Privacy Policy

For data you provide directly to us as an individual user (e.g. your name and email when you sign up), Boyevi is the data controller.

For data that an organization (Customer) processes through our service on behalf of its users, employees or contacts (“Customer Data”), Boyevi acts as a data processor and the Customer is the data controller. The terms of that processing are set out in our Data Processing Agreement.

We collect the following categories of data:

• Account data: name, email, password (hashed), avatar, language preference, organization membership, role.
• Authentication data: OAuth identifiers from third parties (e.g. Google) when you choose to sign in via SSO.
• Usage data: pages visited, features used, timestamps, IP address, browser/device type, errors, performance metrics.
• Customer Data: data you connect to the Service via data sources, the questions you ask, and the AI-generated reports.
• Billing data: company name, billing address, VAT number (if applicable), and payment metadata. Card details are handled directly by Stripe and never stored on our servers.
• Support data: any information you provide when contacting us for support.

• Performance of a contract — to deliver the Service you subscribed to.
• Legitimate interests — to secure the Service, prevent fraud, improve our product, and conduct internal analytics.
• Legal obligation — to comply with tax, accounting, and regulatory requirements.
• Consent — for optional features such as marketing communications. You can withdraw consent at any time.

• To create and operate your account.
• To process your data through our AI pipeline and generate reports.
• To bill you, send invoices and receipts.
• To respond to your support requests.
• To detect, prevent, and address security incidents and fraud.
• To improve the Service through aggregated, non-identifying analytics.
• To send you operational emails (e.g. invitation, password reset, important updates).

We do not sell your personal data, and we do not use your Customer Data to train our or any third-party AI models.

We share your data with carefully selected third-party providers (“subprocessors”) that help us operate the Service. They act only under our instructions and are bound by data protection agreements.

The current list of subprocessors is published at /legal/subprocessors. We will give you reasonable notice before adding new subprocessors for Customers covered by our DPA.

Some of our subprocessors are located outside the European Economic Area (notably in the United States). When we transfer personal data outside the EEA, we rely on:

• The European Commission’s Standard Contractual Clauses (SCCs);
• Adequacy decisions where applicable (e.g. EU–US Data Privacy Framework);
• Additional technical and organizational safeguards (encryption in transit and at rest).

We retain your personal data only as long as necessary to provide the Service and meet our legal obligations:

• Account and Customer Data: while your account is active.
• After account deletion: data is anonymized or removed within 30 days, except invoices and accounting records that we retain for the legal duration (typically 10 years in France).
• Backups: encrypted backups may persist for up to 30 days after deletion, after which they are overwritten in normal rotation.
• Server logs: 30 days for security and debugging purposes.

Under GDPR, you have the following rights:

• Access — request a copy of your personal data.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion (“right to be forgotten”).
• Restriction — limit how we process your data.
• Portability — receive your data in a machine-readable format.
• Object — object to processing based on legitimate interests.
• Withdraw consent — for processing based on consent.
• Lodge a complaint — with your local supervisory authority (in France: the CNIL).

To exercise any of these rights, contact privacy@boyevi.com. You can also export your data directly from your account settings.

We use a small number of strictly necessary cookies to operate the Service (authentication session, language preference, CSRF token). We do not use third-party advertising cookies or tracking pixels.

We implement industry-standard technical and organizational measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest.
• Strict access controls and least-privilege principle.
• Regular security reviews and dependency updates.
• Database backups with encrypted off-site storage.
• Multi-factor authentication for administrative access.

No system can be 100% secure. In the event of a breach affecting your personal data, we will notify you and the competent supervisory authority within 72 hours where required by law.

The Service is not intended for individuals under 18. We do not knowingly collect personal data from minors. If you believe we have collected such data, contact us and we will delete it.

We may update this Privacy Policy. Material changes will be notified by email at least 30 days before the effective date. The current version is always available at this URL.

Boyevi SAS, registered in France.
Privacy enquiries: privacy@boyevi.com.