Illinois BoxesRecycle · RockfordRockford ▣ IL ▣ Est. 2014
Legal

Privacy Policy.

Plain-language privacy. What we collect, why, and how to ask us to delete it.

Last updated: January 2026

What we collect

When you submit the contact form, we receive: your name, email, phone, company, city, state, postal code, message, requested quantity, product type, service, grade, and the URL of the page you submitted from. We don't drop tracking cookies or use any third-party advertising pixels on this site.

Why we collect it

To respond to your inquiry. That's it. We don't enrich it, sell it, or share it with marketing partners. We don't have marketing partners.

Where it goes

Form data is stored in our lead-capture system (a hosted database provider with TLS in transit and at-rest encryption). It's accessible only to our office staff and dispatchers. We retain it for 24 months, then delete it.

Cookies

This site uses no analytics cookies, no advertising cookies, and no tracking pixels. The only cookies that may appear are those Next.js uses for technical session continuity.

Your rights

You can ask us at any time to: (1) see what data we have about you, (2) correct it, or (3) delete it. Email hello@illinoisboxesrecycle.com with the subject line "Privacy request."

Children

This site is for business buyers and sellers; we do not knowingly collect data from anyone under 18.

Changes

If we update this policy, we'll change the date at the top. Material changes will be flagged at the top of the page for 60 days.

Data processors we use

We use a small number of third-party processors to operate the website and the lead pipeline. Each is contractually bound to handle your data only for the purpose of providing services to us.

  • Vercel — website hosting. Standard HTTPS request logs (IP, browser, timestamp) retained 30 days.
  • Convex — lead-database backend. Stores form submissions as part of our internal ledger.
  • PostHog — analytics. Captures pageviews and the single custom event "contact_form_submitted." No personally identifying information is sent to PostHog unless you log in to a customer portal (we don't have one).
  • Google Workspace — our email inbox. Standard Workspace privacy and security controls.

If you're a California or EU resident, you have additional rights under CCPA / GDPR — see the relevant section below.

California residents (CCPA)

Under the California Consumer Privacy Act, you have the right to:

  • Know what personal information we have collected about you
  • Request deletion of your personal information
  • Opt out of any "sale" of your personal information (we don't sell information, so opt-out is automatic)
  • Non-discrimination for exercising your CCPA rights

Submit any of these requests via email with subject "CCPA Request" — we'll respond within 45 days.

EU and UK residents (GDPR / UK GDPR)

If you're in the EU or UK, you have rights under GDPR:

  • Right of access — copy of the data we hold
  • Right to rectification — correction of inaccurate data
  • Right to erasure — deletion of your data ("right to be forgotten")
  • Right to restriction — limit how we process your data
  • Right to portability — receive your data in a portable format
  • Right to object — to processing for direct marketing or legitimate interests
  • Right to lodge a complaint with your local data protection authority

Our legal basis for processing your inquiry is the legitimate interest of responding to your business inquiry. Email subject "GDPR Request" for any of these.

Data retention specifics

By data type:

  • Lead form submissions — 24 months active retention, then deleted from the active database
  • Customer order history — 7 years (tax and warranty record requirement)
  • Recycling chain-of-custody — 7 years (EPA / mill audit requirement)
  • Email correspondence — Indefinitely as part of business records; can be purged on request
  • Website analytics — 12 months, then aggregated and anonymized
  • HTTPS access logs — 30 days (Vercel default)

How we secure data

TLS encryption in transit (HTTPS everywhere on this site). At-rest encryption at the database layer. Access controls limited to authenticated staff with a need to know. Two-factor authentication required on all internal accounts. We don't keep credit card information directly — payments are handled by a PCI-compliant processor.

Children

This site is for business buyers and sellers. We do not knowingly collect data from anyone under 18. If you believe a minor has submitted data, contact us and we'll delete it.

Contact for privacy questions

Email hello@illinoisboxesrecycle.com with "Privacy" in the subject line. We aim to respond within 5 business days for general questions, and within the statutory deadlines for formal CCPA/GDPR requests.

Talk to us