Privacy Policy
Last updated: March 21, 2026
At a Glance
This summary gives you a quick overview. Full details follow below.
| Data | Purpose | Legal Basis (GDPR) | Retention |
|---|---|---|---|
| Email address | Account creation, sign-in links | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Game activity (scores, coins, events) | Save progress, anti-cheat, coin balance | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Device info (browser, screen size, OS) | Analytics, bug fixing, compatibility | Legitimate interest (Art. 6(1)(f)) | Anonymized; no personal identifiers retained |
| Usage data (pages, features, sessions) | Improve games and services | Legitimate interest (Art. 6(1)(f)) | Anonymized; no personal identifiers retained |
| Authentication cookies | Keep you signed in across games | Contract performance (Art. 6(1)(b)) | 1 year (auto-renewed on sign-in) |
We do not sell your personal information. We do not use advertising cookies or third-party tracking cookies. Our analytics are cookieless and contain no personal identifiers.
1. Who We Are
Boxly Games ("Boxly," "we," "us," or "our") operates the website boxly.games and its subdomains (collectively, the "Service"). Boxly is the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and the UK GDPR.
For privacy-related inquiries, you can reach us at privacy@boxly.games.
2. Scope of This Policy
This Privacy Policy applies to data collected when you visit or use boxly.games and any game hosted on its subdomains (e.g., tap-stack.boxly.games).
This policy does not apply when you play Boxly games on third-party platforms such as CrazyGames. When our games run on CrazyGames, Boxly does not collect any personal data whatsoever — all authentication, analytics, and advertising are handled entirely by CrazyGames under their own privacy policy. Boxly's data collection services (Supabase, PostHog, and AdinPlay) are completely disabled and removed from CrazyGames builds at build time.
3. Information We Collect
3.1 Information You Provide
- Email address — provided only when you choose to create a Boxly account to save your progress. You can play all games anonymously without providing any personal information.
3.2 Information Collected Automatically
- Game activity — scores, coins earned, games played, and gameplay events. This data is tied to your account (if you have one) or to an anonymous session identifier (a random UUID with no personal meaning).
- Device information — browser type, screen size, and operating system. Collected via cookieless analytics and never linked to an identifiable individual.
- Usage data — pages visited, features used, and session duration. Collected via cookieless analytics and never linked to an identifiable individual.
3.3 Information We Do NOT Collect
- Passwords (we use passwordless magic-link authentication)
- Payment or financial information (payment features are not active)
- Precise geolocation
- Biometric data
- Social media profiles
- Data from children under 13 (see Section 9)
4. How We Use Your Information
We use collected information for the following purposes only:
- Account management — to create and maintain your account, authenticate you via magic links, and keep you signed in across games on boxly.games
- Game functionality — to save your game progress, track your coin balance, and sync data across devices
- Transactional communications — to send sign-in magic links when you request them (we do not send marketing emails unless you explicitly opt in)
- Service improvement — to understand how our games are used through aggregated, anonymized analytics so we can fix bugs, improve performance, and build better games
- Anti-cheat and security — to enforce server-side limits (e.g., 100 coins per minute per game) and detect abuse
We do not use your data for profiling, behavioral advertising, automated decision-making, or AI training.
5. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:
- Performance of a contract (Article 6(1)(b)) — processing your email address, game activity, and authentication cookies is necessary to provide the Service you requested (your Boxly account, saved progress, and coin balance).
- Legitimate interests (Article 6(1)(f)) — processing anonymized device and usage data through cookieless analytics to improve our games and services. Our legitimate interest is understanding how our games perform and identifying bugs. This processing poses minimal risk to your privacy because the data contains no personal identifiers, and we have conducted a balancing test confirming that our interests do not override your rights.
We do not rely on consent as a legal basis for any processing, because we do not use any non-essential cookies or trackers that would require consent. If we introduce consent-based processing in the future, we will update this policy and implement an appropriate consent mechanism.
6. Cookies and Similar Technologies
6.1 Cookies We Set
We use essential cookies only. These are strictly necessary for the Service to function and do not require consent under the ePrivacy Directive or GDPR.
| Cookie | Purpose | Domain | Duration | Attributes |
|---|---|---|---|---|
| Authentication session | Keep you signed in across Boxly games | .boxly.games | 1 year | SameSite=Lax; Secure; HttpOnly |
6.2 Cookies We Do NOT Set
- No advertising or targeting cookies
- No third-party tracking cookies
- No analytics cookies — our analytics provider (PostHog) runs in cookieless mode, meaning it does not set any cookies or store persistent identifiers on your device
6.3 Third-Party Cookies
Advertising partners (AdinPlay) may set their own cookies when serving ads. We do not control these cookies. You can manage third-party cookies through your browser settings. See Section 8 for links to our ad partners' privacy policies.
7. Data Storage, Security, and International Transfers
7.1 Where Your Data Is Stored
- Supabase (PostgreSQL on AWS) — user accounts, authentication data, and coin transactions. Data is hosted in the United States.
- Cloudflare — website hosting, CDN, and API Workers. Data may be processed at Cloudflare edge locations worldwide.
- PostHog — cookieless analytics. US instance (us.i.posthog.com). Analytics data contains no personal identifiers.
7.2 International Data Transfers
If you are located in the EEA, UK, or Switzerland, your data may be transferred to the United States. We ensure appropriate safeguards for these transfers through:
- The EU-US Data Privacy Framework (where our processors are certified)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Our processors' compliance with equivalent data protection standards
You can request a copy of the applicable transfer safeguards by contacting us at privacy@boxly.games.
7.3 Security Measures
We protect your data with:
- Encryption in transit (HTTPS/TLS on all connections)
- Encryption at rest (provided by Supabase/AWS)
- Row-level security policies on our database
- Restricted access to personal data on a need-to-know basis
- Passwordless authentication (magic links eliminate the risk of password breaches)
No system is 100% secure. If we discover a data breach that poses a risk to your rights, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR.
8. Third-Party Services
We share data with the following third-party service providers, who process data on our behalf (as data processors) or as independent controllers where indicated:
Supabase (data processor)
Provides authentication and database hosting. Processes your email address, authentication tokens, and game data. Supabase Privacy Policy
PostHog (data processor)
Provides cookieless product analytics. Receives only anonymized device and usage data with no personal identifiers. PostHog Privacy Policy
Cloudflare (data processor)
Provides hosting, CDN, and serverless compute (Workers). May process IP addresses transiently for security and routing purposes. Cloudflare Privacy Policy
AdinPlay (independent controller)
Provides advertising on boxly.games. AdinPlay and its demand partners may collect data through ads they serve, including via cookies. Boxly does not control AdinPlay's data collection. AdinPlay Privacy Policy
CrazyGames (independent controller)
Distributes Boxly games on crazygames.com. When you play our games on CrazyGames, Boxly collects no data — CrazyGames handles all data processing under their own policy. CrazyGames Privacy Policy
Paddle (dormant)
Payment processing is integrated but currently inactive (feature-flagged off). No payment data is collected at this time. If payments are activated in the future, this policy will be updated before any financial data is processed. Paddle Privacy Policy
We do not sell, rent, or trade your personal information to any third party.
9. Children's Privacy (COPPA and GDPR-K)
Boxly takes children's privacy seriously. Our approach is designed to comply with the US Children's Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation as it applies to children (GDPR-K), and the UK Age Appropriate Design Code.
9.1 Age Requirements
- You must be at least 13 years old to create a Boxly account.
- Users of any age may play games anonymously without creating an account. Anonymous gameplay on boxly.games does not collect any personal information — only anonymized analytics data that contains no personal identifiers.
9.2 No Data Collection from Children Under 13
We do not knowingly collect, use, or disclose personal information from children under the age of 13. We do not have a verifiable parental consent mechanism, and therefore we do not permit account creation by children under 13.
9.3 Discovery and Deletion
If we discover that we have inadvertently collected personal information from a child under 13, we will:
- Immediately delete the account and all associated personal data
- Remove all coin transaction records linked to that account
- Purge all authentication session data
If you are a parent or guardian and believe your child under 13 has created a Boxly account or provided personal information to us, please contact us immediately at privacy@boxly.games and we will delete the data promptly.
9.4 Advertising and Children
Boxly does not engage in behavioral advertising or profiling of any user. Ads displayed on boxly.games are contextual (not targeted based on user behavior). We do not knowingly serve personalized ads to children.
10. Your Privacy Rights
10.1 Rights for All Users
Regardless of where you are located, you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request that we correct inaccurate personal data
- Deletion — request that we delete your account and all associated personal data
- Data portability — request your data in a structured, machine-readable format
10.2 Additional Rights for EEA, UK, and Swiss Residents (GDPR)
Under the GDPR, you also have the right to:
- Object to processing — you may object to processing based on legitimate interests (e.g., analytics). We will stop processing unless we demonstrate compelling legitimate grounds.
- Restrict processing — you may request that we limit how we use your data while a dispute is being resolved.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time. (Note: we currently do not rely on consent for any processing.)
- Lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
10.3 Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:
- Right to know — you may request the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to delete — you may request deletion of your personal information, subject to certain exceptions.
- Right to correct — you may request correction of inaccurate personal information.
- Right to opt out of sale/sharing — we do not sell or share (as defined by the CCPA/CPRA) your personal information. Because we do not sell or share personal information, there is no need for a "Do Not Sell or Share My Personal Information" link.
- Right to non-discrimination — we will not deny you services, charge different prices, or provide a different quality of service because you exercise your CCPA rights.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CCPA/CPRA (we collect only email addresses and gameplay data).
CCPA categories of personal information collected:
- Identifiers — email address, unique account ID
- Internet or network activity — game activity, usage data (anonymized, cookieless)
Categories of personal information sold or shared: None. We do not sell or share personal information.
Categories of personal information disclosed to service providers: Identifiers (to Supabase for authentication); Internet or network activity (to PostHog, anonymized and containing no personal identifiers).
To exercise any CCPA right, email us at privacy@boxly.games. We will verify your identity before processing your request and respond within 45 days.
10.4 How to Exercise Your Rights
To exercise any of the rights described above, contact us at privacy@boxly.games. We will respond within 30 days (or 45 days for CCPA requests, with a possible 45-day extension if needed).
11. Account Deletion
You may request deletion of your Boxly account and all associated data at any time. To do so:
- Send an email to support@boxly.games
- Use the subject line: "Account Deletion Request"
- In the email body, include the email address associated with your Boxly account
Using this exact subject line helps us process your request quickly.
Upon receiving a valid deletion request, we will:
- Delete your user account record
- Delete all coin transaction records associated with your account
- Delete all authentication session data
- Complete the deletion within 30 days of your request
Anonymized, aggregated analytics data (which contains no personal identifiers) will be retained, as it cannot be linked back to you.
12. Data Retention
- Account data (email, game activity, coin transactions) — retained for as long as your account is active. Deleted within 30 days of an account deletion request.
- Authentication cookies — expire after 1 year. Renewed automatically when you sign in.
- Anonymized analytics data — retained indefinitely. This data contains no personal identifiers and cannot be used to identify you.
- Anonymous session identifiers (UUIDs for users who never create an account) — these are random identifiers with no personal meaning and are not considered personal data.
13. Advertising
Boxly games on boxly.games display ads provided by AdinPlay. These include:
- Rewarded video ads — you choose to watch an ad in exchange for an in-game benefit (e.g., a second chance)
- Interstitial ads — displayed between gameplay sessions
Boxly itself does not set advertising cookies. However, AdinPlay and its demand-side partners may use their own cookies and tracking technologies when serving ads. Please review AdinPlay's Privacy Policy for details on their data practices.
When our games run on CrazyGames, advertising is handled entirely by the CrazyGames SDK, and Boxly has no involvement in ad-related data collection on that platform.
14. Virtual Currency (Coins)
Boxly games feature a virtual currency called "Coins." Please see our Terms of Service for full details. From a privacy perspective:
- Coin transactions are stored as append-only records in our database, linked to your account
- Your coin balance is derived from the sum of these transactions
- All coin transaction records are deleted when you delete your account
- Coins have no monetary value and are not considered financial data
15. Do Not Track Signals
Some browsers transmit a "Do Not Track" (DNT) signal. Because we do not engage in cross-site tracking and our analytics are cookieless and anonymized, our Service inherently respects DNT signals. We also recognize and honor the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing under the CCPA — though because we do not sell or share personal information, no change in behavior is required.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will:
- Update the "Last updated" date at the top of this page
- Post a prominent notice on boxly.games for at least 30 days
- Where required by law, obtain your consent before applying material changes
Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree, you should stop using the Service and request account deletion.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
- Privacy inquiries: privacy@boxly.games
- Account deletion: support@boxly.games (subject line: "Account Deletion Request")
- General support: support@boxly.games
If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.