Last updated: June 2024


You can access previous versions of the Privacy Policy at this link


The person responsible for this Privacy Policy is Aotech Security Solutions SLU (hereinafter Aotech Security), whose identification details can be reviewed here.


What is a Privacy Policy and why is it important to read it?

A Privacy Policy is a document that explains the data collected and used by a platform, website or application, as well as the measures it applies to protect it. For this reason, it is important that you read the Privacy Policy before providing any personal data, or allowing the data of minors in your care. When you read the Privacy Policy you have:

  • Know your rights: The Policies inform you of your rights, such as the right to access your data, correct it if it is wrong, or even ask for it to be deleted.
  • Control over your data: Understanding the policy allows you to make informed decisions about what data you’re willing to share.
  • Security & Privacy: Helps you understand the security measures employed to protect personal data. This is crucial, especially if the information you provide is sensitive or personal.
  • Guarantees of compliance: In the event that you understand your rights are affected, you can resort to the complaint mechanisms provided for in the Privacy Policies.

In short, reading the privacy policy helps you protect your personal information and gives you control over how it is used and shared. It’s an essential step in making sure you understand and agree with the privacy practices of the service you’re using.

In short, it is essential that you read our Privacy Policy to understand how we collect, use and protect your personal data. These Policies are complemented by our Data Processing Addendum (DPA), a commitment we have with the Educational Institutions that hire our services, and which you can request in [email protected]

In any case, if you do not agree with the provisions of our Privacy Policy, we ask you not to register on the Platform, as we expressly request that you comply with the Policy.

If you are already registered and do not agree with our Privacy Policy, you can unsubscribe directly from the personal account area, or directly request the deletion of the account and the deletion of your data.

If you have any questions or concerns about this, you can email us at [email protected]


Terms we use that are important for you to know:

For you to understand this Privacy Policy, it is important that you are familiar with the following terms:

Personal Data or Personal Information: Any information that relates to an identified or identifiable natural person. A person is considered identifiable if he or she can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data, an online identifier, or through one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social context. This definition includes, but is not limited to, information that can be used on its own or with other data available to a data controller, to identify a natural person.


Processing of personal data

Data Processing Addendum: This is a legally binding document that is part of a contract between the personal information controller or data controller, and the processor or provider accessing the personal information under the former’s responsibility. It details the specific obligations related to the processing of personal data, including the nature and purpose of the processing, the types of personal data to be processed, and the security measures to be implemented.

Privacy Policy: It is a legal document that describes how an organization collects, uses, stores, protects, and discloses individuals’ personal information. This policy must be clear, transparent, and accessible to users or data subjects, and must comply with applicable data protection laws in the relevant jurisdictions.

Data Controller: This is the person or entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 regulating the protection of natural persons with regard to the processing of personal data and the free movement of such data. It sets out requirements for the processing of personal data within the European Union.

FERPA: A federal law in the United States that protects the privacy of students’ education records and provides parents and students with certain rights with respect to those records. Once the student reaches the age of 18 or enters a post-secondary level institution, these rights are transferred to the student.

Third-Party Websites, Platforms, and Applications: To get the most out of Boxie, users may employ functionalities that are integrated or connected with third-party websites, platforms, or applications. For example, LMSs, Google Classroom, Vimeo, YouTube, etc.


Purpose of the Policy

The purpose of this Privacy Policy is to inform you about how Aotech Security, owner of Boxie and data controller of the educational platform, collects, uses, protects, and handles your personal data in accordance with the regulations in force in the European Union and the United States. The main components of our policy are as follows:

What is Boxie and what is its purpose?

Identification of the Data Controller: Here you will find information about Aotech Security, responsible for collecting and using your personal data to provide you with the service.

Purposes of Processing: We explain the specific reasons why we collect your personal data and the processes involved.

Personal Data Processed: We detail what types of personal data we collect, how we use it, and the legal bases for processing it.

Security Measures: We describe the technical and organizational measures implemented to protect your personal data and ensure its confidentiality, integrity, and availability.

User Rights: We provide detailed information about your rights under the GDPR and FERPA, including how you can exercise them to manage your personal data.

International Data Transfers: Information about transfers of personal data outside of your geographic region, the safeguards applied, and how we protect your data in these cases.

Data Breach Procedures: Details on how we respond to security incidents, including notifications to affected parties and regulatory authorities.

Use of Cookies and Similar Technologies: Clarification on the use of cookies and tracking technologies, including how you can adjust your preferences.

Data Retention: Specifications on the retention period of your personal data and the criteria for determining that duration.

Contact and How to Lodge Complaints: Contact information for our offices, the Data Protection Officer if applicable, and how you can lodge complaints with supervisory authorities.

These Policies seek not only to comply with current legislation, but also to promote transparency and trust between us and our users.


Our Privacy Principles

● At Boxie, we are committed to ensuring that our services are always aimed at processing user data, especially when they are minors:

● Under strict compliance with the law, loyalty, and transparency towards users. Any use of personal data will be reported to users, their parents or guardians, and to the educational institutions that hire us.

● Limiting its use to the stated purpose: Our purposes are specific, explicit, and legitimate, limited to fulfilling an educational function. Users’ information will not be used in a manner incompatible with those purposes.

● The personal information we collect is adequate, relevant, and limited to what is necessary in relation to the purposes for which we have disclosed.

● The personal information we store about our users must be accurate and current. We take reasonable steps to ensure that user data that is inaccurate is deleted or rectified without delay.

● We limit the retention period of our users’ data, which cannot last longer than is necessary for the purposes of which we have informed them.

● We guarantee integrity and confidentiality. We guarantee protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.






Special Considerations for Minors

If you use Boxie to process data of persons under the age of 18, this Policy is primarily intended for parents and legal guardians. It is crucial that guardians are informed and, if necessary, consent to the data processing necessary for the use of the tool by minors in their care.

Minor students can create an account on Boxie, but it must be linked to an institutional or teacher account that has integrated them into their educational environment.

The use of Boxie by minors will depend, in any case:

  • From the purchasing of Boxie by the educational entity.
  • The educational entity’s configuration of Boxie to be integrated into other educational platforms, environments, and applications, such as learning platforms or Personal Identification Systems, as well as the restrictions it activates based on the age of the minor or the approved uses of Boxie.
  • With the authorization of parents or guardians, who will be informed of this Privacy Policy and who, where appropriate, must consent to its use for access and communication of records.

Minor users, students, will be able to access and share information with other students in a limited way, depending on the configuration made by the teacher and the educational entity.

Parents and guardians who wish to do so may obtain the personal information and records of their children or minors in care that appear in Boxie, by making a request in this regard to the educational entity that has contracted the service.

In any case, the accounts of minor users associated with the service we provide to an educational entity will depend on it. As such, in the event that an educational institution asks us to delete an account or restrict data processing, we will take this action under the data processing agreement we have with it.


Special Considerations by Jurisdiction


Users in the European Union (GDPR):

For users within the European Union, this Privacy Policy is governed by the General Data Protection Regulation (GDPR). This implies a commitment to the protection of your personal data, providing a high level of security and transparency in the processing of your data. Specific sections under the GDPR detail your rights to access, rectify, and delete your personal data, among others.


Users in the United States (FERPA):

For users in the United States, we comply with the Family Educational Rights and Privacy Act (FERPA) and other applicable regulations that protect students’ educational and personal information. For users of educational institutions operating under U.S. federal regulations, specific sections designed to ensure compliance with these laws apply, including, but not limited to, the protection of educational records and the management of parental or guardian consent when required.

In any case, we assume the following commitments in compliance with FERPA:

Information Protection: We implement advanced administrative, physical, and technical security measures to protect student information from unauthorized access, alteration, disclosure, or destruction.

Data Access and Control: We ensure that only authorized personnel within educational institutions have access to educational records. We respect the policies of the institution and applicable law regarding the handling and disclosure of such records.

Consent and Data Disclosure: We adhere to FERPA’s requirements regarding obtaining explicit consent from eligible parents or students before disclosing any personal information, except where permitted by law without consent. Boxie does not sell or lease any of your, or your students’ personal information to any third party for any purpose, including for advertising or marketing purposes.

Transparency and Compliance: We provide educational entities with all the information necessary for them to comply with their obligations under FERPA. This includes providing details about data collection, use, and management practices within our app.

Training and Awareness: We ensure that our staff is trained in privacy and security policies, especially as it pertains to the protection of educational data under FERPA.

Responding to Data Breaches: As described in this Policy, and in our Data Processing Addendum, in the event of a data breach, we follow strict procedures to notify affected educational institutions in a timely manner, and we work with them to mitigate the effects of such breach.


Global Compliance:

We recognize the importance of data privacy in a global context and strive to comply with relevant local regulations in all jurisdictions in which we operate. This approach allows us to offer a service that not only respects local laws, but also fosters a culture of respect and care for the privacy of all our users, regardless of their geographic location.


Special Considerations for Educational Institutions


Educational Institutions in the European Union:

For educational institutions located in the European Union, it is essential to comply with the General Data Protection Regulation (GDPR), in particular Article 28 which refers to data processing by processors. To provide the service to the Centre, we act as data processors and in this context we have included in the Data Processing Addendum detailing our obligations and how we protect the personal data we process on your behalf. The Addendum can be requested at


Educational Institutions in the United States:

In the U.S., it is also essential that schools properly understand and manage the privacy and security of student data. To this end, we provide a Data Processing Addendum that contains our commitments to ensure the security and protection of the data managed by the Educational Center. This documentation details the security measures in place and specific compliance processes to ensure data integrity and confidentiality.

In the case of children under thirteen years of age, we provide educational entities with the means to obtain parental consent, complying with the provisions of COPPA (School Consent) and FERPA, if required.

On the other hand, in the event that the school designates us as a “school official”, in such a way that the school entrusts us with a service or function for which the entity would otherwise employ its own workers, the consent of parents or guardians will not be necessary according to FERPA.

It will be up to the institution to articulate the mechanisms that we make available to them to adapt the use of Boxie within their institution.


General Commitment to Safety and Compliance:

In both cases, we are committed to providing transparency in data processing practices and to providing the necessary means for schools to comply with their legal data protection obligations. Our goal is to be a reliable and responsible partner in the management of personal data, ensuring compliance with all applicable laws and regulations in the regions we serve.


Privacy Policy Summary

  • Data Controller: AOTECH SECURITY SOLUTIONS SLU (hereinafter Aotech Security)
  • Purposes of processing: All services provided through ClassInTheBox (CITB), including: Processing purchases, resolving queries, providing services, sending commercial communications about our products and services.

We may provide services directly or at the request of a third party, such as the educational center to which you belong or your company.

What is Boxie and ClassintheBox

We are a platform that helps educators harness the power of video and learning through books, through student engagement features and automated generation of learning resources.

This policy is applicable to all websites and web platforms that operate through the domains,,, as well as from the applications and integrations that we develop and make available to Educational Institutions and users.

This policy does not apply to websites, platforms or applications to which you link, and which are outside the control of Aotech Security, nor is it applicable to third-party websites, platforms or applications.

These third-party websites, platforms or applications have their own privacy policies, which users and customers must be aware of and accept if they use them.

Third-party content, uploaded by users to the platform, which contains personal information is also excluded. It is the responsibility of users and customers to have the authorizations and rights of third parties with respect to third parties.

Notwithstanding the above, Boxie promotes the responsible use of its application. Therefore, if you become aware of the upload of content with personal information of third parties, and that may constitute a violation of their rights and freedoms, please let us know at [email protected]

Why Boxie processes personal data and the purpose of this Privacy Policy

In order to use our tools, users must have a user account, either created directly or promoted by their educational institution.

Once the account has been created, more personal data will only be collected in cases where users provide this information, either by appearing in the audiovisual content uploaded to the platform, or by adding this information in the fields enabled for the enrichment of videos and documents.

This privacy policy establishes the purposes for which personal data and all personal information that we collect and use directly are processed, through the domains,,, as well as from the applications and integrations that we develop and make available to Educational Institutions and users.

At any time you are free to choose whether or not to register with Boxie, decide what information you share with the application, with whom you share it and, if you deem it necessary, unsubscribe and delete your user account.


Who we are and our responsibility in the processing of the data you provide us with

The Data Controller of personal data related to Boxie is AOTECH SECURITY SOLUTIONS, a Spanish company, identified with CIF B87293361 and registered office located at AVENIDA DE SICILIA, 71 – 28042 GALAPAGAR, MADRID (SPAIN). All data controllers and contact forms can be found in the legal notice on the company’s website.

At AOTECH SECURITY SOLUTIONS we are committed to protecting the personal information of Boxie users, respecting the legal requirements on data protection and with the maximum guarantees of confidentiality and security.

From the e-mail [email protected], all questions related to the data processing carried out by Boxie of its users are directly addressed.

Please bear in mind that, in the event that you access the platform at the direction of your Educational Center, the Data Controller may be the aforementioned Educational Center. Contact them for more information on the purposes of the processing of your data, its legal bases, as well as any other aspect that may be of interest to you. However, you can also contact us at the email address provided above and we will work together to obtain this information.


Means of collecting personal data

We collect data from our users:

● Through the registration form on Boxie
● Through the subscription form of our newsletter
● Through our contact email, when you communicate any questions or requests
● Through a Single Sign On (SSO) process: The user can register and access Boxie’s services by identifying themselves with a trusted provider.
● CITAB’s use and transfer to any other application of information received from Google’s APIs will be governed by the Google API Services User Data Policy, including the Limited Use requirements. This applies in particular to information collected through Google Classroom.
● Through cookies: We use cookies that will be installed in the user’s browser depending on the type of acceptance that the user makes in the cookie notice when entering the website. For more information on website cookies, please visit Cookies Policy.


What types of data do we process, for what purpose and what is the legal basis that enables such processing?

We process the following personal data for the purposes set out below. The information provided to us by the owner of the data must be truthful in order to provide our services.

If you do not provide us with your personal data, we may not be able to provide the services.


Data processed Purpose of the processing Legal basis for processing and type of data
Name and surname and email Registration on the platform.

The legal basis for this processing is the provision of the service, provided for in the Terms and Conditions that the user has accepted, as well as in the agreements reached with Educational Institutions.


Name and surname, email and/or telephone number, shipping address, order history.


Manage purchases of our products and process orders you place with us, whether they are carried out over the Internet, or if they are requested by telephone or by email.

The legal basis for this processing is the contractual relationship that we establish for the purchase or contracting of our products and services.


Name and surname, email and/or telephone number.


Resolve queries made to us about our products and services, whether made by email, form or telephone. The legal basis for this processing is our legitimate interest in being able to resolve your doubts and respond to your requests. We understand that it is within the expectations of the interested party that their data be processed for this purpose.

Name and surname, email, profile picture, images captured by the user’s camera(s) and voice, as well as all personal information that the interested party may record in the recordings made or imported with the application.


Provide Boxie’s services through its web platform and the applications linked to or in which it is integrated.

The legal basis for this processing is the contractual relationship that we establish with the user by contracting our services, in accordance with the accepted Terms and Conditions.

In the event that the service is contracted by an Educational Entity for its teachers and students, the legal basis is the agreement entered into with said entity.

First name, last name and email address.

Sending commercial communications to our customers, with information about our contracted products and services, and those that are similar to those previously purchased.

Any person who has purchased any of our products through our website or by telephone becomes a customer.

The legal basis for this processing is our legitimate interest.

We understand that it is within the expectations of the interested party that their data be processed for this purpose. However, the interested party has the right to object to continuing to receive commercial communications, through a link in the commercial communication itself.


User browsing data on our websites and applications through cookies.


The provision of the service, in those cookies that are essential or necessary, and to be able to carry out an analysis of the performance of our applications and websites, in analytical and statistical cookies.


The legal basis for cookies that are not essential or necessary is the express consent provided by the user through the cookie banner.

For more information on the processing of data by means of cookies, please consult our cookie policy.



Some special treatments


Data processing on behalf of teachers and educational entities

In the event that you are a teacher or an educational entity and you use Boxie with your students, you are responsible for the processing of their personal information and you assume responsibility for the role of data processor and you act as a data controller, under the terms provided for in the General Data Protection Regulation (EU 679/2016) and the Spanish legislation on the protection of personal data (LOPDGDD, Organic Law 3/2018).

In this case, you must request the data processing addendum to [email protected]

Voice and Image Data in Voice Command and Image Recognition Capabilities

In applications where voice commands and image recognition are used, Boxie does not collect biometric data, as it is based on general speech and image recognition patterns that run in the user’s own browser, without this data being transmitted to our servers.


Data Communications to Third Parties for Device Shipment

In the event that the owner of the data purchases products sold by Aotech Security, their contact and telephone details will be provided to the transport companies with which we work to send the products and coordinate the delivery, if applicable.


Offers and links to our app or website, communicated by third parties via email.

If you have accessed our website by clicking on offers that you have received through emails from third parties, Aotech Security will communicate your email to the entity that sent you the email so that this entity can have control that you have benefited from the offer when purchasing our products. In any case, that entity already had his email address as he was subscribed to offers from the entity. For more information, you should consult the privacy policies of the entities to whose offerings you are subscribed.


Böxie Suppliers

 Aotech Security contracts with different providers for the proper functioning of its services. For example, we contract with cloud data storage infrastructure companies, email marketing, parcel delivery, and help and support services. Before proceeding with the contract, Aotech Security verifies that these providers provide the appropriate guarantees and security measures to protect the personal information of their users. In the following link you have a list of the providers that can access Boxie information, and the services they provide to us.


Data retention

 Böxie retains the data for as long as is strictly necessary to provide its service. The following are the storage periods for the data that we process at Aotech Security:

Types of Methods Retention period
Processing of purchases and contracting of services The legal statute of limitations for legal and tax obligations related to the contracting of products and services.
Query resolution and user support A maximum of one month from the date the query was made, unless the person is a customer or user, in which case the different retention periods provided for in this table will apply.
Provision of services During the entire time that the service is provided and the user keeps his/her account active. Once the service has ended, the data is kept for the legal period of limitation due to legal and tax obligations related to the services provided.
Sending communications about products and services that may be of interest Until the recipient objects to further communications.
Sending commercial communications to our potential customers Until the recipient revokes their consent and/or decides to object to the sending of further communications.

Rights of Data Subjects

In accordance with current regulations, our customers and users have the right to:

– To be correctly informed about the processing of their personal data
– To revoke consent at any time for processing that is based on consent
– To request the rectification or deletion of your data
– To limit the processing of your data, during the time in which another request is resolved and you consider that the processing may cause you harm.
– To object to treatment
– Data portability

The exercise of your rights can be carried out by notifying [email protected]

If the user or client considers that we have not satisfactorily resolved the exercise of their rights, they may:

– File a complaint with the Spanish Data Protection Agency, for those customers or users residing in the European Union.
– File a complaint with the U.S. Department of Education’s Office for Civil Rights or appropriate authority in your territory, for customers or users located in the United States.

In any case, the withdrawal of consent and the right to object to the sending of commercial communications can always be done at the following address: [email protected]


We use cookies

We analyze users’ browsing data using cookies. For more information, please consult our cookies policy.


International Data Transfers

Böxie complies with European and US regulations on international data transfer, giving European citizens the option to host their data in the European Economic Area and, in any case, to have it transferred to the United States in compliance with the requirements of the US-EU Privacy Framework.

On the other hand, Boxie offers U.S. entities to host their data in data centers in their territory, complying with the state and federal regulations that apply to them.


Security measures: We protect the data of our users and customers

Aotech Security adopts technical and organizational measures necessary to prevent the loss, misuse, alteration, unauthorized access and theft of the personal data processed.

Specifically, we apply the default security measures in Böxie:

1. Encryption of data in transit and at rest to and from Böxie.
2. Access management and identity control on the platform.
3. Strong Password Policies
4. Regular audits and regularized access logs
5. Special protection measures against malware and ransomware
6. Rigorous physical security measures of our servers
7. Backup & Disaster Recovery
8. Segmentation and isolation of our networks.
9. Regular vulnerability scans and penetration testing
10. Continuous safety training for our employees
11. Ongoing updating and maintenance of our app
12. Use of secure data transfer protocols
13. Regular data protection impact assessments
14. Protocols for Reporting and Managing Security Breaches

In the event that all or a portion of Boxie or its assets are acquired by or merged with a third party, personal information that we have collected from users would be one of the assets transferred to or acquired by that third party. This Privacy Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within thirty (30) days following the completion of such a transaction, by posting on our homepage, and by email to your email address that you provided to us. If you do not consent to the use of your personal information by such a successor company, you may request its deletion from the company. In the unlikely event that Boxie goes out of business, or files for bankruptcy, we will protect your personal information, and will not sell it to any third party.


Social Media

Aotech Security is the owner of accounts and profiles on different social networks. The data processing carried out by Aotech Security is that allowed by the social networks themselves through their services, without extracting personal data from these social networks of their followers and users. Aotech Security uses these social networks to inform about its products and services in compliance with the contracting conditions established by the owners of the social networks themselves.


Policy Changes

Any changes made to our policies will be informed and communicated to our users and customers. In the event that the change is substantial, affecting the purposes and privacy principles to which we have committed, Boxie will again seek the consent of such users and customers.


Use Limits

Böxie confirms that it does not collect, maintain, use, or share student personal information beyond what is needed for authorized educational purposes or as authorized by the parent or student. Educational purposes include services or functions that take place at the direction of the educational institution or their teacher/employee, and that aid in the administration or improvement of educational and school activities, such as instruction, administration, and the development and improvement of educational products and services.


Student Profiles

Böxie confirms that it does not create or maintain student profiles for non-educational purposes. All student profiles are created and maintained solely for authorized educational purposes, and no student personal information is used for purposes beyond those authorized by the parent or student.


Behaviorally Targeted Ads

Böxie confirms that it does not engage in behavioral targeting of advertisements directed at students. Böxie does not sell personal information and does not collect, use, or share student personal information for any purposes beyond the authorized educational purposes or as authorized by the parent or student.


Third Parties

Böxie ensures that any third parties with whom it shares student data adhere to the same Pledge principles as Böxie. This includes, but is not limited to, maintaining high standards of security and data retention. Böxie only contracts with third parties that have policies consistent with these principles, ensuring that student data is handled with the same level of care and protection as Böxie provides.


Data Accessibility

Böxie provides schools and districts with the ability to access, update, or delete student data. This is done through our secure platform, which allows authorized school personnel to manage student data as needed. Schools and districts can request access to student data, make corrections, or delete data through their administrative dashboard or by contacting Böxie’s support team.

Böxie uses student personal information, including indirect identifiers such as emails and IP addresses, to provide and improve educational services. This information is collected and maintained on an individual level to ensure personalized and secure access to our platform. We use this data to support educational activities, communicate with users, and enhance the functionality of our services. All data is handled in compliance with FERPA and GDPR regulations, ensuring it is used only for authorized educational purposes and protected against unauthorized access.