Privacy Policy

This Privacy Policy explains how Boo Lab, Inc. collects, uses, discloses, and protects personal data in connection with Boo, our websites, sales, support, billing, and related services.

Scope

This Privacy Policy applies to personal data we process as a business for our websites, marketing, sales, billing, support, and account administration. When Boo processes Customer Data on behalf of a customer through the Services, Boo generally acts as a processor or service provider, and that processing is governed by the customer agreement and Data Processing Addendum.

Personal data we collect from users and visitors

We may collect account information, contact information, login information, billing information, transaction history, workspace information, communications with us, support requests, survey responses, preferences, device information, browser information, usage information, log information, cookie information, approximate location from IP address, and other information provided to us.

Customer Data processed through Boo

Boo may process Customer Data from systems connected by Customer, including chat systems, email, documents, calendars, source code repositories, data warehouses, analytics tools, project tracking tools, support tools, databases, cloud storage, customer relationship systems, and other systems. Customer decides what systems to connect, what credentials to provide, and what scopes to grant.

Connected system access

Boo accesses connected systems through tokens, API keys, credentials, accounts, scopes, and permissions made available by Customer. If a credential does not have access to data in a source system, Boo does not have access to that data through that credential.

How we use personal data

We use personal data to provide the Services, operate accounts, authenticate users, process payments, meter usage, send invoices, provide support, communicate with customers, maintain security, detect abuse, comply with law, enforce terms, conduct analytics, and manage our business. We also use personal data to improve the Services, subject to the Customer Data limits in the customer agreement, and we distinguish two kinds of improvement. We may use Customer Data to improve the Services for the customer whose data it is, as part of providing the Services to that customer. We improve the Services for all customers and develop new features only using Generalized Learnings and aggregated or de-identified information that do not contain Customer Data, except where the customer gives Explicit Approval.

AI data use

Boo may process Customer Data to answer questions, complete tasks, retrieve context, create outputs, run workflows, maintain private workspace memory, build indexes, create embeddings, and improve Boo for that Customer. Boo will not use Customer Data to train foundation or generative AI models unless Customer gives Explicit Approval under the customer agreement.

Boo may use Customer Data to improve Boo for that Customer, including through private workspace memory, retrieval, indexing, embeddings, summaries, and Customer-specific workflows. Boo does not use Customer Data to improve the Services for other customers except through Generalized Learnings or aggregated or de-identified information as described in the customer agreement.

Third-party model providers

Boo may send relevant Customer Data to third-party model providers for inference and related services when needed to provide the Services. Boo requires such providers to protect Customer Data and not use Customer Data to train their models unless Customer gives Explicit Approval, including through a Customer-Approved Provider Setting that is off by default.

Product analytics and de-identified information

We may create aggregated, de-identified, or non-identifying information and use it for analytics, service improvement, security, reliability, usage forecasting, billing accuracy, model routing, cost optimization, and business operations. We will not use aggregated or de-identified information in a way that reasonably identifies Customer, a user, or an individual, and we maintain and use the information as de-identified. We will not attempt to re-identify de-identified information except to test whether our de-identification processes comply with applicable law.

How we disclose personal data

We may disclose personal data to service providers, subprocessors, model providers, cloud providers, payment processors, analytics providers, support tools, professional advisors, affiliates, business transaction counterparties, law enforcement, regulators, courts, and others when required or permitted by law. We may also disclose personal data with Customer's instructions or consent.

Subprocessors

Our subprocessors and model providers help us provide the Services. We maintain a Subprocessor and Model Provider Policy that describes how we use these providers and how customers may request provider restrictions where supported.

Business transfers

We may disclose or transfer information, agreements, and assets in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction. Any successor that receives Customer Data must handle Customer Data subject to the applicable contractual commitments unless Customer agrees otherwise. Boo Technology, General Skills, Generalized Learnings, de-identified information, aggregated information, and service improvements may be transferred as Boo assets.

Retention

We retain personal data for as long as needed to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, prevent abuse, maintain security, and operate our business. Customer Data is retained according to the customer agreement, Customer settings, legal requirements, backup practices, and any applicable Order Form.

Deletion

Customers may request deletion of Customer Data as described in the customer agreement and Data Processing Addendum. Some information may remain in backups, logs, billing records, security records, or legal archives for a limited period where permitted by law. Backup copies are deleted or overwritten in the ordinary course of backup rotation.

Security

We use administrative, technical, and physical safeguards designed to protect personal data. These safeguards include encryption, access controls, logging, monitoring, least privilege, incident response, and vendor management as described in the Security Addendum. No system is perfectly secure.

International transfers

We may process and transfer personal data in the United States and other countries where we, our affiliates, service providers, subprocessors, or model providers operate. Where required, we use appropriate transfer mechanisms, which may include the standard contractual clauses, a data privacy framework, or another lawful mechanism.

Privacy rights

Depending on location, individuals may have rights to access, correct, delete, export, restrict, or object to processing of personal data, to opt out of certain processing, and to appeal or withdraw consent. Requests related to Customer Data should usually be directed to the customer that controls the workspace. We will help customers respond to requests as required by the Data Processing Addendum.

We may need to verify a request before responding. Authorized agents may submit requests where permitted by law, subject to verification.

United States state privacy rights

Where applicable, individuals may have rights under state privacy laws, including the laws of California, Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws. These may include the right to know, access, correct, delete, and obtain a portable copy of personal data, the right to opt out of sale, sharing for cross-context behavioral advertising, and certain profiling, and the right not to be discriminated against for exercising these rights. Boo does not sell Customer Data. Boo does not share Customer Data for cross-context behavioral advertising as those terms are commonly used in state privacy laws. To exercise a right, an individual may contact us at privacy@boolab.ai. Where a request relates to a customer workspace, we will direct the request to that customer or assist the customer as required by the Data Processing Addendum.

Cookies and similar technologies

We use cookies and similar technologies as described in the Cookie Policy, and we honor legally required preference signals where required.

Children

The Services are available to organizations and to individuals, but are not directed to children under 18. You must not allow anyone under 18 to use the Services. Customers must not connect or submit children's personal data unless an Order Form or signed addendum permits it and all required consents and protections are in place.

Changes

We may update this Privacy Policy from time to time. We will post the updated version and update the effective date. Material changes will be handled as required by law or the customer agreement.

Contact

Privacy questions and privacy rights requests may be sent to privacy@boolab.ai. Legal notices may be sent to legal@boolab.ai or to the notice address stated in the applicable Order Form.