PersonaBox

Privacy Policy

Effective Date: March 27, 2026

PersonaBox, Inc. (“PersonaBox,” “we,” “our,” or “us”) respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, and safeguard your data when you use our website (personabox.app), Chrome extension, and related services (collectively, the “Services”).

If you do not agree with this Policy, please discontinue use of our Services.

1. Information We Collect

We collect the following types of information when you use PersonaBox:

a. Account Information

When you sign up or log in using Clerk, we collect basic information such as your name, email address, and organization.

b. Payment Information

When you subscribe or make a purchase, payment details are processed securely by Stripe. We do not store your credit card number or billing details directly.

c. Usage Data

We collect analytics data, including feature usage, browser type, device information, and actions within our Chrome extension and web app. This data helps us improve product performance and user experience. We use Google Analytics and PostHog for this purpose.

d. Documents and Content

When you upload or analyze text or documents using PersonaBox, we temporarily process this data to provide AI-powered insights and messaging feedback. Documents may be processed using LlamaIndex Cloud for parsing and retrieval. Data may be stored in Supabase for functionality and analytics.

e. AI Processing

When you use AI-related features, your data (such as text snippets or prompts) may be securely transmitted to OpenAI and Anthropic APIs to generate responses. We do not sell or train models on your proprietary content.

f. Chrome Extension Storage

The Chrome extension stores selected content, personas, user preferences, and analysis results locally on your device using Chrome's storage API. This data is stored locally in your browser and is only transmitted to our servers when you explicitly request content analysis.

g. Email Communications

We use Resend to send transactional emails such as account notifications and service updates. Your email address is shared with Resend solely for the purpose of delivering these communications.

h. Newsletter and Email Marketing Data

PersonaBox provides a newsletter feature that allows you to create, manage, and send email newsletters to your subscribers. This feature involves the following data collection and processing:

  • Subscriber data: When you add subscribers to your mailing list, their email addresses and optional names are sent to and stored by Mailgun (our email delivery provider).
  • Newsletter content: Newsletter drafts, including text, images, styling, and layout, are stored in our database for as long as your account is active.
  • Sender domain configuration: When you set up a newsletter sending domain, we configure a sending domain on your behalf and store your domain configuration (sender name, sender email, reply-to address, and privacy policy URL) in our database.
  • Email engagement tracking: Mailgun tracks email engagement metrics on our behalf, including opens, clicks, bounces, unsubscribes, and spam complaints.
  • Unsubscribe handling: Every newsletter includes an unsubscribe link. When a recipient unsubscribes, they are automatically removed from your mailing list.

i. Web Content Analysis

When you analyze web content, we may use Browserbase to securely access and process publicly available web pages. This allows us to provide content analysis features. Only content you explicitly request to analyze is processed.

j. Source Code and Repository Data

When you connect a GitHub repository and enable automated product updates, we access the following data from GitHub via our GitHub App integration:

  • Pull request metadata (title, description, labels, author).
  • Code diffs (the changes introduced by a pull request).
  • Repository contents (temporarily cloned for context during visual generation).

How your code is processed: Your repository is cloned into an isolated sandbox environment powered by E2B (a third-party sandbox provider). These sandboxes are isolated virtual machines hosted entirely on E2B's infrastructure — not on PersonaBox servers. Your source code is never stored on PersonaBox infrastructure, databases, or file systems.

Sandbox lifecycle: After the initial workflow completes, the sandbox is paused (not immediately destroyed) so that you can return to edit generated animations via our video editing feature. While paused, your cloned repository remains on E2B's infrastructure. Paused sandboxes are automatically destroyed by E2B after a retention period of up to 25 days, after which all data within them — including your repository clone — is permanently deleted. We do not control or have access to paused sandbox data outside of your authenticated editing sessions.

What we retain: Only the AI-generated outputs are saved — marketing copy, screenshots, and high-level codebase learnings (general patterns and insights, not source code). Raw code diffs and repository contents are processed in memory during the workflow and are not persisted to our database.

Third-party AI processing: Truncated portions of your PR diff (up to 60KB) are sent to AI providers (OpenAI and Anthropic) to generate marketing copy and visuals. These providers process data under their respective data processing agreements and do not use your data for model training.

2. How We Use Your Information

We use your information to:

  • Provide and improve our Services.
  • Authenticate and manage your account.
  • Process payments and subscriptions.
  • Analyze product performance and user engagement.
  • Communicate with you about updates, security, or product changes.
  • Deliver newsletters and email marketing campaigns on your behalf to your subscribers via Mailgun.
  • Comply with legal obligations and enforce our Terms of Service.

3. Data Sharing and Disclosure

We may share your information with:

  • Service providers who help us operate the platform (e.g., Clerk, Stripe, Supabase, Mastra, Google Analytics, OpenAI, Anthropic, LlamaIndex Cloud, PostHog, Resend, Mailgun, Cloudflare, Browserbase, E2B, GitHub, Brandfetch, Cal.com, Svix).
  • Legal authorities if required by law, court order, or to protect our rights.
  • Business transfers, such as mergers, acquisitions, or financing events.

We do not sell personal information to third parties.

4. Data Retention

We retain your personal data as long as your account is active or as needed to provide our Services. You may request deletion of your data at any time by contacting mike@personabox.app.

Chrome Extension Data: Selected content and analysis results are stored locally in your browser with a maximum of 5 items in your history. You can clear this data at any time by clearing the extension's storage through Chrome's settings or by uninstalling the extension. Analysis results stored in our database are retained as long as your account is active.

Newsletter and Subscriber Data: PersonaBox does not store subscriber email addresses or names. This data is managed entirely by Mailgun and is subject to Mailgun's Privacy Policy. Newsletter content (drafts, styling, and layout) is stored in our database for as long as your account is active. Email engagement metrics (opens, clicks, bounces, unsubscribes) are managed by Mailgun. When a subscriber unsubscribes, they are automatically removed from your mailing list.

Source Code and Repository Data: Your source code is never stored on PersonaBox servers or in our database. During processing, your repository is cloned into an isolated E2B sandbox (third-party infrastructure). After the workflow completes, the sandbox is paused to allow you to edit animations, and is automatically destroyed by E2B after up to 25 days. Raw PR diffs are processed in memory and are not persisted. Only AI-generated outputs (marketing copy, screenshots, and high-level codebase learnings) are retained for as long as your account is active. GitHub authentication tokens are generated fresh for each session, scoped to a single operation, and are never persisted. We do not use your source code or repository data to train any AI models.

5. International Data Transfers

We operate in the United States. Our primary data storage (Supabase), sandbox processing (E2B), and email delivery (Mailgun) are hosted in the United States. AI providers (OpenAI, Anthropic) may process data in the United States or other regions in accordance with their respective data processing agreements.

For users in the European Union, United Kingdom, or Switzerland, we rely on approved transfer mechanisms such as Standard Contractual Clauses (SCCs) to safeguard your data. If you have specific questions about data location for your organization, please contact us at mike@personabox.app.

6. Your Rights

Depending on your location, you may have the right to:

  • Access, correct, or delete your personal information.
  • Object to or restrict certain processing activities.
  • Request data portability.
  • Withdraw consent at any time (where applicable).

To exercise your rights, contact us at mike@personabox.app.

7. Cookies and Tracking

PersonaBox uses cookies and similar technologies to enhance functionality, remember preferences, and analyze usage patterns. You can control cookies through your browser settings.

8. Chrome Extension Permissions

Our Chrome extension requests the following permissions to provide its features:

  • Active Tab Access: To read and select content from web pages when you explicitly choose to analyze it.
  • Storage: To save your personas, preferences, and analysis history locally on your device.
  • Cookies: Required for secure authentication via Clerk.
  • Scripting: To inject content selection tools into web pages when you activate the selection feature.
  • Optional Site Access: You may grant the extension access to specific websites to enable content selection. The extension only accesses page content when you actively use the selection feature.

You can manage or revoke these permissions at any time through Chrome's extension settings.

9. Data Security

We use encryption, secure access controls, and regular monitoring to protect your data. However, no online service is 100% secure. You use PersonaBox at your own risk.

10. Children's Privacy

Our Services are not intended for children under 16, and we do not knowingly collect data from minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted on personabox.app/privacy with a new “Effective Date.”

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

mike@personabox.app

PersonaBox, Inc.
Delaware, USA