Privacy Policy

1. Scope and Roles

BossWe is an enterprise communication and collaboration product. Your employer, customer, school, or other organization (the "Customer Organization") may create and administer your BossWe account.

Depending on the context:

• The Customer Organization generally acts as the data controller or business for personal data contained in workspaces, employee directories, messages, files, meeting content, and other content submitted under its account. BossWe processes that data as a processor or service provider on the Customer Organization's instructions.
• BossWe acts as an independent controller or business for account administration, billing, security, fraud prevention, service analytics, direct interactions with you, and compliance with legal obligations.

If you use BossWe through a Customer Organization, that organization may access, export, restrict, retain, or delete information associated with your account. Questions about its privacy practices should be directed to the Customer Organization. Requests concerning data controlled by the Customer Organization may be referred to it.

This Privacy Policy does not cover third-party products, websites, or services that display or link to their own privacy notices.

2. Personal Data We Collect

The personal data we collect depends on the features you use, your device settings, and how your Customer Organization configures the Services.

2.1 Information You Provide

We may collect:

• Account and profile data: name, username, password or authentication credentials, email address, telephone number, profile photo, job title, department, organization, employee or member identifier, and preferred language.
• Verification data: verification codes and information reasonably necessary to verify an account, recover access, prevent fraud, or comply with applicable law. We do not require government identification unless it is necessary for a specific feature, transaction, security review, or legal obligation and you are notified at the time of collection.
• Communications and content: messages, posts, comments, contacts you choose to import, files, images, audio, video, meeting content, calendar information, and other content you submit or share through the Services.
• Customer support data: support requests, feedback, survey responses, correspondence, and any attachments or diagnostic information you provide.
• Transaction and billing data: subscription, invoice, purchase, and payment status information. Payment card details may be collected directly by a payment provider and are subject to that provider's privacy notice.

If you provide personal data about another person, you must have the authority and any legally required permission to do so.

2.2 Information Collected Automatically

We may automatically collect:

• Device and network data: device type, manufacturer, model, operating system and version, app version, browser type, language, time zone, IP address, network type, mobile carrier, and device or app identifiers permitted by the operating system.
• Usage and log data: login time, features used, pages viewed, searches, clicks, interaction events, crash reports, performance data, security logs, and referring URLs.
• Approximate location: a general location inferred from an IP address. We collect precise location only when you enable a location-based feature and grant device permission.
• Cookie and similar-technology data: cookie identifiers, local storage, pixels, software development kits ("SDKs"), and similar technologies, as described in Section 7.

We do not intentionally collect call history, SMS contents, clipboard contents, a complete list of installed applications, precise location, contacts, photos, camera input, or microphone input unless the relevant feature requires it, the operating system permits it, and any required notice or permission has been provided.

2.3 Information From Other Sources

We may receive information from:

• Your Customer Organization and its administrators;
• Other BossWe users who communicate with you or add you to a workspace;
• Identity providers and single sign-on services;
• Integration partners and third-party applications you connect to BossWe;
• Payment, security, fraud-prevention, analytics, and customer-support providers; and
• Publicly available sources and authorities where permitted by law.

3. Device Permissions and Optional Features

BossWe may request device permissions only when needed for a feature. Depending on your device and the Services you use, these may include:

You can manage most permissions in your device settings. Disabling a permission may prevent the related feature from working but should not affect unrelated core features.

4. How and Why We Use Personal Data

We process personal data for the following purposes and, where the EU GDPR, UK GDPR, or similar law applies, on the following legal bases:

Where we rely on legitimate interests, we consider the impact on your rights and do not rely on that basis where our interests are overridden by your interests or fundamental rights.

We will obtain consent where required, including for certain device permissions, non-essential cookies or SDKs, precise location, direct marketing, or sensitive personal data. Withdrawal of consent does not affect processing that occurred before withdrawal.

We do not use Customer Content to train general-purpose artificial intelligence models unless this is expressly agreed with the Customer Organization and any legally required notice, choice, or consent is provided.

5. How We Disclose Personal Data

We may disclose personal data as follows:

• Customer Organizations and administrators. Administrators may access account information, workspace activity, content, audit logs, settings, and other data according to the Customer Organization's configuration and agreement with BossWe.
• Other users and recipients. Your profile, presence, messages, files, meeting content, and other information may be visible to people or groups with whom you choose or are configured to communicate.
• Service providers and processors. We use providers for hosting, content delivery, communications, push notifications, identity verification, analytics, crash reporting, customer support, payments, security, and other business operations. They may process data only for contracted purposes and subject to appropriate safeguards.
• Integrations and third-party services. If you or your Customer Organization enables an integration, relevant data may be sent to or received from that third party. Its own terms and privacy notice will apply to its independent processing.
• Affiliates. We may share data within our corporate group for the purposes described in this Privacy Policy, subject to appropriate contractual and security controls.
• Legal and safety recipients. We may disclose data when we reasonably believe it is necessary to comply with law or valid legal process; protect rights, safety, and property; investigate fraud or security incidents; or enforce our agreements.
• Corporate transaction recipients. Data may be disclosed to advisers and counterparties in connection with a proposed or completed corporate transaction. A successor must continue to protect the data consistently with applicable law.
• With your direction or consent. We may disclose information when you direct us to do so or provide legally valid consent.

We do not sell personal data for money. If our use of advertising or analytics technologies constitutes "selling," "sharing," or targeted advertising under an applicable US state privacy law, we will provide the required notice and a method to opt out. CONFIRM BOSSWE ADVERTISING PRACTICES

6. Third-Party SDKs and Subprocessors

BossWe may use SDKs and subprocessors to provide infrastructure, storage, communications, notifications, mapping, document viewing, analytics, crash reporting, and security functions.

Before publication, BossWe must provide and maintain an accurate, version-specific list at SUBPROCESSOR / SDK LIST URL, including each provider's name, purpose, categories of personal data, processing location, and privacy notice. SDKs used only in the domestic version must not be listed for the overseas version unless they are actually included and activated.

Non-essential analytics, advertising, or similar SDKs will be activated only after any consent required by applicable law. Essential SDKs may operate as necessary to provide, secure, or maintain the Services.

7. Cookies and Similar Technologies

We use cookies, local storage, pixels, and SDKs for:

• Strictly necessary authentication, security, load balancing, and service functionality;
• Remembering preferences;
• Performance measurement, diagnostics, and analytics; and
• Advertising or campaign measurement, if used and permitted.

Where required, we will present a cookie consent tool before using non-essential technologies. You can manage choices through COOKIE SETTINGS LINK, your browser, or device settings. Blocking some technologies may affect functionality.

We honor legally required opt-out preference signals, such as Global Privacy Control, where they apply to our processing.

8. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with Customer Organization instructions, meet legal and accounting requirements, resolve disputes, enforce agreements, and protect security.

Retention periods depend on the type of data, sensitivity, business need, Customer Organization settings, legal requirements, and whether the data is needed for an active account or legal claim. Customer Content is generally retained according to the Customer Organization's configuration and agreement with BossWe.

When retention is no longer necessary, we delete or anonymize data. Data in backups may remain isolated until the backup is overwritten under our normal retention cycle.

9. Security

We use reasonable administrative, technical, and physical safeguards designed to protect personal data, such as encryption in transit, access controls, logging, vulnerability management, personnel training, and incident-response procedures.

No service can guarantee absolute security. You are responsible for protecting your credentials, using appropriate passwords and authentication controls, and promptly reporting suspected unauthorized access.

If a personal data breach occurs, we will investigate and notify affected Customer Organizations, individuals, and regulators as required by applicable law and our contractual obligations.

10. International Data Transfers

BossWe and its service providers may process personal data in countries other than the country where you live. These countries may have different data-protection laws.

Where required, we use recognized transfer mechanisms and safeguards, such as:

• Adequacy decisions;
• The European Commission's Standard Contractual Clauses;
• The UK International Data Transfer Agreement or UK Addendum;
• Contractual, organizational, and technical supplementary measures; or
• A legally permitted exception for a specific transfer.

Information about relevant transfer safeguards may be requested using the contact details in Section 16. Before launch, BossWe must identify its actual hosting regions, support-access locations, subprocessors, and transfer mechanism at DATA HOSTING / TRANSFER DISCLOSURE URL.

11. Your Privacy Rights and Choices

Depending on your location and applicable law, you may have the right to:

• Know whether and how we process your personal data;
• Access or obtain a copy of personal data;
• Correct inaccurate personal data;
• Delete personal data;
• Restrict or object to processing;
• Withdraw consent;
• Receive certain data in a portable format;
• Opt out of sale, sharing, targeted advertising, or certain profiling;
• Limit certain uses and disclosures of sensitive personal data;
• Appeal a decision concerning a privacy request; and
• Lodge a complaint with a data-protection or privacy authority.

You may update certain profile information in the Services, manage device permissions in system settings, manage marketing preferences through an unsubscribe link, and request account deletion through IN-APP PATH.

To exercise a right, contact us as described in Section 16 or use PRIVACY REQUEST WEBFORM URL. We may verify your identity and authority before completing a request. Authorized agents may submit requests where permitted by law. We will respond within the period required by applicable law and will not discriminate against you for exercising a privacy right.

If BossWe processes the relevant data solely on behalf of a Customer Organization, please submit your request to that organization. We will assist it as required by law and contract.

12. Additional Information for the EEA, United Kingdom, and Switzerland

The controller for processing performed by BossWe is LEGAL ENTITY AND ADDRESS. Contact our Data Protection Officer, if appointed, at DPO EMAIL.

If required under applicable law, our representatives are:

• EU representative: NAME, ADDRESS, AND EMAIL
• UK representative: NAME, ADDRESS, AND EMAIL

You may complain to the supervisory authority in the country where you live or work or where you believe a violation occurred. A list of EEA supervisory authorities is available through the European Data Protection Board. UK users may contact the UK Information Commissioner's Office.

Where we make a decision based solely on automated processing that produces legal or similarly significant effects, we will provide the notices, safeguards, and rights required by applicable law. BossWe does not make such decisions unless expressly disclosed for the relevant feature.

13. Additional Information for Residents of US States

Subject to legal thresholds and exceptions, residents of California and other US states with comprehensive privacy laws may have the rights described in Section 11.

For the preceding 12 months, the categories of personal information we may have collected and disclosed for business purposes are: identifiers; customer-record information; commercial information; internet or electronic network activity; geolocation information; audio, electronic, visual, or similar information; professional or employment-related information; inferences; and sensitive personal information when a feature requires it.

We collect these categories from the sources described in Section 2, use them for the purposes in Section 4, and disclose them to the recipients described in Section 5. We retain them as described in Section 8.

BossWe does not knowingly sell or share the personal information of consumers under 16 without legally required authorization. To submit a request or appeal, use PRIVACY REQUEST WEBFORM URL or contact us using Section 16.

ADD A "DO NOT SELL OR SHARE MY PERSONAL INFORMATION" LINK IF REQUIRED

14. Children and Teenagers

The Services are designed for organizations and are not directed to children under 13. We do not knowingly collect personal data directly from a child under 13 without legally valid authorization.

Where a Customer Organization provides the Services to minors, it is responsible for obtaining any required parental or guardian consent and providing legally required notices, unless BossWe expressly agrees otherwise in writing.

Some jurisdictions apply a higher age threshold for consent to online services. Users below the applicable age may use the Services only with authorization required by local law and the Customer Organization's policies. If you believe a child has provided personal data improperly, contact us so we can investigate and take appropriate action.

15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in the Services, our practices, or applicable law. We will post the updated version and revise the "Last Updated" date. If a change materially affects your rights or how we use personal data, we will provide additional notice or request consent where required.

Archived versions will be made available at ARCHIVE URL.

16. Contact Us

For privacy questions, requests, or complaints, contact:

We aim to respond within the period required by applicable law. If you are not satisfied with our response, you may contact the competent privacy or data-protection authority or exercise any appeal right available in your jurisdiction.