Legal
Privacy Policy
Effective 30 April 2026.
This Privacy Policy explains how GPUBox (operated by Mobile Paradigm Consultancy Ltd, a UK Limited Company; VAT GB 397 0678 46; trading as Frontendlabs) processes personal data. It covers data we collect about you in your capacity as a customer, prospect, or website visitor. For the data you (or your end users) send through the API, see the Data Processing Agreement.
1. Who we are
We are the data controller for personal data we collect about you as a GPUBox customer or website visitor. Contact us at hello@gpubox.ai for any privacy-related question or to exercise your rights.
2. What we collect
| Category | Examples | Purpose | Lawful basis |
|---|---|---|---|
| Account & billing | Name, email, billing address, VAT id | Issue API keys, send receipts, comply with VAT/tax law | Contract; legal obligation |
| Payment | Card details (handled by Stripe; we never see the PAN) | Take payment for top-ups | Contract |
| Usage metadata | API request timestamps, model id, token / unit counts, status code, request id | Bill correctly, prevent abuse, audit | Contract; legitimate interests |
| Customer Data | Inputs sent through the API and outputs returned | Process the request; not retained beyond the request lifecycle | Contract; see DPA |
| Website analytics | Page views, referrer, country (Cloudflare Web Analytics — no cookies, no fingerprinting) | Understand which content is useful | Legitimate interests |
| Support correspondence | Emails to hello@gpubox.ai | Reply to your message; remember context for follow-ups | Legitimate interests |
3. How we use your data
We use personal data to: (i) provide the Service you signed up for; (ii) bill correctly and reconcile payments; (iii) prevent fraud, abuse, and security incidents; (iv) communicate with you about your account and material Service changes; (v) comply with our legal obligations (tax, accounting, lawful disclosure where required).
We do not use your Customer Data or your usage metadata to train, fine-tune, or evaluate any AI model that we or any third party serve to another customer.
4. Where data is stored
AI inference happens on hardware physically located in the United Kingdom. Account, billing, and usage metadata are stored in the United Kingdom. Some subprocessors (see Section 7) host data outside the UK; in those cases we rely on the UK's adequacy regulations, the UK International Data Transfer Agreement (IDTA), or Standard Contractual Clauses with appropriate supplementary measures.
5. How long we keep it
- Customer Data (your API inputs and outputs): not retained beyond the time needed to serve the response, unless you explicitly opt in.
- Usage metadata (per-call audit log): minimum 30 days, typically up to 12 months for billing reconciliation, then aggregated.
- Account & billing records: kept for the life of your account, plus 7 years after the end of the relationship to comply with UK accounting and VAT obligations.
- Support emails: kept for up to 3 years from last contact.
6. Sharing your data
We share personal data only with named subprocessors and service providers under written contracts that bind them to confidentiality and to processing only on our instructions. We do not sell personal data and we do not share it for advertising.
7. Subprocessors (current list)
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe Payments UK Ltd | Payment processing, invoicing | UK / Ireland / US under SCCs |
| Resend Inc. | Transactional email (top-up receipts) | EU (Ireland, eu-west-1) |
| Cloudflare Inc. | DNS, CDN, edge security, web analytics | UK / Ireland / global edge |
| GitHub, Inc. | Source code hosting and CI | US under SCCs |
We will notify you in advance of material changes to this list. The live list always reflects current arrangements; older versions are archived in our git history.
8. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- request deletion ("right to be forgotten") where applicable;
- restrict or object to processing;
- data portability for data we hold under contract or consent;
- withdraw consent at any time, where consent is the lawful basis;
- complain to the Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your data.
To exercise any of these rights, email hello@gpubox.ai. We respond within one calendar month.
9. Cookies and tracking
Our marketing site (gpubox.ai, gpubox.uk) uses no advertising cookies and no third-party tracking. We use Cloudflare Web Analytics, which is cookie-less and does not fingerprint visitors. Our dashboard at /dashboard/ uses localStorage only, to remember your pasted API key on your device — never sent to any third party.
10. Children
The Service is intended for use by businesses and developers and is not directed at children under 16. We do not knowingly process personal data of children for marketing purposes.
11. Security
We implement reasonable technical and organisational measures to protect personal data, including TLS in transit, encryption at rest on infrastructure subprocessors, hashed API keys (we never store the plaintext), least-privilege access, and audit logging. No system is perfectly secure; we will notify affected customers and the ICO of a personal-data breach within statutory timelines where required.
12. Changes
We will post material changes to this Policy with at least 14 days' notice on this page and (where we have your email) by email. The "Effective" date at the top reflects the latest version.
13. Contact
Mobile Paradigm Consultancy Ltd · trading as Frontendlabs · United Kingdom · VAT GB 397 0678 46. Email hello@gpubox.ai for any privacy question. We do not currently have a designated UK representative or DPO; we will appoint one if required when we cross the relevant statutory thresholds.