Privacy Policy

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your sensitive information and how we will deal with it. By visiting any website available on the domain, domain, or domain(the ‘Website’) you accept and consent to the practices described in this Privacy Policy including the processing of your personal data.


We are TOPBOX Inc.. We are a company registered in Canada and our registered office is at 53B Tycos Dr, North York, ON, Canada. Topbox Inc. is the processor of your data. If you have any concerns about the way we use your information or any questions about this Privacy Notice, please let us know. We can be contacted via email at, or you can write to us at the address above.


We use your information to:
- Send you products or samples you have requested from our brand partners
- Send transactional messages (such as confirmations and surveys)
- Provide customer service
- Send marketing communications on behalf of our brand partners
- Collect feedback from you on behalf of Topbox and our brand partners related to the sample that you have claimed and the service that we have delivered


Contact Information: Data elements in this category include names, mailing address, email address, and telephone/mobile number.

General Demographics & Psychographics Data elements in this category include personal characteristics and preferences, such as age range, marital and family status, shopping preferences, languages spoken, hobbies and interests.

Online & Technical Information This includes internet or other electronic network activity information. Data elements in this category include: IP address, MAC address, SSIDs or other device identifiers or persistent identifiers, device characteristics (such as browser information), web server logs, application logs, browsing data, first party cookies, and pixel tags.

Information we receive from other sources – This is information we receive about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data if we intend to share those data internally and combine it with data collected on this Website. We will also have told you for what purpose we will share and combine your data. We are working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies). We will notify you when we receive information about you from them and the purposes for which we intend to use that information.


Your privacy is important. That’s why we respect it by taking steps to protect it from loss, misuse, or alteration.

We respect your personal information and take steps to protect it from loss, misuse, or alteration. Where appropriate, these steps can include technical measures like firewalls, intrusion detection and prevention systems, unique and complex passwords, and encryption. We also use organizational and physical measures such as training staff on data processing obligations, identification of data incidents and risks, restricting staff access to your personal information, and ensuring physical security including appropriately securing documents when not being used.We will often share your information with our trusted brand partners that you have claimed a sample from through Tobpox, but only where you have expressly consented for us to do so. Sometimes our brand partners will require that you explicitly agree to this consent in order to receive your sample.


Data Subject Right Requests: You may make a request for access, erasure, rectification, to opt out of receiving marketing emails or texts, or to object to our use of your email address or phone number for advertising. To make this request, please email:

You can also tell us to stop sending you email and text messages by following the opt-out instructions sent with these communications. Please be aware that we may need to keep certain information to honor your choices (e.g.,  if you tell us to stop sending marketing emails, we will need your email address on file so that our systems remember that you no longer wish to receive marketing communications to that email address).

California Residents: If you live in California, you may access the personal information we hold about you, request details about how we process your personal information, ask us to delete your data or request that we no longer “sell” your personal information (as “sell” is defined in the CCPA). To make this request, please email:

As a California resident, you may have the right to request, twice in a 12-month period, the following information about the personal information we have collected about you during the past 12 months:

- the categories and specific pieces of personal information we have collected about you;

- the categories of sources from which we collected the personal information;

- the business or commercial purpose for which we collected or sold the personal information;

- the categories of third parties with whom we shared the personal information; and

In addition, you have the right to request that we delete certain personal information we have collected from you. To submit a request for general disclosure, to access all the information we have about you, or to ask to delete your data as described above you can  make this request by emailing: To help protect your privacy and maintain security, we take steps to verify your identity before granting you access to your personal information or considering your deletion request. Upon receipt of your request, we will send you a verification form by email or postal mail. To complete your request, please respond to the verification form when you receive it. To verify your identity, we may require you to provide any of the following information: Name, email address, postal address, or date of birth. In addition, if you ask us to provide you with specific pieces of personal information, we will require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.

EEA and UK Residents: If you live in the  EEA or the UK, or are physically in the EEA or the UK, you may access the personal data we hold about you, request that inaccurate, outdated, or no longer necessary information be corrected, erased, or restricted, and ask us to provide your data in a format that allows you to transfer it to another service provider. You also may withdraw your consent at any time where we are relying on your consent for the processing of your personal data. And you may object to our processing of your personal data (this means ask us to stop using it) where that processing is based on our legitimate interest (this means we have a reason for using the data). To make this request, please email:


You have the right to find out what information we hold about you. You can exercise that right by contacting us and we will send you all data we hold about you inside of 20 working days.  To make this request, please email:

If any of your personal data is incorrect then you have the right to rectify this information and ensure that it is accurate and up to date.  To make this request, please email:

You have the right ‘to be forgotten’ and to have your personal identifiable information permanently deleted from our systems. If you would like to exercise this right then please email:

There will be no charge made for reasonable electronic access to your information, your right to rectification or for your right to be forgotten from our systems.


We have procedures in place to regularly review what personal data we hold. We keep your personal data in a plain text format only for as long is required in order to carry out the processing activities you have permitted us to do. Once the sampling campaign that you engaged with has concluded (on average about 90 days) and we have completed all of the processing activities required to the get the sample into your hands and gather feedback from you, our data lifecycle management comes into effect. All personal data we hold on you in our production databases that was collected as part of your engagement with one of our sampling campaigns is encrypted using your email address and a secret hash as the encryption key. Once your personal information has been encrypted, we then create an irreversible hash of your email address plus a secret salt. We then replace the email address we hold on record with this hash.

At this point we will only be able to personally identify you as a user again if you attempt to claim another sample in the future, using the same email address as you did previously.

So that we can continue to improve how Topbox works, there are five bits of personal data which you share with us that we exclude from our data lifecycle management process – your postcode, country, opt-in preference, any HTTP referrer value present when you visited our sampling page and any “utm_source” query string parameter present when you visited our sampling page.

We keep your postcode and country in plain text so that we can report on what parts of the world we are delivering samples to. We cannot identify you as the owner of this postcode once your other personal data has been encrypted.

We keep your opt-in preference in plain text so that we can report on average opt-in rates on our platform so that we can keep our brand partners informed about benchmarks on our platform. We cannot identify you as the owner of an opt-in preference once your other personal data has been encrypted.

We keep your utm_source and HTTP referrer value in plain text for two reasons. Firstly, so that we can report back to our brand partners about the performance of their sampling campaigns. Secondly, to help combat abuse of our platform by entities who act against our terms and conditions. We cannot identify you as the owner of a utm_source value or HTTP referrer once your other data has been encrypted.

Of course, you also have the right to forgotten at any point and can find out more about this in the ‘Access to Information’ section above.


Any changes we may make to our Privacy Policy in the future will be posted on this page. The new terms may be displayed on-screen and you will be required to read and accept them to continue your use of our services.


Our Website uses cookies to distinguish you from other users of our Website. This helps us to provide you with a good experience when you browse our Website and also allows us to improve our site. By continuing to browse the Website, you agree and consent to our use of cookies.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

As part of our overall approach to privacy and transparency, this section describes what cookies are in the context of our web and mobile interfaces, and what their use means to you. At the end, we’ve included some links to help you research cookies and their impact, and how you can use your web browser to control the way it manages cookies.

We use the following types of cookies:

Strictly necessary cookies – these are cookies that are required for the operation of our Website. They include, for example, cookies that enable you to log into secure areas of our Website, use a shopping cart or make use of e-payment system.

Analytical/performance cookies – these allow us to recognise and count the number of visitors and to see how visitors move around our Website when they are using it. This helps us to improve the way our Website works, for example, by ensuring that users are finding what they are looking for easily.