Privacy Policy

Last updated: July 3, 2026

1. Who We Are

ISPbox (ispbox.net) is operated by Nielogiczny (“we”, “us”), based in Poland. This policy explains what personal data we process when you visit our website or use the ISPbox platform (the “Service”), and what rights you have. For data protection matters, contact us at [email protected].

2. Our Two Roles

We act as a data controller for the personal data of our own users and website visitors (account details, billing, support, analytics). We act as a data processor for the data our customers (internet service providers) store in the platform about their end-customers — that data belongs to our customers, who decide how it is used; we process it only to provide the Service.

3. Data We Collect

  • Account data — name, email address, password (stored hashed), company/tenant name, locale, and role.
  • Billing data — subscription plan, invoices, and payment status. Card payments are handled by our payment processor (Stripe); we do not store full card numbers.
  • Customer Data you store in the platform — records about your end-customers (contact details, services, invoices, payments, tickets) and your network infrastructure. We process this on your behalf.
  • Usage & technical data — IP address, browser type, pages visited, and similar log data needed for security and to operate the Service. Website analytics are collected via a self-hosted, cookie-less Umami instance.
  • Support communications — messages you send to us by email or through the ticketing system.

4. How We Use Data

  • To provide, operate, secure, and improve the Service (performance of a contract, Art. 6(1)(b) GDPR).
  • To process subscription payments and issue invoices (contract and legal obligation, Art. 6(1)(b)–(c) GDPR).
  • To respond to support requests (contract / legitimate interest, Art. 6(1)(b), (f) GDPR).
  • To prevent abuse, fraud, and security incidents (legitimate interest, Art. 6(1)(f) GDPR).
  • To send service-related notices (e.g. billing, security, or feature announcements related to your account).

We do not sell personal data and we do not use Customer Data for advertising.

5. Third-Party Integrations You Enable

The platform can connect to third-party services only at your direction:

  • Intuit QuickBooks Online — if you connect QuickBooks, we synchronize the accounting records you choose (customers, invoices, payments, credit memos) between ISPbox and your QuickBooks company. OAuth tokens are stored encrypted, and we access your QuickBooks data solely to perform the synchronization you configured. You can disconnect at any time in Settings, which revokes our access. Intuit’s processing is governed by Intuit’s Privacy Statement.
  • Stripe — if you enable online payments for your end-customers, payment data is processed by Stripe under Stripe’s Privacy Policy.
  • Email providers — if you connect your own mailbox (e.g. Microsoft 365) to send invoices and notifications, mail is sent through that provider on your behalf.

6. Sharing & Subprocessors

We share personal data only with service providers that help us run the Service — hosting/infrastructure providers, our payment processor, and email delivery providers — under agreements that restrict their use of the data, and with authorities where required by law. We do not share Customer Data with third parties except as described here or as directed by you.

7. Security

All traffic to the Service is encrypted in transit (TLS). Passwords are stored using strong one-way hashing. Sensitive credentials (such as integration tokens and VPN keys) are encrypted at rest. Each customer’s data is logically isolated per tenant. Access to production systems is restricted and logged.

8. Data Retention

We keep account and Customer Data for as long as your account is active. After account termination, Customer Data is deleted or anonymized within a reasonable period (you may request an export within 30 days of termination), except where we must retain records to comply with legal obligations (e.g. tax and accounting law) or to resolve disputes.

9. International Transfers

We store data in the European Union. Where a provider processes data outside the EU/EEA (for example Stripe or Intuit), transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses or an adequacy decision.

10. Your Rights

Under the GDPR you have the right to access, rectify, erase, and receive a copy of your personal data, to restrict or object to its processing, and to withdraw consent where processing is based on consent. You can exercise these rights by emailing [email protected]. You also have the right to lodge a complaint with your supervisory authority (in Poland: the President of the Personal Data Protection Office, UODO). If you are an end-customer of an ISP that uses ISPbox, please direct requests to that ISP — we will assist them in fulfilling your request.

11. Cookies

The application uses strictly necessary cookies for authentication, session management, and security (e.g. CSRF protection). Our website analytics (self-hosted Umami) do not use cookies and do not track you across sites.

12. Changes & Contact

We may update this policy from time to time; material changes will be announced on this page with an updated date, and where appropriate by email. Questions? Contact Nielogiczny · ISPbox at [email protected].