TL;DR
We don't see your conversations. We don't store your model API key. Your Google access token stays on your device, never on our servers. The only data we hold is your email (for shipping and support) and the fact that you bought a NotiBox.
Who we are
NotiBox is a plug-and-play AI assistant device that runs in your home on NVIDIA Jetson hardware. NotiBox is a company registered in Poland. We do not sell ads, we do not collect data to train models, and we do not resell your data to partners.
Data controller (GDPR): NotiBox [TODO: fill in the full legal entity name, registered address and tax ID (NIP) — see §1 of the Terms]. For data protection and privacy matters: prywatnosc@notibox.ai.
Data we collect
Data is collected in three clearly separated places:
1. The notibox.ai website
- At checkout: name, email, shipping address, billing data. Stored in Stripe and by us for 5 years (tax obligation).
- Newsletter sign-up: email only. One-click unsubscribe.
- Analytics: Vercel Analytics — aggregated on Vercel's side, no cookies, no fingerprinting, no per-user identification. No Google Analytics, no Facebook Pixel.
2. Your NotiBox device (at your home)
- Telegram bot token and model-provider API key — stored locally in an encrypted keystore on the device SSD. Never sent anywhere.
- Google access and refresh tokens — stored locally in a per-user encrypted keychain on the device (see below).
- Conversation history — stored locally, 30 days by default (configurable 1–∞ days, or off).
3. OTA update + support server
- Once a day your device asks our server for available updates. Data sent: serial number, OS version, country (from IP). No conversation content.
- Tailscale VPN — when you open a support ticket and enable remote access, an operator can see system logs (not conversations) for a 48h window.
Waitlist & newsletter
If you sign up through the "waitlist" form in the footer, that's a separate, lightweight dataset (just your email), independent of the device and your Google account.
- What we collect: your email address (optionally the sign-up source / UTM parameters if you arrived from a specific link).
- Why: to tell you about the NotiBox launch and news.
- Legal basis: your consent (Art. 6(1)(a) GDPR), given by ticking the checkbox at sign-up. We use double opt-in — after sign-up we send a confirmation-link email; without clicking it we do not add you to the list.
- Where we store it: on NotiBox infrastructure (server in the EU, Frankfurt) — not with a third-party mailing-list provider.
- Who sends the email: for delivery only we use an email provider (Resend) — solely to deliver the message.
- How long: until you withdraw consent or unsubscribe.
- Withdrawing consent: any time — the "unsubscribe" link in the email footer or a message to prywatnosc@notibox.ai. You also have the right of access and erasure (see Your rights).
AI models & content processing
NotiBox uses external language models to answer and act on your data. The model provider can vary — e.g. Google Gemini, Anthropic Claude, OpenAI or xAI (an example list, not exhaustive). There are two access modes, with different data flows.
Mode 1 — your own key (BYOK)
You enter your own API key for a chosen provider in the device panel (notibox.local/panel). The device connects to that provider directly using your key — traffic goes device → provider, bypassing NotiBox servers.
- The key is entered on a panel served by your NotiBox, on your local network. It is stored in an encrypted LUKS container on the SSD and never leaves your LAN.
- NotiBox servers do not see the key, the content, or even the fact that you sent a request. In this mode your data (including Google data) never reaches NotiBox infrastructure at all — we are technically unable to view it. This is the strongest privacy option.
Mode 2 — NotiBox-managed plan
If you use a model under a NotiBox plan, content passes through a gateway on the NotiBox server to the model provider appropriate for your plan (varies by plan — e.g. Gemini for basic plans, Claude for higher ones; it may also be OpenAI, xAI or another). The gateway (audit-verified 21 May 2026):
- relays content only in transit — it does not store or log it (the code passes only metadata, verbose logging is disabled, the billing database holds no content, and the cache is kept in RAM only),
- records only metadata in billing: token counts, cost and model name — no message content,
- does not expose content to NotiBox staff or support — we have no access to the content of your data.
In both modes, the chosen AI provider processes content under its own data policy — NotiBox does not control its retention. Major providers' commercial APIs do not use submitted data to train models by default, but the details depend on the provider and your plan. It's worth reading the policy of the provider you choose.
Google account integration
NotiBox can — optionally and only with your consent — connect to your Google account so the assistant can work across your Gmail, Drive, Calendar, Contacts, Sheets and Docs. The device works without this; the Google integration is an extra feature you enable yourself in the device panel (/integracje) and can disable at any time.
How we access your data
- You connect your own Google account through Google's standard OAuth consent screen, authorizing exactly the scopes you see there.
- After your consent, Google returns a one-time, short-lived authorization code. Our backplane (vendor.notibox.ai) relays this code only to your device. The code is single-use and deleted immediately after it is read.
- The exchange of the code for tokens (including the refresh token) happens locally on your device. Tokens are stored in an encrypted, per-user keychain on the NotiBox SSD. Tokens never reach our servers. We hold no copy of your Google token and cannot log in to your account from our infrastructure.
How we use your data
We use data from Google APIs only to provide user-facing assistant features: reading and summarizing email, sending and organizing mail, managing calendar events, working with documents and spreadsheets, and addressing messages from your contacts. We never use it for advertising, profiling, or model training.
How we store and share your data — AI processing
When the assistant summarizes or analyzes the content of your Google data (e.g. an email, document, or event), that content is sent to an AI model to perform the requested feature. The same two modes apply as for all AI handling (see AI models & content processing):
- BYOK mode — Google data goes from the device directly to your provider and never reaches NotiBox servers at all.
- Managed plan — content passes through a gateway on the NotiBox server in transit only (no storage or logging of content; billing is metadata only; no staff access to content). This is the only point at which data from your Google account may pass through our infrastructure — and only in this mode.
Regardless of mode, the chosen AI provider processes content under its own policy (retention, training) — described above. Aside from this transit, we do not sell your Google data and do not share it with other parties except as described in the Limited Use commitments below.
How you revoke access and delete your data
- In the device panel: /integracje → "Disconnect Google account". The token is removed from the device keychain.
- On Google's side: revoke NotiBox's access at any time at myaccount.google.com/permissions.
- Disconnecting stops all further reads of and actions on your Google data.
OAuth scopes we request
We request only the scopes the assistant needs. Some are classified by Google as sensitive or restricted; these require Google verification and are subject to the Limited Use requirements below.
| Scope | Classification | Why we use it |
|---|---|---|
| gmail.modify | Restricted | Read and summarize email, send replies, organize the mailbox (labels, archiving) on your instruction. |
| gmail.settings.basic | Restricted | Read and change basic mail settings (e.g. signature, vacation responder) when you ask. |
| gmail.settings.sharing | Restricted | Configure mail forwarding and delegation when you ask. |
| drive | Restricted (full) | Read existing files and create and save new documents on your Drive. |
| calendar | Sensitive | Create, read and manage events in your calendar. |
| contacts, contacts.other.readonly, directory.readonly | Sensitive | Access contacts so the assistant can address email and recognize people. |
| spreadsheets (+ drive) | Sensitive | Read and edit Google Sheets. |
| documents (+ drive) | Sensitive | Read and edit Google Docs. |
| openid, email, userinfo.email | Basic | Identify the account you connect. |
We request the full drive and gmail.modify scopes intentionally: the assistant is meant not only to read but also to create and organize content on your instruction. The actual access always matches what you approve on Google's consent screen.
Limited Use — Google API compliance
NotiBox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In practice, that means four commitments:
- We use data from Google APIs only to provide or improve user-facing features that are prominent in the application (assistant: reading/summarizing email, managing calendar, working with documents, etc.).
- We do not transfer data to third parties except: (a) as necessary to provide or improve user-facing features and with the user's consent, (b) for security purposes, (c) to comply with applicable law, or (d) as part of a merger or acquisition, with prior notice to users.
- We do not use Google API data for serving advertisements (including personalized ads, remarketing, or advertising profiling).
- We do not allow humans (ours or our service providers') to read user data unless: (a) the user gives affirmative consent to read specific data, (b) it is necessary for security (e.g. investigating abuse), (c) required by law, or (d) the data is aggregated and anonymized for internal operations.
These commitments are consistent with how NotiBox actually behaves. The transfer of content to the chosen AI provider (commitment 2) happens solely to perform a user-facing feature that you initiate yourself. Commitment 4 — no human reads your data — concerns NotiBox infrastructure: in BYOK mode your data never reaches it at all, and on a managed plan the gateway does not log content (audit-verified), so staff and support have no access to it.
Retention & deletion
- Google tokens: kept on the device until you disconnect; removed from the device keychain on disconnect.
- Google content: processed on demand; by default we do not build a persistent copy of your mailbox or Drive on our side.
- Invoices: retained 5 years (tax obligation).
- Everything else: deleted on request (see GDPR rights below).
Your rights (GDPR)
- Access — request via the support page; we send all data we hold about you within 14 days.
- Rectification — as above, tell us what to change.
- Erasure — we delete everything except invoices (tax obligation, 5 years).
- Portability — JSON format, on request.
- Complaint — to the Polish DPA (Prezes UODO).
Changes to this policy
Current version: 1.0, 12 April 2026. If we change anything material, we will give 30 days' notice before it takes effect.
Support and everything else — through our support page.
For data protection and privacy matters: prywatnosc@notibox.ai