Privacy Policy
Effective date: April 16, 2026
1. Who we are
BOSS ("we", "us", "our") is a business intelligence platform that connects to your business tools, surfaces exceptions, and delivers a daily intelligence brief. We are operated by the BOSS platform team. If you have questions about this policy, contact us at privacy@tryboss.co.
2. What we collect and why
Account information
When you sign up, we collect your email address and optionally your business name. Your email is your identity in BOSS — we use it to send your daily brief, authentication links, and important account notifications.
Authentication
BOSS uses passwordless magic links: we email you a single-use sign-in link that expires in 15 minutes. We never store a password.
If you choose Sign in with Google, we receive your email address and email-verified status from Google. We request the minimum OAuth scope: openid email. We do not receive or store your Google profile picture, phone number, contacts, calendar, or any other Google data. We do not store your Google access token — it is discarded after we extract your email.
Business integration data
When you connect a business tool (QuickBooks, Stripe, HubSpot, Xero, etc.), we access that tool using OAuth credentials you authorise. We read the data needed to generate your brief — such as invoices, cash flow, pipeline status, or support tickets. We do not write to your connected tools without your explicit approval in the app.
Integration credentials (OAuth tokens) are stored encrypted at rest using AES-256-GCM envelope encryption with per-tenant key derivation. We do not share your integration credentials with any third party.
Usage data
We collect standard usage telemetry: pages visited, features used, brief open rates, and error logs. This data is used to improve the product. We use Google Analytics on the marketing site (tryboss.co) to measure traffic. The product app (app.tryboss.co) does not load third-party tracking scripts.
Session data
We issue a session token stored in an HttpOnly cookie after sign-in. The cookie is scoped to .tryboss.co, marked Secure in production, and expires after 7 days. We do not use persistent tracking cookies.
3. How we use your data
- To generate and deliver your daily intelligence brief
- To surface exceptions and recommended actions from your connected tools
- To authenticate you and maintain your session
- To send transactional emails (sign-in links, brief delivery, account notices)
- To improve the product based on aggregated usage patterns
- To comply with our legal obligations
We do not use your data to train AI models offered to other customers. We do not sell, rent, or trade your personal data or your business data to any third party.
4. Third-party services we use
BOSS uses the following third-party infrastructure services. Each is used only for the stated purpose.
| Service | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (SES) | Transactional email delivery (sign-in links, brief emails) | Your email address |
| Vercel | Frontend hosting (app.tryboss.co, tryboss.co) | None — static/SSR rendering only |
| AWS EC2 | Backend API and worker hosting | Encrypted data at rest on our own servers |
| Google OAuth | Optional: Google Sign-In identity verification | Email address only — no profile data |
| Google Analytics | Marketing site traffic analytics (tryboss.co only) | Anonymised page views |
| Anthropic (Claude) | AI-generated brief narrative | Aggregated, de-identified business signals — no PII |
5. Data retention
We retain your account data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (typically up to 7 years for financial records).
Anonymised, aggregated usage statistics may be retained indefinitely as they cannot be linked back to you.
6. Your rights
Depending on your location, you may have the following rights:
- Access — request a copy of the data we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — request deletion of your account and associated data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing in certain circumstances
To exercise any of these rights, email us at privacy@tryboss.co. We will respond within 30 days.
7. Data security
We take the security of your data seriously:
- All data in transit is encrypted using TLS 1.2+
- Integration credentials are encrypted at rest with AES-256-GCM
- Session tokens are stored in HttpOnly, Secure, SameSite cookies — inaccessible to JavaScript
- Magic link tokens are stored as SHA-256 hashes — the raw token exists only in your email
- Access to production systems is restricted to authorised personnel
No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to security@tryboss.co.
8. Cookies
BOSS uses two types of cookies:
- Session cookie (boss_session) — required for authentication. Expires after 7 days. HttpOnly; not accessible to JavaScript.
- Google Analytics cookies — used on tryboss.co only, to measure marketing traffic. Not set on app.tryboss.co.
We do not use advertising cookies, cross-site tracking cookies, or third-party retargeting pixels.
9. Children
BOSS is a business tool intended for use by adults operating businesses. We do not knowingly collect data from anyone under 18 years of age. If you believe a minor has created an account, contact us at privacy@tryboss.co and we will delete it.
10. International transfers
BOSS is hosted on AWS infrastructure in the United States. If you are located outside the US, your data is transferred to and processed in the US. By using BOSS, you consent to this transfer. We apply appropriate safeguards consistent with applicable data protection law.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and notify you by email at least 14 days before the change takes effect. Continued use of BOSS after that date constitutes acceptance of the updated policy.
12. Contact us
For privacy-related questions, data requests, or security disclosures: