Working draft
This policy is being finalized in tandem with our SOC 2 audit and outside counsel review. It accurately reflects current behavior; legal language will be tightened.1. Strictly necessary
- Session cookies for authenticated platform sessions (Supabase Auth).
- CSRF tokens for state-changing requests.
- Cart / billing context during Stripe checkout.
2. Analytics
- First-party event analytics on the marketing site — page views, button clicks, source attribution. Cookieless where possible; otherwise scoped to the sendaboxli.com domain.
3. Recipient landing pages
Personalized landing pages set a per-send tracking cookie used to attribute return visits to the same engagement record. The cookie expires 30 days after issuance and contains no identifying information beyond the send_id reference.
4. Opt-out
You can clear cookies in your browser at any time without affecting platform functionality (you'll need to sign in again). To stop receiving boxli sends entirely, email optout@sendaboxli.com.
5. Contact
Privacy Policy covers our full data handling practices.