1. Introduction
miniEcho (“we”, “us”) operates BoxxCat (“Service”). We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable global standards such as the GDPR.
2. Data We Collect
Account Data
We collect information necessary to manage your account, primarily managed through Supabase Auth:
- Email address and authentication credentials.
- Subscription status and billing preferences.
Usage Data
We collect basic operational metadata to ensure service reliability:
- Feature usage metrics (e.g., command counts, quota limits).
- Technical logs (IP addresses, browser type) for security, abuse prevention and service reliability.
3. Chatroom Data Processing
When you deploy the Service in a chatroom, group, or third-party messaging platform:
- Role Definition: You determine whether and where the Service is used, including in Shared Environments. miniEcho processes data to operate the Service and may act as a processor or independent controller depending on the context.
- User Authority: You represent that you have the authority or necessary consents from all participants in that environment to permit this processing.
- Third-Party Transmission: Messages are transmitted to third-party AI providers (e.g., OpenAI) in real-time. We do not verify user authority and are not responsible for how the Service is deployed in third-party environments.
4. Stateless Architecture
To minimize your data liability surface, we utilize a privacy-by-design stateless architecture:
- No Persistent Chat Storage: We do not store the content of your chats, logs, or messages in our databases.
- Transient Processing: Data is processed in volatile memory only for the duration of the request-response cycle.
- Limited Exceptions: Data is not retained unless temporarily required for active debugging of a specific technical failure, security investigation, or mandatory legal compliance. These exceptions are temporary and limited in scope, and data is not retained beyond what is necessary to resolve the issue or meet legal obligations.
5. Third-Party Services & Overseas Disclosure
Providers
We rely on the following primary sub-processors:
- Supabase: For authentication and account management.
- OpenAI: For AI processing and logic generation.
Overseas Disclosure (APP 8)
We disclose personal data to third-party service providers located outside of Australia, primarily in the United States. While we take steps to ensure these providers respect your privacy, by using the Service, you acknowledge that these overseas recipients may not be subject to the Australian Privacy Principles, and we are not liable for their acts or omissions.
6. AI Processing and Training
Inputs are sent to AI providers to generate outputs. We have configured our integration with these providers (where the option is available) to opt-out of model training. Your chat data is used to generate a response for you, not to train the underlying models of third-party providers.
7. Data Retention & Your Rights
- Retention: We retain account and usage data only as long as necessary to provide the Service.
- Rights: Depending on your jurisdiction, you may have rights to access, correct, or delete your personal data.
- Limited Scope: Because we do not store chat content, any request for data access or deletion will be limited to your account information and usage metadata.
8. Security
We implement reasonable technical safeguards to protect your data. However, as the Service operates across third-party messaging platforms and the open internet, no method of transmission is 100% secure.
9. Complaints
If you have a concern about how we handle your data, please contact us at support@boxx.cat.
We will aim to resolve your complaint within 30 days.
10. Contact
miniEcho New South Wales, Australia
Email: support@boxx.cat
