Privacy Policy

Effective Date: June 8, 2026 · Applies to app.bosnet.io

For the privacy practices of our marketing website at eikon.digital, see that site’s separate Privacy Policy. This document covers the authenticated product surface at app.bosnet.io only.

The app.bosnet.io application (“BOSNet,” “the Service”) is operated by Eikon Digital Solutions (“Eikon Digital,” “we,” “us”). BOSNet is a business operating system built on a patent-pending governance kernel. This policy explains what information we collect when you use the Service, how we use it, how we retain it, and your rights — including rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

BOSNet is currently in Alpha. The Service, the data we collect, and the way we process it may change as the product matures. Material changes to this policy will be reflected by an updated effective date above.

BOSNet is intended for US-based business use. We do not knowingly collect personal data from residents of the European Union or other jurisdictions outside the United States.


1. Data We Collect

Account & Identity Data

When you create or are invited into a workspace, we collect your email address, name, organization affiliation, role, and authentication credentials (passwords are stored as salted hashes; we never store plaintext passwords). If you enable multi-factor authentication, we store the associated MFA secrets.

Workspace Content

The Service stores the content you create and interact with inside your workspace, including conversations with the NLUI surface, prompts, attached files, generated artifacts, decisions, confirmations, anomalies, and any documents you upload or link.

Governance & Audit Records

BOSNet’s governance kernel records the evidence, state transitions, approvals, denials, and tool-execution events that constitute the audit trail for your operations. These records are retained as part of the Service’s core function and are surfaced to you through artifact panels and exports.

Integration Tokens

If you connect a third-party system (for example, an email provider or a CRM), we store the OAuth tokens or API credentials required to operate that integration. Tokens are encrypted at rest and used only to perform the actions you have authorized through the workspace.

Usage & Telemetry

We collect technical session information (hashed IP, browser type, OS, request paths, latency, error context) for security, debugging, and product improvement. We do not use behavioral advertising and do not share telemetry with advertising networks.

Email Engagement

Transactional and operational email we send to you generates standard deliverability events (delivered, opened, clicked, bounced, complaint) recorded by our email service provider. These events are used for deliverability monitoring and anti-spam compliance.

Browser Storage

We use browser localStorage and session cookies to maintain your authenticated session, remember UI preferences, and (where applicable) record your cookie consent. These items remain on your device.


2. How We Use Your Information

  • To deliver, operate, secure, and improve the Service.
  • To execute the workflows, tool calls, and integrations you authorize.
  • To maintain the governance audit trail that the Service is designed to produce.
  • To detect, prevent, and respond to abuse, fraud, and security incidents.
  • To send transactional and operational emails related to your account or workspace.
  • To meet our legal, tax, accounting, and compliance recordkeeping obligations.

We do not sell your personal information. We do not use your workspace content to train third-party foundation models. We do not share your data with advertising networks.


3. Large Language Model (LLM) Providers

BOSNet’s NLUI surface and certain agentic capabilities are powered by third-party large language model providers, including Anthropic and OpenAI. When you interact with the Service:

  • The content of your prompts, the relevant workspace context the kernel chooses to include, and the resulting model output may be transmitted to and processed by these providers in order to generate a response.
  • We use provider API endpoints that, per provider terms, do not train their public foundation models on customer inputs or outputs by default. Provider logging and abuse-monitoring retention is governed by the provider’s then-current policy.
  • You should not paste regulated, restricted, or third-party-confidential information into the Service unless you have confirmed your organization permits doing so under its agreement with the relevant provider.
  • Provider lists may change as BOSNet adds or removes capabilities. The then-current provider list is documented in our public technology disclosures and inside the Service.

4. Other Service Providers

Supabase

Primary database, authentication, file storage, and vector store. Hosted in US regions.

Vercel

Application hosting, edge compute, and anonymized request telemetry.

Mailgun

Transactional and operational email delivery, including deliverability events.

Google reCAPTCHA Enterprise

Protects authentication and public form endpoints from automated abuse. Sets a _GRECAPTCHA cookie and is subject to Google’s Privacy Policy.

Each provider acts as a data processor on our behalf and is bound by its own data processing terms.


5. Your California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights:

  • Right to Know — request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete — request that we delete personal information we have collected from you, subject to legal retention exceptions described in Section 6.
  • Right to Correct — request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing — direct us not to sell or share your personal information. We do not sell or share personal information for cross-context behavioral advertising — ever.
  • Right to Non-Discrimination — we will not discriminate against you for exercising any privacy right.

To exercise any of these rights, contact us at the address in Section 8.


6. Data Retention

We retain data only as long as needed for the purpose it was collected, to meet legal, tax, accounting, and compliance obligations, or to defend against legal claims. When retention ends, data is securely deleted or irreversibly anonymized.

Data category | Retention period
Account & identity data | For the life of your account, then deleted within 90 days of account closure (or anonymized if referenced by audit trail required to be retained).
Workspace content (conversations, artifacts, uploads) | For the life of the workspace. Soft-deleted items are purged after 30 days. Workspace closure triggers full purge within 90 days, except records required for the governance audit trail (see below).
Governance & audit records | Retained for 7 years after the relevant operation, consistent with typical SaaS recordkeeping obligations and customer audit needs. May be retained longer where contractually required.
Integration tokens | For as long as the integration is enabled. Revoked and deleted within 7 days of disconnection.
LLM provider request/response payloads (server-side logs) | Up to 30 days for debugging, abuse review, and quality evaluation, then deleted on a rolling basis. Subject to the provider’s own retention as described in Section 3.
Email engagement / deliverability logs | Up to 24 months for deliverability monitoring and anti-spam compliance.
Application server logs (errors, request paths, performance) | Up to 90 days on a rolling basis, then auto-purged.
Encrypted database backups | Up to 30 days on a rolling basis, then automatically destroyed.
Browser session cookies and localStorage | Stored in your browser only. Session cookies expire on logout or browser close; localStorage entries persist until you clear browser storage.

You may request earlier deletion at any time by contacting us at the address in Section 8. We will honor verified deletion requests within 45 days, except where we are legally required to retain specific records (for example, tax or anti-fraud documentation), in which case we will disclose the basis for the exception.


7. Security

We protect data in transit with TLS and at rest with the encryption controls provided by our hosting and database providers. Authentication uses salted password hashing and supports multi-factor authentication. Access to production systems is limited to personnel with a business need. The Service is currently in Alpha and security controls continue to mature as the product progresses toward general availability.


8. Contact

For privacy inquiries, data requests, or to exercise your CCPA rights, contact:

Eikon Digital Solutions
Kansas City, MO
privacy@bosnet.io

This policy was last updated on June 8, 2026. We may update it from time to time; the effective date above will reflect the most recent revision. See also our Terms of Service.
