Privacy Policy

Last updated: March 2026

This product is designed for privacy-aware technical users: your inventory data stays in the EU, is encrypted in transit and at rest, and agent access is explicit, scoped, and auditable.

1. What We Collect

When you use SmartLittleBoxes, we collect:

  • Account information: Name and email address (via Cognito, Google, or Apple sign-in)
  • Inventory data: Item names, descriptions, photos, locations, tags, and quantities you add
  • Usage data: How you interact with the app (pages visited, features used)
  • Device data: Browser type, operating system, IP address

2. How We Use Your Data

  • To provide and improve the SmartLittleBoxes service
  • To authenticate you and maintain your session
  • To enable AI agent access to your inventory (only when you explicitly enable it)
  • To send service-related emails (account verification, security alerts)

3. AI Agent Access

When you connect an AI agent (e.g., Claude, ChatGPT) via our MCP server:

  • The agent accesses only your own inventory data
  • Agent access must be explicitly enabled by you in account settings
  • All agent operations are logged and visible to you
  • You can revoke agent access at any time
  • We do not send your inventory data to AI providers on our own initiative: it leaves our servers only in response to requests from an agent you have connected, and only within the scope you have enabled

4. Data Residency & Encryption

SmartLittleBoxes is operated with EU-first data residency. Production customer data is stored on EU infrastructure (primary region: eu-central-1, Frankfurt) and protected with encryption in transit and at rest.

  • Encryption in transit: TLS 1.2+ for browser/API traffic and service-to-service communication
  • Encryption at rest: encrypted object and database storage for photos, metadata, and indexed search data
  • Key management: centralized key lifecycle controls, rotation policies, and strict access separation
  • Backups: encrypted backups retained under defined retention windows and deleted per policy

5. Access Controls & Auditability

  • Role-based access controls and least-privilege permissions are used for internal operations
  • Sensitive administrative actions are logged and reviewable
  • Agent operations are tied to your account context and audit logs
  • Sessions use short-lived access tokens paired with refresh tokens

6. Third-Party Services

  • AWS Cognito: Authentication
  • Google / Apple: Social sign-in (subject to their respective privacy policies)
  • Amazon S3: Photo storage

7. Your Rights (GDPR)

If you are in the EU, you have the right to:

  • Access all personal data we hold about you
  • Rectify incorrect data
  • Delete your account and all associated data
  • Export your data in a portable format
  • Object to processing

To exercise these rights, email us at privacy@smartlittleboxes.com.

8. Data Retention

We retain your data as long as your account is active. Upon account deletion, your inventory data and photos are permanently deleted from production systems within 30 days; copies held in encrypted backups expire under the retention windows described in section 4.

9. Contact

Questions about this policy? Contact us at privacy@smartlittleboxes.com.