Last updated: June 27, 2026
The following applies to all cardbox.moe services and subdomains unless explicitly noted otherwise:
The browser extension transfers your Chub.ai login to cardbox.moe entirely within your browser. It reads your authentication token, username, user ID, and subscription status.
When you click "Sync Chub Login" on cardbox.moe, this data is written to cardbox.moe's browser storage. No data is sent to any server beyond *.chub.ai and *.cardbox.moe. There is nothing to sell, share, or use for advertising.
Clear this data anytime via the "Logout" button on cardbox.moe, or by clearing cardbox.moe's site data in your browser settings.
cardbox.moe — Proxy
A reverse proxy for Chub.ai. Requests are forwarded without logging or retention. This is a proxy — while nothing is logged, your traffic still passes through this operating node. Treat this like a VPN. Content displayed is from Chub.ai and is subject to their privacy policy.
archive.cardbox.moe — Card Archive
Indexes available character cards via Chub.ai's public API. Search queries are not logged in normal operation; transient, scoped logging may be used to investigate abuse or secure the service. Archived content is retained for as long as the service operates. Content creators may request removal by contacting [email protected]; verification may be required.
slop.cardbox.moe — File Hosting
Anonymous file hosting with tripcode-based identity. Your tripcode is derived deterministically from your passphrase — the passphrase itself is never stored on the server. Uploaded images are scanned automatically for content moderation. Files are retained indefinitely unless they violate content policies. There are no "accounts" — your passphrase derives your tripcode identity. If you lose it, you lose the ability to manage your uploads.
clit.cardbox.moe — LLM Aggregation
Routes LLM requests to third-party providers (Anthropic, Moonshot, Google, aggregators, etc.). API keys are stored encrypted at rest and decrypted only in-memory at request time. Prompts and completions are not logged — only usage metadata (token counts, model, timestamp) is recorded for the user's dashboard. If a user is deleted, usage records are orphaned and unattributable. Each upstream provider operates under their own data handling policies.
chat.cardbox.moe — Encrypted Chat (under development)
Zero-knowledge encrypted chat client. All messages are encrypted client-side before reaching the server. The server stores only ciphertext it cannot decrypt. This also follows the tripcode model, so losing your passphrase means that your data is unrecoverable. Tripcodes are not shared. Chat requests routed to LLM providers are subject to those providers' data policies.
Uploaded and user-submitted content is the sole responsibility of the uploader. We do not create, endorse, or verify content accessed through our services.
Automated content scanning is used to enforce content policies on ingress. Illegal content will be removed and may be reported to relevant authorities. We reserve the right to remove any content at our discretion.
Content that is removed from cardbox consists of photorealistic depictions that are not readily distinguishable from reality at first glance, in accordance with Dutch law governing the hosting jurisdiction.
Removal requests: Contact [email protected].
By using cardbox.moe, its subdomains, or the Cardbox Auth Bridge extension, you agree to the following:
Age Requirement: You must be at least 18 years old to use cardbox.moe and its services.
As-Is Service: All services are provided "as-is" without warranty of any kind. We make no guarantees regarding availability, accuracy, or fitness for any particular purpose. Services may be modified, suspended, or discontinued at any time without notice.
User Conduct: Do not use cardbox.moe to engage in illegal activity, abuse platform resources, or interfere with service operation.
API Keys: While we encrypt API keys at rest, it is ultimately your responsibility to manage, rotate, and revoke your own keys. We are not liable for any costs or consequences arising from API key usage through our services.
Encryption & Data Loss: Services using passphrase-based identity or client-side encryption operate on a zero-knowledge basis. If you lose your passphrase, your data is unrecoverable. We cannot assist with credential recovery.
Termination: We reserve the right to restrict or terminate access to any user, for any reason, without notice.
Limitation of Liability: cardbox.moe and its operators shall not be liable for any indirect, incidental, or consequential damages arising from use of our services, except where such limitation is prohibited by mandatory Dutch law. This limitation does not apply to damages caused by our intentional misconduct or gross negligence.
No Affiliation: cardbox.moe is not affiliated with or endorsed by Chub.ai.
Governing Law and Jurisdiction: These terms are governed by Dutch law. Any disputes will be subject to the exclusive jurisdiction of the competent courts in Amsterdam, Netherlands.
Changes to Terms: We may update these terms at any time. Continued use of the services after changes constitutes acceptance of the revised terms.
Questions? Email [email protected] or Discord: joeh