BOXIA Privacy Policy
Status: 2026-05-13
This policy explains which personal data BOXIA collects, for which purposes it is processed and which rights you have. It follows GDPR requirements and industry best-practice (Apple, Stripe, Signal). The policy is updated alongside new features and legal requirements — see the version history at the end. The German version is legally binding for users in DACH; this English version covers the remaining supported locales.
1. Who is responsible
Controller for data processing within the meaning of GDPR Art. 4 (7) is:
Enes Saribal
Boxia
Domagkstr. 16
51063 Köln
Germany
Email: info@boxia.app
For privacy questions or to exercise your rights (see Section 7), please contact the email address above.
2. What BOXIA does — and why we need data
BOXIA is an iOS app that shows vending machines (snack, drink, coffee machines, etc.) on a map, with real-time inventory and photos. You can:
- Find vending machines near you
- Scan product barcodes to check which machine carries the product
- Submit new vending machines yourself, with photo and location
- Leave ratings and save favourites
To make this work, we need certain data. This policy tells you transparently which data, for what purpose, and on which legal basis.
3. Which data we process
3.1 Account data (authentication)
| Data type | When collected | Purpose |
|---|---|---|
| Pseudonymous user ID (UID) | Every app session | Unique attribution of your contributions (submissions, favourites, ratings) to your account |
| Email address (optional) | If you sign up via email link | Sign-in, account recovery |
| Apple ID hash (optional) | If you use Sign-in with Apple | Sign-in without separate password |
| Anonymous token | Default — you can use BOXIA without an account | Local persistence (favourites, hydration goal) without identity binding |
Legal basis: GDPR Art. 6 (1) (b) (contract performance — providing the app service).
Note on Anonymous Auth: If you use BOXIA without an account, we only receive a technical pseudonymous identifier (Firebase Anonymous UID). This is NOT linked to your identity. When you later sign in, you can migrate your existing favourites/contributions to an account.
3.2 Location data
| Data type | When collected | Purpose |
|---|---|---|
| GPS coordinates (precise) | Only "while-in-use" — when the app is active | Centre the map on your location, show nearby vending machines |
| Reverse-geocoding result (address) | When submitting a new machine | Suggest an address for the machine submission |
Legal basis: GDPR Art. 6 (1) (a) (your explicit consent) — you grant the location permission via the standard iOS permission dialog. You can revoke the permission at any time in iOS Settings.
Retention: Location is not stored persistently. We use it only for the current session to centre the map and query nearby machines. Exception: when you submit a machine, we store the machine's location coordinates permanently (part of the submission record) — but not your position at the time of submission.
3.3 Photo uploads
| Data type | When collected | Purpose |
|---|---|---|
| Photos of vending machines | When you submit a machine | Documentation of the machine for other users |
| Photos of products | When you use the scanner | Visual verification of the scanned barcode content |
Legal basis: GDPR Art. 6 (1) (b) (contract performance — submission service).
Important notes:
- We automatically remove EXIF metadata (especially GPS coordinates and capture time) from your photos before storage.
- Before sending, you can still change or discard the photo.
- Submissions go through a moderation process by BOXIA staff before publication.
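As an added illustration of the EXIF removal described above (example code, not BOXIA's own implementation), the following Python walks the JPEG marker stream, drops the metadata segments that carry GPS coordinates and capture time (APP1 Exif, APP1 XMP, APP13 IPTC) and copies everything else, including the pixel data, unchanged. The sample image bytes are constructed inline and are not a real photo.

```python
import struct

SOI = b"\xff\xd8"
SOS = 0xDA
# Markers that carry no length field (TEM, SOI, EOI, RST0-7).
STANDALONE = {0x01, 0xD8, 0xD9, *range(0xD0, 0xD8)}
# Metadata segments to drop, keyed by APPn marker and identified by payload prefix:
# APP1 Exif (GPS, capture time, camera serial), APP1 XMP, APP13 Photoshop/IPTC.
STRIP = {
    0xE1: (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00"),
    0xED: (b"Photoshop 3.0\x00",),
}


def _segments(jpeg: bytes):
    """Yield (start, marker, end) for each header segment up to and including SOS."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:  # padding byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield pos, marker, pos + 2
            pos += 2
            continue
        if pos + 4 > len(jpeg):
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length  # the length field counts its own two bytes
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield pos, marker, end
        if marker == SOS:
            return
        pos = end
    raise ValueError("truncated JPEG: no SOS segment")


def strip_metadata(jpeg: bytes) -> bytes:
    """Return the JPEG with Exif/XMP/IPTC segments removed; pixel data is untouched."""
    out = bytearray(SOI)
    for start, marker, end in _segments(jpeg):
        if marker == SOS:
            out += jpeg[start:]  # scan data through EOI, copied verbatim
            return bytes(out)
        payload = jpeg[start + 4:end]
        if marker in STRIP and payload.startswith(STRIP[marker]):
            continue  # drop the metadata segment
        out += jpeg[start:end]
    raise ValueError("truncated JPEG: no SOS segment")


def markers(jpeg: bytes) -> list[int]:
    """Header marker sequence up to SOS, useful to check what a file still carries."""
    return [m for _, m, _ in _segments(jpeg)]


def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample, not a real photo: JFIF header, an Exif block carrying a
# GPS position and capture time, an XMP block, then a minimal scan and EOI.
JFIF = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF = _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
                  b"GPSLatitude=50.96N;GPSLongitude=7.01E;DateTimeOriginal=2026:05:13 10:00:00")
XMP = _seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
SCAN = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9"
SAMPLE = SOI + JFIF + EXIF + XMP + SCAN

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE)
    print([hex(m) for m in markers(SAMPLE)], "->", [hex(m) for m in markers(cleaned)])
```

The stripper works on segment boundaries rather than searching for strings, so a GPS value split across bytes or a second Exif block is still removed, and it rejects anything that is not a well-formed JPEG instead of passing it through. A production upload path would additionally re-encode the image, which also removes metadata hidden in non-standard segments.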
3.4 AI photo analysis (Vertex AI Gemini 2.5 Flash)
When you submit a vending machine, we send your photo to Vertex AI Gemini 2.5 Flash (Google Cloud, region europe-west3 in Frankfurt) for automatic classification.
What the AI does:
- Detects the machine type (snack/drink/coffee/combo/etc.)
- Suggests expected product categories
- Reads visible brand cues
What the AI does NOT do:
- No automatic publication. The AI only pre-fills your submission form — you manually confirm what is correct.
- No person recognition. We explicitly discard photos in which people are clearly identifiable (see §4.5 AI pre-filter).
- No automated decision-making within the meaning of GDPR Art. 22.
Where the data is processed:
- Vertex AI Gemini 2.5 Flash runs in the EU region europe-west3 (Frankfurt, Germany); photo data does NOT leave the EU for analysis
- After analysis, the input (your photo) is not used for model training per Google's Vertex AI Data Governance Policy and is deleted within 24 hours
Legal basis: GDPR Art. 6 (1) (b) (contract performance — convenience function for submission pre-fill) + Art. 6 (1) (f) (legitimate interest — faster and more accurate submissions).
You can bypass the AI analysis by filling in your submission form manually — the AI is a convenience function, not a mandatory element.
3.5 Contributions (UGC — User Generated Content)
| Data type | When collected | Purpose |
|---|---|---|
| Machine submissions (location, type, photo, notes) | When submitting a new machine | Other users benefit from your contribution |
| Ratings (1-5 stars + optional comment) | When rating a machine | Quality signal for other users |
| Favourites (machine IDs) | When marking as favourite | Quick access to your preferred machines |
Legal basis: GDPR Art. 6 (1) (b) (contract performance).
Publication: Submissions and ratings are shown to all other app users after moderation review. Your username does not appear — UGC is displayed anonymously.
3.6 Technical data
| Data type | When collected | Purpose |
|---|---|---|
| App version, iOS version, device model | At every app start | Crash diagnosis, compatibility checks |
| Crash reports (stack traces, anonymised) | On app crashes | Bug fixing |
| App Check token | On every backend call | Bot/spam protection, no personal reference |
Legal basis: GDPR Art. 6 (1) (f) (legitimate interest — app stability and bot protection).
Crashlytics: We use Firebase Crashlytics by Google. Crash reports are anonymised and contain no personal data or UGC.
4. Who has access — data recipients
4.1 Google Firebase / Google Cloud (USA, EU hosting)
BOXIA uses Firebase as backend platform:
- Firebase Authentication — account management (USA + configurable EU hosting)
- Cloud Firestore — database (hosted in EU region europe-west3)
- Firebase Cloud Storage — photo storage (hosted in EU region europe-west3)
- Cloud Functions — backend logic (hosted in EU region europe-west3)
- Firebase App Check — bot protection (US-based, no PII)
- Firebase Crashlytics — crash reporting (US-based, anonymised)
- Vertex AI — AI photo analysis (hosted in EU region europe-west3)
Data Processing Agreement (DPA): A standard DPA (Google Cloud Data Processing Addendum) is in place with Google. Standard Contractual Clauses per GDPR Art. 46 are active for third-country transfers.
Processor relationship: GDPR Art. 28 (processing on our behalf).
4.2 Apple (USA)
When you use Sign-in with Apple, Apple processes your Apple ID sign-in. We receive a pseudonymous user identifier and, if you enable "Hide My Email", an Apple-generated relay address instead of your real email address.
Legal basis: GDPR Art. 6 (1) (a) (your consent at the sign-in dialogue). Apple's privacy practice: https://www.apple.com/legal/privacy/.
4.3 Cloudflare (USA, EU edge hosting)
When you access the web portal connect.boxia.app (BOXIA Connect) in a browser, Cloudflare Turnstile is used as the App Check provider to protect against bot and spam access. Cloudflare receives:
- Browser/device tokens (privacy-preserving attestation, no user login)
- IP address (for token issuance, not persistently stored)
Cloudflare uses this data exclusively for authenticity verification and not for tracking, profiling, or advertising. Turnstile sets no cookies and shows no CAPTCHA puzzle, so no identifier persists across sessions.
Data Processing Agreement (DPA): A Cloudflare DPA is in place. Standard Contractual Clauses pursuant to GDPR Art. 46 are active for third-country transfers. Cloudflare edge processing occurs in the EU.
Legal basis: GDPR Art. 6 (1) (f) (legitimate interest — protecting the operator portal against bot/spam access) and Art. 28 GDPR (data processing on our behalf).
Note: The iOS app uses Apple App Attest as its App Check provider (Apple-native verification, no Cloudflare involvement). Cloudflare is only used in the web browser context.
Cloudflare's privacy practice: https://www.cloudflare.com/privacypolicy/.
4.4 No advertising trackers, no profiling
BOXIA contains no advertising trackers, performs no tracking that would require an App Tracking Transparency (ATT) prompt, and uses no third-party analytics, no cookies, and no cross-app profiling. Your behaviour in the app is not evaluated for marketing purposes.
5. How long we store your data
| Data type | Retention period |
|---|---|
| Account data (UID, email) | Until you delete your account |
| Location | Not persistent (session only) |
| Photo uploads (submissions) | Until you delete your account — afterwards see §6.3 on UGC anonymisation |
| AI analysis input (photo to Vertex AI) | Maximum 24 hours at Google, then automatic deletion |
| Crash reports | 90 days (Firebase Crashlytics default) |
| App Check tokens | Session duration (max 1 hour) |
6. Account deletion
You can delete your account at any time via Profile → Delete Account. The following happens:
6.1 What is fully deleted
- Your Firebase Auth record (you can no longer sign in)
- Your profile record (/users/{uid})
- All your private subcollections (hydration logs, pending email state)
- All your photo uploads in Storage under users/{uid}/
- Pending or rejected submissions (= submissions that did not become public)
6.2 What remains as anonymised contribution
⚠️ Note: The anonymisation described in this section is planned (see ADR-0018) and not yet implemented. Until it ships, account deletion removes ALL of your data, including approved submissions. If the feature is dropped, this section will be removed.
Approved submissions (= machine submissions already publicly visible on the map) remain anonymised in the database:
- The link to your identity is severed (your UID is replaced with the sentinel value "deleted")
- EXIF metadata of photos is fully removed (already happens at upload time)
- Content-wise, the contribution (location, type, photo) remains visible to other users
Why: UGC contributions that help other users (e.g. "There is a vending machine here") should not be destroyed by account deletions — this matches the practice of Google Maps, Yelp, Reddit, Wikipedia, and TripAdvisor.
Legal basis: GDPR Art. 17 (3) (d) (processing for tasks carried out in the public interest — anonymised UGC retention) + GDPR Recital 26 (anonymised data falls outside the protective scope).
6.3 What is fully deleted on request
If you also want your approved submissions fully deleted (not just anonymised), please contact us at info@boxia.app with a corresponding request. We process such requests within 30 days per GDPR Art. 17 (1).
7. Your rights
You have the following GDPR rights against us:
| Right | Meaning | How to exercise |
|---|---|---|
| Access (Art. 15) | What data we have stored about you | Email to info@boxia.app with subject "Access Request" |
| Rectification (Art. 16) | Correction of incorrect data | Directly in the app (profile settings) or via email |
| Erasure (Art. 17) | "Right to be forgotten" | In-app: Profile → Delete Account. For full deletion incl. UGC: email request |
| Restriction (Art. 18) | Blocking of processing | Email to info@boxia.app |
| Data portability (Art. 20) | Export of your data in machine-readable format | Email request. We deliver within 30 days. |
| Objection (Art. 21) | Objection to processing based on legitimate interests | Email to info@boxia.app |
| Withdrawal of consent | Where processing is based on consent (location, push notifications) | Directly in iOS Settings → BOXIA → revoke permission |
Response time: We confirm receipt within 1 week and process within 30 days (GDPR Art. 12 (3)).
8. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority (GDPR Art. 77). The competent authority for the controller (based in Köln / North Rhine-Westphalia, Germany) is:
State Commissioner for Data Protection and Freedom of Information
of North Rhine-Westphalia (LDI NRW)
Kavalleriestr. 2–4
40213 Düsseldorf, Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Web: https://www.ldi.nrw.de
A complete overview of German data protection supervisory authorities can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (BfDI): https://www.bfdi.bund.de.
For users outside Germany within the EU/EEA, you can also lodge a complaint with the supervisory authority in your country of residence.
9. Security of your data
We implement technical and organisational measures to protect your data:
- Encryption in transit: All connections to our servers use HTTPS (TLS 1.3)
- Encryption at rest: All data stored in Firebase / Google Cloud is encrypted server-side (AES-256)
- App Check: We verify the authenticity of app calls via Apple App Attest (iOS app) and Cloudflare Turnstile (web portal connect.boxia.app) to prevent bot access. For Cloudflare as a processor, see §4.3.
- Security Rules: Firestore database access is secured by declarative security rules — users can only read/write their own data (except for explicitly public content like approved submissions)
- Cloud Function audit: Sensitive operations (account deletion, inventory updates) run via Cloud Functions with audit trail
Despite all care, the internet is not a 100% secure medium. If you suspect account compromise, contact us immediately.
10. Children and minors
BOXIA is intended for persons aged 16 and older (GDPR Art. 8 (1)). If you are under 16, you need the consent of your legal guardians to use the app. We do not actively verify age at account creation.
If we become aware that an account was created by a person under 16 without consent of the legal guardians, we will delete the account.
11. Push notifications (future, from v1.1)
Currently, BOXIA does not send push notifications. In future versions (v1.1 and later), we may send you push notifications for:
- Inventory updates for favourite machines ("Your favourite machine is restocked")
- Status of your submitted submissions ("Your report has been confirmed")
- General BOXIA news
Legal basis: GDPR Art. 6 (1) (a) (your explicit consent via the iOS permission dialogue).
You can disable push notifications at any time per category in app settings or completely in iOS settings.
12. Changes to this privacy policy
We may adapt this policy when features change or legal requirements demand it.
- Minor changes (e.g. new recipient addresses, clarifications) take effect without separate notification but are visible in the version history at the end of this page
- Material changes (new data types, new purposes, new recipients) will be shown in the app before taking effect — where required, we ask for renewed consent
Current status: 2026-05-13
13. Contact
For questions, concerns, or privacy requests, contact:
Enes Saribal
Boxia
Domagkstr. 16
51063 Köln
Germany
Email: info@boxia.app
We respond within 1 week and process privacy requests per GDPR within 30 days.
See also the Imprint (§5 DDG, formerly §5 TMG).
Version history
| Version | Date | Change |
|---|---|---|
| 1.0 (EN) | 2026-05-13 | Controller + contact details + NRW supervisory authority filled in, live publication |
| Draft v1 (EN) | 2026-05-02 | Initial English mirror of DE Draft v1 (2026-04-29) |