1. Scope of this policy
This Privacy Policy applies to L1fe AI, Inc. (“Boxes”, “we”, “us”, or “our”) and the websites, applications, and services we provide under the Boxes brand — including boxes.sh, my.boxes.sh, and the Boxes APIs (collectively, the “Services”).
It explains what personal data we collect, why, how we use it, how we share it, your rights regarding it, and the choices you have. It is intended to satisfy our obligations under the EU and UK General Data Protection Regulations (“GDPR”), the California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”), Brazil's LGPD, and other applicable privacy laws.
2. Who controls your data
L1fe AI, Inc., a Delaware corporation headquartered at 548 Market Street, PMB, San Francisco, CA 94104, is the data controller for personal data collected when you visit our websites, sign up for an account, or otherwise interact with us directly.
For personal data contained within content you upload to the Services (e.g., emails, documents, calendar entries, files), our customer (your employer or you, as account-holder) is the data controller, and we act as the data processor. The terms governing that relationship are set out in our Data Processing Agreement.
3. What personal data we collect
3.1 Information you provide
- Account information. Name, email, password (hashed, never stored in clear text), profile photo, workspace name, billing address, and a tokenised reference to your payment method.
- Content data. Email messages, documents, files, calendar events, spreadsheets, slides, agent prompts and outputs, and other content you create, upload, or transmit through the Services.
- Communications. Support requests, sales inquiries, feedback, survey responses, and other communications you send us.
3.2 Information collected automatically
- Usage data. Features used, surfaces visited, agent actions taken, session length, performance metrics, error reports.
- Device and connection data. IP address, user-agent string, browser and OS version, device type, language preference, time zone.
- Cookies and similar technologies. Strictly necessary, functional, analytics, and (where consented) marketing cookies, as detailed in our Cookie Policy.
- Agent provenance data. For every action taken by an AI agent under your account, we record the agent's identifier, the cryptographic signature, the timestamp, the action category, and the capability scope under which the action was authorised. This data is stored on a tamper-evident audit log for the retention period set out in §7.
3.3 Information from third parties
- Identity providers. If you sign in via SSO (Google, Microsoft, Okta, SAML), we receive your basic profile data from that provider.
- Payment processors. We receive transaction status and a tokenised reference to your payment method from Stripe; we do not store full card numbers.
- Integration partners. If you import data from Google Workspace, Microsoft 365, or other services, we receive the data they share at your direction.
4. How we use personal data
We process personal data on the following legal bases under GDPR Article 6: (a) performance of a contract (Art. 6(1)(b)) for account, billing, and service delivery; (b) legitimate interests (Art. 6(1)(f)) for security, fraud prevention, product analytics, and direct marketing to existing customers; (c) consent (Art. 6(1)(a)) for marketing communications to prospects and for non-essential cookies; (d) legal obligation (Art. 6(1)(c)) for tax, accounting, and law-enforcement compliance.
Specifically, we use personal data to:
- Provide, maintain, and improve the Services;
- Authenticate, authorise, and secure your account;
- Process payments, send invoices, and prevent fraud;
- Communicate with you about service updates, security advisories, and (where you have opted in) product news;
- Provide customer support, troubleshoot issues, and respond to requests;
- Analyse aggregate usage to improve product quality (using deidentified or aggregated data wherever possible);
- Comply with applicable law, respond to legal process, and enforce our agreements.
5. AI, agents, and training
We do not train AI models on customer content. Ever. The content you and your team upload to Boxes — emails, documents, files, calendar events, agent prompts, agent outputs — is not used to train, fine-tune, or otherwise improve any model owned by us or by third parties. This commitment is contractually binding on us under your Terms of Service and our Data Processing Agreement.
When you use AI features in Boxes (drafts, summaries, agent actions), your content is transmitted to the model provider you have selected (which may be operated by us or by a third-party provider you choose). All providers we use are bound by zero-retention, no-training contractual terms. You may disable third-party inference per workspace in your admin settings.
Every action taken by an AI agent on your account is cryptographically signed with that agent's identity, recorded on a tamper-evident audit log, and bounded by the capability scopes you (or your administrator) have granted. You retain full control: you may revoke any agent's capabilities, delete any agent, and request the audit log of every action it ever took.
6. How we share personal data
We do not sell personal data. We share personal data only as described below:
- Subprocessors. We engage third-party service providers (cloud infrastructure, payment processors, email delivery, observability) under written contracts that require them to safeguard personal data and process it only on our documented instructions. A complete list is maintained at /legal/subprocessors.
- Customer-directed sharing. If you elect to share documents, emails, calendar invites, or files with recipients outside your workspace, we transmit that data as you direct.
- Legal compliance. We may disclose personal data when required by law, in response to a valid subpoena or court order, or to investigate and prevent fraud, security incidents, or violations of our agreements. We will notify the affected customer where lawful and practicable.
- Business transfers. If we are involved in a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of that transaction. We will provide notice and continue to honour this Privacy Policy.
- With your consent. We may share personal data for other purposes with your explicit consent.
7. Data retention
- Account data: retained for the life of your account, plus 30 days after cancellation. After 30 days, account data is permanently deleted unless legal obligations require longer retention.
- Content data: retained until you delete it or until 30 days after account cancellation.
- Agent audit logs: retained for seven (7) years from the date of the action, to support accountability and audit obligations. Right-to-erasure requests under GDPR are reconciled with this retention period as set out in our DPA §14.
- Billing records: retained for seven (7) years to satisfy tax and accounting obligations.
- Backups: rolling 35-day backups of all production data, encrypted and access-controlled.
8. Your rights
Depending on your jurisdiction, you have one or more of the following rights with respect to your personal data:
- Access. Request a copy of the personal data we hold about you.
- Correction. Ask us to correct personal data that is inaccurate or incomplete.
- Deletion. Ask us to delete personal data, subject to legal-retention obligations.
- Portability. Receive a machine-readable copy of your personal data and transmit it to another controller.
- Restriction. Ask us to restrict processing in specific circumstances.
- Objection. Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent. Withdraw any consent you previously gave (without affecting prior lawful processing).
- Lodge a complaint. Lodge a complaint with your local supervisory authority (e.g., the Irish DPC for EU residents, the ICO for UK residents).
- Non-discrimination (CCPA). We will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, please email privacy@boxes.sh from the email address associated with your account. We respond within 30 days (90 days for complex requests).
9. International data transfers
Boxes is headquartered in the United States and operates infrastructure in multiple regions (US, EU, APAC). Personal data may be transferred to and processed in countries other than the country in which you reside. Where we transfer EEA or UK personal data outside the EEA/UK, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (Module 2, Controller-to-Processor; Module 3, Processor-to-Processor), the UK International Data Transfer Addendum, and a documented Transfer Impact Assessment.
Enterprise customers may elect EU-only data residency (Frankfurt + Paris); all customer content, backups, and audit logs are then stored exclusively within the EU. Self-hosted deployments place all data under the customer's own infrastructure and control.
10. How we secure personal data
We maintain technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, multi-factor authentication for staff, regular vulnerability scanning, third-party penetration testing, SOC 2 Type II audited controls, and a documented incident-response programme. Full details are available in our Security Overview.
11. Children
The Services are not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us at privacy@boxes.sh and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to account-holders at least 14 days before they take effect; non-material changes will be posted to this page with an updated "Last updated" date. Continued use of the Services after the effective date constitutes acceptance of the updated policy.
13. Contact us
For any privacy-related question, request, or concern, please contact our Data Protection Officer at privacy@boxes.sh, or write to:
L1fe AI, Inc.
Attn: Data Protection Officer
548 Market Street, PMB
San Francisco, CA 94104, USA
EU representative (where required under GDPR Art. 27): to be appointed.
UK representative (where required under UK GDPR Art. 27): to be appointed.