PRIVACY POLICY

Effective Date: 13 April 2026
Version: 1.2

Canonical URL: https://theboxinnovation.ai/privacy

This Privacy Policy describes how Quartz Labs Ltd (Company No. 16554478, 86-90 Paul Street, London EC2A 4NE, United Kingdom) processes personal data in connection with our public-facing websites (theboxinnovation.ai and quartzlabs.ai) and our SaaS platforms, The Mirror and The BOX, together with any custom engagements we undertake for clients (collectively, the “Services”).
We act as a data controller for our own business, marketing, and account data, and as a data processor for Client Content processed through the Services on behalf of our business clients.
Privacy contact: privacy@quartzlabs.ai

Who This Policy Applies To

  • Website visitors: anyone visiting theboxinnovation.ai or quartzlabs.ai, submitting demo requests, or subscribing to our newsletter.
  • Platform users: employees and contractors of our business clients who access The Mirror or The BOX.
  • Research participants: individuals whose data is uploaded to The Mirror by our clients (e.g., interview transcripts). In this context, our clients are the controllers and we are the processor.

Google Workspace API Data

Some features of The BOX allow users to connect their Google Drive to import documents into a Knowledge Base. When you authorise this connection, we access only the specific files and folders you explicitly select, using the minimum OAuth scopes necessary.
Quartz Labs’ use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We use Google Workspace data solely to provide the features you request (indexing, semantic search, retrieval for AI-assisted innovation workflows).
  • We do not use Google Workspace data to develop, improve, or train generalised or non-personalised AI or machine learning models.
  • We do not transfer Google Workspace data to third parties except as necessary to provide the Services (e.g., passing content to our contracted LLM sub-processors under no-training API terms) or as required by law.
  • We do not allow humans to read Google Workspace data unless we have your explicit consent, it is necessary for security or debugging purposes, or it is required by law.

You can revoke our access to your Google Workspace data at any time from your Google Account permissions page or from within The BOX.

Data We Collect

  • Account Data: name, business email, job title, password hash, MFA secret. Retained for life of contract + 6 years.
  • Client Content: interview transcripts, research data, innovation projects, ideas, Knowledge Base uploads. Retained until client deletes, with encrypted backups rolling off after 90 days.
  • Generated Insights: AI-generated summaries, personas, ideas, scores. Retained alongside the source Client Content they were derived from and deleted with it.
  • Usage Telemetry: IP address, device info, feature clicks, error logs. Retained 12 months.
  • Marketing Data: name, business email, company, role, demo requests, newsletter signups. Retained until opt-out or 3 years of inactivity.
  • Website Analytics and Cookies: cookie identifiers, pages visited, referrer. Retained up to 13 months.

We do not use Client Content to train publicly available AI models. All AI processing is conducted through paid API tiers with contractual guarantees against training use.

Legal Bases (UK/EU GDPR)

  • Contract: providing the Services to clients and platform users
  • Consent: marketing communications, non-essential cookies
  • Legitimate interests: improving the Services, website analytics, security monitoring, direct B2B marketing
  • Legal obligation: tax, accounting, regulatory compliance
  • Processor acting on client instructions: Client Content in The Mirror and The BOX is processed on the documented instructions of our clients, who as controllers determine the legal basis for that processing

Sub-processors

We share personal data only with the following sub-processors, each bound by a written contract meeting GDPR Article 28 requirements:

  • Replit (US, via GCP): primary application hosting
  • Railway (EU): EU-resident deployment option and database backups
  • Neon (US East 1, via AWS): PostgreSQL database
  • OpenAI (US): LLM processing, paid API, no training
  • Anthropic (US): LLM processing, paid API, no training
  • Google (US, Gemini API): LLM and image generation, paid API, no training
  • Tavily (US): web search and content extraction
  • Mailtrap (EU): transactional email
  • GitHub (US): source code repository
  • Scrut (US): compliance audit platform
  • Google Workspace (US/EU): internal email and documents
  • Notion (US): internal CRM and documentation
  • Iubenda (EU): cookie consent management

A current list is maintained and available on request. We notify clients at least 30 days before adding or replacing a sub-processor. EU clients may request deployment on our EU-resident Railway infrastructure to avoid cross-border data transfers for the application layer. Note that LLM and web-search processing by the US-based sub-processors listed above (OpenAI, Anthropic, Google, Tavily) still involves a transfer outside the UK/EEA regardless of deployment region, covered by the safeguards described under International Transfers. The EU deployment is outside the scope of our current ISO 27001:2022 and SOC 2 Type II audits (completed March 2026); extension of audit scope is planned.

International Transfers

Where personal data is transferred outside the UK/EEA, we rely on the 2021 EU Standard Contractual Clauses (Modules 3 and 4 as applicable) and, for transfers subject to UK GDPR, the ICO's International Data Transfer Agreement (IDTA) or its International Data Transfer Addendum to the EU Standard Contractual Clauses (the UK Addendum).

Security

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Role-based access control and MFA for administrative access
  • Quarterly access reviews and annual penetration testing
  • ISO 27001:2022: certification audit passed March 2026; certificate pending issuance by the certification body (audit coordinated through Scrut)
  • SOC 2 Type II: audit period completed and audit passed March 2026; attestation report pending issuance (audit coordinated through Scrut)
  • Personal data breaches notified within 72 hours of our becoming aware of them
  • Business continuity and disaster recovery plan tested at least annually

Your Rights Under UK and EU GDPR

Subject to UK GDPR and EU GDPR, you have the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. To exercise these rights, email privacy@quartzlabs.ai. We respond within one month; where a request is complex or we receive several from the same person, GDPR allows this period to be extended by up to two further months, and we will tell you within the first month if that applies.
UK complaints: Information Commissioner’s Office (ico.org.uk)
EEA complaints: your local Supervisory Authority
EU Representative (Art 27 GDPR): Jonathan Kahan, Calle de Galileo 19, 28015 Madrid, Spain, privacy@quartzlabs.ai

Your Rights Under US State Laws

This section applies to residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and Montana. Depending on your state, you may have the following rights:

  • Right to know / access: confirm whether we process your Personal Information and obtain a copy
  • Right to correct: request correction of inaccurate Personal Information
  • Right to delete: request deletion of your Personal Information
  • Right to portability: obtain your Personal Information in a portable format
  • Right to opt out of Sale or Sharing: we do not sell Personal Information, and we do not share it for cross-context behavioural advertising
  • Right to opt out of Targeted Advertising: we do not engage in Targeted Advertising
  • Right to non-discrimination: we will not discriminate against you for exercising your rights
  • Right to limit use of Sensitive Personal Information (California): where applicable
  • Right to appeal (Virginia, Colorado, Connecticut, and others): if we deny your request, you may appeal

To exercise these rights, email privacy@quartzlabs.ai. We will respond within the timeframe required by applicable law (typically 45 days, extendable by 45 days for complex requests). If you are not satisfied with our response, you may contact your state Attorney General.
Notice at Collection (California CCPA): In the preceding 12 months, we have collected the categories of Personal Information described in the “Data We Collect” section above. We do not sell Personal Information and do not share it for cross-context behavioural advertising. We retain each category for the periods specified in “Data We Collect.”

Your Rights Under Swiss FADP

If you are in Switzerland, you have rights of access, correction, deletion, and objection under the Swiss Federal Act on Data Protection. Contact privacy@quartzlabs.ai to exercise these rights.

Your Rights Under Brazilian LGPD

If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados including access, correction, anonymisation, portability, deletion, and objection. Contact privacy@quartzlabs.ai. You may also lodge a complaint with the ANPD (National Data Protection Authority).

Children

The Services are not directed to children under 16. We do not knowingly collect Personal Information from children. If we become aware that we have collected such data, we will delete it promptly.

Cookies and Trackers

Our websites use cookies and similar technologies. For details of the specific cookies and trackers used, and to manage your preferences, see our Cookie Policy, which is managed via Iubenda and accessible from the footer of our websites.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to administrative users by email and the Effective Date at the top of this document will be updated. We recommend reviewing this page periodically.

Contact

Privacy enquiries: privacy@quartzlabs.ai
Legal notices: legal@quartzlabs.ai
Postal address: Quartz Labs Ltd, 86-90 Paul Street, London EC2A 4NE, United Kingdom