BossAll policies
← All policies
Version 2026-06-04 · Effective 2026-06-04

Privacy Policy

Boss — a product of ARWIC

This Privacy Policy explains how [LEGAL ENTITY NAME] ("ARWIC," "we," "us") collects, uses, shares, and protects personal information in connection with the Boss platform at bossitall.com (the "Service").

1. Our two roles (please read — this is important)

Boss serves businesses ("tenants"). We handle personal information in two distinct roles:

  1. As a controller — for information about our tenants and their users (account, billing, and usage information). This Privacy Policy governs that information.
  2. As a processor (service provider) — for the personal information our tenants load into Boss about their own customers and contacts ("Customer Data"). For that data, the tenant is the controller and decides why and how it is processed; we act on the tenant's instructions under our Terms of Service and Data Processing Addendum. If you are a customer of one of our tenants and have a privacy request about your data, please contact that business directly.

2. Information we collect

You provide to us:

  • Account information: name, business name, email, phone, password, and profile details.
  • Billing information: subscription plan and payment details (card data is collected and stored by our payment processor, not by us).
  • Customer Data: information you enter about your business operations and your own customers (e.g., contacts, invoices, expenses, messages). (Processed on your behalf — Section 1.)
  • Communications: messages you send to support and feedback you provide.

Collected automatically:

  • Usage and device data: log data, IP address, browser/device type, pages and features used, timestamps, and similar diagnostic data.
  • Cookies and similar technologies: used to keep you logged in, remember preferences, and understand usage. See Section 9.

From third parties:

  • Payment/Connect data from Stripe (see Section 4).
  • Imported data you choose to bring in (e.g., from QuickBooks/Intuit).

What we do NOT store. We do not collect or store full payment card numbers, bank-account credentials, Social Security numbers, or government-ID/KYC documents. That sensitive information is collected and held by Stripe when you use payments (Section 5). Boss stores the business and contact information described above so that the Service can do its job; it is not a vault for your most sensitive financial identifiers.

We do not intentionally collect special-category data and ask that you not enter it unless necessary and lawful.

3. How we use information

We use information to: provide, operate, secure, and maintain the Service; authenticate users; process subscriptions and payments; provide support; send service and transactional messages; detect, prevent, and investigate fraud, abuse, and security incidents; comply with legal obligations and enforce our agreements; improve and develop the Service (including AI features); and create aggregated or de-identified analytics that do not identify any individual.

AI features. When you use AI features, your inputs and the resulting outputs are processed to generate responses and operate the feature. We do not sell this data. See our AI provider note in Section 4.

We do not sell your personal information for money, and we do not use your Customer Data to advertise to your customers.

4. How we share information

We share personal information only as described here:

  • Service providers / sub-processors who help us run the Service under contract, including: Stripe (payments), our SMS provider (texting), our email delivery provider, our AI model provider, our cloud hosting provider, and analytics/error-monitoring tools. A current sub-processor list is maintained in the Data Processing Addendum.
  • At your direction, including communications you send through the Service and integrations you connect.
  • For legal reasons — to comply with law, lawful requests, or legal process, or to protect the rights, safety, and property of ARWIC, our users, or the public.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
  • With your consent for any other purpose.

5. Payments and our role as a Stripe Connect platform (important disclosure)

If you enable payments, Stripe processes them. Stripe collects and stores sensitive payment and identity information (card numbers, bank credentials, government-ID/KYC details) directly; we do not receive or store that sensitive information.

Because Boss operates as a Stripe Connect platform, Stripe gives us, as the platform, visibility into your connected account — including your payment volume, account balances, payout status, and account/verification status and requirements. This is a standard, designed feature of the Connect platform relationship that you agree to with Stripe when you onboard, and we use this visibility only to operate the payments feature, provide you support, monitor for fraud and abuse, and help resolve disputes. Key points:

  • We have visibility, not custody. Charges are made directly to your connected account and pay out to your bank; the funds never sit in our balance.
  • We do not sell or misuse this data and do not share it except as described in this Policy.
  • Sensitive details stay with Stripe. We receive business-level financial information, not your raw identity or banking credentials.
  • Your use of Stripe is also governed by Stripe's Privacy Policy and the Stripe agreements referenced in our Terms.

6. How we protect information

We use administrative, technical, and organizational safeguards designed to protect personal information, including encryption in transit, tenant isolation (each tenant's data is logically separated and access is constrained at the database level), private internal networking for our data stores, audit logging, and access controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your credentials.

7. Data retention

We retain personal information for as long as your account is active and as needed to provide the Service. After you cancel or your account is terminated, we retain Customer Data for thirty (30) days to allow export, then delete or de-identify it, except where longer retention is required by law or for legitimate business records (e.g., transaction and security logs, tax records). When acting as a processor, we delete or return Customer Data per the DPA.

8. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, to opt out of certain processing, and to not be discriminated against for exercising these rights. To exercise rights for information we control, contact privacy@bossitall.com. We will verify your request as required by law. If your request concerns Customer Data held by one of our tenants, contact that tenant (we will assist them as their processor).

U.S. state privacy laws (e.g., California/CCPA-CPRA). We do not "sell" personal information or share it for cross-context behavioral advertising in exchange for money. California residents may request the categories and specific pieces of personal information we have collected, deletion, and correction, and may designate an authorized agent.

EU/UK (GDPR/UK GDPR). Where GDPR applies, our legal bases are performance of a contract, our legitimate interests (operating and securing the Service), consent (where required), and legal obligations. You may lodge a complaint with your supervisory authority. International transfers are made under appropriate safeguards such as Standard Contractual Clauses.

9. Cookies and tracking

We use strictly necessary cookies to operate the Service (e.g., session/login) and may use functional and analytics cookies. You can control cookies through your browser. Where required by law, we will present a consent mechanism (banner) before setting non-essential cookies. (See the launch plan for the cookie-banner to-do.)

10. Children's privacy

The Service is for businesses and is not directed to children under 16 (or 13 in the U.S.). We do not knowingly collect personal information from children. If you believe a child provided us information, contact privacy@bossitall.com and we will delete it.

11. International users

We operate in the United States, and information may be processed there. By using the Service, you understand your information may be transferred to and processed in the U.S. and other countries with different data-protection laws.

12. Changes to this Policy

We may update this Policy. We will post the new version with an updated Effective Date and, for material changes, provide additional notice. Continued use after changes take effect means you accept the updated Policy.

13. Contact us

[LEGAL ENTITY NAME] Attn: Privacy — Boss / ARWIC [BUSINESS ADDRESS] Privacy requests: privacy@bossitall.com Support: support@bossitall.com