Privacy Policy

Updated on June 5ht,2026

We are committed to protecting your privacy and being transparent about how we collect, use and protect your personal data.

This Privacy Policy explains how Altilium Technology d.o.o., Ljerke Šram 16, 10000 Zagreb, Croatia, registration number / OIB: 59756192595, operating under the commercial brand Boxy, collects, uses and protects your personal data when you use the Boxy application, the Boxy website and our portable power bank rental service.

Altilium Technology d.o.o. is the controller of your personal data within the meaning of the General Data Protection Regulation — GDPR.

This Privacy Policy applies to the Boxy application, the Boxy website, the Boxy portable power bank rental service, customer support communication, newsletters, prize contests and other services operated by Boxy.

By using the Boxy application and service, you confirm that you have read this Privacy Policy and understand how we process your personal data.

If you have any questions about this Privacy Policy or the processing of your personal data, you can contact us at:

Altilium Technology d.o.o.
Ljerke Šram 16
10000 Zagreb, Croatia
OIB: 59756192595
E-mail: info@boxypower.com

Given the scope and nature of our processing activities, we are not required to appoint a Data Protection Officer — DPO.

WHAT INFORMATION ABOUT ME IS COLLECTED AND STORED?

We collect only the personal data that is necessary for providing the Boxy service, complying with legal obligations, ensuring system security and — where applicable — communicating with you based on your consent.

We process your personal data on the following legal bases under the GDPR:

Performance of contract — Article 6(1)(b) GDPR — when processing is necessary to provide the Boxy service, create and manage your account, authenticate you, enable power bank rental, process billing and provide customer support.

Legal obligation — Article 6(1)(c) GDPR — when we are required to retain invoices, transaction records and other business documentation under applicable accounting, tax and legal regulations.

Legitimate interest — Article 6(1)(f) GDPR — when we process technical data to ensure system security, prevent misuse, detect fraud and protect the Boxy network.

Consent — Article 6(1)(a) GDPR — when you consent to marketing communication, location access, participation in prize contests or sharing data with sponsors.

Personal Information

When you register for the Boxy application or use the Boxy service, we may collect the following personal data:

  • First name and surname
  • E-mail address
  • Mobile phone number
  • Boxy User ID
  • Optional profile photo
  • Account registration and authentication data
  • Rental history
  • Power bank pickup and return locations
  • Rental duration
  • Transaction history
  • Customer support communication

These data are necessary to create your user account, provide the Boxy rental service, process transactions, communicate with you regarding your account and provide customer support.

If you participate in Boxy prize contests, we may collect additional data listed in the contest application form, such as your first name, surname, e-mail address, mobile phone number, Boxy User ID and answers to survey questions related to the specific contest.

The Boxy service is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors without valid consent from a parent or legal guardian. If we become aware that we have collected personal data from a minor without valid consent, we will delete such data without delay.

Non-Personal Information

When you use the Boxy application or website, we may automatically collect technical and usage data necessary for the operation, security and improvement of the service.

This may include:

  • IP address
  • Device type and model
  • Operating system
  • Unique device identifiers
  • Access times
  • Basic application usage data
  • System logs
  • Error logs
  • Anonymized analytics data

We use this information to operate the service, maintain system security, detect technical issues, prevent misuse, improve the application and analyze general usage trends.

Where analytics cookies or similar technologies are used, they are used only in accordance with your consent where required by law.

Collection of Your Source IP Address/Location Information

The Boxy application may request access to your location for the purpose of displaying nearby Boxy stations and enabling proper use of the power bank rental service.

We use location data to:

  • Show the nearest available Boxy stations
  • Record the location where a power bank is picked up or returned
  • Support customer service requests
  • Prevent misuse of the service
  • Improve availability and operation of the Boxy network

You can disable location access at any time in your device settings. However, disabling location access may limit certain functionalities of the application.

We may also collect your device’s source IP address, which may indicate the approximate location of your device at the time you access the application or website. This is used for technical operation, security and fraud prevention.

Collection of Personal Information From or Through Social Media Sites or Using Your Social Media Logo

We do not currently rely on social media login or social media profile data as a core part of the Boxy service.

If, in the future, we enable login or interaction through social media platforms, we will collect only the data that you authorize and that the relevant platform permits us to access. Any such processing will be carried out in accordance with this Privacy Policy, the GDPR and the privacy settings of the relevant social media platform.

If you interact with Boxy through our official social media pages, we may see the information that you make publicly available through that platform, such as your profile name, public comments or messages you send to us.

Collection of Information From Other Sources

We may receive limited information from third-party service providers that are necessary for the operation of the Boxy service.

For example, our payment processor may confirm that a transaction has been completed, including transaction number, amount and date of payment.

We do not collect credit or debit card details directly. Payments in the Boxy application are processed by Monri Payments d.o.o., and card data are processed directly between you and Monri in accordance with Monri’s applicable privacy and security rules. Boxy receives only the transaction data necessary for records, invoicing, support and legal compliance.

We may also receive information from customer support communication, accounting records, technical providers or competent authorities where necessary and lawful.

Collection of Personal and Non-Personal Information Through Promotions

Boxy may occasionally organize promotions, campaigns, surveys or prize contests, either independently or in cooperation with sponsors.

Participation is always voluntary and, where personal data are collected, based on your consent or another applicable legal basis.

If you participate in a prize contest, the relevant application form will clearly state which personal data are collected, for what purpose, how long they are kept and whether any data may be shared with a sponsor.

Boxy prize contests are not games of chance within the meaning of the Croatian Gaming Act when the winner is not selected randomly but chosen by a jury based on predefined criteria, such as creativity, originality, relevance of the answer or other criteria specified in the rules of the particular contest.

Collection of Third-Party Personal Information Through Referrals Feature

We do not currently operate a standard referral feature that requires users to provide personal data of third parties.

If we introduce such a feature in the future, we will collect only the minimum information necessary to send the referral invitation and track the referral process. We will use the third party’s data only for the stated referral purpose and will delete or anonymize it when it is no longer necessary.

Use of Cookies and Other Tracking Technologies

The Boxy application and website use cookies and similar technologies for basic functionality, security, analytics and improvement of user experience.

We may use the following types of cookies:

Necessary cookies — required for basic functionality, authentication and security. These cookies cannot be disabled because the service cannot function properly without them.

Analytics cookies — used for anonymized usage measurement and service improvement. These are used only with your consent where required.

Functional cookies — used to remember your settings, such as language or region. These are used with your consent where required.

On your first visit to the Boxy website, a notice is displayed with the option to accept or reject non-essential cookies. You can change your cookie settings at any time through the link in the website footer.

Cookies and permissions in the mobile application can also be managed through your device settings.

If you disable certain cookies or permissions, some features of the website or application may not function properly.

How Do We Use Your Information?

We use your personal data only for specific and lawful purposes connected with the Boxy service.

These purposes include:

  • Creating and managing your Boxy user account
  • Authenticating users
  • Enabling power bank rental
  • Recording pickup and return of power banks
  • Processing transactions
  • Preparing transaction and invoice records
  • Providing customer support
  • Sending service-related notifications
  • Ensuring system security
  • Preventing misuse and fraud
  • Maintaining and improving the Boxy application and network
  • Sending marketing communication only where you have given consent
  • Organizing prize contests where you voluntarily participate
  • Complying with legal, accounting and tax obligations

We do not sell your personal data.

General Uses

We may use your personal data and technical data for the following general purposes:

  • To provide the Boxy service you request
  • To create, verify and manage your user account
  • To enable rental and return of Boxy power banks
  • To process payments and maintain transaction records
  • To communicate with you about your account, rental activity or service-related matters
  • To respond to your customer support requests
  • To inform you about changes to our policies, terms or service
  • To send newsletters and marketing communication only if you have given consent
  • To invite you to participate in prize contests, if you have consented to receive such communication
  • To analyze and improve the service using anonymized or aggregated data
  • To detect, investigate and prevent fraud, misuse, unauthorized access or other illegal activity
  • To comply with applicable legal obligations

Use of Your Location Information

We use your location information only where necessary for the Boxy service or where you have allowed location access.

Specifically, we may use location information to:

  • Show nearby Boxy stations
  • Record the pickup and return location of a power bank
  • Confirm whether a power bank has been returned to a valid station
  • Support customer service requests
  • Improve the placement and availability of Boxy stations
  • Prevent misuse of the service

You can disable location access in your device settings. However, some functions of the Boxy service may not work properly without location access.

Combination of Your Personal Information

We may combine information collected through different parts of the Boxy service when this is necessary to provide the service, maintain accurate account records, process transactions, respond to support requests, prevent misuse or comply with legal obligations.

For example, we may connect your user account data with rental history, transaction records and support communication.

We may also use anonymized or aggregated data for internal reporting, analytics and service improvement. Aggregated or anonymized data cannot be used to identify you and does not constitute personal data under the GDPR.

Who Do We Provide Your Information To?

We do not sell your personal data.

We share your personal data only where necessary for the provision of the Boxy service, where required by law or where you have given explicit consent.

We may share data with:

  • Payment processing providers
  • Hosting and cloud infrastructure providers
  • E-mail and notification service providers
  • Web analytics providers
  • Accounting and tax service providers
  • Customer support and technical service providers
  • Prize contest sponsors, but only with your explicit consent for a specific contest
  • Competent authorities where required by law or court order

All service providers that process personal data on our behalf are required to protect your data in accordance with GDPR standards and process it only according to our instructions.

Business Partners, Sponsors and Third Parties

Boxy may cooperate with business partners and sponsors in connection with campaigns, promotions or prize contests.

We share your personal data with sponsors only if:

  • You participate in a specific contest or campaign voluntarily
  • The form clearly identifies the sponsor
  • The form clearly states which data will be shared
  • The form clearly states the purpose of sharing
  • You give separate and explicit consent for such sharing

If a sponsor receives your personal data based on your consent, the sponsor becomes an independent controller for the processing described in the relevant consent and must comply with the GDPR and any limitations stated in the consent.

Sponsors may always receive aggregated and anonymized survey data that cannot be linked to a specific person, such as statistical averages or percentages. Such aggregated data do not constitute personal data under the GDPR.

Third-Party Agents

We use third-party service providers, also known as processors, to perform services necessary for the operation of Boxy.

These may include:

  • Monri Payments d.o.o. — card payment processing, Croatia
  • Hosting and cloud infrastructure provider — data storage in the EU/EEA
  • Brevo — e-mail marketing platform and transactional notifications, EU
  • Web analytics provider — anonymized analysis of application and website usage, EU
  • Accounting service — bookkeeping and tax compliance, Croatia
  • Technical support and infrastructure providers

These providers may access only the personal data necessary to perform their function.

They are contractually required to:

  • Process data only on our instructions
  • Apply appropriate technical and organizational security measures
  • Keep data confidential
  • Not sell or use the data for their own unrelated purposes
  • Not transfer data outside the EU/EEA without appropriate safeguards
  • Notify us without delay in the event of a personal data breach

Emergency Situations

We may disclose your personal data where required by law, court order or competent authority.

This may include disclosure to:

  • Courts
  • Police
  • Tax authorities
  • Regulatory bodies
  • Croatian Personal Data Protection Agency — AZOP
  • Other competent public authorities

We may also disclose data where necessary to protect the rights, property or safety of Boxy, our users, our partners or the public, including for fraud prevention, investigation of misuse, security incidents or unlawful activity.

What Steps Are Taken To Keep Personal Information Secure?

We apply appropriate technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, loss or destruction.

These measures include:

  • Encrypted communication using HTTPS/TLS between the application and our servers
  • Secure storage of personal data
  • Encrypted storage where applicable
  • Access control so that only authorized persons can access data
  • Access limited to what is necessary for each person’s work
  • Regular data backups
  • System monitoring and detection of unusual activities
  • Contractual confidentiality obligations with associates and processors
  • Security obligations imposed on all service providers that process data on our behalf

Although we take reasonable and appropriate measures to protect your data, no method of transmission over the Internet or electronic storage can be guaranteed to be 100% secure.

In the event of a personal data breach that may result in a high risk to your rights and freedoms, we will notify you without undue delay and report the breach to AZOP within 72 hours, as required by the GDPR.

How Can We Transfer Your Personal Information?

We store and process your personal data exclusively within the European Economic Area — EEA.

Our service providers are located in the EU/EEA or process data in accordance with GDPR requirements.

If in the future it becomes necessary to transfer personal data outside the EEA, we will do so only where appropriate safeguards required by the GDPR are in place, such as:

  • An adequacy decision of the European Commission
  • Standard contractual clauses approved by the European Commission
  • Other lawful safeguards under the GDPR

We will not transfer your personal data outside the EEA without ensuring an adequate level of protection.

How Long Do We Keep Your Information?

We retain personal data only for as long as necessary to fulfill the purpose for which it was collected or as required by law.

Our retention periods are:

  • User account data — during active use of the account and 30 days after account deletion
  • Transaction data and invoices — 11 years, in accordance with Croatian accounting and tax regulations
  • Consent for marketing communication — until consent is withdrawn
  • Technical access logs — 12 months
  • Prize contest data — 12 months after the end of the contest
  • Customer complaints and communication — 3 years
  • Data shared with sponsors based on consent — as defined in the agreement with the sponsor, but no longer than 24 months

After the applicable retention period expires, we permanently delete or anonymize the data so that you can no longer be identified.

If you delete your account, we will delete account data unless we are legally required to retain certain information, for example invoices and transaction records.

 

What Happens When I Link To or From Another App?

The Boxy website or application may contain links to third-party websites, applications or services.

This Privacy Policy applies only to services operated by Boxy. We are not responsible for the privacy practices, content or security of third-party websites or services.

When you access a third-party website or service, their own privacy policy and terms apply. We recommend that you review them before submitting any personal data.

Governing Law

This Privacy Policy is governed by the laws of the Republic of Croatia and applicable European Union data protection law, including the General Data Protection Regulation — GDPR.

Altilium Technology d.o.o. is established in Croatia, and the Boxy service is primarily directed at users in Croatia and the European Union.

You have the right to lodge a complaint with the Croatian Personal Data Protection Agency:

Croatian Personal Data Protection Agency — AZOP
Selska cesta 136
10000 Zagreb, Croatia
E-mail: azop@azop.hr
Web: www.azop.hr

Assignment

If Boxy, Altilium Technology d.o.o. or part of our business is subject to a merger, acquisition, restructuring, transfer of business or sale of assets, personal data may be transferred as part of that transaction where necessary and lawful.

In such a case, we will take reasonable steps to ensure that the recipient continues to protect your personal data in accordance with this Privacy Policy and applicable data protection law.

If such transfer materially affects the processing of your personal data, we will notify you where required by law.

Changes to This Policy

We may update this Privacy Policy from time to time due to changes in legislation, our service, technology or business operations.

If we make significant changes, we will notify you by e-mail and/or in-app notification at least 30 days before the changes take effect, where required.

Minor changes, such as grammar corrections, formatting updates or clarification of wording, may be published without prior notice.

The current version of this Privacy Policy is always available in the Boxy application and on the Boxy website.

If you do not agree with the changes, you may stop using the Boxy service and request deletion of your user account.

WHAT ARE YOUR CHOICES AND HOW DO YOU OPT-OUT?

You have control over the collection, use and sharing of your personal data in accordance with the GDPR.

You may:

  • Choose not to provide optional data
  • Disable location access through your device settings
  • Reject non-essential cookies
  • Withdraw marketing consent
  • Unsubscribe from newsletters
  • Request access to your personal data
  • Request correction of inaccurate data
  • Request deletion of your data where legally possible
  • Object to processing based on legitimate interest
  • Request restriction of processing
  • Request data portability
  • Lodge a complaint with AZOP

Some data are necessary for providing the Boxy service. If you choose not to provide such data, certain features of the application may not be available.

Changes to This Policy

Providing certain personal data is necessary to use the Boxy service.

For example, we need your name, e-mail address, mobile phone number, account information and transaction data to create your account, enable rental, process payments and provide support.

Where data are optional, you may choose not to provide them.

Where processing is based on consent, such as marketing communication, location access where consent is required, prize contest participation or sharing data with sponsors, you may withdraw your consent at any time.

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Emails and Other Communications

We send service-related communication when necessary for the operation of your account and the Boxy service. This may include account verification, rental notifications, payment information, customer support messages, legal updates and important service notices.

Marketing communication, newsletters and promotional messages are sent only if you have given explicit consent.

When you first log in to the Boxy application, we may display a separate screen where you can choose whether you want to receive newsletters. This consent is separate from accepting the general terms of use and is not pre-selected.

You can withdraw your consent for marketing communication at any time:

  • By clicking the “Unsubscribe” link in any newsletter e-mail
  • In the Boxy application settings under “Communication”
  • By sending a request to info@boxypower.com

Withdrawal of consent takes effect immediately upon receipt.

Even if you unsubscribe from marketing communication, we may still send you non-marketing service messages necessary for your account or use of the Boxy service.

Tracking

You can control certain tracking technologies through your browser, device settings or the cookie settings on our website.

On your first visit to the Boxy website, you can accept or reject non-essential cookies. You can change your settings at any time through the link in the website footer.

In the mobile application, you can manage certain permissions, including location access, through your device settings.

Necessary cookies and technical data required for security and basic functionality cannot be fully disabled, because the service may not function without them.

If you reject or disable certain cookies or permissions, some features of the website or application may not work properly.

Accessing and Correcting Your Information

Under the GDPR, you have the following rights regarding your personal data:

Right of access — you have the right to obtain confirmation as to whether we process your personal data, receive a copy of those data and obtain information about the processing.

Right to rectification — you may request correction of inaccurate personal data or completion of incomplete data.

Right to erasure — you may request deletion of your personal data where the data are no longer necessary, where you withdraw consent or where you object to processing, unless we are legally required to retain the data.

Right to restriction of processing — you may request temporary suspension of processing while a dispute regarding data accuracy or the legal basis for processing is resolved.

Right to data portability — you may request to receive your data in a structured, commonly used and machine-readable format and transfer it to another controller.

Right to object — you may object to processing based on legitimate interest or processing for marketing purposes. If you object to marketing processing, we will stop such processing.

Right to withdraw consent — you may withdraw consent at any time, in the same way you gave it. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to lodge a complaint — you may lodge a complaint with the Croatian Personal Data Protection Agency — AZOP.

To exercise your rights, please contact us at:

info@boxypower.com

In your request, please state:

  • Which right you wish to exercise
  • Your first name and surname
  • The e-mail address used to register in the Boxy application
  • A short description of your request

We will respond within one month of receiving your request. In the case of complex requests, this period may be extended by an additional two months, and we will notify you accordingly.

To confirm your identity, we may request additional information if there is reasonable doubt about the identity of the person submitting the request.

Exercising your rights is free of charge, except in the case of manifestly unfounded or excessive requests.

For any questions about this Privacy Policy or the processing of your personal data, please contact:

Altilium Technology d.o.o.
Ljerke Šram 16
10000 Zagreb, Croatia
OIB: 59756192595
E-mail: info@boxypower.com

Last updated: June 2026