should be the legally binding one for users in DACH; this English version covers the remaining 8 supported locales
- Hosting URL: Decide whether `boxia.app/privacy` or a subpath
Status: 2026-05-02 (Draft v1, English mirror of DE Draft v1 from 2026-04-29)
1. Who is responsible
Controller for data processing within the meaning of GDPR Art. 4 (7) is:
[NAME / COMPANY HERE]
[STREET + NUMBER]
[POSTAL CODE + CITY]
Germany
Email: [CONTACT EMAIL HERE, e.g. privacy@boxia.app]
For privacy questions or to exercise your rights (see Section 7), please contact the email address above.
2. What BOXIA does — and why we need data
BOXIA is an iOS app that shows vending machines (snack, drink, coffee machines, etc.) on a map, with real-time inventory and photos. You can:
- Find vending machines near you
- Scan product barcodes to check which machine carries the product
- Submit new vending machines yourself, with photo and location
- Leave ratings and save favourites
To make this work, we need certain data. This policy tells you transparently which data, for what purpose, and on which legal basis.
3. Which data we process
3.1 Account data (authentication)
| Data type | When collected | Purpose |
|---|---|---|
| Pseudonymous user ID (UID) | Every app session | Unique attribution of your contributions (submissions, favourites, ratings) to your account |
| Email address (optional) | If you sign up via email link | Sign-in, account recovery |
| Apple ID hash (optional) | If you use Sign-in with Apple | Sign-in without separate password |
| Anonymous token | Default — you can use BOXIA without an account | Local persistence (favourites, hydration goal) without identity binding |
Legal basis: GDPR Art. 6 (1) (b) (contract performance — providing the app service).
Note on Anonymous Auth: If you use BOXIA without an account, we only receive a technical pseudonymous ID (Firebase Anonymous UID). This is NOT linked to your identity. When you later sign in, you can migrate your existing favourites/contributions to an account.
3.2 Location data
| Data type | When collected | Purpose |
|---|---|---|
| GPS coordinates (precise) | Only "while-in-use" — when the app is active | Centre the map on your location, show nearby vending machines |
| Reverse-geocoding result (address) | When submitting a new machine | Suggest an address for the machine submission |
Legal basis: GDPR Art. 6 (1) (a) (your explicit consent) — you grant the location permission via the standard iOS permission dialog. You can revoke the permission at any time in iOS Settings.
Retention: Location is not stored persistently. We use it only for the current session to centre the map and query nearby machines. Exception: when you submit a machine, we store the machine's location coordinates permanently (part of the submission record) — but not your position at the time of submission.
3.3 Photo uploads
| Data type | When collected | Purpose |
|---|---|---|
| Photos of vending machines | When you submit a machine | Documentation of the machine for other users |
| Photos of products | When you use the scanner | Visual verification of the scanned barcode content |
Legal basis: GDPR Art. 6 (1) (b) (contract performance — submission service).
Important notes:
- We automatically remove EXIF metadata (especially GPS coordinates and capture time) from your photos before storage.
- Before sending, you can still change or discard the photo.
- Submissions go through a moderation process by BOXIA staff before publication.
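The EXIF removal promised above is a technical claim that can be verified on the stored files. The following is an added illustration, not BOXIA's own code: it drops the JPEG segments that carry embedded metadata (APP1 for Exif and XMP, APP13 for IPTC/Photoshop; XMP and IPTC can also hold location data, so stripping Exif alone is not enough) and provides the check a reviewer would run against a stored photo. It assumes JPEG input (iOS captures HEIC by default, which is a different container and needs its own handling) and uses only the Python standard library, so it runs offline on the constructed sample included in the block.

```python
"""Strip embedded metadata from a JPEG and verify that none remains.

Added illustration, not BOXIA's own code. Assumes JPEG input; HEIC (the iOS
capture default) is a different container and is not handled here.
"""
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP0, APP1, APP13 = 0xFFE0, 0xFFE1, 0xFFED
DROP = {APP1, APP13}                  # Exif and XMP live in APP1, IPTC in APP13
NO_LENGTH = {SOI, EOI, 0xFF01} | {0xFFD0 + i for i in range(8)}  # TEM, RSTn: no length field

EXIF_ID = b"Exif\x00\x00"
XMP_ID = b"http://ns.adobe.com/xap/1.0/\x00"


def iter_segments(data: bytes):
    """Yield (marker, raw_segment) up to and including SOS, then (None, rest).

    Entropy-coded image data after SOS is not segmented, so it is passed
    through untouched; metadata can only sit in the header segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in NO_LENGTH:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length            # length counts itself but not the marker
        if end > len(data):
            raise ValueError("truncated segment body")
        yield marker, data[pos:end]
        pos = end
        if marker == SOS:
            yield None, data[pos:]
            return


def find_metadata(data: bytes) -> list:
    """Report which metadata blocks a JPEG carries: the check to run on stored files."""
    found = []
    for marker, seg in iter_segments(data):
        payload = seg[4:]
        if marker == APP1 and payload.startswith(EXIF_ID):
            found.append("exif")
        elif marker == APP1 and payload.startswith(XMP_ID):
            found.append("xmp")
        elif marker == APP13:
            found.append("iptc")
    return found


def strip_metadata(data: bytes) -> bytes:
    """Return a copy without APP1/APP13 segments; JFIF, tables and pixel data are untouched."""
    return b"".join(seg for marker, seg in iter_segments(data) if marker not in DROP)


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample, not a real photo: a syntactically valid JPEG skeleton whose
# APP1 carries an Exif/TIFF block with a single IFD0 entry, the GPSInfo IFD
# pointer (tag 0x8825), i.e. the kind of field the policy promises to remove.
_TIFF = (
    b"MM\x00\x2a\x00\x00\x00\x08"                   # big-endian TIFF header, IFD0 at offset 8
    + struct.pack(">H", 1)                          # one IFD entry
    + struct.pack(">HHII", 0x8825, 4, 1, 26)        # GPSInfo pointer (GPS IFD itself omitted)
    + b"\x00\x00\x00\x00"                           # next-IFD offset: none
)
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_ID + _TIFF)
    + _segment(0xFFDB, b"\x00" + bytes(64))         # DQT: one flat quantisation table
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")    # SOS: one component
    + b"\x12\x34\xff\x00\x56"                       # entropy-coded data with 0xFF00 stuffing
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", find_metadata(SAMPLE_JPEG))
    print("after: ", find_metadata(strip_metadata(SAMPLE_JPEG)))
```

`find_metadata` is the part worth keeping around: run it over a sample of objects in the photo bucket and the "we remove EXIF" statement becomes an auditable control rather than a promise. Re-encoding the image (as an iOS client typically does before upload) also drops the segments, but only a check on the stored bytes proves it.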
3.4 AI photo analysis (Vertex AI Gemini 2.5 Flash)
When you submit a vending machine, we send your photo to Vertex AI Gemini 2.5 Flash (Google Cloud, region europe-west3 in Frankfurt) for automatic classification.
What the AI does:
- Detects the machine type (snack/drink/coffee/combo/etc.)
- Suggests expected product categories
- Reads visible brand cues
What the AI does NOT do:
- No automatic publication. The AI only pre-fills your submission form — you manually confirm what is correct.
- No person recognition. We explicitly discard photos in which people are clearly identifiable (see §4.5 AI pre-filter).
- No automated decision-making within the meaning of GDPR Art. 22.
Where the data is processed:
- Vertex AI Gemini 2.5 Flash service in the EU region `europe-west3` (Frankfurt, Germany)
- Photo data does NOT leave the EU for analysis
- After analysis, input tokens (= your photo) are not used for model training per Google's Vertex AI Data Governance Policy and are deleted within 24 hours
Legal basis: GDPR Art. 6 (1) (b) (contract performance — convenience function for submission pre-fill) + Art. 6 (1) (f) (legitimate interest — faster and more accurate submissions).
You can bypass the AI analysis by filling in your submission form manually — the AI is a convenience function, not a mandatory element.
3.5 Contributions (UGC — User Generated Content)
| Data type | When collected | Purpose |
|---|---|---|
| Machine submissions (location, type, photo, notes) | When submitting a new machine | Other users benefit from your contribution |
| Ratings (1-5 stars + optional comment) | When rating a machine | Quality signal for other users |
| Favourites (machine IDs) | When marking as favourite | Quick access to your preferred machines |
Legal basis: GDPR Art. 6 (1) (b) (contract performance).
Publication: Submissions and ratings are shown to all other app users after moderation review. No username or other user identifier is displayed with them; UGC is shown without attribution.
3.6 Technical data
| Data type | When collected | Purpose |
|---|---|---|
| App version, iOS version, device model | At every app start | Crash diagnosis, compatibility safeguarding |
| Crash reports (stack traces, anonymised) | On app crashes | Bug fixing |
| App Check token | On every backend call | Bot/spam protection, no personal reference |
Legal basis: GDPR Art. 6 (1) (f) (legitimate interest — app stability and bot protection).
Crashlytics: We use Firebase Crashlytics by Google. Crash reports are anonymised and contain no personal data or UGC.
4. Who has access — data recipients
4.1 Google Firebase / Google Cloud (USA, EU hosting)
BOXIA uses Firebase as backend platform:
- Firebase Authentication — account management (USA + configurable EU hosting)
- Cloud Firestore — database (hosted in EU region `europe-west3`)
- Firebase Cloud Storage — photo storage (hosted in EU region `europe-west3`)
- Cloud Functions — backend logic (hosted in EU region `europe-west3`)
- Firebase App Check — bot protection (US-based, no PII)
- Firebase Crashlytics — crash reporting (US-based, anonymised)
- Vertex AI — AI photo analysis (hosted in EU region `europe-west3`)
Data Processing Agreement (DPA): A standard DPA (Google Cloud Data Processing Addendum) is in place with Google. Standard Contractual Clauses per GDPR Art. 46 are active for third-country transfers.
Basis for the processor relationship: GDPR Art. 28 (processing on behalf of the controller).
4.2 Apple (USA)
When you use Sign in with Apple, Apple acts as the identity provider and learns that you signed in to BOXIA. We receive a pseudonymous user identifier from Apple and, if you enable "Hide My Email", only an Apple private relay address instead of your real email address.
Legal basis: GDPR Art. 6 (1) (a) (your consent in the sign-in dialogue). Apple's privacy practice: https://www.apple.com/legal/privacy/.
4.3 No advertising trackers, no profiling
BOXIA contains no advertising trackers, no third-party analytics, no cookies, and no cross-app profiling, and it does not request App Tracking Transparency (ATT) permission because it does no tracking. Your behaviour in the app is not evaluated for marketing purposes.
5. How long we store your data
| Data type | Retention period |
|---|---|
| Account data (UID, email) | Until you delete your account |
| Location | Not persistent (session only) |
| Photo uploads (submissions) | Until you delete your account — afterwards see §6.3 on UGC anonymisation |
| AI analysis input (photo to Vertex AI) | Maximum 24 hours at Google, then automatic deletion |
| Crash reports | 90 days (Firebase Crashlytics default) |
| App Check tokens | Session duration (max 1 hour) |
6. Account deletion
You can delete your account at any time via Profile → Delete Account. The following happens:
6.1 What is fully deleted
- Your Firebase Auth record (you can no longer sign in)
- Your profile record (`/users/{uid}`)
- All your private subcollections (hydration logs, pending email state)
- All your photo uploads in Storage under `users/{uid}/`
- Pending or rejected submissions (= submissions that did not become public)
6.2 What remains as anonymised contribution
⚠️ Note: This applies only after the anonymisation logic is implemented (see ADR-0018). Current state: on account deletion, ALL data is fully deleted. If the anonymisation feature is not implemented, this section must be removed.
Approved submissions (= machine submissions already publicly visible on the map) remain anonymised in the database:
- The link to your identity is severed (your UID is replaced with the sentinel value `"deleted"`)
- EXIF metadata of photos is fully removed (already happens at upload time)
- Content-wise, the contribution (location, type, photo) remains visible to other users
Why: UGC contributions that help other users (e.g. "There is a vending machine here") should not be destroyed by account deletions — this matches the practice of Google Maps, Yelp, Reddit, Wikipedia, and TripAdvisor.
Legal basis: GDPR Art. 17 (3) (d) (processing for tasks carried out in the public interest — anonymised UGC retention) + GDPR Recital 26 (anonymised data falls outside the protective scope).
6.3 What is fully deleted on request
If you also want your approved submissions fully deleted (not just anonymised), please contact us at [CONTACT EMAIL] with a corresponding request. We process such requests within 30 days per GDPR Art. 17 (1).
7. Your rights
You have the following GDPR rights against us:
| Right | Meaning | How to exercise |
|---|---|---|
| Access (Art. 15) | What data we have stored about you | Email to [CONTACT EMAIL] with subject "Access Request" |
| Rectification (Art. 16) | Correction of incorrect data | Directly in the app (profile settings) or via email |
| Erasure (Art. 17) | "Right to be forgotten" | In-app: Profile → Delete Account. For full deletion incl. UGC: email request |
| Restriction (Art. 18) | Blocking of processing | Email to [CONTACT EMAIL] |
| Data portability (Art. 20) | Export of your data in machine-readable format | Email request. We deliver within 30 days. |
| Objection (Art. 21) | Objection to processing based on legitimate interests | Email to [CONTACT EMAIL] |
| Withdrawal of consent | Where processing is based on consent (location, push notifications) | Directly in iOS Settings → BOXIA → revoke permission |
Response time: We confirm receipt within 1 week and process your request within one month (30 days), as required by GDPR Art. 12 (3).
8. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority (GDPR Art. 77). For users in Germany, the responsible authority depends on the federal state of the controller. For example, for a controller in Berlin:
[DEPENDENT ON FEDERAL STATE OF THE CONTROLLER — e.g., for Berlin:]
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
10969 Berlin, Germany
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
A complete overview of German data protection supervisory authorities can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (BfDI): https://www.bfdi.bund.de.
For users outside Germany within the EU/EEA, you can also lodge a complaint with the supervisory authority in your country of residence.
9. Security of your data
We implement technical and organisational measures to protect your data:
- Encryption in transit: All connections to our servers use HTTPS with TLS 1.2 or higher; iOS App Transport Security rejects anything weaker
- Encryption at rest: All data stored in Firebase / Google Cloud is encrypted server-side (AES-256)
- App Check: Every backend call carries a Firebase App Check token backed by Apple App Attest, so requests that do not originate from a genuine, unmodified BOXIA build are rejected. This limits bot and scraping access; it is not a substitute for the access rules below
- Security Rules: Firestore database access is governed by declarative Security Rules: users can only read and write their own records, and the only data readable by everyone is explicitly public content such as approved submissions
- Cloud Function audit: Sensitive operations (account deletion, inventory updates) do not run in the app but server-side in Cloud Functions, with an audit trail
Despite all care, no transmission over the internet is completely secure. If you suspect your account has been compromised, contact us immediately at the address in Section 13.
10. Children and minors
BOXIA is intended for persons aged 16 and older (GDPR Art. 8 (1)). If you are under 16, you need the consent of your legal guardians to use the app. We do not actively verify age at account creation.
If we become aware that an account was created by a person under 16 without consent of the legal guardians, we will delete the account.
11. Push notifications (future, from v1.1)
Currently, BOXIA does not send push notifications. In future versions (v1.1 and later), we may send you push notifications for:
- Inventory updates for favourite machines ("Your favourite machine is restocked")
- Status of your submitted submissions ("Your report has been confirmed")
- General BOXIA news
Legal basis: GDPR Art. 6 (1) (a) (your explicit consent via the iOS permission dialogue).
You can disable push notifications at any time per category in app settings or completely in iOS settings.
12. Changes to this privacy policy
We may adapt this policy when features change or legal requirements demand it.
- Minor changes (e.g. new recipient addresses, clarifications) take effect without separate notification but are visible in the version history at the end of this page
- Material changes (new data types, new purposes, new recipients) will be shown in the app before taking effect — where required, we ask for renewed consent
Current status: 2026-05-02 (Draft v1, English mirror)
13. Contact
For questions, concerns, or privacy requests, contact:
[CONTACT EMAIL HERE — recommended: privacy@boxia.app or support@boxia.app]
We respond within 1 week and process privacy requests per GDPR within 30 days.
Version history
| Version | Date | Change |
|---|---|---|
| Draft v1 (EN) | 2026-05-02 | Initial English mirror of DE Draft v1 (2026-04-29) |
Appendix A — notes for lawyer review
The following items need professional legal review:
- Controller (§1): Complete address, legal form, email — all placeholders, to be entered by the controller
- Data Processing Agreement (§4.1): Confirm GCP DPA + SCCs are active. Possibly additional TIA (Transfer Impact Assessment) for US-based sub-services
- §6.2 UGC anonymisation: Currently NOT implemented in the app. ADR-0018 is a roadmap stub, hard-blocked by exactly this Privacy Policy. If the anonymisation feature is delivered only after public launch, §6.2 must be worded DIFFERENTLY for now — namely "On account deletion, all your data is fully deleted including UGC". Only when anonymisation is implemented can the wording switch to the current form — and then the policy needs a version update with notice to users
- §4.3 advertising trackers: Confirm that the final build truly contains NO ATT framework and no advertising SDKs — Apple PrivacyInfo.xcprivacy as technical source of truth
- §10 children: 16 years is the GDPR default for Germany. Other EU countries have different lower limits (e.g. 13 in Denmark) — if the app is offered in multiple countries, differentiate regionally or use conservative 16 for all
- §11 push notifications: Roadmap-level (ADR-0017 not yet implemented). Before the first push send, the policy must be updated and re-noticed to users
- Locale coverage: This English version covers EN/FR/IT/ES/PT/NL/PL/TR users. The German version (`privacy-policy-draft.md`) is legally binding for DE/AT/CH. For other EU jurisdictions, consider whether local supervisory authority references are needed in §8
- Hosting: `boxia.app/privacy` as final URL to be confirmed (apex DNS not yet hosted, see ARCHITECTURE.md §14)
- Cookie banner: Not relevant for a pure native iOS app (no cookies). Becomes relevant when the platform/portal arrives — then a separate web privacy policy is needed
Appendix B — cross-refs for implementation
- ADR-0018: UGC anonymisation on account delete — referenced in §6.2
- ADR-0017: Push notifications strategy — referenced in §11
- Pre-Production Activation Checklist §5: Privacy Policy as hard-blocker for public launch
- Ultimate Audit 2026-04-29 §3 P0.1: Privacy Policy as critical P0 item
- DE version: `docs/legal/privacy-policy-draft.md` (legally binding for DACH)