Privacy Policy
April 30, 2026
Effective date: 30 April 2026. Controller: SIA "Bitbox 28", registration number 40203454887, registered at Atpūtas 11, Cēsis, LV-4101, Latvia.
If you don't feel like reading the whole thing — here's the short version. We're a small Latvian software studio. We collect the minimum data we need to run our website, talk with people who reach out, and measure whether our ads are working. We don't sell your data, we don't run creepy profiling, and you can email info@bitbox.lv anytime to see, correct, or delete what we have on you. The rest of this page is the detail behind those statements.
Who we are
This policy is published by SIA "Bitbox 28" (registration number 40203454887), trading as BITBOX.lv. We're based at Atpūtas 11, Cēsis, LV-4101, Latvia.
You can reach us by email at info@bitbox.lv, by phone at +371 26175354, or by post at the address above. For privacy-specific questions, write to info@bitbox.lv with "Privacy" in the subject line. We're a small business and don't have a dedicated Data Protection Officer; one isn't required for an organisation our size under GDPR.
What data we collect
We try to collect as little as possible. In practice that means three buckets.
Direct from you. When you fill in the contact form or chat with our Clippy assistant, we receive whatever you type — typically your email address, sometimes your name, and the content of your message or project brief. If you decide to send us a project brief through Clippy, the full chat transcript is included in the email we receive.
Collected automatically. When you visit bitbox.lv, our hosting provider (Vercel) logs technical information — your IP address, user agent, the page you requested, and the time. Browsers also store cookies as described below. None of this is tied to a name or email until you actively send us one.
From third parties. We don't get data from third parties. We don't buy marketing lists, scrape contact information, or enrich your details from data brokers. Everything we know about you, you handed us directly or your browser sent us as part of a normal page load.
How we use your data and our legal basis
Under GDPR every use of personal data needs a legal basis. Here's how that maps for us.
Replying to your enquiries — Article 6(1)(b) and 6(1)(f). When you contact us, we use your email and message to write back. This is necessary to take steps prior to a possible contract, and it's also our legitimate interest in being able to do business.
Improving our services — Article 6(1)(f). We may keep contact-form submissions and Clippy transcripts for a reasonable period to refine our knowledge base, train Clippy on better answers, and audit response quality. Our legitimate interest is making the product better over time, balanced against the minimum amount of data needed.
Security and abuse prevention — Article 6(1)(f). Server logs, rate-limiting state, and IP-based throttling protect the site from spam and attacks. Our legitimate interest is keeping the site running.
Analytics — Article 6(1)(a). Google Analytics 4 only runs after you accept analytics cookies. If you don't, no analytics data is collected. Your consent is the legal basis, and you can withdraw it any time via the cookie banner.
Advertising and measurement — Article 6(1)(a). Meta Pixel, Meta Conversions API, and Google Ads tracking only run after you accept marketing cookies. Same as analytics — your consent, withdrawable any time.
Compliance with law — Article 6(1)(c). Where we have to keep records for tax, accounting, or other legal reasons, we keep them for as long as the law requires.
We do not use your data for automated decision-making or profiling that produces legal effects on you.
Cookies and similar technologies
Cookies are small text files your browser stores. We use four categories.
- Strictly necessary. Required for the site to work — for example, remembering your cookie consent choice. Always on. No tracking.
- Analytics. Help us see which pages get visited, where people drop off, and whether the site is fast enough. Off by default; turned on only if you accept analytics in the cookie banner.
- Marketing. Used by Meta Pixel, Google Ads, and (potentially in the future) LinkedIn Insight Tag to measure whether the ads we run are working. Off by default; turned on only if you accept marketing in the cookie banner.
You can change your choice at any time. Click "Customize" in the cookie banner — the full list of cookie names, durations, and purposes lives in that panel.
Third parties we share data with
We use a small number of established providers to actually run the site. Each handles a narrow slice of data and is bound by a Data Processing Agreement.
- Vercel (USA) — hosting. Receives every page request. Standard logging retains request metadata for 30 days. Certified under the EU-U.S. Data Privacy Framework.
- Sanity (Norway / USA) — content management. Stores our website content and Clippy chat transcripts (only when a transcript is generated, used for quality and product improvement).
- Resend (USA) — transactional email. When you submit the contact form or a Clippy brief, we send an internal email through Resend to ourselves. Resend processes the message contents to deliver it. Certified under the EU-U.S. Data Privacy Framework.
- Anthropic (USA) — AI model provider for the Clippy chatbot. The text you type into Clippy is sent to Anthropic's API for processing. Anthropic acts as our processor and uses what you send only to generate a response. See Anthropic's privacy policy for full data practices.
- Google (USA / Ireland) — Google Analytics 4 and Google Ads conversion tracking. Only active after analytics or marketing consent. Certified under the EU-U.S. Data Privacy Framework.
- Meta Platforms Ireland Limited (Ireland) — Meta Pixel and Conversions API. Only active after marketing consent. Receives the events listed in the Meta section: PageView, ViewContent, Lead, etc., along with a hashed version of your email when you submit a form, your IP, your user agent, and the page URL.
- Supabase (USA / Singapore) — used only for our experimental scan-to-control feature. If you use it, brief broadcast messages relay through Supabase's infrastructure. No personal data is stored there.
We do not sell your data, and we don't share it outside the list above.
International data transfers
Most of our processors are based outside the EU/EEA — primarily in the United States. For those transfers:
- US providers certified under the EU-U.S. Data Privacy Framework (Vercel, Resend, Google) rely on the European Commission's adequacy decision as the legal basis.
- For other transfers we rely on Standard Contractual Clauses (SCCs) signed with the relevant processor.
If you'd like to see the specific transfer mechanisms or the DPAs we have in place, email us and we'll point you to the documents.
How long we keep your data
We retain personal data only as long as we need it for the purpose we collected it. In practice:
- Contact form messages and Clippy briefs: 24 months from receipt, unless you become a customer (in which case correspondence is kept for the duration of the relationship plus 5 years for accounting purposes, as required by Latvian tax law).
- Clippy chat transcripts: 12 months, then deleted. Used to improve responses and audit quality.
- Server logs: 30 days, then deleted automatically by Vercel.
- Cookies: per the duration listed in the cookie banner — typically 90 days to 2 years depending on the cookie.
- Tax and accounting records: 5 years (general), 10 years (tax), as required by Latvian law.
We don't keep data "just in case." If a category isn't listed here, we don't retain it.
Meta Pixel and Conversions API
Our website uses the Meta Pixel and the Meta Conversions API, services provided by Meta Platforms Ireland Ltd. They allow us to measure the effectiveness of our advertising on Meta platforms (Facebook, Instagram), to understand which actions visitors take after seeing or clicking our ads, and to build retargeting and lookalike audiences.
The Pixel sets cookies (_fbp, _fbc) and sends events such as PageView, ViewContent, and Lead to Meta, including a hashed version of your email address (only when you submit a contact form or project brief), your IP address, your browser user agent, and the URL of the page. Meta processes this data to deliver and measure ads. Both the Pixel and the Conversions API are loaded only after you accept marketing cookies, and you can change your consent at any time via our cookie banner.
For more information, see Meta's Privacy Policy (https://www.facebook.com/privacy/policy/) and Meta's Cookie Policy (https://www.facebook.com/policies/cookies/).
Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Article 15) — get a copy of the data we hold on you.
- Right to rectification (Article 16) — fix anything that's wrong.
- Right to erasure (Article 17) — have your data deleted, subject to the legal retention requirements above.
- Right to restriction (Article 18) — pause processing while a dispute is sorted out.
- Right to data portability (Article 20) — get your data in a machine-readable format you can take elsewhere.
- Right to object (Article 21) — object to processing based on legitimate interest.
- Right to withdraw consent — at any time, for any consent-based processing (e.g. marketing cookies). Withdrawal does not affect processing that already happened.
- Right to lodge a complaint — with the Data State Inspectorate (Datu valsts inspekcija), the Latvian supervisory authority, at https://www.dvi.gov.lv.
To exercise any of these, email info@bitbox.lv. We respond within 30 days. For most requests we'll need to verify your identity first — usually a quick reply from the email address on file is enough.
Children's privacy
bitbox.lv is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a minor, email info@bitbox.lv and we'll delete it.
Security
We protect data in transit with HTTPS and at rest through our processors' standard encryption. Access to systems holding personal data is limited to the small number of people who actually need it for their work, with multi-factor authentication on the accounts that touch it.
Despite all that, no system is 100% secure. If we ever discover a breach affecting your personal data, we'll notify you and the supervisory authority within 72 hours, as required by Article 33 of GDPR.
Changes to this policy
We may update this policy as we change tools, add features, or as the law evolves. The effective date at the top of this page reflects the most recent change. Material changes (new processors, new categories of data, new purposes) will be flagged on the homepage; if we have your email from prior correspondence, we may also write to you directly. You can request earlier versions of this policy by emailing info@bitbox.lv.
