Privacy Policy

Last updated: 18 May 2026
Effective date: Phase 1 launch (2026-05-22)

GOX ("we", "us", "the platform") respects your privacy. This policy explains what data we collect, why we collect it, how we use it, and how you can control it.

Draft notice: This document is a Phase 1 starter draft. A formal review by qualified counsel is scheduled before public launch (D14 ship gate). Any inconsistency with the laws of your jurisdiction (GDPR / CCPA / Vietnam PDPL) is unintended and will be corrected before that review concludes.

1. Who we are

GOX is operated by GOX Inc. (Delaware C-Corp) and its Vietnam subsidiary GOX Vietnam Co., Ltd. Contact: privacy@gox.life. EU representative + DPO contact will be published before EU launch.

2. Who can use GOX

GOX is for users aged 13 and over. We collect a year-of-birth on signup to enforce this. If you are under 13 (or under the digital-consent age in your country), do not create an account; if you have, contact privacy@gox.life and we will erase the account.

3. What we collect

We collect the minimum necessary to operate the platform.

You give us directly:

  • Account info: email, name, year-of-birth, password (hashed; we never see plaintext).
  • Optional profile data you add later: birth month/day, public birthday flag, notification preferences.

We collect automatically:

  • Session identifiers (cookies — see §7).
  • Approximate region inferred from IP at signup (one of: us / eu / asia / other) — used to apply the right consent flow + tax rules.
  • Audit log of administrative actions on your account (sign-in, password change, etc.), retained 90 days then trimmed to aggregate.

You opt in to share:

  • Saved tools, ratings, comments, posts you publish (Phase 1.5+).
  • Analytics events (page views, clicks) — only if you accept analytics cookies.

We do not sell your data. We do not display third-party ads. We do not use third-party trackers for advertising.

4. Why we collect it (legal basis)

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the service (auth, content delivery) | Contract |
| Comply with legal obligations (audit, AML, age gate) | Legal obligation |
| Improve the product (analytics, A/B tests) | Consent |
| Communicate with you (transactional + opt-in newsletter) | Contract / consent |

5. How long we keep it

  • Account data: while the account is active. After deletion, retained 30 days then permanently erased (legal hold + backup expiry).
  • Audit events: 90 days then aggregated.
  • Analytics events: 13 months then aggregated.
  • IP addresses: 90 days then dropped from logs.

6. Who we share it with

  • Infrastructure providers acting as processors under our control: Neon (database, US East 1), Vercel (hosting, US), Cloudflare (CDN + WAF + geo-routing), Resend (transactional email), Anthropic (AI inference for Cal summaries — claude-sonnet-4-6 model for per-tool summaries; no user PII passed to model inference).
  • Authorities, when legally compelled.
  • A buyer or successor, if GOX is sold or merged. We will notify you 30 days in advance.

We do not transfer your data to processors outside the EU/UK without an adequate-decision country, SCCs, or your explicit consent.

7. Cookies

| Name | Purpose | Required | Lifetime |
|---|---|---|---|
| gox_session | Better Auth session token | Yes | Per-session |
| gox_locale | Remember your locale preference | Yes | 365 days |
| gox_cookie_consent | Remember your cookie choices | Yes | 365 days |
| Analytics cookies (Phase 1.5+) | Product improvement | No (opt-in) | 13 months |

EU/EEA/UK/CH users see a consent banner on first visit (detected server-side via Cloudflare's geographic IP header cf-ipcountry). You can change your choice anytime from Settings → Privacy. Users outside GDPR scope still receive only essential cookies by default; analytics + product cookies require opt-in regardless of geography.

8. Your rights

Under GDPR (EU/UK), CCPA (California), and Vietnam PDPL:

  • Access — see what we have on you.
  • Correct — fix inaccuracies.
  • Erase — delete your account + data.
  • Export — get a machine-readable copy.
  • Object — opt out of analytics/marketing.
  • Restrict — pause processing while we investigate a complaint.

Use Settings → Privacy in the dashboard, or call the API endpoints directly when signed in. Both endpoints require a POST body of {"confirm": true} and are rate-limited to one request per 24 hours per account:

  • POST /api/user/erase — permanent account deletion (GDPR Art. 17)
  • POST /api/user/export — JSON bundle of all your data (GDPR Art. 15)

Rate-limit responses include a Retry-After header (seconds). The confirm body field protects against accidental abuse, browser autofill replay, and drive-by curl. Every DSR attempt — success, rate-limited, or rejected — is logged to our audit trail.
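The sketch below is an added illustration of the request gate described above, not GOX's own code. The function names, the 400/429/200 status codes, the in-memory stores, counting the limit separately per endpoint, and not counting rejected requests toward the limit are all assumptions.

```javascript
// Added illustration; not GOX code. Names and status codes are assumptions.
const WINDOW_MS = 24 * 60 * 60 * 1000; // one request per 24 hours per account

function createDsrGate() {
  const lastAccepted = new Map(); // "accountId:endpoint" -> time of last accepted request (ms)
  const auditLog = [];            // append-only: entries are pushed, never edited or removed

  function handle(accountId, endpoint, body, nowMs) {
    // Every attempt is recorded, whatever its outcome.
    const audit = (outcome) =>
      auditLog.push({ accountId, endpoint, outcome, at: nowMs });

    // Strict check: only the JSON boolean true counts. A missing body,
    // the string "true", or 1 is rejected, so a replayed form post or a
    // bare POST with no body cannot trigger erasure or export.
    if (!body || body.confirm !== true) {
      audit("rejected");
      return { status: 400, headers: {} };
    }

    const key = `${accountId}:${endpoint}`;
    const prev = lastAccepted.get(key);
    if (prev !== undefined && nowMs - prev < WINDOW_MS) {
      // Retry-After is expressed in whole seconds, rounded up so the
      // client never retries a moment too early.
      const retryAfter = Math.ceil((prev + WINDOW_MS - nowMs) / 1000);
      audit("rate-limited");
      return { status: 429, headers: { "Retry-After": String(retryAfter) } };
    }

    // Assumption: only accepted requests start the 24-hour window, so a
    // malformed request does not lock the account holder out.
    lastAccepted.set(key, nowMs);
    audit("success");
    return { status: 200, headers: {} };
  }

  return { handle, auditLog };
}

// Constructed sample run: a second export one hour after the first.
const demo = createDsrGate();
demo.handle("acct-demo", "/api/user/export", { confirm: true }, 0);
console.log(demo.handle("acct-demo", "/api/user/export", { confirm: true }, 3600 * 1000));
```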

Or email privacy@gox.life. We respond within 30 days.

9. Children

We do not knowingly collect data from children under 13 (or under the digital-consent age in your country). If you believe we have, contact privacy@gox.life.

10. Security

  • Passwords are hashed with industry-standard algorithms (Better Auth default — argon2id or bcrypt).
  • All connections are TLS 1.2+ end-to-end.
  • Database access is gated by Postgres row-level security.
  • Audit logs are append-only.

We follow a coordinated disclosure policy. Report vulnerabilities to security@gox.life.

11. Changes to this policy

We will post material changes here and email signed-in users at least 14 days in advance. Continued use after the effective date constitutes acceptance.

12. Contact

  • General privacy: privacy@gox.life
  • Security: security@gox.life
  • DPO (EU): pending appointment, published before EU launch