Privacy Policy

BBos Holdings, LLC

612 S. Cochran Ave. #409

Los Angeles, CA 90036

United States

3.1 Who This Policy Applies To

This Privacy Policy applies to:

3.2 Customer Data vs. BBos Data

3.3 Links to Other Websites

The Services may contain links to third-party websites, applications, or services that are not owned or controlled by BBos. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services before providing them with your information.

4.1 Information You Provide Directly

4.2 Information We Collect Automatically

4.3 Information from Third Parties

4.4 Inferences and Derived Information

We may derive additional information and inferences about you based on the information we collect, including:

• Preferences, interests, and behavior patterns
• Predicted demographics and characteristics
• Usage patterns and engagement scores
• Risk and fraud indicators
• Product recommendations and personalization data
• Customer lifetime value estimates
• Propensity scores (likelihood to purchase, churn, etc.)

4.5 Aggregated and De-Identified Data

We create aggregated, anonymized, and de-identified data from the information we collect. Once information is de-identified or aggregated such that it can no longer reasonably identify you or any individual, it is no longer considered personal information under this Privacy Policy and we may use and disclose it for any lawful purpose without restriction, including:

• Product development and improvement
• Training and improving artificial intelligence and machine learning models
• Analytics, benchmarking, and industry research
• Marketing and promotional activities
• Creating and distributing reports, insights, and data products

5.1 Providing and Operating the Services

• Creating and managing your account
• Authenticating users and preventing unauthorized access
• Providing access to features and functionality
• Processing transactions and payments
• Storing and managing your files and data
• Providing customer support and responding to inquiries
• Communicating with you about the Services
• Sending transactional emails and notifications
• Facilitating collaboration and communication features

5.2 Improving and Developing the Services

• Analyzing usage patterns and user behavior
• Identifying bugs, errors, and technical issues
• Testing new features and functionality
• Conducting product research and development
• Developing new products and services
• Personalizing your experience
• Optimizing performance and user experience
• Benchmarking and competitive analysis

5.3 Artificial Intelligence and Machine Learning

Note: As described in our Terms and Conditions, once Customer Data is incorporated into AI models in de-identified or aggregated form, it becomes part of our intellectual property and cannot be extracted, deleted, or attributed to any individual or organization.

5.4 Marketing and Advertising

• Sending promotional emails and marketing communications (with consent or as permitted by law)
• Displaying targeted advertisements on our website and third-party platforms
• Conducting market research and surveys
• Analyzing marketing campaign effectiveness
• Building custom audiences for advertising
• Retargeting visitors who have shown interest in the Services
• Creating lookalike audiences based on customer characteristics
• Measuring return on advertising spend (ROAS)
• Distributing newsletters, product updates, and thought leadership content

5.5 Business Operations and Analytics

• Processing payments and managing billing
• Maintaining accurate financial and business records
• Conducting internal audits and compliance reviews
• Analyzing business performance and key metrics
• Strategic planning and business development
• Preparing financial reports and forecasts
• Managing vendor and partner relationships
• Conducting due diligence for business transactions (M&A, financing, etc.)

5.6 Security and Fraud Prevention

• Detecting, investigating, and preventing fraud, abuse, and security incidents
• Monitoring for suspicious activity and unauthorized access
• Protecting against malicious, deceptive, or illegal activity
• Enforcing our Terms and Conditions and other policies
• Investigating violations and taking appropriate action
• Maintaining the security and integrity of the Services
• Conducting security audits and risk assessments
• Implementing access controls and authentication measures

5.7 Legal Compliance and Protection

• Complying with applicable laws, regulations, and legal obligations
• Responding to legal process (subpoenas, court orders, government requests)
• Protecting our rights, property, and safety
• Protecting the rights, property, and safety of our customers and others
• Enforcing our legal rights and defending against legal claims
• Cooperating with law enforcement and regulatory authorities
• Maintaining records required by law
• Conducting investigations and litigation

5.8 Communications and Customer Relationship Management

• Sending service announcements and administrative messages
• Providing customer support via email, chat, phone, or video
• Soliciting feedback and conducting satisfaction surveys
• Managing customer relationships and account health
• Identifying upsell and cross-sell opportunities
• Reducing customer churn and improving retention
• Building customer communities and user groups
• Hosting webinars, training sessions, and events

5.9 Recruiting and Human Resources

• Evaluating job applications and candidates (if you apply for a job with us)
• Conducting background checks and reference verification
• Managing the interview and hiring process
• Onboarding new employees and contractors
• Administering benefits and compensation
• Managing employee performance and development

5.10 Research and Public Interest

• Publishing research reports, whitepapers, and case studies
• Contributing to academic and industry research
• Sharing anonymized data with researchers (with appropriate safeguards)
• Participating in industry benchmarking studies
• Supporting public policy development

5.11 Other Business Purposes

• Any other purposes disclosed to you at the time of collection
• Any purposes for which you provide consent
• Any purposes reasonably necessary or compatible with the above purposes
• Any purposes permitted by applicable law

6.1 Contract Performance (GDPR Article 6(1)(b))

Processing is necessary to:

• Provide the Services you have requested
• Create and manage your account
• Process payments and fulfill transactions
• Respond to your support requests
• Perform our obligations under the Terms and Conditions

6.2 Legitimate Interests (GDPR Article 6(1)(f))

Processing is necessary for our legitimate interests or those of third parties, including:

• Product improvement: Analyzing usage to improve the Services
• Security: Detecting and preventing fraud, abuse, and security incidents
• Business operations: Managing our business, finances, and strategy
• Marketing: Sending promotional communications (where consent is not required)
• AI development: Training AI models using aggregated, de-identified data
• Analytics: Understanding user behavior and measuring effectiveness
• Customer relationships: Managing customer accounts and reducing churn

We have balanced these legitimate interests against your rights and freedoms and determined that processing is proportionate and necessary.

6.3 Consent (GDPR Article 6(1)(a))

Where required by law, we obtain your explicit consent before processing, such as:

• Marketing emails and promotional communications (in certain jurisdictions)
• Non-essential cookies and tracking technologies
• Processing of special categories of personal data (if applicable)
• Use of precise geolocation data

You may withdraw consent at any time by contacting us or using the unsubscribe mechanisms provided.

6.4 Legal Obligations (GDPR Article 6(1)(c))

Processing is necessary to comply with legal obligations, such as:

• Tax and accounting requirements
• Financial reporting and record-keeping
• Responding to legal process (subpoenas, court orders)
• Anti-money laundering (AML) and know your customer (KYC) requirements
• Data breach notification obligations
• Employment and labor law compliance

6.5 Vital Interests (GDPR Article 6(1)(d))

In rare circumstances, processing may be necessary to protect vital interests, such as:

• Preventing harm to individuals
• Emergency situations requiring immediate action

6.6 Public Interest (GDPR Article 6(1)(e))

Processing may be necessary for tasks carried out in the public interest, such as:

• Cooperating with regulatory authorities
• Supporting public health and safety initiatives
• Contributing to academic or scientific research

6.7 Special Categories of Personal Data

We do not intentionally collect special categories of personal data (such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data) unless you voluntarily provide such information (for example, in your profile or in content you upload).

If we do process special categories of personal data, we will:

• Obtain your explicit consent (GDPR Article 9(2)(a))
• Process only as necessary for employment/social security purposes (GDPR Article 9(2)(b))
• Rely on other legal bases permitted under GDPR Article 9

7.1 Service Providers and Subprocessors

We share information with third-party service providers who perform services on our behalf, including:

These service providers are contractually obligated to:

• Process information only as instructed by us
• Implement appropriate security measures
• Not use information for their own purposes (except as permitted by law)
• Comply with applicable data protection laws

For EEA, UK, and Swiss data subjects, these transfers are governed by Standard Contractual Clauses or other appropriate safeguards as described in our Data Processing Addendum.

7.2 Business Partners and Affiliates

We may share information with:

7.3 Business Transactions

We may share information in connection with, or during negotiations of, any:

• Merger, acquisition, or sale of company assets
• Financing or investment transaction
• Bankruptcy, dissolution, or similar proceeding
• Business combination, reorganization, or transfer of business

In such transactions, information may be shared with:

• Prospective buyers, investors, or merger partners
• Legal, financial, and professional advisors
• Lenders and financing partners

Recipients will be bound by confidentiality obligations and required to use information only for purposes of evaluating or completing the transaction.

7.4 Legal Obligations and Protection

We may disclose information when we believe in good faith that disclosure is necessary to:

7.5 Public Information

Information you make publicly available through the Services may be viewed by others, including:

7.6 With Your Consent or Direction

We may share information:

• When you direct us to share information with third parties
• When you authorize third-party integrations
• When you provide consent to specific sharing
• When you participate in co-branded or joint marketing activities

7.7 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that does not identify you or any individual with:

• Business partners and advertisers
• Research institutions and academics
• Industry analysts and journalists
• The public through reports, blog posts, or publications

Such data is not subject to this Privacy Policy and may be used and shared without restriction.

8.1 Where We Process Data

BBos is based in the United States. When you use the Services, your information will be transferred to, stored, and processed in the United States and potentially other countries where BBos or its service providers operate.

Our primary infrastructure is hosted on Google Cloud Platform with data centers in the United States. We also use service providers located in:

• United States: Google Cloud (Vertex AI), Twilio, Plaid, Stripe, Intuit
• Other locations: As listed in Annex 3 of our Data Processing Addendum

8.2 Transfers from the EEA, UK, and Switzerland

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to the United States and other countries that may not provide the same level of data protection as your home country.

We rely on the following mechanisms for international transfers:

8.3 Additional Safeguards

In addition to the mechanisms above, we implement additional safeguards including:

• Strong encryption in transit and at rest
• Strict access controls and authentication
• Data minimization and pseudonymization where possible
• Contractual protections with service providers
• Regular security audits and assessments
• Transparency about government access requests

8.4 U.S. Government Access

As a U.S.-based company, BBos may be subject to U.S. government requests for information pursuant to U.S. law, including the Foreign Intelligence Surveillance Act (FISA) and national security letters. While we will challenge overbroad or inappropriate requests, we may be legally compelled to comply with valid legal process.

If we receive government requests for your information, we will:

• Review the request for legal validity
• Notify you if legally permitted to do so
• Challenge requests that appear invalid or overbroad
• Disclose only the minimum information required by law
• Publish transparency reports (available at bbos.ai/transparency)

8.5 Transfers from Other Countries

If you are located in Canada, your information is protected by PIPEDA (Personal Information Protection and Electronic Documents Act) and may be subject to lawful access by courts, law enforcement, and national security authorities in the jurisdictions where we operate.

If you are located in other countries with data protection laws, your information will be processed in accordance with this Privacy Policy and applicable law.

9.1 Retention Periods

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

General Retention Periods:

9.2 Factors Determining Retention

We determine retention periods based on:

• The nature and sensitivity of the information
• Purposes for which we collected the information
• Legal, regulatory, tax, and accounting requirements
• Legitimate business needs (fraud prevention, security, legal defense)
• Contractual obligations
• Industry standards and best practices

9.3 Deletion After Termination

When you terminate your account or subscription:

We may retain certain information as required by law or for legitimate business purposes, including:

• Transaction records (for tax and accounting)
• Records of fraud or abuse
• Information necessary for legal compliance or defense
• Aggregated or de-identified data (indefinitely)

9.4 Extended Retention

We may retain information for longer periods when:

9.5 Aggregated Data Retention

As stated in Section 4.5 and our Terms and Conditions:

• Aggregated, anonymized, and de-identified data is retained indefinitely
• Such data is no longer considered personal data and is not subject to deletion requests
• This data is used for AI training, product development, analytics, benchmarking, and research
• Once Customer Data is incorporated into AI models, it cannot be extracted or deleted

9.6 Backup Retention

Information may remain in backup or archival systems for a limited period after deletion from active systems:

• Incremental backups: 30 days
• Full backups: 90 days

Backup data is:

• Securely stored and encrypted
• Isolated from production systems
• Subject to the same confidentiality and security protections
• Used only for disaster recovery purposes

9.7 Your Deletion Rights

Subject to the exceptions above, you may request deletion of your information as described in Section 10. However, deletion rights do not apply to:

• Aggregated or de-identified data
• Information incorporated into AI models
• Information we are required or permitted to retain by law
• Information necessary for legitimate business purposes

10.1 Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:

10.2 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

10.3 Rights for Other U.S. State Residents

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other U.S. states with consumer privacy laws, you may have rights similar to those described above, including:

• Right to confirm and access personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to obtain a copy of personal data
• Right to opt out of targeted advertising, sale of personal data, and profiling

Contact us at privacy@bbos.ai to exercise these rights.

10.4 Rights for Canadian Residents (PIPEDA)

If you are a Canadian resident, you have the following rights under PIPEDA:

• Right to access personal information
• Right to challenge accuracy and completeness
• Right to withdraw consent for certain processing
• Right to file a complaint with the Privacy Commissioner of Canada

10.5 Marketing Communications

You can opt out of marketing communications by:

• Clicking "unsubscribe" in any marketing email
• Adjusting your notification preferences in your account settings
• Emailing privacy@bbos.ai with "Unsubscribe" in the subject line
• Contacting us using the information in Section 17

Note: You cannot opt out of transactional or service-related communications (such as account notifications, security alerts, or billing communications).

10.6 Cookies and Tracking Technologies

You can control cookies and tracking technologies by:

• Adjusting your browser settings to block or delete cookies
• Using the cookie consent manager on our website

Opting out of third-party advertising cookies at:

• Digital Advertising Alliance: optout.aboutads.info
• Network Advertising Initiative: optout.networkadvertising.org
• Google Analytics: tools.google.com/dlpage/gaoptout

• Enabling "Do Not Track" or Global Privacy Control (GPC) in your browser

For more information, see Section 11 (Cookies and Tracking Technologies).

10.7 How to Exercise Your Rights

To exercise any of the rights described above:

Information we need:

• Your name and email address
• Description of your request
• Verification information (such as your account details)
• Jurisdiction (for location-specific rights)

10.8 Verification Process

To protect your privacy, we will verify your identity before fulfilling requests. Verification may require:

• Matching information you provide with information in our records
• Additional verification steps for sensitive requests (such as deletion)
• Authentication through your account login

If you use an authorized agent to submit a request on your behalf:

• The agent must provide written authorization signed by you
• We may require verification directly from you
• California residents: Authorized agents must be registered with the California Secretary of State (for CCPA requests)

10.9 Response Timeline

We will respond to verified requests within:

• GDPR: 1 month (may be extended by 2 months for complex requests)
• CCPA/CPRA: 45 days (may be extended by 45 days)
• Other laws: As required by applicable law

We will notify you if we need additional time or information.

10.10 Fees

We do not charge fees for:

• Your first request in a 12-month period
• Reasonable requests that are not excessive

We may charge a reasonable fee or refuse to act on requests that are:

• Manifestly unfounded or excessive
• Repetitive (multiple requests for the same information)
• Requiring disproportionate effort

10.11 Limitations on Rights

Your rights are not absolute. We may deny requests when:

• We cannot verify your identity
• The request is manifestly unfounded or excessive
• Processing is necessary for legal compliance or legal claims
• Processing is necessary for compelling legitimate interests
• Information is aggregated, de-identified, or incorporated into AI models
• Deletion would impact the rights and freedoms of others
• Applicable law permits or requires us to deny the request

We will explain our reasons if we deny a request.

11.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. We use cookies and similar tracking technologies (web beacons, pixels, local storage, etc.) to:

• Provide and improve the Services
• Understand how you use the Services
• Personalize your experience
• Deliver targeted advertising
• Analyze performance and traffic

11.2 Types of Cookies We Use

11.3 Third-Party Cookies

We use third-party services that may place cookies on your device:

11.4 Cookie Duration

• Session cookies: Deleted when you close your browser
• Persistent cookies: Remain on your device for a set period (typically 30 days to 2 years) or until you delete them

11.5 Managing Cookies

You can control cookies through:

11.6 Mobile Device Identifiers

For mobile applications (if applicable):

• iOS: Use Limit Ad Tracking in Settings > Privacy > Advertising
• Android: Use Opt out of Ads Personalization in Settings > Google > Ads

11.7 Consequences of Disabling Cookies

If you disable cookies:

• You may not be able to log in or use certain features
• The Services may not function properly
• We cannot remember your preferences
• You may see less relevant advertising (but the same amount of ads)

11.8 Cookie Policy Updates

We may update our use of cookies from time to time. Check this Privacy Policy for the most current information about our cookie practices.