Privacy Policy

Last updated: June 2026

BoxPlayer (“we,” “us,” or “our”) values your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information. Please read it carefully before using BoxPlayer.

1. Data Controller

The data controller for the service is BoxPlayer Team. Privacy, data-rights, and security requests can be sent to [email protected]. We have not appointed a separate Data Protection Officer; this email address is the primary channel for privacy requests.

2. Information We Collect

BoxPlayer is a local-first media player. We only collect the following information where necessary:

  • Account information: When you register a BoxPlayer account, we collect your email address and encrypted password for authentication and cross-device sync.
  • Sync data: Playback progress, favorites, and playback settings are synced across your devices and stored on our servers.
  • Device information: Device model, OS version, and app version for compatibility support and troubleshooting.
  • Crash and diagnostic data: When the app crashes, we collect crash logs to improve stability. You can disable this in Settings at any time.
  • Payment and subscription information: Order IDs, plan type, transaction amount, payment status, subscription status, and refund status. Full card numbers and card verification data are processed by Waffo Pancake and are not stored on our servers.
  • Support and ticket information: Contact details, issue descriptions, attachments, and communications you send through email, website tickets, or feedback channels.
  • Service logs: IP address, browser type, request time, error logs, and security audit logs for security, fraud prevention, troubleshooting, and compliance.

3. Information We Do NOT Collect

To protect your privacy, BoxPlayer explicitly does not collect:

  • Your media file content or detailed playback history
  • Your cloud drive file listings or file contents
  • Your NAS, SMB, NFS, or WebDAV connection credentials (stored locally only)
  • Your network traffic data
  • Your location information

4. How We Use Information

The information we collect is used solely for:

  • Providing cross-device sync functionality
  • Authenticating accounts and processing subscriptions, payments, refunds, and billing notices
  • Improving product stability and user experience
  • Responding to user feedback and support requests
  • Security, fraud prevention, abuse detection, and service auditing
  • Complying with legal obligations

For users in the EU/UK, our legal bases include performance of a contract, legitimate interests, legal obligations, and your consent where required, such as for optional marketing communications.

5. Cookies and Tracking Technologies

We may use strictly necessary cookies or local storage to maintain login sessions, language preferences, and security state. We do not sell personal information and do not use payment card data for marketing profiles. If we later add analytics or marketing tools, we will identify them in this policy and provide opt-out controls where required by law.

6. Storage and Security

We employ industry-standard security measures to protect your personal information, including transport encryption (TLS/HTTPS), storage encryption, and access controls. Your media library metadata and cloud drive credentials are stored only on your local device and are never uploaded to our servers.

If a security incident affects your rights, we will notify affected users and relevant regulators within 72 hours of discovery or within the timeframe required by applicable law.

7. Information Sharing

We do not sell, trade, or rent your personal information to third parties, including a “sale” as defined under applicable privacy laws. We may share information only:

  • With your explicit consent
  • With necessary service providers such as hosting, authentication, payment, support, email, and security vendors, subject to confidentiality and data protection obligations
  • Payment card data is processed exclusively by our PCI-DSS compliant payment processor, Waffo Pancake, and is not stored on our servers
  • When required by law, regulation, or government authority
  • To protect BoxPlayer's legitimate rights and interests

8. Data Retention

  • Account information: retained while the account is active; usually deleted or anonymized 90 days after closure or termination unless longer retention is legally required
  • Transaction and billing records: usually retained for 7 years for tax, accounting, dispute, and compliance purposes
  • Support and ticket records: usually retained for 2 years for historical support and quality improvement
  • Security audit and error logs: usually retained for 12 months; logs related to security incidents may be kept longer as required by law

9. Your Rights

You have the right to access, correct, and delete your personal information, restrict or object to processing, request data portability, withdraw consent-based processing, and delete your account. We usually respond to verifiable requests within 30 calendar days. You can manage your data preferences in the app Settings at any time, or contact us at [email protected].

If you believe we have not handled your privacy request properly, you may complain to your local data protection authority.

10. Marketing Communications and Opt-Out

With your consent, we may send product updates, promotions, or surveys. You may opt out through unsubscribe links, account settings, or by contacting us. Opting out of marketing does not affect necessary notices such as billing, security, or service change messages.

11. International Data Transfers

Our servers, payment processor, and service providers may be located outside your country or region, including the United States, Singapore, or other jurisdictions. Where personal information is transferred internationally, we use contracts, Standard Contractual Clauses (SCCs), or other applicable safeguards.

12. Children's Privacy

BoxPlayer is intended for users aged 13 and above. We do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, contact us and we will delete it as soon as reasonably possible.

13. Third-Party Links and Services

BoxPlayer may include links to, or integrations with, third-party services such as cloud drives, media servers, AI models, payment, and authentication providers. This policy applies only to information we collect directly; third-party services are governed by their own policies.

14. Policy Updates

We may update this Privacy Policy from time to time. Material changes will be communicated at least 15 days in advance via in-app notification, website notice, or email, and we will update the Last Updated date above.

15. Contact Us

If you have questions about this Privacy Policy, data rights, or security, please contact us at [email protected].