PRIVACY POLICY

Last updated November 26, 2025

This privacy notice for Forever Box by Design Studio Eiteneuer (“we”, “us”, or “our”), describes how and why we might collect, store, use, and/or share (“process”) your information when you use our services (“Services”), such as when you:

• Use our web application (Forever Box) at foreverbox.app
• Register as a Couple to create a digital time capsule or interact as a Guest to upload media (videos, photos, or audio)
• Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@designstudioeiteneuer.com.

SUMMARY OF KEY POINTS

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with Forever Box. This includes account details for Couples and names/media files provided by Guests.

Do we process any sensitive personal information? We do not affirmatively ask for sensitive personal information. However, because Guests upload video and audio content, such media may incidentally contain sensitive data depending on the Guest's recording.

Do we receive any information from third parties? We may receive information from social login providers (like Google) if you choose to register using those services.

How do we keep your information safe? We use secure serverless environments, encrypted databases (Neon), and industry-standard media storage (Cloudflare R2) to protect your memories.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
5. HOW LONG DO WE KEEP YOUR INFORMATION?
6. HOW DO WE KEEP YOUR INFORMATION SAFE?
7. WHAT ARE YOUR PRIVACY RIGHTS?
8. CONTROLS FOR DO-NOT-TRACK FEATURES
9. DO WE MAKE UPDATES TO THIS NOTICE?
10. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
11. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal Information you disclose to us

In Short: We collect personal information that you provide to us, including media files.

Couple Information: We collect email addresses and names when you create an account. We also store "Event Details" (names of the partners and wedding date) to generate your QR codes and landing pages.

Guest Information: Guests are not required to create an account. However, we collect the Guest's name (as provided by the Guest) and themedia content (Videos, Photos, Audio) they choose to upload to a specific Forever Box event.

Payment Data: We use Paddle as our Merchant of Record. We do not store your credit card numbers on our servers. All payment data is processed by Paddle. You may find their privacy notice here: https://www.paddle.com/legal/privacy.

Information automatically collected

In Short: Some information — such as your IP address and device characteristics — is collected automatically for security and rate limiting.

When you visit Forever Box, we automatically collect certain information. This is primarily needed to maintain the security and operation of our Services (for example, to prevent brute-force attacks on Event PINs via Upstash Rate Limiting). This includes:

• Log and Usage Data: IP addresses, browser type, and timestamp of uploads.
• Device Data: Information about the computer or mobile device used to record or view memories.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide the time capsule service, secure the uploads, and communicate with you.

• To deliver the Service: To store media files in Cloudflare R2 and release them to the Couple on the selected "Unlock Date."
• To facilitate account creation: Using NextAuth.js for secure login via Google or Magic Links.
• To protect our Services: To rate-limit PIN attempts and prevent spam uploads.
• To send administrative information: Using Resend to send transaction emails, account notifications, and expiration warnings.

3. WHAT LEGAL BASES DO WE RELY ON?

If you are in the EU or UK, we process your information under the following legal bases:

• Consent: For marketing or when a Guest voluntarily uploads a memory.
• Performance of a Contract: To provide the digital storage and time-release service you purchased.
• Legitimate Interests: To detect fraud, secure the application, and improve our media compression logic.
• Legal Obligations: Where we must comply with tax reporting (via Paddle) or law enforcement requests.

4. WHEN AND WITH WHOM DO WE SHARE YOUR INFORMATION?

We share information with specific service providers to operate the App:

• Cloudflare R2: For secure, private storage of your media files.
• Paddle: For payment processing and tax compliance.
• Neon: For our serverless PostgreSQL database storage.
• Resend: For sending transactional and notification emails.
• Vercel: For hosting our application infrastructure.
• Upstash: For rate-limiting security services.

5. HOW LONG DO WE KEEP YOUR INFORMATION?

Forever Box is built on a specific data lifecycle:

• Active Term: We keep your data for the duration of your purchased tier (1, 3, or 5 years).
• Expiration & Grace Period: After the term ends, data is kept in a "Frozen" state for 7 days.
• Hard Deletion: After the 7-day grace period, all media in R2 and database records are permanently deleted via automated cron jobs. We do not keep archives of deleted wedding memories.

6. HOW DO WE KEEP YOUR INFORMATION SAFE?

We aim to protect your personal information through a system of organisational and technical security measures. Media files are stored privately in Cloudflare R2 and are only accessible viaSigned URLs that expire after a short duration, ensuring that only the authorized Couple or Guest (with a PIN) can view the files.

7. WHAT ARE YOUR PRIVACY RIGHTS?

Under the GDPR, you have the right to access, rectify, or erase your personal data.

Couples: You can delete specific memories or your entire account via the "Memories" dashboard. Deletion from the dashboard triggers an immediate deleteObject call to Cloudflare R2.

Guests: Since you do not have an account, if you wish to request the deletion of a memory you uploaded, you must contact the Wedding Couple (the Admins) or email us with the specific Event name and the content details.

8. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers include a Do-Not-Track ("DNT") feature. Because there is no uniform standard for recognizing DNT signals, we do not currently respond to them.

9. DO WE MAKE UPDATES TO THIS NOTICE?

Yes, we will update this notice as necessary to stay compliant with relevant laws. The "Revised" date at the top of this page indicates the latest update.

10. HOW CAN YOU CONTACT US?

If you have questions or comments about this notice, you may email us at privacy@designstudioeiteneuer.com or contact us by post at:

11. HOW CAN YOU REVIEW, UPDATE, OR DELETE YOUR DATA?

To request to review, update, or delete your personal information, please submit a request to privacy@designstudioeiteneuer.com. We will respond to your request within 30 days.