Privacy Policy
Last updated: 16 May 2026
This policy explains what data 9Box collects, why, how we store it, and what rights you have over it. It is written to be readable. If anything is unclear, email us at privacy@9box.co.uk and we'll explain in plain English.
Who we are
9Box is operated by [REGISTERED COMPANY NAME] ("9Box", "we", "us"), a company registered in England and Wales under company number [COMPANY NUMBER]. Our registered address is [REGISTERED ADDRESS].
For the purposes of UK GDPR, 9Box acts as a data controller for visitor and account data, and as a data processor for the workspace data that customers put into the platform (reviewer responses, employee names, cycle data).
What data we collect
Account data. When you create a workspace, we collect: your name, work email address, the workspace name, and a password (stored hashed, never in plain text).
Workspace data. When you run a feedback cycle, your workspace contains: the names and email addresses of subjects and reviewers, the scores reviewers submit, and any comments they leave. This data belongs to your organisation. We process it on your behalf.
Usage data. We collect basic analytics about how the site and product are used: pages visited, actions taken, browser type, approximate location (derived from IP, country level only). We do not use cookies for advertising or cross-site tracking.
Communications. If you email us, we keep that email and our reply.
We do not collect payment information while in beta. We do not sell data to third parties under any circumstances.
Why we collect it
To provide the service: run accounts, store workspace data, generate reports, and contact you about your account. We rely on contractual necessity (UK GDPR Art. 6(1)(b)) for account and workspace data, and legitimate interests (Art. 6(1)(f)) for product analytics and security.
How we store and protect it
Data is stored on EU/UK-region infrastructure provided by our hosting and database partners (currently Cloudflare and Supabase). All connections are encrypted in transit (TLS). Passwords are hashed with industry-standard algorithms. Access to production data is restricted to a small number of named engineers and logged.
Reviewer anonymity
Individual reviewer scores and comments are never shown to the subject, their manager, or HR. Only aggregated results across reviewers are ever displayed in reports. This is enforced in the application, not just in policy.
Sub-processors
We use a small set of trusted sub-processors to deliver the service:
- Cloudflare: hosting, CDN, edge runtime (UK/EU)
- Supabase: managed Postgres database and authentication (EU)
- Resend (or equivalent): transactional email delivery
Each sub-processor is bound by a data-processing agreement.
Retention
Workspace data is retained for as long as the workspace is active, and for up to 90 days after deletion (to allow recovery from accidental deletion). On request we will delete it sooner. Account data is retained while the account exists. Analytics data is aggregated and retained for up to 24 months.
Your rights
Under UK GDPR you have the right to: access your data, correct it, delete it, restrict or object to processing, and request data portability. To exercise any of these, email privacy@9box.co.uk. We respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
Cookies
We use a single first-party cookie to keep you signed in. We do not use marketing or cross-site tracking cookies.
Changes to this policy
If we make material changes we'll notify workspace owners by email and update the "last updated" date above.
Contact
Questions about this policy: privacy@9box.co.uk. For general enquiries see our contact page.