Legal

Privacy Policy

Last updated:

1. Data Controller

Boxed Off ("we", "us", "our") is the data controller for personal data processed through the Boxed Off platform. We are registered in the Republic of Ireland.

For any data protection enquiries, contact us at privacy@boxedoff.ie.

This Privacy Policy applies to all users of boxedoff.ie and any associated applications. It is written in accordance with the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Acts 1988–2018.

2. Data We Collect

Account information

  • Name and email address (provided at registration)
  • Phone number (optional; used for booking notifications)
  • Address / Eircode (for service location matching)
  • Profile photo (Providers only, optional)
  • Identity verification data (Providers only — processed by Stripe Identity)

Booking and transaction data

  • Service bookings: date, time, location, service type, notes
  • Payment data: transaction amounts, payment status (card details are processed and stored by Stripe — we never see or store your full card number)
  • Booking history and completion status

User-generated content

  • Reviews and ratings you submit
  • Photos attached to reviews
  • Messages sent via our in-platform chat
  • Portfolio photos (Providers)

Technical data

  • IP address and device information
  • Browser type and version
  • Pages visited and features used (via analytics tools)
  • Referral source (how you found us)

3. How We Use Your Data

PurposeLegal basis (GDPR)
Creating and managing your accountContract (Art 6(1)(b))
Processing bookings and paymentsContract (Art 6(1)(b))
Sending booking confirmations and remindersContract (Art 6(1)(b))
Verifying Provider identity (Stripe Identity)Legal obligation / Legitimate interest (Art 6(1)(c) and (f))
Displaying reviews and trust signalsLegitimate interest (Art 6(1)(f))
Platform analytics and improvementLegitimate interest (Art 6(1)(f))
Sending marketing emails (opt-in only)Consent (Art 6(1)(a))
Fraud prevention and safetyLegitimate interest (Art 6(1)(f))
VAT and financial record-keepingLegal obligation (Art 6(1)(c))

4. Data Sharing

We do not sell your personal data. We share data with third-party processors only as necessary to operate the Platform:

ProcessorPurposeLocation
SupabaseDatabase hosting and authenticationEU (eu-west-1, Ireland)
StripePayment processing, payouts, identity verificationEU (Ireland data centre for EU users)
ResendTransactional email deliveryEU
Google Analytics 4Usage analytics (if cookies accepted)EU (with IP anonymisation enabled)
PostHogProduct analytics (if cookies accepted)EU (EU Cloud)
CrispCustomer support chat widgetEU (France)

We may also disclose data where required by law, court order, or to protect the safety of our users or the public.

When you make a booking, your name and relevant booking details are shared with the Provider you have booked. Providers do not receive your full address until they confirm attendance.

5. Data Retention

  • Account data: Retained for the duration of your account plus 2 years after closure (for dispute resolution).
  • Booking and payment records: Retained for 7 years to comply with Irish Revenue and VAT record-keeping requirements.
  • Reviews: Retained until your account is deleted; the review text is anonymised (author name removed) if you delete your account.
  • Chat messages: Retained for 12 months after the associated booking is completed.
  • Analytics data: Aggregated and anonymised after 26 months.
  • Identity verification data: Stripe retains this per their own data retention policy; we store only the verification outcome.

When your account is deleted under GDPR Art 17, we anonymise your personal identifiers (name, email, phone) but retain financial records as required by law.

6. Your Rights

Under GDPR, you have the following rights:

  • Right of access (Art 15): Request a copy of the personal data we hold about you. You can do this from your account settings.
  • Right to rectification (Art 16): Correct inaccurate data. Update most data yourself in your profile settings.
  • Right to erasure (Art 17): Request deletion of your account and personal data. Exercisable from your account settings. Financial records required by law are retained.
  • Right to data portability (Art 20): Receive your data in a machine-readable format (JSON export available in account settings).
  • Right to object (Art 21): Object to processing based on legitimate interest (e.g., marketing analytics).
  • Right to restrict processing (Art 18): Request restriction of certain processing activities.
  • Right to withdraw consent (Art 7(3)): Withdraw consent for processing based on consent (e.g., marketing emails) at any time.

To exercise any of these rights, visit your account settings or contact us at privacy@boxedoff.ie. We will respond within 30 days.

7. Cookies

We use cookies and similar tracking technologies. You are asked for your consent when you first visit the Platform. You can manage your preferences at any time.

For full details of the cookies we use and how to manage them, see our Cookie Policy.

8. International Data Transfers

We store data primarily in the EU. Where any of our processors operate outside the EU/EEA, we ensure adequate safeguards are in place:

  • Supabase: EU region (Ireland) — no transfer outside EU.
  • Stripe: operates under EU Standard Contractual Clauses (SCCs) for any US-based processing.
  • Google Analytics: configured with IP anonymisation and EU data processing terms.

We do not knowingly transfer your data to countries without an EU adequacy decision or appropriate SCCs in place.

9. Children

The Platform is not directed at children under the age of 18. We do not knowingly collect personal data from children. If we become aware that a user is under 18, we will close their account and delete their data. If you believe a child has registered, contact us at privacy@boxedoff.ie.

10. Contact & DPO

For all data protection queries, contact us at:

We will acknowledge your request within 72 hours and provide a full response within 30 days. In complex cases, this may be extended by a further 60 days with notice.

11. Supervisory Authority

The supervisory authority for data protection in Ireland is the Data Protection Commission (DPC). If you are unsatisfied with how we have handled your personal data, you have the right to lodge a complaint with the DPC:

  • Website: www.dataprotection.ie
  • Phone: +353 57 868 4800
  • Post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28