Privacy Policy

Last updated: June 15, 2026

1. Who We Are

Burn Box is operated by Burn Box LLC. This policy describes how we collect, use, and protect your information when you use our secure document sharing platform.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (hashed, never stored in plain text). If you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer ID but never your card details.

Uploaded Files

Files you upload are encrypted and stored temporarily on our servers. When a Burn Box is destroyed, files are permanently and irreversibly deleted. We do not access, read, analyze, or make copies of your uploaded content.

Usage Data

We collect basic usage data including: when boxes are created and destroyed, view counts, session duration, and device/browser information for viewers. We use this data to provide features (view analytics, capture attempt detection) and improve the Service.

View Logs

When a recipient views a Burn Box, we log the timestamp, browser/device type, session duration, and any detected capture attempts. IP-based location is not collected by default.

3. How We Use Your Information

  • To provide and maintain the Service
  • To process payments and manage subscriptions
  • To enforce viewing rules and document security
  • To detect and log capture attempts
  • To send transactional emails (account confirmation, box notifications)
  • To improve the Service

We do not sell your data. We do not use your uploaded content for advertising, training, or any purpose other than delivering the Service.

4. Data Retention

Active files: Stored encrypted until the Burn Box is destroyed (manually, by timer, or by view exhaustion).

Destroyed files: Permanently deleted. No backups. No recovery. Gone.

History metadata: Box name, description, document count, and timestamps are retained in your account history indefinitely so you have a record of what was shared and when.

Account data: Retained while your account is active. Deleted upon account deletion.

View logs: Retained for 90 days, then automatically purged.

5. Data Security

We take security seriously:

  • All files encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Files rendered server-side as protected image tiles
  • No client-side file caching
  • Anti-capture technology (screenshot blocking, dev tools detection, right-click prevention)
  • Short-lived signed URLs for file access
  • Row-level security on all database tables
  • Passwords hashed with bcrypt via Supabase Auth

6. Third-Party Services

We use the following third-party services:

  • Supabase - Database, authentication, and file storage (hosted in the US)
  • Stripe - Payment processing
  • Vercel - Application hosting

These providers have their own privacy policies. We select providers with strong security and privacy practices.

7. Your Rights

You have the right to:

  • Access your account data
  • Correct inaccurate information
  • Delete your account and all associated data
  • Export your history metadata
  • Opt out of non-essential communications

To exercise these rights, contact us at privacy@totumtechnologies.com.

8. Cookies

We use essential cookies only for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Children

Burn Box is not intended for users under 18. We do not knowingly collect information from children.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email. Continued use of the Service after changes constitutes acceptance.

11. Contact

Questions about privacy? Contact us at privacy@totumtechnologies.com.