Privacy Policy
Last updated: October 16, 2025
1. Introduction
Topbox Technologies (“Topbox,” “we,” “our,” or “us”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share personal information when you visit our websites, use our services, or otherwise interact with us.
This policy applies to individuals in the European Economic Area (EEA), the United Kingdom, Switzerland, Canada, and the United States. For EEA/UK/CH users, it satisfies the transparency requirements under the General Data Protection Regulation (GDPR). For Canada, it aligns with the Personal Information Protection and Electronic Documents Act (PIPEDA). For the United States, it includes disclosures required by certain state privacy laws such as the California Consumer Privacy Act (CCPA/CPRA).
2. Who We Are and Contact Details
Controller:
Topbox Inc.
33 Melford Dr, Unit 6, Scarborough ON M1B 2G6
Email: privacy@topboxtechnologies.com
Website: https://topboxtechnologies.com
Data Protection Officer (DPO):
Email: dpo@topboxtechnologies.com
Supervisory Authority Contact (EU/UK):
You have the right to lodge a complaint with your local data protection authority. A list is available from the European Data Protection Board. For the UK, contact the ICO.
UK-GDPR
UK-GDPR Data Protection Representative:
Data Protection Representative Limited (as DataRep)
Want to exercise your rights in respect of your personal data? Contact us below:
Via Email:
Email Address: datarequest@datarep.com
(Please quote “TOPBOX Inc.” in the subject line)
Via Mail:
Mailing Address: 107-111 Fellet Street, London, EC4A 2AB, United Kingdom
(Please ensure the request is addressed to “DataRep” and not TOPBOX Inc.)
Via Webform:
Webform URL: https://www.datarep.com/data-request
3. Definitions
- “Personal Data” means any information that identifies or can identify an individual.
- “Processing” means any operation performed on personal data (e.g., collection, storage, use, transmission, or deletion).
- “Controller” determines the purposes and means of processing personal data.
- “Processor” processes personal data on behalf of a controller.
4. The Data We Collect
We may collect and process the following categories of personal data:
| Category | Examples |
|---|---|
| Identity Data | Name, username, job title, and (where applicable) company or organization name when associated with an individual |
| Contact Data | Email address, phone number, postal address |
| Account Data | Login credentials, account preferences |
| Transaction Data | Billing details, payment history |
| Technical Data | IP address, browser type, operating system, device identifiers |
| Usage Data | Pages visited, time on site, interactions, analytics |
| Marketing Data | Newsletter subscriptions, communication preferences |
| Recruitment Data | CV/resumé, employment history, qualifications |
| Support Data | Messages or call logs with customer service |
We do not intentionally collect special categories of data (e.g., health or biometric data).
5. How We Collect Your Data
- Direct interactions: forms, sign-ups, demos, events.
- Automated means: cookies, analytics, device identifiers.
- Third-party sources: partners, social media integrations, clients. If you apply for a job through a third‑party recruitment platform, that platform collects your information on our behalf and transfers it to us for review. We store such data securely within our company cloud environment.
6. Purpose and Lawful Basis of Processing
We process personal data only when a lawful basis applies (Article 6 GDPR). For individuals in Canada, we rely on consent as the primary basis for processing personal information, except where otherwise permitted by law.
| Purpose | Lawful Basis | Example |
|---|---|---|
| Provide and maintain our services | Contractual necessity | Creating and managing your account |
| Communicate with you (support, updates) | Legitimate interest / contract | Responding to contact forms |
| Send marketing communications | Consent | Email newsletters (opt-in) |
| Analyze usage and improve products | Legitimate interest | Website analytics |
| Comply with legal obligations | Legal obligation | Accounting and tax records |
| Process payments | Contract / legal obligation | Subscription billing |
| Recruitment | Pre-contractual necessity / legitimate interest | Processing job applications |
You may withdraw consent at any time by contacting privacy@topboxtechnologies.com.
7. Data Retention
We retain personal data only as long as necessary for the purposes described or to meet legal obligations. Afterwards, we securely delete or anonymize the data.
| Data Type | Retention Period |
|---|---|
| Account & billing data | Contract duration + 7 years |
| Marketing data | Until consent is withdrawn |
| Support records | Up to 3 years after resolution (or longer where required to establish, exercise, or defend legal claims, comply with law, or meet contractual obligations). |
| Analytics & cookies | 13 months |
We may retain limited records beyond the standard periods where necessary to comply with legal obligations, resolve disputes, or enforce agreements. When retention is no longer necessary, we will securely delete or anonymize the data.
8. Cookies and Similar Technologies
Our website uses cookies and similar technologies. Non‑essential cookies (e.g., analytics, advertising) are deployed only after consent via our cookie banner. You can manage or withdraw consent any time via our cookie banner or your browser settings. See our (e.g., analytics, advertising) are only set with your consent. You can manage or withdraw consent any time via our cookie banner or your browser settings. See our Cookie Policy for details. for details. You can change your choices at any time via the “Cookie Settings” link in the site footer.
9. International Data Transfers
We host and process all personal data on Google Cloud Platform (GCP) infrastructure located in the United States. Google Cloud is certified under the EU–U.S. Data Privacy Framework (DPF) and the UK Extension to the DPF, which provides an adequacy decision under Article 45 of the GDPR.
This means transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States via GCP are considered to provide an adequate level of data protection and do not require Standard Contractual Clauses (SCCs).
Where we engage other providers outside the EEA/UK/CH that are not certified under the Data Privacy Framework, we implement appropriate safeguards such as European Commission Standard Contractual Clauses or equivalent mechanisms.
You can verify Google’s current Data Privacy Framework certification at: https://www.dataprivacyframework.gov/s/participant-search.
10. Sharing Your Data
We may share personal data with service providers / processors (hosting, analytics, payment, communication), affiliated companies, regulators when required by law, and business partners or clients where necessary to perform a contract or with consent.
We use service providers to operate our services (e.g., cloud hosting, analytics, communications, payments). Examples include Google Cloud Platform (hosting) and email/communications providers. We enter into written data processing agreements with each provider to ensure GDPR‑compliant handling of personal data. We do not sell or share personal information as defined by the California Consumer Privacy Act (CCPA/CPRA).
11. Security Measures
- Encryption of data in transit (TLS) and at rest
- Access controls and authentication
- Regular audits and security testing
- Incident response procedures
- Employee confidentiality and training
- Vendor security reviews
No system is perfectly secure; you share data at your own risk.
12. Your Rights (GDPR & Generally)
- Access – obtain a copy of your data
- Rectification – correct inaccurate or incomplete data
- Erasure – request deletion in certain cases
- Restriction – limit processing in specific cases
- Data portability – receive your data in a machine-readable format
- Objection – object to processing based on legitimate interests or direct marketing
- Withdraw consent – at any time without affecting prior lawful processing
- Complain – to a supervisory authority
These rights may be subject to limitations (for example, where fulfilling a request would adversely affect others’ rights and freedoms or where we must retain certain data to comply with legal obligations). We generally respond within one month; this may be extended by up to two additional months for complex requests, as permitted by law.
To exercise any right, contact privacy@topboxtechnologies.com with “Data Request” in the subject line.
13. Automated Decision-Making and Profiling
We do not use automated decision‑making that produces legal or similarly significant effects. If we introduce such processing, we will provide meaningful information about the logic involved and your rights, including the right to obtain human intervention.
14. Children’s Privacy
Our services are not intended for children under 16. We do not knowingly collect data from minors. If you believe a child has provided us with data, please contact us to delete it.
15. Policy Updates
We may update this policy periodically. Material changes will be announced on our website or via email at least 30 days before taking effect. The "last updated" date reflects the current version. Archived versions are available upon request.
“Material changes” include updates that significantly affect how we process personal data (e.g., new categories of data, new purposes, new recipients, or new transfer mechanisms). We will provide advance notice (e.g., email or prominent site notice) at least 30 days before such changes take effect.
16. Contact Us
If you have any questions about this Privacy Policy or our data practices, contact us at:
Email: privacy@topboxtechnologies.com
Postal: Topbox, 33 Melford Dr, Unit 6, Scarborough ON M1B 2G6
17. Regional Supplements
Canada (PIPEDA)
This policy also applies to the collection, use, and disclosure of personal information subject to Canada’s PIPEDA. Where required, we rely on consent as the primary basis for processing, except where otherwise permitted by law. Canadian residents may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca for more information about their rights.
United States (State Privacy Laws, including CCPA/CPRA)
If you are a resident of the United States, you may have additional rights under state privacy laws (e.g., California CCPA/CPRA, Virginia VCDPA, Colorado CPA), including rights to know/access, deletion (subject to exceptions), correction, opt‑out of sale/share (we do not sell/share), and non‑discrimination for exercising rights. U.S. residents may contact privacy@topboxtechnologies.com to exercise these rights.