Privacy Policy

Effective March 27, 2026 · Version 1.0

1. Overview

This Privacy Policy explains how buxjr (“Developer,” “we,” “us,” or “our”) handles information in connection with the Box Email Client (“Software”).

Short version: Your email and personal data stay on your device. We do not collect, store, or sell your data.

2. Information We Do Not Collect

The Software is designed to operate locally and does not collect or transmit the following to the Developer:

  • Email content (messages, attachments, metadata)
  • Contacts or address books
  • Email account credentials (passwords or OAuth tokens)
  • Usage analytics or behavioral telemetry
  • Crash reports or diagnostic data
  • Device activity or interaction tracking

We do not operate servers that store or process your email data.

3. Where Your Data Lives

All user data is stored locally on your device, including:

  • Emails and attachments (SQLite database at ~/.config/Box/)
  • Application settings and preferences
  • Account configuration and contacts

Credentials are stored securely using your operating system’s native keyring via Electron’s safeStorage API, encrypted by your OS using your login session. They are never written to plaintext files or stored in the application database.

The Developer does not have access to this data.

4. Network Connections

The Software may make outbound network connections as part of normal operation. You can verify these at any time using Box’s built-in Connection Log or external tools like ss, netstat, or Wireshark.

4.1 Email Providers

Connections to your configured IMAP and SMTP servers to send, receive, and synchronize your email. These are the servers you choose when adding an account.

4.2 OAuth Providers

When you choose to use OAuth login (e.g., for Microsoft accounts), authentication is handled via your default browser. Box receives only the resulting token, which is stored in your OS keyring.

4.3 Licensing Service

Licensed users may send periodic validation requests to the Developer’s licensing service (locksmith.buxjr.com). These requests include only:

  • Product identifier
  • License key
  • Machine identifier (/etc/machine-id)
  • Device hostname (used to label machines in your activation list)

These requests do not include email content, credentials, IP addresses (not logged by the service), hardware serial numbers, or usage data. Free-tier users never contact the licensing service at all. For full details, see Licensing Transparency.

4.4 DNS Lookups

Box performs outbound DNS lookups to verify email authentication (SPF, DKIM, DMARC). These are standard DNS queries made from your machine to your configured DNS resolver. Box does not operate its own DNS service.

4.5 Remote Content (Optional)

If you choose to load remote images in emails, external servers may receive your IP address. The Software blocks all remote images by default and provides per-sender trust controls. Tracking pixels are detected and neutralized regardless of this setting.

5. No Telemetry or Tracking

The Software:

  • Does not track user behavior
  • Does not collect analytics
  • Does not include third-party tracking libraries
  • Does not send usage data to the Developer

There is no telemetry code in Box because none was ever written. No analytics SDK, no usage reporting, no crash reporting that phones home. The absence is structural, not a setting we promise to leave off. See our Privacy Architecture page for verification methods.

6. No Advertising or Data Selling

We do not:

  • Sell user data
  • Share data with advertisers
  • Use tracking pixels or ad networks
  • Monetize personal information in any way

7. Third-Party Services

The Software interacts with third-party services you configure, such as email providers (Gmail, Outlook, Fastmail, etc.) and OAuth providers (Google, Microsoft). Those services operate under their own privacy policies. The Developer is not responsible for their data practices.

Box connects to these services using standard protocols (IMAP, SMTP, OAuth2) and does not relay your data through any intermediary.

8. Data Security

Box is designed to minimize your attack surface. Credentials are encrypted in your OS keyring. Email is stored in a local database accessible only to your user account. All IMAP and SMTP connections support TLS/SSL encryption. There are no cloud components, no shared servers, and no data that leaves your machine.

Because your data lives entirely on your device, its physical security depends on your environment. We recommend standard practices: keeping your OS updated, using full-disk encryption, and maintaining regular backups of ~/.config/Box/.

9. Children’s Privacy

The Software is not directed to children under 13. We do not knowingly collect personal information from children.

10. Changes to This Policy

If this Privacy Policy changes, the updated version will be published at this URL with a revised effective date. If future versions of the Software introduce any form of data collection, this Policy will be updated accordingly and the changes will be clearly noted.

11. Contact

If you have questions about this Privacy Policy:

buxjr
Email: box@buxjr.com
Website: box.buxjr.com

12. Summary

  • Your email stays on your device
  • We do not collect or track your activity
  • We do not sell or share your data
  • You control what gets transmitted

That’s the entire point of Box.