Create a Box

Privacy Policy

How BoxForge collects, uses, and protects your personal information.

Last updated: 26 April 2026  ·  Jurisdiction: United Kingdom (UK GDPR & Data Protection Act 2018)

1. Who We Are

BoxForge ("we", "us", "our") operates the BoxForge website and tools available at this domain. We are the data controller responsible for your personal data. If you have any questions about this policy, please contact us.

2. What Data We Collect

We collect the following categories of personal data:

  • Account data — your name, email address, and password (stored as a secure hash) when you register.
  • Design data — box dimensions, styles, and saved designs you create while logged in.
  • Usage data — pages visited, features used, and general interaction patterns (anonymised).
  • Contact data — name, email, and message content when you submit the contact form.
  • Technical data — IP address, browser type, and device information collected automatically via server logs.

We do not collect payment information. We do not use advertising tracking cookies.

3. How We Use Your Data

We use your personal data for the following purposes and legal bases under UK GDPR:

  • To provide the service (contract) — account management, saving designs, and delivering the core BoxForge tools.
  • To respond to enquiries (legitimate interest) — processing contact form submissions.
  • To improve the service (legitimate interest) — analysing anonymised usage patterns to develop new features.
  • To comply with legal obligations (legal obligation) — retaining records as required by law.

4. Cookies

BoxForge uses only essential session cookies required for the site to function — specifically to keep you logged in during a session. We do not use advertising, analytics, or third-party tracking cookies. No cookie consent banner is required for strictly necessary cookies under UK PECR.

5. Sharing Your Data

We do not sell, rent, or trade your personal data. We may share data with:

  • Hosting providers — our web host processes data on our behalf under a data processing agreement.
  • Legal authorities — where required by law, court order, or to protect the rights of BoxForge or others.

6. Data Retention

We retain your account data for as long as your account is active. If you delete your account, your personal data is removed within 30 days. Server logs are retained for up to 90 days. Contact form submissions are retained for up to 12 months.

7. Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Portability — receive your data in a structured, commonly used format.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, please contact us. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We take reasonable technical and organisational measures to protect your data, including HTTPS encryption, hashed password storage, and access controls. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of BoxForge after changes constitutes acceptance of the revised policy.

10. Contact

For any privacy-related questions or to exercise your rights, please use our contact form.