Who We Are
Controller Identity
Company: Mohammad Khalid Bashammakh Establishment
Legal Form: Sole Proprietorship (مؤسسة فردية)
Headquarters: Jeddah, Kingdom of Saudi Arabia
App Name: BOXIT365
Privacy Contact: privacy@boxit365.com
What is BOXIT365?
BOXIT365 is a mobile application that enables users to create QR codes for their physical storage boxes, log the contents of each box, and instantly retrieve that information by scanning the QR code — without opening a single box. The app serves homeowners and renters who want to stay organized during moves or home storage.
What Data We Collect
2.1 Account Registration Data
When you create a BOXIT365 account, we collect the following personal data:
- Full name
- Email address
- Phone number
- Password (stored in encrypted form — we never store plain-text passwords)
If you register using Google Sign-In, we receive your name and email address from Google in accordance with Google's own privacy policy. We do not receive your Google password.
2.2 Box & Content Data
- Box names and labels you assign
- Item descriptions and content lists you enter
- Photos of box contents that you choose to upload (stored securely on third-party servers)
- QR code identifiers linked to each box
- Voice recording descriptions of the items inside the box (recorded by user)
2.3 Location Data (Optional)
BOXIT365 does not collect your location by default. If you choose to tag a geographic storage location to a specific box, the app will request your permission to access your device location. This data is:
- Collected only with your explicit permission
- Used solely to associate a physical location with that box
- Never shared with third parties or used for advertising purposes
You may revoke location permission at any time through your device settings without affecting access to any other app features.
2.4 Technical & Usage Data
- Device type, operating system, and version
- App version
- IP address (used for security and fraud prevention only)
- Session duration and general feature usage patterns
- Crash reports and error logs (for debugging and service improvement)
2.5 Communications Data
If you contact us for support, we collect your name, email address, and the content of your communications solely to respond to your inquiry and improve our service.
2.6 Data We Do NOT Collect
- Payment or credit card data (handled entirely by Apple App Store / Google Play Store)
- Sensitive personal data (health, biometric, racial, religious, or criminal data)
- Advertising identifiers or cross-app tracking data
- Contacts, microphone, or camera data beyond photos you explicitly upload
How We Use Your Data
We process your personal data only for the following lawful purposes, in compliance with Articles 5 and 6 of the PDPL:
- To create and manage your BOXIT365 account Contractual
- To provide the QR box-organization service you signed up for Contractual
- To store and display your box contents when you scan a QR code Contractual
- To process your freemium upgrade and manage your subscription tier Contractual
- To send service-critical notifications such as account alerts and security notices
- To improve the app based on usage patterns and crash data Legitimate Interest
- To respond to your support requests Legitimate Interest
- To comply with our legal obligations under Saudi law
PDPL Article 11: We only collect the minimum personal data necessary to achieve each stated purpose. We do not collect data in excess of what is required.
Legal Basis for Processing
In accordance with Articles 5 and 6 of the Saudi PDPL, our processing relies on the following legal grounds:
4.1 Your Consent Article 5
For optional features such as location tagging, we obtain your explicit consent before processing. You may withdraw consent at any time by contacting privacy@boxit365.com or adjusting your device settings.
4.2 Contractual Necessity Article 6.2
Processing your account data, box content data, and subscription information is necessary to perform the service contract between you and BOXIT365.
4.3 Legitimate Interests Article 6.4
We process technical and usage data to maintain, secure, and improve BOXIT365 — where this does not override your rights and interests.
4.4 Legal Obligation Article 6.3
We may process or disclose your data when required by Saudi law, court order, or a competent government authority.
Data Sharing & Disclosure
5.1 We Do Not Sell Your Data
We do not sell, rent, trade, or monetize your personal data to any third party under any circumstances whatsoever.
5.2 No Third-Party Sharing
We do not currently share your personal data with any external third parties for their own use. Your data is processed within BOXIT365's infrastructure for the purposes described in this policy.
5.3 Infrastructure Providers
Cloud providers operate as data processors under our instruction and are contractually prohibited from using your data for any purpose other than storing and transmitting it on our behalf, consistent with Article 8 of the PDPL.
5.4 Subscription Processing
Subscription upgrades are processed entirely through the Apple App Store or Google Play Store. We receive only a confirmation of your subscription status — we never receive, store, or process your payment card details.
5.5 Legal Disclosure
We may disclose your personal data to competent Saudi authorities when required by law, per Article 15(3) of the PDPL, including judicial orders, national security requirements, or regulatory compliance requests from SDAIA.
5.6 Business Transfer
In the event of a merger, acquisition, or asset sale, your personal data may be transferred to the acquiring entity. You will be notified in advance, and your rights under this policy will be preserved.
International Data Transfers
BOXIT365 uses a combination of local storage and cloud infrastructure which may involve servers located outside the Kingdom of Saudi Arabia. In compliance with Article 29 of the PDPL, any such transfer is subject to:
- No harm to Saudi national security or vital interests
- An adequate level of personal data protection in the destination environment, as assessed by SDAIA
- Transfer limited to the minimum data necessary for the intended purpose
By using BOXIT365, you acknowledge that your data may be processed on cloud servers outside Saudi Arabia, subject to these PDPL-mandated safeguards.
Data Retention
7.1 Active Accounts
We retain your personal data for as long as your BOXIT365 account remains active and is necessary to provide the service.
7.2 After Account Deletion
When you request account deletion by contacting privacy@boxit365.com, your personal data will be permanently and irreversibly deleted within 90 days of your request, in accordance with Article 18 of the PDPL. During this window, your data is deactivated and inaccessible. After deletion, we retain only fully anonymized, non-identifiable aggregate statistics.
7.3 Legal Retention Obligations
Notwithstanding the above, we may retain certain data for longer periods where required by Saudi law or ongoing legal proceedings, per Article 18(2) of the PDPL. You will be informed if this applies to your data.
Your Rights as a Data Subject
In accordance with Article 4 of the Saudi PDPL, you have the following rights:
📧 Exercise Your Rights: Email all data rights requests to privacy@boxit365.com — We respond within the timeframe set by SDAIA regulations. All requests are free of charge.
Data Security
In accordance with Article 19 of the PDPL, we implement the following technical and organizational security measures:
- Encryption of passwords and sensitive data in transit (TLS/HTTPS) and at rest
- Access controls limiting data access to authorized personnel only
- Regular security assessments and vulnerability monitoring
- Secure HTTPS connections for all app-server communications
- Photos stored on secured cloud servers with restricted access
9.1 Data Breach Notification Article 20
In the event of a personal data breach that may harm your rights or interests, we will notify you and report to SDAIA within the timeframes prescribed by the PDPL implementing regulations.
Subscription & Freemium Model
BOXIT365 operates on a freemium model. The free tier is available to all users at no cost. A paid upgrade tier is available for enhanced features. All payment processing is handled exclusively by Apple App Store or Google Play Store. BOXIT365 does not process, store, or have access to any payment card or financial data. Subscription management, refunds, and billing disputes are governed by Apple's or Google's respective terms of service.
No Advertising
BOXIT365 does not display third-party advertisements and does not use your personal data for advertising purposes — now or in the future. We do not participate in advertising networks, sell advertising space, or use your data to build advertising profiles. Our revenue model is limited to the freemium subscription described above.
Children & Minors
BOXIT365 is available to users of all ages. However, users under the age of 18 should use the app under parental supervision. If you are a parent or guardian and believe your minor child has provided personal data without your consent, please contact privacy@boxit365.com and we will address the matter promptly in accordance with Article 10 of the PDPL.
Cookies & Device Technologies
BOXIT365 is a mobile application only — we do not operate a website and therefore do not use browser cookies. The app uses the following limited device-based technologies:
- Secure session tokens — to keep you securely logged in
- Device identifiers — for app functionality and security purposes only
- Local device storage — to cache your box data for offline access
None of these technologies are used for advertising, cross-app tracking, or profiling.
Third-Party Services
Google Sign-In
If you choose to register or log in using Google Sign-In, Google will share your name and email address with BOXIT365. We do not receive any additional Google account data beyond name and email.
Apple App Store / Google Play Store
Subscription payments are processed by Apple or Google. Their respective privacy policies govern all payment data. BOXIT365 receives only a subscription status confirmation.
Cloud Infrastructure
User data (including uploaded photos and box content) is stored using a combination of local storage and cloud hosting. Cloud providers process data solely as our processors under data processing agreements that include PDPL-compatible protections.
Future Analytics Integration
BOXIT365 has not yet integrated any third-party analytics tools. If an analytics SDK is added in a future version, this policy will be updated and users will be notified before the integration takes effect.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the 'Last Updated' date at the top of this document
- Display a prominent in-app notice informing you of the change
- Obtain renewed consent where required by the PDPL
We encourage you to review this policy periodically. Continued use of BOXIT365 after notification of changes constitutes acceptance of the updated policy.
Governing Law & Jurisdiction
This Privacy Policy is governed exclusively by the laws of the Kingdom of Saudi Arabia. Any disputes arising from or relating to this policy shall be subject to the exclusive jurisdiction of the competent courts in the Kingdom of Saudi Arabia, in accordance with the PDPL, its implementing regulations issued by SDAIA, and all other applicable Saudi regulations.
Contact Us
For any questions, privacy rights requests, or concerns regarding this policy or your personal data, contact:
We are committed to responding to all data rights requests within the timeframes prescribed by SDAIA and the PDPL implementing regulations.