Nadabox

Nadabox Privacy Policy


Last updated: July 6, 2026

Nadabox is a doorstep returns and recycling concierge. We pick up returns and recyclable packaging from your door, keep your items in verified custody until they're processed, and show you the environmental impact of what you divert. This Privacy Policy explains what personal information we collect through our website (nadaboxclub.com), our iOS and Android apps, and our related services (together, the "Services"), how we use and share it, and the choices and rights you have.

Nadabox is operated by Nadabox Holdings LLC ("Nadabox," "we," "us," or "our"). Our operator platform is branded Unship. This policy applies to the consumer Nadabox Services. It is incorporated into and supplements our Terms of Service and, where you receive text messages from us, our SMS Terms.

Please read this policy alongside those documents. If you do not agree with it, please do not use the Services.


1. Who this policy applies to

The Services are intended for residents of the United States and are directed to people 18 years of age or older. We do not currently offer the Services in the European Union, the United Kingdom, or other regions outside the United States. If you access the Services from outside the United States, please be aware that your information will be processed in the United States, where data-protection laws may differ from those in your location. See "International users" below.

The Services are not directed to children and are intended for adults 18 and older. We do not knowingly collect personal information from anyone under 18. See "Children's privacy" below.


2. Information we collect

We collect the following categories of personal information. We only collect what we need to run the Services, and several categories below are provided directly by you.

Account and identity information

  • Email address. Required for every account. We use passwordless sign-in, so you receive a secure "magic link" by email to log in. You may also sign in through a third-party provider (see "Sign-in providers" below).
  • Name. Your first and last name, collected after sign-up.
  • Mobile phone number. Collected after sign-up, used for pickup coordination and, if you opt in, text notifications.
  • Profile details. An optional profile photo (avatar) and, for business accounts, a business name and account type.

When you upload a profile photo, we automatically strip all embedded metadata — including any GPS coordinates — before storing the image. Profile photos are stored in a public image bucket and are only reachable through the link associated with your profile.

Sign-in providers

You can create or access your account using a third-party sign-in provider. The provider tells us your basic account identifiers (such as your email address) so we can authenticate you. We do not receive your password for that provider. The specific providers available to you are shown on our sign-in screen.

Address and pickup information

  • Service addresses. Street address (including any unit/line 2), city, state/region, and postal code for each place we pick up from. You can save more than one address and mark a primary. Your postal code determines whether you're in a serviceable area.
  • Access notes. Any instructions you give us to reach your pickup point (for example, "gate code," "side door," "leave with doorman").

Return and recycling information

When you schedule a return or recycling pickup, we collect the details you provide and generate to manage it:

  • Retailer, item description, return reason, and order or return-authorization number.
  • Approximate item value, return deadline, packaging type, and any carrier tracking number.
  • Your preferred pickup date and your UnshipTag (our custody-tracking identifier for the item).
  • Photos you upload — for example, a photo of the item or of a retailer's return QR code / return screenshot (up to five per return).
  • Extracted return fields. When you upload a return screenshot or QR code, our assistant reads it to auto-fill fields such as the item, refund amount, deadline, and return method, so you don't have to type them. See "Photos and our assistant" and "How we share information."

Photos you upload

Return and QR-code photos are stored in a private storage area scoped to your account, accessible only to you and to authorized Nadabox personnel processing your pickup. As with profile photos, we strip all embedded metadata — including any GPS location — from every photo you upload before storing it.

Our operations team may also attach photos to custody events for an item (for example, a photo taken at pickup or hand-off) as part of chain-of-custody verification. Within your account view, these appear only as an indicator that a photo exists for that step.

Camera (mobile apps)

Our mobile apps may ask for permission to use your device's camera so you can capture a photo of a return item or scan a retailer's return QR code directly, instead of uploading an existing image. We only access the camera when you take a photo or start a scan. Any image you capture with the camera is treated exactly like a photo you upload: we strip all embedded metadata (including any GPS location) before storing it, we keep it in the private per-account storage area described above, and — if it is a return screenshot or QR code — the image is sent to our AI vision service solely to auto-fill your return details, as described in "Photos and our assistant." We do not record video or use the camera in the background.

Assistant (Nia) conversations

Our in-app assistant, Nia, answers questions about your account, pickups, returns, and impact. Your messages to Nia and Nia's responses are stored in your account so you have a history of your conversations. Nia's answers are generated from your own account data. Today, Nia's conversational responses are produced by our own rule-based system — your chat messages are not sent to any third-party AI model. The one exception is image reading, described next.

Photos and our assistant

When you upload or capture a return screenshot or QR-code image, that image is sent to a third-party AI vision service (Anthropic's Claude) solely to read the return details and auto-fill your return form. Only the image is sent for this purpose — your chat messages are not. If this feature is unavailable, your form fields simply remain blank for you to complete manually.

Payment information

We use Stripe to process payments and manage subscriptions. Stripe collects and processes your card details directly. We do not store your full card number. We keep only a Stripe customer reference and your subscription identifiers and status so we can manage your plan and billing.

Communications and support

  • Support and inquiries. If you contact us, join a waitlist, or submit a franchise, partner, investor, or amenity inquiry, we collect the details you provide (such as your name, email, and message).
  • Privacy and deletion requests. When you ask us to export or delete your data, we record the request so we can verify and fulfill it.

Device and technical information

  • IP address. We use your IP address transiently to protect the Services (for example, rate-limiting sign-in attempts) and for error diagnostics. If you consent to text messages, our records of that consent may include your IP address and basic device information.
  • Session data. To keep you signed in, we store authentication session tokens. On mobile, these are held in your device's secure storage (iOS Keychain / Android Keystore).

We do not use advertising identifiers, device fingerprinting, or third-party analytics/tracking SDKs in the Services.

Biometric app-lock (mobile apps only)

Our mobile apps offer an optional Face ID / Touch ID / fingerprint lock so you can require biometric authentication to open the app. This check is performed entirely by your device's operating system. Nadabox never collects, receives, stores, or transmits any biometric identifier, template, face geometry, or fingerprint data. Your biometric data never leaves your device's secure hardware. All we store is a simple on-device setting indicating whether you turned the app lock on.

Location information

The Nadabox consumer website and apps do not currently collect your device's precise or background GPS location. The apps do not request device-location permission. We determine service eligibility from the postal code you enter, not from device location.

Our Terms reserve the ability to use location and geofence data to verify pickups and hand-offs in the future (for example, on the driver side of a pickup). We are not describing that as a current practice. If we begin collecting device location through the consumer apps, we will request the appropriate permission at that time, update this policy, and describe how the data is used before we start.


3. How we use your information

We use personal information to:

  • Provide the Services — schedule and route pickups, manage returns and recycling, and maintain verified chain-of-custody for your items using UnshipTags.
  • Manage your account — authenticate you, remember your addresses and preferences, and determine whether you're in a serviceable area.
  • Process payments — manage subscriptions, checkout, and billing through Stripe.
  • Read your return screenshots — auto-fill return details from images you upload or capture, so you don't have to type them.
  • Calculate your environmental impact — compute metrics such as boxes and packaging diverted, weight diverted, and estimated CO2 saved, based on your activity.
  • Communicate with you — send transactional messages such as pickup reminders, return status updates, and service notices by email. If you opt in and we enable text notifications, we will also send certain messages by text.
  • Provide support — answer your questions through Nia and our support team and resolve issues.
  • Keep the Services secure and reliable — prevent fraud and abuse, rate-limit and protect sign-in, diagnose and fix errors, and maintain chain-of-custody and audit records.
  • Meet legal obligations — comply with tax, accounting, insurance, regulatory, and legal requirements, and preserve records where required.

We do not use automated decision-making, including profiling, that produces legal or similarly significant effects concerning you. Features such as auto-filling a return form from an image or calculating your impact metrics do not make any decision with legal or similarly significant effect about you.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.


4. How we share your information

We share personal information only as described here. We use trusted service providers ("processors") that handle data on our behalf and under contract, and only for the purposes we specify.

Service providers we use:

  • Cloud database, authentication, and file storage — hosts our database, handles sign-in (magic link and third-party sign-in), and stores the files you upload (profile photos, return and QR photos). This provider processes essentially all account, address, return, and conversation data on our behalf.
  • Web hosting — hosts and runs our website and its server functions.
  • Payment processing (Stripe) — processes your payments and manages subscriptions. Stripe handles your card data directly under its own privacy policy.
  • Transactional email — sends account and service emails such as return confirmations and notifications.
  • AI vision (Anthropic / Claude) — reads the return/QR images you upload or capture to auto-fill your return details, as described above. Only the image is sent for this purpose.
  • Sign-in providers — if you choose to sign in with a third-party provider, that provider authenticates you and shares basic identifiers with us.
  • Error monitoring — helps us detect and fix problems. Before any error report is sent, we scrub personal information — emails, tokens, phone numbers, and addresses are redacted — so only a sanitized diagnostic envelope is shared.

A current list of our sub-processors is available on request at the contact address in "Contact us."

Other ways we may share information:

  • Text-message delivery. If you opt in to text messages and we enable text notifications, we will use a messaging provider to deliver them. Information you provide for text messaging is not sold, rented, or shared with third parties for their own marketing.
  • Legal and safety. We may disclose information when we believe it's required by law, subpoena, or other legal process, or when necessary to protect the rights, property, or safety of Nadabox, our users, or others, to enforce our Terms, or to investigate fraud or abuse.
  • Business transfers. If Nadabox is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to this policy.
  • With your direction or consent. We share information when you ask us to or otherwise consent.

If in the future we buy return shipping labels on your behalf, the carrier or label provider would receive the shipping details necessary to create that label. This is not active today; if we enable it, we'll update this policy.

We do not share your information with advertising networks or data brokers, and we do not allow our processors to use your information for their own purposes.


5. Cookies and similar technologies

Our website uses a small number of strictly necessary cookies to keep you signed in and to operate core features. We do not use advertising cookies, cross-site tracking, or third-party analytics or marketing trackers, and we do not currently serve a cookie-consent banner because we do not use non-essential cookies. Our mobile apps do not use web cookies; they store sign-in tokens in your device's secure storage instead.


6. Data retention

We keep personal information for as long as your account is active and as long as we need it to provide the Services, and afterward as required to comply with our legal, tax, accounting, insurance, and regulatory obligations, resolve disputes, prevent fraud, and enforce our agreements. When we no longer need information for these purposes, we delete or de-identify it.

We apply the following general retention criteria:

  • Active-account data (profile, addresses, returns, custody events, impact metrics, subscriptions, and your conversations with Nia) — retained while your account is active and until you delete it, except records we must keep as described below.
  • Billing and transaction records — retained for seven (7) years to meet tax and accounting requirements.
  • Chain-of-custody and audit records — retained for seven (7) years for dispute resolution, fraud prevention, and legal-hold purposes.
  • Backups — copies of data may persist in routine backups and are rotated out within 90 days.
  • Closed-account residuals — where we must retain information after account closure (for the reasons above), we keep only what is required and for no longer than as required by law.

When you delete your account, we write an immutable audit record noting the deletion.


7. Security

We take the security of your information seriously. We encrypt personal information in transit and at rest, and we enforce row-level access controls so that your data — including your private return photos — is only accessible to you and to authorized personnel who need it to run the Services. We scrub personal information from error and diagnostic logs, store authentication tokens in secure device storage on mobile, and rate-limit sensitive actions to protect against abuse.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and any regulators as required by applicable law.


8. Your choices and rights

You have meaningful control over your information regardless of where you live.

Access and export

You can download a copy of your Nadabox data at any time. Sign in and go to Account → Privacy → Export information to download a JSON file of your profile, customer record, addresses, subscriptions, membership records, returns, custody events, impact metrics, and your conversations with Nia.

Correction

You can update your name, phone number, addresses, and other profile details directly in your account settings. To correct anything you can't edit yourself, email us at privacy@nadaboxclub.com.

Account deletion

You can ask us to delete your account and personal information at any time. You can start account deletion from within the iOS and Android apps and on the website at Account → Privacy → Requests — this is the primary method. You can also email us as a fallback.

Because deletion is permanent and we need to confirm it's really you, we handle deletion as a verified request rather than a one-click action:

  • In the app or website, go to Account → Privacy → Requests and submit an account-deletion request, or
  • Email us at privacy@nadaboxclub.com from the address on your account.

Once we verify your request, we remove your active account data — including your profile, addresses, returns, custody events, impact metrics, uploaded photos, your conversations with Nia, and subscription records — and cancel any active subscription. As noted in "Data retention," certain records may be retained where the law requires or to prevent fraud, and residual copies may remain in backups for a limited time before they age out.

Communication preferences

You can unsubscribe from non-essential emails using the link in those emails. If you opt in to text messages, reply STOP to any message to opt out or HELP for help. We may still send you essential transactional messages about your account and active pickups.

Sign-in and app lock

You control the optional biometric app lock in your mobile app's settings. Turning it off removes the on-device setting; no biometric data was ever collected in the first place.


9. Your California privacy rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the CPRA:

  • Right to know the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to delete the personal information we have collected from you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of your personal information. We do not sell your personal information and we do not share it for cross-context behavioral advertising, so there is nothing to opt out of — but you may still exercise the right.
  • Right to limit the use of sensitive personal information.
  • Right to non-discrimination. We will not deny you service, charge you a different price, or provide a different quality of service because you exercised your privacy rights.

Categories of personal information we collect map to the sections above and include: identifiers (name, email, phone, account identifiers); customer records (billing and payment identifiers processed by Stripe); commercial information (returns, subscriptions, transaction history); internet/network activity (IP address, session data, error diagnostics); geolocation (postal code only — we do not collect device GPS); visual information (photos you upload or capture, with location metadata stripped); and the contents of your communications with us and with Nia. We collect these directly from you and generate some of them through your use of the Services. We disclose them to the service providers listed above solely to run the Services. We do not sell or share any category.

Sensitive personal information. The sensitive personal information we collect is limited to your account log-in credentials and payment/financial identifiers (handled by Stripe). We use this information only to provide the Services you request and do not use or disclose it for purposes that would require us to offer a right to limit its use under CCPA/CPRA (Cal. Civ. Code §1798.121). We do not collect precise geolocation (we use postal code only).

How to exercise your rights: use the export and deletion tools in your account, or email privacy@nadaboxclub.com. We will verify your request using information associated with your account and will respond within 45 days (extendable by an additional 45 days with notice, as the CCPA permits). You may use an authorized agent to submit a request on your behalf; we may ask the agent for proof of authorization and may ask you to verify your identity directly.


10. Your rights in the EU, UK, and similar regions (GDPR)

Our Services are directed to the United States and we do not currently offer them in the European Economic Area or the United Kingdom. If, however, applicable data-protection law such as the GDPR or UK GDPR applies to your use of the Services, the following applies.

Legal bases. We process your personal information to:

  • Perform our contract with you — to provide pickups, returns, custody tracking, billing, and support (account, address, return, and payment data).
  • Pursue our legitimate interests — to secure the Services, prevent fraud, diagnose errors, and improve reliability, in a way that does not override your rights.
  • Comply with legal obligations — tax, accounting, and regulatory record-keeping.
  • Act on your consent — for optional features such as text-message notifications, which you can withdraw at any time.

Your rights. Subject to applicable law, you may request access to your personal data, correction of inaccurate data, erasure, restriction of or objection to certain processing, and data portability (a machine-readable copy — available through the export tool). You may also withdraw consent where processing is based on consent, and lodge a complaint with your local supervisory authority.

We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects concerning you (GDPR Art. 22).

To exercise these rights, use the tools in your account or email privacy@nadaboxclub.com. We will respond within the timeframes required by law.


11. International users

We operate and store data in the United States. If you access the Services from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States and other countries where we or our service providers operate. Those countries may have data-protection laws that differ from those in your home jurisdiction. Where cross-border transfers of data protected by EU/UK law occur and a safeguard is required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), and you may request a copy of the relevant safeguard at the contact address below.


12. Children's privacy

The Services are intended for adults 18 and older and are not directed to children. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from someone under 18 without proper consent, we will delete it and close the account. If you believe a minor has provided us personal information, please contact us at privacy@nadaboxclub.com.


13. Third-party services

The Services rely on the providers named above (including our cloud database and authentication provider, web host, Stripe, our email provider, our AI vision provider, and any sign-in provider you choose). Those providers process your information under their own privacy policies and our agreements with them. Our Services may also reference retailers and carriers relevant to your returns. We are not responsible for the privacy practices of third-party websites or services we do not control; we encourage you to review their policies.


14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you through the Services or by email. Your continued use of the Services after an update means you accept the revised policy. We encourage you to review this page periodically.


15. Contact us

If you have questions about this Privacy Policy or how we handle your personal information, or to exercise any of your rights, contact us:

  • Entity: Nadabox Holdings LLC
  • Privacy email: privacy@nadaboxclub.com
  • General email: hello@nadaboxclub.com Nothing in this Privacy Policy limits any rights you have under mandatory data-protection or consumer-protection laws that apply to you. To the extent a governing-law reference applies (consistent with our Terms of Service), it does not override those mandatory rights.