BOXWOODSign in

Privacy Policy

Effective April 9, 2026

1. Who We Are

BoxWood is a commodity hedge management platform operated by BoxWood Inc. This Privacy Policy explains how we collect, use, and protect information when you use BoxWood (including the BoxWood Excel Add-in).

2. Information We Collect

We collect only what is required to operate the service:

  • Account data: name, work email, organization, authentication factors (Google OAuth identifier or WebAuthn passkey public key).
  • Customer hedge data: trades, confirmations, production forecasts, hedge policies, and MTM snapshots that you or your organization upload.
  • API usage: API key identifier, timestamp, endpoint, and response code for each request to our data endpoints.
  • Market data: publicly available CME, ICE, EIA, and price reporting agency settlements (not personal data).

3. How We Use Information

  • Deliver the BoxWood service and its Excel Add-in functions to you.
  • Authenticate users and enforce customer-level data isolation.
  • Send transactional notifications (daily MTM, market, and working orders reports) that you have opted into.
  • Diagnose errors, detect abuse, and maintain service availability.

We do not sell personal data, advertise to users, or use customer hedge data to train machine learning models. AI features use providers (Anthropic Claude, Google Gemini via Vertex AI) configured under zero-data-retention, zero-training terms.

4. Data Sharing

Customer hedge data is visible only to users within the same customer namespace. BoxWood enforces row-level isolation in its database and at the API layer. The BoxWood Excel Add-in can only return data for the customer that issued the API key used by the add-in.

We share data with these processors, strictly to run the service:

  • Supabase (database and authentication)
  • Vercel (application hosting)
  • Resend (transactional email)
  • Anthropic, Google Vertex AI (AI validation and assistant features · zero retention)
  • DocuSign (electronic signature for trade confirmations)

5. Data Retention

Account data and customer hedge data are retained for the life of the customer relationship and for a reasonable period afterward for audit and legal purposes. You may request deletion at any time by emailing support@boxwood.cc.

6. Security

Data is encrypted in transit (TLS 1.2+) and at rest. API keys are stored as SHA-256 hashes, not in plaintext. Access to production systems is limited to BoxWood staff under least-privilege controls.

7. Excel Add-in

The BoxWood Excel Add-in stores your API key locally in browser storage scoped to the add-in. The key never leaves your machine except in authenticated HTTPS requests to BoxWood. The add-in does not read data from your workbook and does not transmit workbook contents anywhere.

8. Contact

Questions about this policy: support@boxwood.cc.

BOXWOOD · A ComCurv companyPrivacy · Terms · Support