Privacy Policy
Last updated: 2025-08-19
1 Who We Are
RefineryBox (“we”, “us”) is developed and operated by Frank Li, an independent developer.
Data Controller: Frank Li
Contact: f842213079@gmail.com
2 Scope
This Policy applies to:
- the RefineryBox desktop application (the "Software");
- the RefineryBox website and landing pages (the "Site"); and
- support communications and related services (together, the "Services").
3 Summary (Plain English)
- Local-first: Your text does not go to our servers. We do not run proxy servers for the app.
- BYOK: You use your own API keys. Keys are stored in your OS keychain; we never receive them.
- No tracking: No analytics SDKs or behavior tracking in the Software. The Site avoids tracking; see Cookies & Logs below.
- No account: RefineryBox does not require sign-ups or user profiles.
4 What We Do Not Collect
By design, we do not collect, store, or transmit:
- your text content, prompts, or AI outputs;
- usage analytics, telemetry, or behavior data from the Software;
- device identifiers, fingerprints, or advertising IDs;
- your API keys or other authentication secrets (beyond secure local storage on your device).
5 What We May Process
Although the Software itself does not send data to us, we may process limited information in these situations:
- Support communications. If you email f842213079@gmail.com or use a Site form, we process what you provide (e.g., name, email, message, attachments) only to respond and support you.
- Transactions. If you purchase a license, a third-party payment processor collects billing details. We receive minimal metadata needed for fulfillment and compliance (e.g., transaction ID, product, timestamp, email for receipt). We do not receive full payment card details.
- Voluntary diagnostics. The Software does not auto-send crash reports. If you voluntarily share logs or diagnostic files for troubleshooting, we use them only for that purpose.
- Site access logs. Our hosting provider may maintain standard web server logs (e.g., IP address, user-agent, requested URL, timestamp) for security and operations. We do not link these to app behavior or use them for advertising.
We do not sell personal information, and we do not share it for cross-context behavioral advertising.
6 How the Software Works (Local-First & BYOK)
- Your text is sent directly from your device to the AI provider(s) you configure (e.g., OpenAI, Anthropic) using your API keys.
- We do not operate servers that proxy, inspect, or store your content.
- Each request is stateless; the Software does not keep a history unless you explicitly save it.
- AI Provider Policies: Your chosen provider(s) process your text under their privacy terms. Review their settings (e.g., data-use/training opt-outs) and configure them according to your needs.
7 Clipboard, Permissions & Local Storage
- The Software can optionally read your clipboard only if you enable that setting.
- API keys and sensitive preferences are stored via your operating system's secure keychain (e.g., macOS Keychain, Windows Credential Manager).
- You can remove stored keys at any time in Settings, or directly within your OS keychain.
- If your OS syncs keychain data (e.g., cloud/backup services), that syncing is governed by your OS/vendor settings, not by us.
8 Cookies, Analytics & Web Server Logs (Site)
- We do not use analytics SDKs or behavioral tracking cookies.
- Our host may maintain standard access logs for security and operations (see §5).
- Do Not Track / Global Privacy Control (GPC): We do not track for targeted ads and honor GPC to the extent applicable to the Site.
9 Third-Party Services (Categories)
We use or interact with the following categories of third parties:
- AI Providers (BYOK). You choose the provider(s) in the Software; they act as independent controllers/processors for your text. We do not control their processing.
- Payment Processing. A third-party processor handles checkout and collects necessary billing information. At checkout, the processor's identity and terms are presented. We receive only minimal transaction metadata.
- Email/Support. Our email provider processes your support messages solely to facilitate communication.
- Hosting (Site). Our hosting provider may generate short-retention access logs for operations and security.
We do not sell personal information and do not enable cross-context behavioral advertising.
10 Legal Bases (EEA/UK)
For EEA/UK users who interact with us (e.g., support or purchase), we rely on:
- Performance of a contract (to provide and support the Software);
- Legitimate interests (e.g., prevent fraud, secure our Services); and
- Compliance with legal obligations (e.g., tax/accounting).
Controller: Frank Li (Hangzhou, China). We do not currently appoint an EU/UK representative or DPO.
11 Security
- API keys and sensitive preferences are stored using OS keychain facilities.
- We do not operate production databases storing your content.
- We apply data minimization and reasonable safeguards appropriate for a local-first desktop app.
- No security program can guarantee perfect protection, but we aim to reduce risk commensurate with our size and data profile.
12 Data Retention
- Support communications: retained only as long as needed to respond, resolve, and maintain reasonable records.
- Transactions: retained as required by tax and accounting laws.
- Site access logs: retained by the host for limited durations per host defaults.
- Diagnostics (voluntary): deleted after troubleshooting unless needed for continued support or legal obligations.
13 International Transfers
Support communications and limited metadata may be processed in jurisdictions where we or our providers operate (including China and other countries). We protect information consistent with this Policy and applicable law.
14 Your Rights & Choices
Because we generally do not collect personal data via the Software, rights typically concern support or transaction records.
- Global: Request access, correction, deletion, or a copy/portability of the limited data we hold about you (support/transaction records).
- EEA/UK (GDPR): You may also object to or restrict certain processing and lodge a complaint with your supervisory authority.
- California (CPRA): We do not sell/share personal information. Potential categories we may process (for support/transactions/Site logs): identifiers (e.g., email/IP), commercial info (transaction metadata), internet activity (basic access logs). You may request access or deletion; we do not process "sensitive" personal information.
- China (PIPL): Where applicable, you may request access/correction/deletion and withdraw consent for support communications.
How to exercise rights: email f842213079@gmail.com. We may require reasonable verification (e.g., replying from the same email used previously).
Timing: We aim to respond within 30 days (GDPR) and 45 days (CPRA), extendable where permitted.
15 Children's Privacy
RefineryBox is not directed to children under 13 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.
16 Changes to This Policy
We may update this Policy to reflect changes in our practices or legal requirements. We will update the "Last updated" date above. Material changes will be reasonably highlighted on the Site.
17 Contact
Questions or privacy requests: f842213079@gmail.com
18 Definitions
- "Software": the RefineryBox desktop application.
- "Site": pages at refinerybox.com or associated domains we control.
- "You": an individual user or the entity on whose behalf the Software is used.
- "Personal information / personal data": information relating to an identified or identifiable person, as defined by applicable law.