Last Updated: 1 October, 2025
Welcome to RewardBox. We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our application and services.
Key Points:
Who we are and how to contact us
What data we collect and why we need it
How we use, share, and store your data
Your legal rights and choices regarding your personal data
How we protect your information
Data Controller: MAGIC CRYSTAL LIMITED ("we," "us," or "our") is the data controller responsible for processing personal data collected through RewardBox.
Contact Information:
Company Address: 66 Shanghai Street, Yau Ma Tei, Kowloon, Hong Kong
Data Protection Officer (DPO): dpo@reward.box
Contact Details: Email address, phone number, and other contact information you provide
Account Information: Username, profile settings, and preferences
Identity Verification: Information required for account verification when applicable
Device Information: Operating system, device model, browser type, IP address, unique device identifiers, battery status, screen activity, network connectivity status
App Usage Data: Features used, session duration, interaction patterns, performance metrics
Web Activity: Targeted application visited, search terms, in-app interactions
Location Data: General location information for service optimization
Session Cookies: Temporary cookies for registration, authentication, and preferences
Analytics Cookies: To understand app usage and improve functionality
Preference Cookies: To remember your settings and accessibility preferences
We do not intentionally collect sensitive personal data (health information, racial/ethnic origin, political opinions, religious beliefs, genetic/biometric data, sexual orientation, criminal records). If such data is inadvertently collected, it will be removed upon detection.
We collect data through:
Direct Collection: When you create an account, contact us, or provide information voluntarily
Automatic Collection: Through your use of the app, including background monitoring (with your consent)
Third-Party Sources: From partners or service providers (only when legally permissible)
Device Permissions: Accessibility permissions, network access, targeted app(s) usage monitoring
Important: We never and will not record the content of your calls, messages, or private communications. If such data is inadvertently collected, it will be removed upon detection.
We process your data based on:
Consent: When you agree to data collection during app setup and grant permissions
Contractual Necessity: To provide and maintain the RewardBox service
Legitimate Interests: For app improvement, security, fraud prevention, and customer support
Legal Compliance: To meet regulatory requirements and respond to legal requests
Provide, operate, and maintain RewardBox’s basic app functionality
Personalize your experience and remember your preferences
Improve app performance and develop new features
Analyze usage patterns for service enhancement
Provide customer support and respond to inquiries
Send important notifications and service updates
Ensure security and prevent fraud or abuse
Conduct research and analytics (in anonymized form)
Comply with legal obligations
Send promotional materials (with your consent)
Provide information about new features or services
Conduct surveys or request feedback
Opt-out: You can unsubscribe from marketing communications at any time.
We may share data with trusted third-party service providers who help us operate our service, including:
Cloud hosting and storage providers
Analytics and performance monitoring services
Customer support platforms
Payment processors (if applicable)
All service providers are bound by strict confidentiality agreements and data protection requirements.
Research collaborators (anonymized/pseudonymized data only)
Technology partners for feature enhancement
Integration partners for expanded functionality
We may disclose data when required by law or to:
Respond to legal processes, court orders, or government requests
Protect our rights, property, or safety, or that of our users
Investigate potential violations of our Terms of Service
Prevent fraud, security breaches, or other illegal activities
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity, subject to the same privacy protections.
Encryption: Data encrypted both in transit and at rest using industry-standard protocols
Access Controls: Multi-factor authentication and role-based access limitations
Secure Infrastructure: ISO 27001 compliant data centers and security practices
Regular Security Audits: Penetration testing and vulnerability assessments
Staff training on data protection and privacy
Regular security policy reviews and updates
Incident response procedures and breach notification protocols
Privacy by design principles in product development
In case of a security incident:
We will investigate and contain the breach immediately
Affected users will be notified within 72 hours (or as required by law)
Relevant authorities will be notified as legally required
We will provide guidance on protective steps you can take
Account Data: Retained while your account is active and for a reasonable period after closure
Usage Data: Typically retained for 2-3 years for service improvement, then anonymized or deleted
Support Records: Retained for 3 years to provide ongoing assistance
Data is deleted when:
No longer necessary for the original collection purpose
You withdraw consent (where consent is the legal basis)
Processing becomes unlawful
Required for legal compliance
Depending on your location, you may have the following rights:
Request a copy of your personal data
Receive your data in a portable format
Obtain information about how your data is processed
Correct inaccurate or incomplete data
Request deletion of your personal data ("right to be forgotten")
Withdraw consent for data processing
Object to processing based on legitimate interests
Restrict processing in certain circumstances
Opt-out of automated decision-making or profiling
To exercise these rights:
Contact us at support@reward.box
Use in-app privacy settings where available
We will respond within 30 days (or as required by applicable law)
Identity verification may be required to protect your privacy
RewardBox is not intended for children under 16. We do not knowingly collect personal information from children below these age thresholds.
If we discover we have collected information from a child without proper consent:
We will delete the information promptly
We will terminate the child's account
Parents/guardians can contact us to request deletion of their child's data
If RewardBox is used in educational settings with children, schools must obtain appropriate parental consent and ensure compliance with applicable laws (such as COPPA in the US or GDPR in the EU).
Your data may be processed in countries outside your residence, including:
Countries with adequacy decisions from your local privacy authority
Countries where we use Standard Contractual Clauses or other appropriate safeguards
The United States under Privacy Shield successor frameworks (when applicable)
We ensure international transfers include:
Adequate legal protections for your data
Contractual commitments from data processors
Technical and organizational security measures
Regular compliance monitoring
Essential Cookies: Required for basic app functionality
Analytics Cookies: Help us understand usage patterns
Preference Cookies: Remember your settings and choices
You can control cookies through:
Your browser or device settings
In-app privacy preferences
Third-party opt-out mechanisms
Note: Disabling certain cookies may limit app functionality.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (“CCPA”):
Right to know what personal information is collected
Right to delete personal information
Right to opt-out of the sale of personal information
Right to non-discrimination for exercising your rights
We do not sell personal information to third parties.
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at support@reward.box with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A.
If you are a resident of the EU, United Kingdom, Lichtenstein, Norway or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data. Please note that not all the features and functionalities of the Services are available to EU users due to legal, technical, business, or other reasons.
If you are a resident of Brazil, you have additional rights under the Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados Pessoais” or “LGPD”):
● Right to confirm the existence of the processing of your Personal Data
● Right to access your Personal Data
● Right to correct incomplete, inaccurate, or outdated Personal Data
● Right to anonymize, block, or delete unnecessary or excessive Personal Data, or Personal Data processed in noncompliance with LGPD
● Right to portability of your Personal Data to another service or product provider, subject to the regulation of the Brazilian data protection authority (ANPD)
● Right to delete Personal Data processed with your consent
● Right to information about public and private entities with which we have shared your Personal Data
● Right to information about the possibility of denying consent and the consequences of such denial
● Right to revoke your consent at any time
You may exercise these rights by contacting us at support@reward.box with the subject line “Brazil LGPD Request” and providing us with your name and the email address associated with your account. Please note that certain rights may be subject to legal limitations under LGPD.
We may update this Privacy Policy to reflect:
Changes in our data practices
New legal requirements
Service enhancements or modifications
We will notify you of material changes through:
Email notification to your registered address
In-app notifications
Prominent notice on our website
Updated "Last Updated" date at the top of this policy
Your continued use of RewardBox after changes become effective constitutes acceptance of the updated policy.
For any privacy-related questions, concerns, or requests:
Email: support@reward.box
Data Protection Officer: dpo@reward.box
Response Time: We aim to respond to all privacy inquiries within 30 days.
Address: 66 Shanghai St, Yau Ma Tei, Kowloon, Hong Kong