Last updated: April 12, 2026
1. Introduction
Bosly (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our AI-powered business management platform.
2. Data We Collect
We collect the following categories of personal data:
- Account data: name, email address, and hashed password
- Business data: invoices, client contacts, transaction records, task lists, and finance entries you create within the Service
- Financial data: income, expense, VAT, and pension information you enter (used to generate guidance only)
- Communication data: emails and messages you connect to the inbox feature (stored encrypted)
- Usage data: feature usage counts for AI query limits and subscription enforcement
- Payment data: billing details processed securely by Stripe. We do not store payment card numbers.
- Technical data: IP address (for rate limiting and security), session cookies, and basic browser information
3. How We Use Your Data
- To provide, maintain, and improve the Service
- To generate AI-powered suggestions, summaries, and draft communications
- To calculate tax estimates, VAT positions, and financial guidance (for informational purposes only)
- To send transactional emails (account verification, password resets, subscription receipts)
- To enforce usage limits and subscription tiers
- To comply with legal obligations
4. AI Processing Disclosure
We use Civo (civo.com) via their Relax AI API as an AI data processor to provide intelligent features. Message content you process through Bosly's AI features may be sent to Civo's API. Civo is bound by their Data Processing Agreement. We do not use your data to train AI models.
5. Sharing of Data
We share your data only as necessary:
- Civo (Relax AI): For AI-powered features (see Section 4)
- Stripe: For payment processing and subscription management
- Hosting providers: Cloud infrastructure providers who store your data under appropriate data processing agreements
- Legal authorities: When required by law or to protect our rights
We never sell your personal data to third parties.
6. Cookies
We use the following cookies:
| Cookie | Purpose | Duration | Flags |
|---|---|---|---|
| bosly_uid | Authentication — identifies your user account server-side | 1 year | HttpOnly |
| bosly_session | Session verification — authenticates your current session | Session | HttpOnly |
| bosly_tracking | UTM/ad tracking — records campaign attribution for analytics | 30 days | — |
| bosly_analytics_consent | GDPR consent flag — records your analytics consent choice | 1 year | — |
We do not use advertising tracking cookies from third parties. No third-party tracking scripts are loaded without your consent.
7. Data Retention
- User accounts: Retained until you submit a deletion request
- Contacts, cards, and tasks: Retained until account deletion
- Invoices: Retained for 7 years (legal requirement for financial records)
- Log files: Retained for 90 days, then automatically purged
- Backup data: Retained for 30 days, then permanently deleted
- Usage tracking data: Retained for 12 months, then automatically deleted
- Session data: Expires after 14 days of inactivity
8. Security
- Passwords are hashed using bcrypt and never stored in plaintext
- Session cookies are HttpOnly and set to Secure in production
- All data is transmitted over HTTPS
- API endpoints require authentication; rate limiting protects against abuse
9. Your Rights
GDPR Rights (EU / UK)
If you are in the EU or UK, you have the following rights under GDPR / UK GDPR:
- Right to access: Request a copy of your personal data
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure: Request deletion of your data (“right to be forgotten”)
- Right to portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time where processing is consent-based
To exercise these rights, contact us at privacy@bosly.ai.
CCPA Rights (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: Request disclosure of the personal information we collect and how we use it
- Right to delete: Request deletion of your personal information
- Right to opt-out of sale: We do not sell your personal data to third parties
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise your CCPA rights, contact us at privacy@bosly.ai.
PIPEDA Rights (Canada)
If you are in Canada, you have the following rights under PIPEDA:
- Right to access: Request access to your personal information we hold
- Right to correct: Request correction of inaccurate personal information
To exercise your PIPEDA rights, contact us at privacy@bosly.ai.
10. Hosting & Infrastructure
Bosly is hosted on AWS EC2 infrastructure in the EU/US. Your data may be processed in the UK, EU, and United States. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses.
11. International Transfers
Your data may be processed in countries outside the UK/EU (including the United States via Civo and Stripe). Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses.
12. Contact
For privacy questions or to exercise your rights, contact us at:
Email: privacy@bosly.ai
If you are in the UK/EU and believe we have not handled your data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.