Privacy Policy
Last updated: March 12, 2026
1. Introduction
BOS 360 ("we", "our", "the Service") is a business management platform for solopreneurs, freelancers, and small agencies. We are committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable privacy laws.
This policy explains what data we collect, why we collect it, how we store it, and your rights regarding that data.
2. Data Controller
The data controller is WebcraftStudio, registered in Dubai, UAE.
Contact: privacy@bos360.app
3. Data We Collect
3.1 Account Data
When you create an account, we collect:
- Full name
- Email address
- Password (hashed, never stored in plain text)
- Profile picture (optional)
3.2 Business Data
Data you create within the platform:
- Clients, leads, and contact information
- Projects, milestones, and tasks
- Invoices, payments, and financial records
- Notes, mindmaps, and documents
- Calendar events and appointments
- Messages and communication threads
3.3 Third-Party Integrations
When you connect external services, we store:
- Google (Gmail, Calendar, Drive): OAuth refresh token (encrypted), email address. We access the following scopes: gmail.modify, calendar.events, drive.file, userinfo.email
- Custom IMAP/SMTP: Server credentials (encrypted with AES-256-GCM)
3.4 Email Data
When you connect an email account, we may cache email metadata (sender, recipient, subject, snippet, date) and full email content for custom IMAP accounts. All cached email data is encrypted at rest using AES-256-GCM encryption before storage.
3.5 File Storage
BOS 360 does not store your files on our servers. All documents and files are stored on your own cloud provider (e.g., Google Drive). We only store the connection tokens (encrypted) needed to access your cloud storage on your behalf. Company logos used in invoicing are the only files stored on our infrastructure.
3.6 Technical Data
- Session tokens (for authentication)
- Temporary OAuth state cookies (2-minute lifetime)
- Browser type and language preference
4. How We Use Your Data
- Provide the Service: manage your clients, projects, invoices, emails, and calendar
- Authentication: verify your identity and manage sessions
- Email Integration: send, receive, and display emails through connected accounts
- File Storage: access and manage files on your own cloud storage
- Newsletters: send email campaigns you create to your contact lists
- Improvement: debug issues and improve performance
We do not sell your data. We do not use your data for advertising. We do not train AI models on your data.
5. Legal Basis (GDPR)
We process your data under the following legal bases as defined in Article 6 of the GDPR:
- Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you signed up for
- Consent (Art. 6(1)(a)): when you connect third-party services (e.g., Google). You can disconnect at any time from your dashboard settings
- Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, and service improvement — we only process the minimum data necessary and balance our interests against your privacy rights
6. Data Storage and Security
Your business data (clients, invoices, projects, notes, etc.) is stored on Convex, our real-time database provider, hosted on secure cloud infrastructure. Your files and documents are stored on your own cloud provider (Google Drive, etc.) — we do not host them.
- Sensitive fields (passwords, tokens, email content) are encrypted with AES-256-GCM
- OAuth tokens are stored encrypted and only decrypted at the moment of use
- Passwords are hashed using industry-standard algorithms
- All communications use HTTPS/TLS encryption in transit
- Access is restricted by organization-level and role-based permissions
7. Third-Party Services
- Convex — database and backend infrastructure
- Resend — transactional email delivery (verification emails, password resets)
- Google APIs — Gmail, Calendar, Drive (only when you connect your account)
8. Data Retention
- Account data: retained while your account is active
- Business data: retained while your account is active; deleted upon account deletion
- OAuth tokens: retained while the integration is connected; deleted when you disconnect
- Cached emails: retained while the email account is connected
- Session tokens: expire automatically after inactivity
9. Your Rights (GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your account and all associated data — you can do this directly from your account settings, or contact us to request deletion
- Export your data in a portable format
- Disconnect third-party integrations (Google) at any time from your dashboard settings
- Lodge a complaint with your local data protection authority
To exercise these rights, contact us at privacy@bos360.app.
10. Google API Services — Limited Use Disclosure
BOS 360's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only access Google data that users have explicitly authorized
- We use Google data solely to provide the features you requested (email, calendar, file storage)
- We do not transfer Google data to third parties except as needed to provide the Service
- We do not use Google data for advertising or to build user profiles
- We do not allow humans to read your Google data unless required for support with your explicit consent, security investigation, or legal obligation
11. Children
BOS 360 is not intended for users under the age of 16. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top reflects the latest revision.
13. Contact
For privacy-related inquiries:
privacy@bos360.app