privacy policy

To make this policy easier to read, here are some terms we use:

• Brag – a customer review submitted via BragBox (video, audio, text, or image).
• Business User – the company using BragBox to collect and manage reviews.
• Customer / Review Submitter – the individual who submits a review.
• Purpose of Collection – Brags are collected so businesses can showcase authentic feedback and improve their services.

BragBox is a trading name of DatrBox Ltd, registered in England under company number 16562581.

Registered Office: 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.

We take your privacy seriously and are registered with the Information Commissioner's Office (ICO) under registration number ZB938203.

This Privacy Policy explains how we collect, use, disclose, and protect personal data when:

• (a) Businesses use BragBox to receive and manage reviews.
• (b) Customers submit a review via BragBox.

We collect personal data directly from you or, in some cases, from the business that invited you to submit a review.

We use cookies and similar technologies to operate the service (essential cookies), understand usage (analytics cookies), and improve performance. You can manage cookies in your browser settings. Where required, we seek consent for non-essential cookies. See our Cookie Policy for details.

We use artificial intelligence tools, including OpenAI services, to:

• Transcribe review content (e.g. convert speech to text).
• Analyse and summarise reviews.
• Provide sentiment tagging to support reporting.

When reviews or user information are sent to OpenAI, they may also be used by OpenAI to train and improve its models.

All AI processing is carried out with safeguards. While AI helps categorise and summarise, all final decisions about review moderation involve human oversight. We do not carry out solely automated decisions that produce legal or similarly significant effects without human involvement.

• Contract: To provide and administer the platform, host and display reviews, and support your account.
• Legitimate Interests: To maintain and improve the service, prevent misuse, and protect security (balanced against your rights).
• Consent: For review collection and display where required, for non-essential cookies, and for certain marketing communications.
• Legal Obligation: To comply with applicable laws and enforce our terms.
• Marketing: Where you consent to receive marketing from us, we will use your contact details to send updates and offers. You can opt out at any time using the unsubscribe link in our emails or by contacting us.

To provide our service, we will send service communications (for example confirmations, status updates, or review links) via email and SMS. These may be automated.

If you wish to receive marketing and business communications from us, you can give your permission when:

• Signing up as a business user.
• Completing a review.
• Joining our guestlist for paused sign-ups.
• Subscribing to our mailing list.

You can withdraw permission to receive marketing and business communications at any time by emailing hello@bragbox.co.uk or privacy@bragbox.co.uk. We will process your request within 5 working days.

We share data with service providers (for example, hosting, email, analytics, payments) strictly as needed to provide the service.

• Primary Storage: Data is hosted in the United Kingdom.
• International Systems: Some processing and storage occurs outside of the UK (e.g. in the USA) using secure cloud partners. We apply enterprise-grade security measures when transferring data and have verified the security and data handling standards of our partners. Where required, we use the UK Addendum to the EU Standard Contractual Clauses to ensure legal protections.

Plain explanation: this means we sometimes use trusted, secure systems in other countries to make sure the service is fast and reliable.

• Business User Data: Retained for the duration of the subscription and deleted within 90 days of account closure unless we must keep it longer by law.
• Reviews: Retained until withdrawn by the customer or deleted by the business controller.
• Logs / Analytics: Retained for a limited period necessary for security and performance.

Retention periods are determined based on the minimum time necessary to fulfil the purposes set out in this policy, legal requirements, and the potential need to resolve disputes or enforce agreements.

• Compliance: BragBox complies with UK GDPR and the Data Protection Act 2018.
• Location: Primary data storage and management is hosted on Google Cloud infrastructure in UK-based data centres, with some secure processing outside the UK.
• Security: Encryption in transit and at rest; access restricted to authorised personnel; enterprise-grade monitoring and safeguards.
• Partner Standards: We verify the security and data controls of all third-party providers.
• Incident Response: We assess, mitigate, and notify where required by law.

Under UK GDPR, you may have the following rights:

• Right to be Informed – about how we process your data.
• Right of Access – to obtain a copy of your personal data.
• Right to Rectification – to correct inaccurate data.
• Right to Erasure – to request deletion of your data.
• Right to Restrict Processing – to limit how your data is used.
• Right to Data Portability – to receive your data in a usable format.
• Right to Object – to processing based on legitimate interests or for marketing.
• Rights Related to Automated Decision-Making and Profiling – to request human review.

Where processing is based on consent, you can withdraw consent at any time.

You can lodge a complaint with the ICO at ico.org.uk, or with your local supervisory authority if outside the UK.

Customers can withdraw their review at any time by:

• Clicking the withdraw link provided in the SMS or thank-you email after submission.
• Contacting us at privacy@bragbox.co.uk.

Important note: The business (data controller) may already have downloaded or shared your review. While withdrawal removes it from active display and the BragBox platform, it cannot undo distribution that has already happened online. If you wish to remove content that has been shared elsewhere, you may need to contact search engines (like Google) or hosting providers directly.

BragBox is not directed to children under 16. Do not submit reviews from minors without appropriate parental/guardian consent and compliance with applicable law.

We may update this policy from time to time. Material changes will be notified via the service or by email.

You can contact our Data Protection Officer by email at privacy@bragbox.co.uk for any privacy-related queries.

Postal: 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

• 7 September 2025 – V1.2 – Added glossary, clarified AI processing with OpenAI, updated withdrawal process, expanded systems/storage explanations, added communications section, and included plain-language explainers.
• 10 August 2025 – V1.1 – Clarified international transfers, data sources, and rights.