Privacy Policy
Last updated: 7 June 2026
This policy explains what personal data Bosh (“we”, “us”, “our”) collects, why, and what rights you have. Bosh is operated by [Your legal entity / trading name] of [your address]. For any privacy question or request, contact [privacy@yourdomain].
What we collect
- Account details — your name, email address and profile image, provided by Google when you sign in with Google.
- Payment records — when you buy credits or a plan, payment is processed by Stripe. We receive and store transaction records (amount, status, Stripe identifiers) but never your full card details — those go directly to Stripe.
- Server & deployment data — the public IP address and domain of the VPS you connect, deployment status, and operational logs needed to run and support the service.
- Secrets you enter (e.g. Stripe and Google API keys) are encrypted (sealed) to your server’s key before storage. We hold only the ciphertext and cannot read them after sealing.
- Compatibility check — if you run the pre-flight check, we record your server’s reported public IP to show the result.
- Authentication cookie — a single strictly-necessary session cookie (see our Cookie Policy). We use no analytics or advertising cookies.
How we use it
- To provide, operate and secure the service and your deployments.
- To process payments and maintain billing records.
- To respond to support requests and prevent abuse/fraud.
- To meet our legal and accounting obligations.
Legal bases (UK/EU GDPR)
We process your data to perform our contract with you (providing the service), for our legitimate interests (security, fraud prevention, improving the service), and to comply with legal obligations. Where we ever rely on consent, you can withdraw it at any time.
Who we share it with
We do not sell your data. We share it only with the providers needed to run the service: Google (sign-in), Stripe (payments), and our infrastructure/hosting provider. Each acts under its own terms and privacy policy.
Your deployed site is yours. Once deployed to your VPS, the application, its database and any data your own users submit live on your server and are outside our control — you are the data controller for them.
Retention
We keep account and billing records for as long as your account is active and as required for legal/accounting purposes, then delete or anonymise them. Operational logs are kept for a limited period.
Your rights
Subject to law, you can request access to, correction or deletion of your data, restriction or objection to processing, and portability. To exercise any right, email [privacy@yourdomain]. You may also complain to your data protection authority (in the UK, the ICO).
Security
We encrypt secrets in transit and at rest, store only hashed access tokens, serve everything over HTTPS, and follow least-privilege practices. No system is perfectly secure, but we take protecting your data seriously.
International transfers, children, and changes
Some providers may process data outside your country under appropriate safeguards. The service is not directed at children under 16. We may update this policy; we will change the “last updated” date and, for material changes, take reasonable steps to notify you.
Contact
Questions or requests: [privacy@yourdomain].