Privacy policy
Last updated: 01.01.2026
This privacy policy explains how BoxCase Besloten Vennootschap (B.V.) ("BoxCase", "we", "us") collects, uses, stores and shares personal data when you visit our website, request a demo, contact us or use the BoxCase platform as an authorised user.
BoxCase is a business-to-business platform. In most cases, our customers (your employer or service organisation) decide why and how client and staff data is processed inside a workspace. This policy covers BoxCase's own processing as a service provider and as a data controller for website, account and billing interactions.
Governing entity: BoxCase Besloten Vennootschap (B.V.), KVK 58992545, Doldersestraat 39, 2574 TB 's-Gravenhage, Netherlands. Questions: contact.
Overview
BoxCase provides a white-label client onboarding and client-operations platform. We process personal data to deliver the service, secure accounts, respond to enquiries, meet legal obligations and improve the product in a privacy-conscious way.
We design the platform so that document content, client messages and other sensitive operational data remain within controlled tenant boundaries. Analytics on public marketing pages are consent-based and exclude personal identifiers.
If you are a client participant invited into a customer workspace, your organisation's privacy notice and the applicable service agreement govern most processing inside that workspace. Contact your service provider in the first instance for access requests relating to their use of BoxCase.
Data collected
Account and profile data: name, work email address, role, organisation name, authentication identifiers, session metadata and audit events linked to your user account.
Workspace and operational data: information, documents, messages, tasks, approvals, payment references and configuration data submitted by authorised users on behalf of a customer organisation. Customers determine what categories of client data are collected through their workflows.
Website and enquiry data: contact details, company information, role, industry selections and messages submitted through demo, contact or support forms, together with consent records.
Billing data: subscription status, invoice references and payment metadata processed through our payment provider. Card details are handled directly by the payment provider and are not stored by BoxCase.
Technical and security data: IP address, browser type, device identifiers, request logs, error references and security signals used to protect the service. We do not send document content or free-text form values to analytics tools.
Lawful basis and purpose
We process personal data on the following bases, depending on context: performance of a contract with the customer organisation; legitimate interests in operating, securing and improving a B2B SaaS platform; compliance with legal obligations; and consent where required, for example for non-essential analytics cookies on the public website.
Typical purposes include: providing and administering the platform; authenticating users; delivering notifications configured by the customer; supporting customers and end users; detecting abuse and security incidents; billing and account management; maintaining audit trails required for professional-service workflows; and analysing aggregated, privacy-safe usage of public pages.
Customers are responsible for establishing an appropriate lawful basis for personal data they upload about their clients and staff, and for providing any required notices to data subjects.
Retention
We retain account and workspace data for as long as the customer subscription remains active and for a limited period afterwards to allow export, dispute resolution and legal compliance.
When a customer terminates the service, we delete or anonymise tenant data in accordance with the applicable service agreement and data processing terms, subject to backup retention windows and legal hold requirements.
Website enquiry records are retained for the period needed to respond, qualify opportunities and maintain a proportionate business record, then deleted or anonymised.
Security, audit and billing records may be retained for longer where necessary to evidence compliance, resolve incidents or meet statutory limitation periods.
Data subject rights
Depending on your location, you may have rights to access, rectify, erase, restrict or object to certain processing, and to data portability where applicable.
If BoxCase processes your data as a controller (for example when you submit a website enquiry or hold a BoxCase user account), contact us using the details below. We will respond within applicable statutory timeframes.
If your data is processed inside a customer workspace, we will normally direct requests to the customer organisation acting as controller. We will assist customers in fulfilling requests where required by our data processing agreement.
You may lodge a complaint with your local supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (AP).
Contact
For privacy questions, data protection requests or subprocessors information, contact us via the contact page or the data protection route listed there.
BoxCase Besloten Vennootschap (B.V.) (KVK 58992545), registered at Doldersestraat 39, 2574 TB 's-Gravenhage, Netherlands, is the data controller for processing described in this policy that relates to our website, accounts and direct customer relationship. Our current subprocessors are listed at /legal/subprocessors.