Boxed Up — Privacy policy

1. Summary

Boxed Up is an iOS application published by Hjortsholm Studio. We do not run a backend that stores your personal data. Every box, item, location, photo, and label preference lives on-device in SwiftData. No Hjortsholm-operated server stores your inventory. No analytics, no tracking, no crash reporters route through our servers.

This policy describes — in plain language — what limited data may leave your device, who it goes to, and the rights you have under the EU General Data Protection Regulation (GDPR) and equivalent laws.

2. Data controller

The data controller responsible for any personal data processed in connection with Boxed Up is:

3. What data we process

We — meaning Hjortsholm Studio — do not collect, store, or transmit your personal data on our own servers. The app does not require an account.

Data created by your use of the app (settings, library entries, journal entries, episode logs, generated content, conversation history — depending on the app) is stored locally on your device using the operating system's standard secure storage. If the app offers iCloud sync and you opt in, that data syncs through your private iCloud container, controlled by Apple under your Apple ID.

Where the app integrates with third-party services, only the data you explicitly send (for example, the prompt you type, or the coordinates needed to fetch a forecast) is transmitted to that service. Any API keys you supply are stored on-device using the iOS Keychain and are never sent to Hjortsholm Studio.

4. Third-party services

The following third parties may receive data when you use specific features of Boxed Up. Each provider is an independent data controller for the data they receive, and their own privacy policy governs how they handle it.

• Open Food Facts ↗

  Purpose: Looks up product details (name, brand, category, quantity, ingredients) when you scan a food barcode.

  Data shared: Only the scanned barcode number you choose to look up. No identifiers, no account.

• Open Library ↗

  Purpose: Looks up book details (title, author, publisher, year, subjects) when you scan an ISBN.

  Data shared: Only the scanned ISBN you choose to look up. No identifiers, no account.

5. Legal basis for processing

Where Boxed Up causes personal data to be processed (for example, by sending a prompt to a model provider you have configured), the legal basis under Article 6(1) GDPR is your consent, given when you enable the relevant feature and configure your own API keys or authorisations. You can withdraw that consent at any time by removing the configuration or uninstalling the app.

Where the app reads from Apple HealthKit, that processing happens entirely on your device under permission you grant Apple — Hjortsholm Studio never receives that data.

6. Data retention

Hjortsholm Studio retains no personal data on its servers, because there are no servers processing personal data for Boxed Up. Data you generate stays on your device — and your iCloud container, if you enabled sync — for as long as you keep it. You can delete it at any time by removing entries from within the app or uninstalling the app.

7. Your rights under the GDPR

If you are in the EU, EEA, UK, or another GDPR-aligned jurisdiction, you have:

• The right of access — to know what personal data is being processed.
• The right to rectification — to have inaccurate data corrected.
• The right to erasure — to have personal data deleted.
• The right to restriction — to limit how data is processed.
• The right to data portability — to receive your data in a structured, machine-readable format.
• The right to object — to processing based on legitimate interests.
• The right to withdraw consent — at any time, where processing is based on consent.
• The right to lodge a complaint — with your local supervisory authority (in France, the CNIL).

Because Hjortsholm Studio holds no central record of you, most of these rights are exercised on-device: deleting an entry, disabling iCloud sync, removing an API key, or uninstalling the app fulfils them. For data held by the third parties listed above, please contact those providers directly using the privacy policies linked in section 4.

If you have a question or want to exercise a right that involves us as the controller, email contact+privacy@studio.hjortsholm.com. We will respond within 30 days.

8. International transfers

Hjortsholm Studio does not transfer your personal data internationally because we do not hold it. The third parties you may opt into using (for example, OpenAI, OpenRouter, or Replicate) may process data in the United States or other jurisdictions. Their own privacy policies, linked above, describe the safeguards (such as Standard Contractual Clauses) they rely on for cross-border transfers.

9. Children

Boxed Up is not directed at children under 16. We do not knowingly collect data from children. Because the app does not collect personal data centrally, there is no central record to remove — but if a parent or guardian believes a child has used the app and wants to ask a question, please contact contact+privacy@studio.hjortsholm.com.

10. Security

On-device data is protected by the standard iOS security model — Data Protection, sandboxing, and (where used) Keychain. Network requests to third-party services use HTTPS/TLS. We rely on Apple's platform security and the security guarantees of the third-party providers you configure.

11. Changes to this policy

If we change how Boxed Up processes data — for example, by adding a new third-party integration — we will update this policy and revise the "last updated" date at the top. Material changes will also be reflected in the app's release notes.

12. Contact

Privacy questions: contact+privacy@studio.hjortsholm.com.
App-specific support: contact+boxedup@studio.hjortsholm.com.