Last Updated: March 2026
This Privacy Policy describes how Bosys ("BOSYS", "we", "our", or "us") collects, processes, stores, uses, and protects personal data and business data in connection with our AI-powered business operating system, workflow automation platform, and related services (collectively, the "Services").
BOSYS provides enterprise-grade software for organizations globally, including customers in the European Union, United States, United Arab Emirates, Turkey, and other jurisdictions. This policy applies to all users, enterprise customers, organization administrators, and visitors to our website.
This Privacy Policy governs Personal Data, Business Data, Operational Data, System Usage Data, and AI Processing Data. It applies whether data is processed through the web application, mobile applications, APIs, integrations, or automation workflows — regardless of access location.
Customer: a business entity using BOSYS. User: an individual authorized to access the system. Administrator: a user with elevated privileges. Business Data: operational or organizational information processed within the platform. Personal Data: information relating to an identifiable individual. Tenant: an isolated organizational environment. AI Processing: automated analysis or decision support performed by BOSYS algorithms.
Account and Identity Data: full name, email, phone number, company name, role, login credentials, and authentication data. Business and Operational Data: financial transactions, accounting records, inventory, sales data, procurement, employee data, supplier and customer records, workflows, uploaded documents, and system configurations. Technical and System Data: IP address, device identifiers, browser type, session logs, login timestamps, API requests, and error logs. Integration Data: when customers connect external systems, we may process accounting, payment, CRM, and warehouse data along with API tokens.
AI processing in BOSYS operates under strict principles. Tenant-Isolated Learning: AI training occurs only within the same organization environment. Customer data is never shared across organizations, used to train global models, sold, or reused for external datasets. Each organization maintains a private AI learning context. AI systems may analyze operational data, identify anomalies, predict risks, suggest actions, and automate workflows — but final decision authority always remains with the customer.
BOSYS operates using a multi-tenant architecture with strict logical separation between tenants. This includes database isolation, access control boundaries, authentication segregation, encryption separation, and role-based permissions. No customer can access another customer's data under any circumstances.
We use data to provide the BOSYS platform, authenticate users, process transactions, execute workflows, generate analytics, monitor system performance, maintain service reliability, detect security threats, and comply with legal obligations. We do not sell customer data.
We may share data with cloud infrastructure providers, hosting providers, backup providers, security monitoring providers, email delivery services, and payment processors — only according to our instructions. We may disclose data when required by law, court orders, or regulatory obligations. Data may also be transferred in connection with mergers, acquisitions, or asset sales.
Active account data is retained while the account remains active. Deleted data is removed from primary systems, though backup copies may remain temporarily (up to 90 days). Some data may be retained longer when required for financial records, tax compliance, fraud investigation, or legal disputes.
Users may delete records, files, and accounts at any time. Deletion triggers immediate removal from production systems. Backup removal occurs during scheduled cycles.
Users and administrators may create accounts, assign permissions, restrict access, delete records, export data, reset credentials, and disable users. Administrators may also monitor system activity, review audit logs, and manage security settings.
Customer data may be processed in multiple jurisdictions. We implement safeguards including Standard Contractual Clauses, data processing agreements, and encryption protocols to protect data during international transfers.
We implement technical and organizational safeguards including encryption in transit and at rest, access control systems, multi-factor authentication, firewall protection, intrusion detection, continuous monitoring, and backup and recovery systems.
In the event of a security incident, we will investigate and contain the threat, notify affected customers, restore services, and report to regulators as required by applicable law.
The Services are designed for business use only. We do not knowingly collect data from individuals under 18 years of age.
We may update this policy periodically. Updates will be published on our website with the effective date noted at the top of the policy.
Bosys, operating in the United Arab Emirates and Turkey.
Privacy inquiries: privacy@bosys.ai. Security incidents: security@bosys.ai.