Privacy Policy

Last updated: 30 March 2026

1. Introduction & Scope

Dev in a Box Limited (“we”, “us”, or “our”) is committed to protecting your privacy. We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This General Privacy Policy applies to all products, services, and websites provided by Dev in a Box Limited, including but not limited to our Windows desktop applications and SaaS products. It covers both current and future offerings unless stated otherwise.

2. Who We Are

The data controller responsible for your personal data is:

We are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR. For any privacy-related queries, please use the contact details provided in Section 15 below.

3. Products Covered

This policy covers the following products and services, including any future products released under the Dev in a Box brand:

Desktop Applications

• GPT Powertoys — Windows client for large language models (OpenAI, Azure)
• PDF Foundry — PDF creation and editing tool
• UniMail Viewer — Lightweight .eml and .msg email file viewer
• RecurCal — Recurring calendar event scheduler

SaaS Products

• Deckfolio — Trading card game collectors platform

As we release new products, they will be governed by this General Privacy Policy unless they have their own Product Privacy Policy, which will be clearly indicated.

4. What Personal Data We Collect

4.1 Desktop Applications

Our desktop applications are designed with a local-first, privacy-by-design approach. They do not collect, transmit, or store personal data on our servers. All data you create or use within our desktop applications remains on your local device. This includes:

• Application settings and preferences
• Conversation history and chat data (GPT Powertoys)
• Documents and files you open or create
• API keys and connection credentials you configure

We do not have access to, nor do we collect, this locally stored data. You may delete this data at any time by uninstalling the application or deleting the relevant files from your device.

4.2 Website

When you visit our website, we may collect standard web server log data such as IP addresses, browser type, and pages visited. We do not use third-party tracking or analytics cookies.

4.3 SaaS Products

Our SaaS products may collect additional data necessary for providing the service, such as account information, usage data, and payment details. The specifics of data collection for each SaaS product will be detailed in the relevant Product Privacy Policy accessible within that product.

5. How We Collect Personal Data

We may collect personal data through the following means:

• Directly from you — when you contact us, submit a support request, or create an account for a SaaS product
• Automatically — standard web server logs when you visit our website
• From third parties — the Microsoft Store may provide us with aggregated, anonymised download and usage statistics

6. Purposes & Lawful Basis for Processing

Where we do process personal data, the purposes and lawful bases under Article 6 of the UK GDPR are as follows:

Where we rely on legitimate interest, our interest is in maintaining the security and functionality of our products and providing support to our users. We have assessed that this processing does not override your rights and freedoms.

7. Third-Party Services & Data Sharing

Certain features of our products allow you to connect to third-party service providers. When you use these features, data is transmitted directly from your device to the third-party service. We do not intercept, store, or process data exchanged with these services on our infrastructure.

Third-party integrations include:

• OpenAI — GPT Powertoys may send your conversation input to OpenAI’s API for processing. See OpenAI’s Privacy Policy.
• Microsoft Azure — GPT Powertoys may connect to Azure OpenAI Service endpoints you configure. See Microsoft’s Privacy Statement.

We do not sell, rent, or trade your personal data to any third parties.

8. International Data Transfers

Our desktop applications process data locally on your device and do not transfer data to our servers. However, when you choose to use third-party integrations (such as OpenAI or Azure), your data may be transferred to servers located outside the United Kingdom, including in the United States.

These transfers are initiated by you and governed by the respective third party’s privacy policy and data processing terms. Where we ourselves transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place in accordance with UK GDPR, including reliance on adequacy decisions or the UK International Data Transfer Agreement (IDTA).

9. Data Retention

Desktop applications: All data is stored locally on your device and is under your sole control. We do not retain any of this data. You can delete it at any time by removing the application data or uninstalling the product.

Website and support enquiries: If you contact us, we will retain your correspondence for as long as reasonably necessary to address your enquiry and comply with any legal obligations, after which it will be securely deleted.

SaaS products: Retention periods specific to SaaS products will be detailed in the relevant Product Privacy Policy.

10. Data Security

We take appropriate technical and organisational measures to protect personal data, including:

• All connections to third-party APIs use modern encryption (TLS/HTTPS)
• Locally stored data benefits from your device’s own security measures (device encryption, user authentication)
• API keys and credentials you store within our applications are kept locally and are not transmitted to us

11. Your Rights Under UK GDPR

Under the UK GDPR, where we process your personal data, you have the following rights:

• Right of access — request a copy of personal data we hold about you
• Right to rectification — request correction of inaccurate personal data
• Right to erasure — request deletion of your personal data (“right to be forgotten”)
• Right to restrict processing — request that we limit how we use your data
• Right to data portability — request your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interest
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
• Rights related to automated decision-making — we do not carry out automated decision-making or profiling

To exercise any of these rights, please contact us using the details in Section 15. We will respond within one calendar month of receiving your request.

Please note that for our desktop applications, data is stored entirely on your device and is not accessible to us. You have full control over this data at all times.

12. Microsoft Store Distribution

Our desktop applications are distributed via the Microsoft Store. As part of the Store platform, Microsoft may collect telemetry, diagnostic data, and usage statistics in accordance with your Windows privacy settings. This data collection is operated by Microsoft and is subject to Microsoft’s Privacy Statement. We may receive aggregated, anonymised statistics from Microsoft about download counts and crash reports but do not receive any personally identifiable information through this channel.

13. Generative AI Disclosure

GPT Powertoys enables you to interact with generative AI models (such as GPT-4) provided by third-party services. Content you input into these features is sent to the configured AI service provider for processing. AI-generated responses are returned directly to your device. We do not process, log, or have access to these interactions.

14. Product-Specific Privacy Policies

Some of our products and services collect, process, or handle personal data in ways specific to that product. Where this is the case, a separate Product Privacy Policy is provided within the product itself, on the product’s store listing page, or on our website.

Products that currently have their own Product Privacy Policies:

• No product-specific policies are currently published. This section will be updated as they become available.

Products not listed above are governed solely by this General Privacy Policy. As we release new products, we may introduce additional Product Privacy Policies, which will be made available within the relevant product and linked from this page.

15. Children’s Privacy

Our products and services are not directed at individuals under the age of 13. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected data from a child, please contact us and we will delete it promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the date of the most recent update at the top of this page. For material changes, we may also provide notice within our products. We encourage you to review this Privacy Policy periodically.

17. Contact Us & Complaints

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle personal data, please contact us at:

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):