1. Data controller
The controller responsible for processing your personal data is:
- Controller: LOUREO, S.L.
- Tax ID (NIF): B19835214
- Registered address: Avenida Reina Victoria, 29, 28003, Madrid (Spain)
- Contact and exercise of rights: info@boonbox.app
We have not appointed a Data Protection Officer (DPO), as this is not mandatory under Article 37 of the GDPR. For any privacy-related matter you can write to us at info@boonbox.app.
2. Data we process
We process the following categories of data, depending on your use of the service:
Your Instagram account data
- Account identifier, username, name and profile picture.
- Access token for the Meta/Instagram API, which we store encrypted.
Content of your direct messages (DMs)
- The content of the messages received in your Instagram inbox, as well as the sender's identifier and name, for the purpose of filtering them and finding collaboration and billing opportunities.
Contact and account data in Boonbox
- Notification email and, where applicable, phone number for WhatsApp notifications.
- Notification preferences and account settings.
Billing data
- If you subscribe to a paid plan, the transaction and subscription data. Payment is processed by Stripe; we do not store your full card details.
Technical data
- Data strictly necessary for operation (session, security). See the Cookie Policy.
3. Purposes and legal basis
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Providing the service: connecting your Instagram, filtering your DMs through automated processing and notifying you of opportunities. | Performance of the contract (Art. 6(1)(b)). |
| Sending notifications by email or WhatsApp about detected opportunities. | Performance of the contract (Art. 6(1)(b)). |
| Managing payment and the Pro plan subscription. | Performance of the contract (Art. 6(1)(b)). |
| Ensuring the security of the service and preventing fraud. | Legitimate interest (Art. 6(1)(f)). |
| Handling your requests and the exercise of your rights. | Compliance with a legal obligation (Art. 6(1)(c)). |
4. Automated analysis of your messages
To filter opportunities, the content of your direct messages is processed automatically through a language-model technology provider, Anthropic (provider of the Claude model). This processing is essential for the provision of the service.
The analysis is automated and supportive: it classifies messages to prioritise your attention, but it does not produce legal effects concerning you or similarly significantly affect you. Decisions about opportunities are always made by you. In accordance with its API terms, the provider does not use the processed content to train its models.
5. Recipients and data processors
We do not sell your data. To provide the service we share strictly necessary data with the following providers, which act as data processors under contract in accordance with Article 28 of the GDPR:
| Provider | Purpose | Location |
|---|---|---|
| Meta Platforms (Instagram) | Source of the data and authentication (Instagram API) | USA / EU |
| Anthropic | Automated analysis of message content | USA |
| Supabase | Database, authentication and storage | EU / USA |
| Vercel | Application hosting | USA / EU |
| Upstash | Job queue and temporary storage (Redis/QStash) | EU / USA |
| Resend | Sending notification emails | USA |
| Kapso | Sending WhatsApp notifications | EU / USA |
| Stripe | Payment and subscription processing | USA / Ireland |
We may also disclose data to the competent authorities where there is a legal obligation to do so.
6. International transfers
Some of the providers listed are located outside the European Economic Area (mainly in the USA). Such transfers are carried out with the appropriate safeguards provided for in Chapter V of the GDPR, primarily by means of Standard Contractual Clauses approved by the European Commission and, where applicable, the provider's adherence to the EU-US Data Privacy Framework. You can request information about these safeguards by writing to us at info@boonbox.app.
7. Retention periods
- While your account is active, we retain the data necessary to provide you with the service.
- If you delete your account or revoke access to Instagram, we delete or anonymise your data within a reasonable period, except for data we are required to retain due to legal obligations.
- Billing data is retained for the periods required by tax and commercial regulations (generally, up to 6 years).
8. Your rights
You may exercise the following rights at any time:
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure (the "right to be forgotten").
- Restriction of processing.
- Objection to processing.
- Portability of your data.
To exercise them, write to us at info@boonbox.app indicating the right you wish to exercise. If you consider that we have not handled your request properly, you have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).
9. Deletion of your data
You can delete your account and all associated data at any time, on your own, from your account's Settings page, in the "Danger zone" → "Delete account" section.
When you delete your account, the following are permanently removed, among others:
- Your Boonbox account and your profile and contact data.
- The connection to your Instagram account and the stored access token.
- The content of the analysed direct messages and the detected opportunities.
- Your notification preferences and settings.
If you have an active paid subscription, it is automatically cancelled as part of the deletion process. Deletion is immediate and irreversible and requires a double confirmation to prevent accidental deletions. We will only retain data that we are legally obliged to keep (for example, billing data during the tax periods indicated in the retention section).
You can also disconnect Boonbox from your Instagram account's app settings. When you withdraw access to the application from Instagram, we receive a notice from Meta and delete your data in an equivalent and automatic manner.
If you prefer not to do it yourself, or have any problem with the process, you can ask us to delete your data by writing to us at info@boonbox.app.
10. Security
We apply appropriate technical and organisational measures to protect your data, including encryption of Instagram access tokens (AES-256), encrypted connections (HTTPS) and access controls. No system is infallible, but we work to maintain a level of security appropriate to the risk.
11. Minors
The service is intended for persons over 14 years of age. If you are under that age, you must not use Boonbox or provide us with your data. If we detect that we have processed a minor's data without the appropriate authorisation, we will delete it.
12. Changes to this policy
We may update this Privacy Policy to reflect legal or service changes. We will publish the current version on this page, indicating the date of the last update. We recommend that you review it periodically.