DMBox Privacy Policy
Last updated: 2026-05-12
1. Who we are
DMBox ("the Service") is operated by Gad1001 ("we", "us"). For GDPR purposes we act as the data controller for account data and as the data processor for campaign Content that customers upload.
2. What we collect
Account data (you provide this directly):
- email address
- account name / display name
- authentication credentials (hashed; we do not store plaintext passwords)
- billing identifiers (Stripe customer ID; we do not store full card numbers)
Service data (generated when you use the Service):
- campaign Content you upload (notes, characters, audio, etc.)
- transcripts and AI-generated output derived from your inputs
- usage counters (transcription minutes, AI tokens consumed) for quota enforcement
Technical data (collected automatically):
- IP address (used for rate limiting, fraud prevention, and approximate geolocation; not used for advertising)
- browser user-agent
- request logs (URL, status, latency) retained for up to 30 days for operational debugging
- error reports (via Sentry) including stack traces and request context
3. Why we process it (legal basis under GDPR Art. 6)
- Performing our contract with you — to deliver the Service you signed up for (account data, Service data).
- Legitimate interests — to secure the Service, prevent abuse, and debug errors (technical data). You may object to this processing at any time.
- Consent — for any optional features that require it (e.g., email marketing); you may withdraw consent at any time.
- Legal obligation — to retain billing records for tax/accounting purposes.
4. Subprocessors
We share data with the following third parties strictly as necessary to operate the Service. Each subprocessor receives only the categories of data listed and is bound by a data-processing agreement that restricts use to the stated purpose.
| Subprocessor | Purpose | Data categories shared | Transfer mechanism | Region |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, fraud screening | name, email, billing address, Stripe customer ID, transaction metadata | SCCs + DPF | US / EU |
| Anthropic, PBC | AI inference (Claude) | prompt content you submit, system context, model selection | SCCs + zero-retention API config | US |
| OpenAI, L.L.C. | Optional AI inference / Whisper transcription | prompt content or audio you submit, model selection | SCCs + zero-retention API config | US |
| Resend, Inc. | Transactional email delivery | email address, message subject and body | SCCs | EU / US |
| Functional Software, Inc. (Sentry) | Error monitoring | error context, request URL, user ID, browser metadata | SCCs | EU (data residency: EU) |
| Hosting provider (configurable per deployment) | Compute, storage, networking | all of the above at rest | SCCs + region selection | configurable |
| PostgreSQL operator (managed DB) | Primary data store | all account and Service data at rest | SCCs + region selection | configurable |
| Object storage operator | Audio and large-file storage | uploaded audio, exports, archived sessions | SCCs + region selection | configurable |
"SCCs" means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). "DPF" means the EU–US Data Privacy Framework certification of the receiving entity, where applicable. Where neither applies for a transfer, we rely on the derogations of GDPR Art. 49 only where lawful and as a last resort.
A current list of subprocessors is maintained at /legal/subprocessors and updated when changes occur; material additions are announced at least 30 days in advance.
5. International transfers
Where data is transferred outside your jurisdiction (for example to US-based AI providers), we rely on Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework, as applicable. A copy of our SCCs is available on request.
6. Retention
| Data category | Retention period | Trigger for deletion |
|---|---|---|
| Account profile (email, display name, hashed credentials) | Life of account | Account closure + 30 days |
| Billing records (Stripe customer ID, invoices, tax data) | 7 years from issue | Statutory tax-retention period expiry |
| Campaign Content (notes, characters, audio, transcripts) | Until you delete it, or 30 days after account closure | Explicit user deletion or account closure |
| AI prompt/response history (per-session) | 90 days, or until session deletion | Session deletion or window expiry |
| Usage counters (transcription minutes, AI tokens) | 13 months rolling | Window expiry |
| Request logs (URL, status, latency, IP) | 30 days | Window expiry |
| Error reports (Sentry) | 90 days | Window expiry |
| Audit logs (admin actions, security events) | 12 months | Window expiry |
| Backups (encrypted) | 35-day rolling window | Backup rotation |
| Support tickets and correspondence | 2 years from ticket closure | Window expiry |
Deletion from primary storage is immediate on user request or scheduled purge. Deleted records age out of rolling backups within the backup window (typically 35 days). Where statutory retention applies (billing, tax), the record is retained in a restricted-access archive and is not used for any other purpose.
7. Your rights
7.1 If you are in the EEA (GDPR)
- Access (Art. 15) — obtain a copy of the personal data we hold about you and information about how it is processed.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion ("right to be forgotten"), subject to exceptions for legal obligations.
- Restriction (Art. 18) — limit how we process your data while a dispute is resolved.
- Portability (Art. 20) — receive your data in a structured, machine-readable format (we provide JSON exports).
- Object (Art. 21) — object to processing based on legitimate interests, including for direct marketing.
- Withdraw consent (Art. 7) — for processing based on consent, with no effect on processing already carried out.
- Lodge a complaint with your local supervisory authority (a list is available at edpb.europa.eu).
7.2 If you are in the United Kingdom (UK GDPR)
You have the same rights as listed in §7.1. You may lodge a complaint with the Information Commissioner's Office (ico.org.uk).
7.3 If you are in California (CCPA / CPRA)
- Right to know what categories of personal information we have collected, the sources, the purpose, and the categories of third parties with whom we share it.
- Right to access a copy of your personal information.
- Right to delete your personal information, subject to statutory exceptions.
- Right to correct inaccurate personal information.
- Right to limit use of sensitive personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information as those terms are defined under the CPRA.
- Right to non-discrimination for exercising your rights.
To exercise rights, email privacy@dmbox.org. Authorized agents may submit requests on your behalf with verifiable authorization.
7.4 If you are elsewhere
Other jurisdictions (Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, etc.) provide similar rights. Contact us using the address below and we will honor applicable rights to the extent required by your local law.
7.5 How to exercise your rights
Email privacy@dmbox.org from the email address associated with your account, or use the in-product "Privacy" page to generate an authenticated request. We respond within 30 days (extendable by a further 60 days where the request is complex, with notice).
7.6 Identity verification
To prevent unauthorized disclosure, we may ask you to confirm control of the account email before fulfilling access, deletion, or portability requests. For account-less requests (for example, from a person whose data appears in another customer's Content), we may ask for sufficient information to locate the records and confirm identity. We will not ask for more information than is necessary to verify the request.
7.7 Automated decision-making
We do not make decisions about you based solely on automated processing that produces legal or similarly significant effects (GDPR Art. 22). The Service uses AI to generate suggested content, transcripts, and summaries, but these outputs are surfaced for human review and do not by themselves determine your access to the Service, your pricing, or any other matter affecting your rights.
8. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
9. Security
We use industry-standard technical and organizational measures including TLS in transit, encryption at rest for sensitive fields, scoped access controls, and audit logging. No system is perfectly secure; in the event of a personal data breach affecting you we will notify you and the relevant supervisory authority as required by law.
10. Cookies
We use the minimum cookies necessary to operate the Service:
| Cookie | Type | Purpose | Lifetime |
|---|---|---|---|
| dmbox_session | Strictly necessary | Authenticated session | Session or 30 days (if "remember me") |
| dmbox_csrf | Strictly necessary | CSRF token | Session |
| dmbox_pref | Functional | UI preferences (theme, sidebar) | 1 year |
Strictly necessary cookies do not require consent under the ePrivacy Directive. We do not use third-party advertising cookies and do not embed third-party trackers in the authenticated cockpit. Optional analytics, if enabled in a future release, will be documented in the in-product cookie banner and require opt-in consent.
11. Changes to this Policy
Material changes will be communicated by email or in-product notice at least 14 days before they take effect.
12. Contact
- Operator: Gad1001
- Email: privacy@dmbox.org
- EU representative (where required by GDPR Art. 27): TBD before launch
- UK representative (where required by UK GDPR): TBD before launch