Legal

Privacy Policy

Last updated: March 7, 2026

Our Commitment

Box Box is built for racing fans who care about privacy. We collect only what's necessary to provide our service, and we never sell your data to third parties.

Information We Collect

Account Information

When you sign in with Apple, we receive your email address (which you can choose to hide) and a unique identifier. We use this to create and manage your account.

Game Data

Your team selections, league memberships, and fantasy scores. This data is essential for the game to function.

Usage Information

We use PostHog (hosted in the European Union) to collect anonymous product analytics — such as features used and session duration — to help us improve the app. This data is not tied to your identity and contains no personally identifiable information. You can opt out of analytics at any time in Settings > Privacy & Data.

Error & Performance Data

We use Sentry to collect crash reports and performance diagnostics. All reports are automatically scrubbed of personally identifiable information before transmission. This data helps us identify and fix bugs quickly.

Subscription Information

If you subscribe to Box Box Pro, we store your subscription tier (free or pro), subscription expiry date, and a transaction identifier provided by Apple. We do not store your payment method, credit card details, or billing address — all payment processing is handled entirely by Apple through the App Store. Your subscription status is used to determine feature access (such as league size limits).

How We Use Your Information

  • To provide and operate the Box Box fantasy game
  • To sync your teams and scores across devices
  • To enable social features like leagues and leaderboards
  • To send important updates about the game (you can opt out)
  • To improve the app based on usage patterns
  • To manage your subscription status and provide access to Pro features

We never sell your personal data. Ever.

Data Security

Your data is protected using industry-standard security measures:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Secure authentication via Apple Sign In
  • Row-level security for data isolation

Data Retention

We retain your data for as long as your account is active. When you delete your account, all your personal data is permanently removed within 30 days.

Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your data in a standard format
  • Opt out of non-essential communications
  • Withdraw consent for product analytics at any time (Settings > Privacy & Data)

Withdrawing analytics consent is as easy as granting it, in accordance with GDPR Article 7(3) and PIPEDA Principle 4.3.8.

You can exercise these rights directly in the app (Settings > Privacy & Data) or by contacting us.

Third-Party Services

Box Box uses the following third-party services:

  • Supabase — Database and authentication (SOC 2 Type II compliant)
  • Apple Sign In — Authentication (Apple's privacy practices apply)
  • Apple In-App Purchases — Subscription payment processing (Apple handles all payment data; we only receive a transaction identifier and subscription status)
  • PostHog — Anonymous product analytics, hosted in the European Union (EU data residency). No personally identifiable information is collected. You can opt out at any time in Settings.
  • Sentry — Error tracking and performance monitoring. All reports are automatically scrubbed of personally identifiable information via beforeSend filtering before transmission.

Data Processing & International Transfers

Your data is processed by the following service providers:

  • Supabase — Database hosting (United States, SOC 2 Type II)
  • PostHog — Product analytics (European Union — Frankfurt, DE)
  • Sentry — Error monitoring (United States, SOC 2 Type II)

All service providers are contractually bound to protect your data and process it only on our behalf. Box Box is operated from Ontario, Canada and governed by PIPEDA. Where data is transferred outside Canada, we ensure comparable levels of protection are maintained.

Children's Privacy

Box Box is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us.

Changes to This Policy

We may update this policy from time to time. We'll notify you of significant changes via email or in-app notification.

Contact

Questions about this policy? Contact us at support@boxboxfantasy.com