GDPR Compliance
Your privacy rights under the General Data Protection Regulation
Our Commitment to GDPR
Boxed is fully committed to complying with the General Data Protection Regulation (GDPR). We believe that data protection is a fundamental right, and we have implemented comprehensive measures to ensure your personal data is handled securely and transparently.
This page outlines your rights under GDPR and explains how we protect your personal data. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, these rights apply to you.
Your GDPR Rights
Right to Access
You have the right to request a copy of all personal data we hold about you. We will provide this information within 30 days of your request.
Right to Rectification
If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it.
Right to Erasure
Also known as the 'right to be forgotten,' you can request that we delete your personal data under certain circumstances.
Right to Restrict Processing
You can request that we limit how we use your data while we verify accuracy or consider your objection to processing.
Right to Data Portability
You can request your data in a structured, commonly used format to transfer to another service provider.
Right to Object
You have the right to object to processing of your personal data for direct marketing or based on legitimate interests.
Legal Basis for Processing
Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:
Contract Performance
Processing necessary to perform our contract with you, including identity verification, task assignment, and payment processing.
Legal Obligations
Processing required to comply with legal requirements, such as tax reporting and responding to lawful government requests.
Legitimate Interests
Processing necessary for our legitimate business interests, such as fraud prevention, security, and service improvement, where these do not override your rights.
Consent
For certain processing activities, such as marketing communications, we rely on your explicit consent, which you may withdraw at any time.
International Data Transfers
As a global platform, we may transfer your personal data to countries outside the EEA. When we do so, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with an adequacy decision from the European Commission
- Binding Corporate Rules where applicable
- Your explicit consent for specific transfers
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our compliance with GDPR and handle your data protection queries.
How to Exercise Your Rights
To exercise any of your GDPR rights, you can:
Email Our DPO
Send a request to dpo@boxed.com with your specific request and proof of identity.
Use Account Settings
For certain requests like data access or deletion, you can use the privacy settings in your account dashboard.
Response Time
We will respond to your request within 30 days. Complex requests may take up to 90 days, and we will inform you if this is the case.
Right to Lodge a Complaint
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. You can do this in the EU member state where you live, work, or where the alleged infringement took place.
We encourage you to contact us first so we can address your concerns directly. However, this does not affect your right to contact your local data protection authority.
Questions About GDPR?
If you have any questions about how we handle your data or your rights under GDPR, please don't hesitate to reach out.