Effective date: May 9, 2026 · Last updated: May 9, 2026
1. Overview
Bexbox is a personal ledger application for Android. We are committed to collecting only what is needed to make the app work, keeping your records private to you, and giving you the ability to export or delete everything at any time.
This policy applies to the Bexbox mobile application, our marketing website at bexbox.com, and any optional cloud storage subscription you choose to purchase.
2. Data we collect
2.1 Account data
When you sign in with Google, we receive your email address, display name, and profile picture URL from Google. When you sign in with email and password, we receive your email address, and our authentication provider stores a hashed password.
2.2 Content you create
The contacts, transactions, notes, signatures, and attachments (photos, PDFs, videos) you add to your ledger are stored against your account. We do not read this content. It is scoped to your user ID at the database level.
2.3 Profile data
You may optionally add a phone number, address, default currency, and theme preference. This information is used inside the app and on PDF receipts you generate.
2.4 Device and diagnostic data
We log basic technical information needed to operate the service: error stack traces, request timestamps, and the type of operation performed. We do not collect advertising identifiers and we do not use third-party analytics SDKs.
2.5 Payment data
If you subscribe to a cloud storage plan, the transaction is processed by Google Play Billing. We never see or store your card number, billing address, or full payment instrument. We receive only the subscription state and storage tier from Google Play.
3. How we use your data
- To provide the app's core features: contacts, transactions, attachments, search, reports, and export.
- To authenticate you and keep your session secure.
- To enforce per-account storage quotas under your active plan.
- To respond to support requests sent to [email protected].
- To detect, prevent, and respond to security incidents and abuse of the service.
- To comply with legal obligations.
We do not sell your data. We do not use your content to train machine learning models. We do not show you advertising.
4. Legal basis
Where the GDPR or similar laws apply, we process data on the following bases:
- Contract: to deliver the service you signed up for.
- Legitimate interest: to keep the service secure and to debug issues.
- Consent: for any optional features that ask you to opt in (for example, future notification preferences).
- Legal obligation: when required by applicable law.
5. Storage and security
Bexbox uses Supabase as its primary backend. Your records are stored in a managed Postgres database with row-level security policies that scope every query to your user ID. Attachments are stored in private object-storage buckets, accessed only through short-lived signed URLs tied to your authenticated session.
Data is encrypted in transit (TLS) and at rest. Access to production systems by Bexbox staff is limited, audited, and used only for diagnostics or to comply with a lawful request.
No system is perfectly secure. We will notify affected users without undue delay if a breach occurs that is likely to result in risk to your rights.
6. Subscriptions and payments
The base Bexbox app is free to use with a 50 MB storage allowance. Additional cloud storage is offered through paid subscription tiers (Basic, Standard, Pro, Business).
Subscriptions are sold and managed entirely through Google Play Billing. You can view, change, or cancel your subscription at any time from the Google Play Store under "Subscriptions". Cancellation takes effect at the end of the current billing period; refunds are governed by Google Play's refund policy.
Receipts and tax documents are issued by Google Play, not by Bexbox.
7. How we share data
We share data only with the service providers we need to run Bexbox, and only for the limited purpose of running the service:
- Supabase (database, authentication, object storage).
- Google (sign-in, Google Play Billing for subscriptions, Google Play distribution).
- Cloudflare (DNS and CDN for the marketing site).
We do not sell, rent, or trade your data to advertisers, data brokers, or any other third party.
We may disclose information when legally required by a valid subpoena, court order, or other lawful request, after reviewing the request for sufficiency.
8. Data retention
We keep your account data for as long as your account is active. Soft-deleted transactions are kept until you delete your account or otherwise clear them, so that the audit trail remains intact. When you delete your account from Settings, your profile, contacts, transactions, attachments, and audit logs are removed from active systems within 30 days. Backups are rotated and overwritten on a rolling 30-day schedule.
9. Your rights
You can exercise these rights from inside the app or by emailing [email protected]:
- Access: see what we store about you.
- Export: download your transactions, contacts, and attachments as a ZIP at any time from Settings.
- Correct: edit your profile inside the app.
- Delete: remove your account and everything attached to it from Settings.
- Object or restrict: tell us to stop a particular processing activity where the law allows.
- Complain: lodge a complaint with your local data-protection authority.
10. Children
Bexbox is not intended for children under 13. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
11. International transfers
Our infrastructure operates from servers that may be located outside your country of residence. Where required, we rely on standard contractual clauses or equivalent safeguards for cross-border transfers.
12. Changes to this policy
We will update this page when material changes happen. The "Last updated" date at the top reflects the most recent revision. If a change materially reduces your rights, we will notify you in-app or by email.
13. Contact
Questions, requests, or feedback: [email protected].