Privacy Policy | BOXMEX

Our role and how to read this policy

Data controller. BOXMEX, LLC, a Texas limited liability company ("BOXMEX," "we," "us," or "our"), is generally responsible for personal information processed through the Services described below.

What this policy covers. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you use our websites, applications, and related shipping and logistics offerings (collectively, the "Services"), including https://www.boxmex.ai.

Related terms. Our Terms of Service govern use of the Services (for example, English or Spanish, depending on the locale you select). They are incorporated by reference only as needed to explain account obligations. If anything in this policy conflicts with a separate written agreement you enter into with us (for example, an enterprise agreement), that agreement controls to the extent of the conflict.

Agreement. By accessing or using the Services, you acknowledge this Privacy Policy. If you do not agree, please do not use the Services.

"Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with you or your household, directly or indirectly, depending on applicable law. It does not include information that is aggregated or de-identified in line with applicable law.

1) Scope

This Privacy Policy applies to personal information we process in connection with:

• account creation and authentication;
• quote, checkout, payment, shipping, tracking, and claims workflows;
• customer support and communications;
• security, fraud prevention, and legal compliance.

This Privacy Policy does not apply to third-party websites, carriers, payment processors, or platforms that have their own privacy policies, even if you reach them through links or integrations we provide.

2) Information we collect

Depending on how you use the Services, we may collect:

A. Account and identity data

• name and profile data (for example, when using OAuth or another social sign-in provider you choose);
• email address;
• account identifiers and role or access metadata;
• preferred language or locale.

B. Contact and shipping data

• sender and recipient name;
• phone number;
• address information (street, city, state, postal code, country);
• shipment details needed to generate labels and process delivery.

C. Order and transaction data

• quote selections, order number, order status, and shipment lifecycle data;
• payment transaction metadata (such as processor transaction IDs and payment channel);
• claim and refund records;
• support ticket data and related communications.

D. Compliance and risk data

• records of required acknowledgments (for example, prohibited-items acknowledgment);
• sanctions or compliance screening data associated with order processing;
• anti-fraud and abuse-prevention signals.

3) Sources of information

We collect information:

• directly from you (for example, when you sign in, create shipments, or contact support);
• from service providers you authorize or interact with through the Services (for example, payment processors and shipping providers);
• automatically from your use of the Services and system events; and
• from compliance and security sources used to support lawful operations.

If you choose not to provide information that is necessary for a shipment, payment, or account feature, we may be unable to complete that transaction or provide that feature.

4) How we use information

We use personal information to:

• provide and operate the Services;
• authenticate users and maintain account and session security;
• create, manage, and fulfill shipments;
• process payments, refunds, and related accounting records;
• provide tracking, support, and claims handling;
• detect, investigate, and prevent fraud, abuse, and security incidents;
• maintain logs and evidence for operational integrity and dispute handling;
• comply with legal, tax, regulatory, customs, and contractual obligations;
• communicate with you about transactions, account activity, service updates, and (where permitted) marketing;
• improve service reliability, performance, and safety.

5) Legal bases (EEA, UK, Switzerland, and similar laws)

If data protection laws such as the GDPR or UK GDPR apply, we process personal information on one or more of these legal bases:

• Contract: providing shipping, account, and related services you request;
• Legitimate interests: securing the Services, preventing fraud and abuse, improving reliability, and internal operations that are not overridden by your rights;
• Legal obligation: tax, customs, sanctions, and recordkeeping duties; and
• Consent: where required by law or where we specifically ask for your consent (for example, certain optional communications or cookies, if we later offer them).

6) How we share information

We may share personal information with:

• Service providers and processors that support our operations (for example, infrastructure, database hosting, authentication, email delivery, payment processing, shipping APIs, logging, monitoring, and rate limiting);
• Shipping, payment, and logistics partners needed to quote, purchase, and manage shipment and payment services;
• Professional advisors (such as legal, audit, and accounting advisors) under confidentiality obligations;
• Authorities and regulators when required by law, legal process, or to protect rights, safety, and platform integrity; and
• Business transferees in connection with a merger, financing, acquisition, reorganization, or asset sale, subject to appropriate safeguards.

We do not sell personal information for money. We also do not share personal information for cross-context behavioral advertising as those terms are defined under applicable U.S. state privacy laws.

7) Service providers and integrations

We use third-party providers to operate the Services. Categories include:

• hosting and deployment;
• managed database and infrastructure services;
• authentication and account access;
• transactional email delivery;
• payment processing;
• shipping and logistics APIs; and
• error monitoring and observability tooling.

Providers may change over time. We update this policy when our processing practices materially change.

8) Data retention

We retain personal information only as long as necessary to:

• provide the Services and maintain your account;
• complete shipments and related workflows;
• comply with legal, tax, accounting, sanctions, and customs obligations;
• enforce our agreements and resolve disputes; and
• preserve security, fraud-prevention, and audit records.

Retention periods vary by data category and legal requirements. When no longer needed, we delete, de-identify, or aggregate personal information, unless longer retention is required or permitted by law.

9) Security

We use administrative, technical, and organizational safeguards designed to protect personal information, including access controls, transport security, event logging, and data minimization or redaction in operational telemetry.

No method of transmission or storage is completely secure. You are responsible for safeguarding your account credentials and notifying us promptly of suspected unauthorized access.

10) Your privacy rights

Depending on where you live, you may have the right to:

• Access personal information we hold about you;
• Correct inaccurate personal information;
• Delete personal information, subject to legal exceptions;
• Object to or restrict certain processing;
• Port eligible data to another service, where technically feasible;
• Withdraw consent where processing is based on consent; and
• Appeal a refusal of your request where applicable state law requires an appeal process.

How to submit a request. Contact us using the details in Section 16. We may need to verify your identity before responding and will request only the minimum information needed to do so.

Timing. We will respond within the time period required by applicable law (for example, many U.S. state laws require a response within 45 days, subject to extension where permitted; GDPR timeframes may apply in the EEA or UK).

Authorized agents. Where permitted by law, you may designate an authorized agent to submit a request on your behalf. We may require proof of authorization and may still need to verify your identity.

11) U.S. state privacy notices

If you reside in a U.S. state with comprehensive privacy laws, our collection, use, and disclosure practices are described in this policy—particularly Section 2 (information we collect), Section 4 (how we use information), Section 6 (how we share information), and Section 10 (your privacy rights).

Sensitive personal information. Some laws classify certain data as "sensitive" (for example, account credentials or, in some contexts, precise geolocation). We use such information only to provide the Services, security, and compliance as described in this policy. Where a state grants a right to limit use of sensitive personal information, you may contact us as set out in Section 16.

12) Automated processing

We may use automated systems (for example, compliance screening, fraud scoring, or risk signals) to support decisions about whether we can process a transaction or account activity. Significant decisions are designed to involve human review where required by law. If you believe an automated decision has affected you unlawfully, contact us using Section 16 and we will explain how to seek review where applicable.

13) Third-party sites and services

The Services may contain links to third-party websites, carrier tools, or payment interfaces. Their collection and use of information are governed by their policies, not this one. We encourage you to read those policies before providing information.

14) Communications and marketing

We may send transactional messages (for example, order confirmations, shipment updates, security notices, and policy changes) as needed to operate the Services.

If we send promotional communications where law requires consent or an opt-out, we will provide a way to opt out (for example, an unsubscribe link in marketing email or account settings, where available). You may always contact us at privacy@boxmex.ai to ask about marketing preferences.

15) Security incidents

If we become aware of a breach affecting your personal information that requires notification under applicable law, we will notify you and regulators as required by those laws.

16) Contact us

Questions, requests, or complaints about this Privacy Policy or our privacy practices:

17) Changes to this privacy policy

We may update this Privacy Policy from time to time. We will post the updated version on the Services with a revised Last modified date and policy version. Where required by law, we will provide additional notice (for example, email or prominent in-product notice) or obtain consent.

Your continued use of the Services after the effective date of an update means you acknowledge the revised Privacy Policy, except where your consent is required for a new use and we seek that consent separately.