PRIVACY AND COOKIES STATEMENT

Version March 2025

  1. General

    1. This privacy and cookies statement (“Statement”) applies to all products, services and activities of Bosun B.V., located in Utrecht, the Netherlands, registered with the Chamber of Commerce under number 96839651. Bosun B.V. is responsible for the processing of your personal data. This Statement describes how your personal data is processed and for what purposes.

    2. By using Bosun, you agree with the following conditions. If you do not agree with this statement, you are requested not to use Bosun.

  2. Processing personal data

    1. Below you can find an overview of how Bosun processes personal data, for what purposes, on what legal basis, and for how long.

Connecting your GitHub/GitLab account and creating/managing your Bosun account

Bosun allows you to connect your GitHub and/or GitLab account so we can provide our service (automating software maintenance based on the code in your repositories). We use your account information to authenticate you, display your profile, link the correct organizations, and provide access to the Bosun application. This processing is necessary for the performance of the agreement with you (the provision of Bosun).

Categories of personal data

Account data: e-mail address, avatar image, user ID/username, profile name, profile URL. Retrieved from GitHub and/or GitLab when you connect your account.

Organization data: organization name associated with your GitHub/GitLab account. Used to provide the service to the correct organization/workspace.

Authentication data: OAuth access tokens. Stored to access the repositories you authorize. Stored securely.

Legal basis: performance of a contract (Article 6(1)(b) GDPR).
Retention period: while your account is active; deleted upon request within 1 month, and removed from backups/security logs within 3 months.

Providing the service (automation of software maintenance)

To deliver Bosun, we process data from the repositories and metadata you authorize us to access. This includes repository contents (code) and repository metadata. Repository contents may (depending on what you store in repositories) contain personal data; in that case, you remain responsible for ensuring you have the right to share that content with Bosun.

Repository metadata: repository names and related technical metadata. Needed to run automations and to show relevant information in the product.

Repository contents (code): Processed to perform automated maintenance tasks.

Legal basis: performance of a contract (Article 6(1)(b) GDPR).
Retention period: while your account is active; deleted upon request within 1 month, and removed from backups/security logs within 3 months.

Customer support and communications

We use your contact and account details to respond to questions, provide support, and communicate about service-related matters (e.g., operational updates).

Contact data: e-mail address, profile name. Used to communicate with you.

Support correspondence: Information you provide to us in support requests.

Legal basis: performance of a contract (Article 6(1)(b) GDPR) and/or legitimate interests (Article 6(1)(f) GDPR) (efficient customer support and service improvement).
Retention period: deleted upon request where applicable (and in any event aligned with the deletion timelines above where the data is part of your account).

Security, abuse prevention, and service reliability (logging & monitoring)

We process certain technical data to secure Bosun, prevent abuse and fraud, and maintain stable operations (e.g., debugging and incident handling). We do not store IP addresses in our logs.

Usage and access logs: timestamps, user agent information, access logs. Used for security monitoring and troubleshooting.

Error logs: Used to detect and fix issues and ensure reliability.

Legal basis: legitimate interests (Article 6(1)(f) GDPR) (security, fraud prevention, and maintaining the service).
Retention period: deleted from backups and security logs within 3 months after account deletion request, unless a longer retention is necessary for security investigations or legal obligations.

Billing, payments, and accounting

If you purchase a paid plan, billing and payment processing is handled via our payment provider, and we process invoicing/financial data for administration and compliance.

Categories of personal data

Billing data: company invoicing information and related payment administration data. Used for invoicing, payment processing, and accounting.

Legal basis: performance of a contract (Article 6(1)(b) GDPR) and legal obligation (Article 6(1)(c) GDPR) for tax/accounting compliance.
Retention period: financial and invoicing records are retained as required under applicable tax/accounting laws.

Marketing emails / newsletters (opt-in only)

We only send marketing emails/newsletters if you have explicitly opted in. You can opt out at any time.

Contact data: e-mail address and name. Used to send newsletters/marketing messages.

Legal basis: consent (Article 6(1)(a) GDPR).
Retention period: until you withdraw consent or unsubscribe.

  1. Transfer to third parties (inside the EEA)

    1. Only persons authorized by Bosun B.V. to protect and/or otherwise process personal data and/or perform IT maintenance work have access to your personal data.

    2. Bosun B.V. may engage third parties for the processing purposes described in the statement. Insofar as these third parties process your personal data on behalf of Bosun B.V., they do so in the role of processor. Bosun B.V. has concluded a processing agreement with those third parties that regulates, among other things, security, confidentiality, and your rights.

    3. Processors we use (and what they do)

    Hosting / infrastructure (Hetzner)

    • Purpose: hosting Bosun and related infrastructure.

    • Data categories: account data, authentication data (tokens), repository data, logs, billing administration data (as stored in the product).

    AI/LLM processing (Microsoft Azure – OpenAI service)

    • Purpose: supporting automation features that use language models.

    • Data categories: repository data and related inputs needed to perform the requested automation (as applicable).

    Authentication providers (GitHub, GitLab)

    • Purpose: OAuth authentication and authorized access to your repositories/organizations.

    • Data categories: account/profile data, organization data, authentication-related data as part of the OAuth flow.

    Email delivery (Postmark)

    • Purpose: sending service emails (e.g., verification, notifications, support).

    • Data categories: e-mail address and email content metadata.

    Error monitoring (Sentry)

    • Purpose: monitoring application errors and performance for reliability and security.

    • Data categories: technical logs and error data (configured to avoid unnecessary personal data).

    Customer support (Google)

    • Purpose: handling support communications and internal collaboration.

    • Data categories: support correspondence and contact details.

    CRM / internal administration (Notion)

    • Purpose: managing customer relationships and internal administration.

    • Data categories: limited customer contact and account context as needed.

    Payments (Stripe)

    • Purpose: payment processing and billing.

    • Data categories: billing and payment-related data.

    1. Insofar as these third parties themselves determine the purposes and means of processing your data, they do so as controllers. This means that they too require a legal basis for processing your data. These third parties must comply with the obligations that arise from the GDPR. For more information, Bosun B.V. kindly refers to the privacy statements of these third parties.

    2. In all other respects, Bosun B.V. will not disclose your personal data to third parties, unless this is necessary for the performance of its services, pursuant to a legal requirement or in an emergency, to the extent that, in the reasonable opinion of Bosun B.V., it is in your best interest.

  2. International transfer (outside the EEA) of your personal data

    1. Bosun B.V. aims to process personal data within the European Economic Area (EEA) using EU data center options where available.

    2. If (incidentally) personal data is accessed or transferred outside the EEA—for example due to global corporate structures of service providers or support access—Bosun B.V. will ensure appropriate safeguards are in place (such as model contracts approved by the European Commission), so that your data remains protected in accordance with the GDPR.

  3. Your rights regarding the processing of personal data

    1. You have the following rights regarding the personal data that Bosun B.V. processes about you:

      1. Right to information about what happens to your data and why. You can find this information in this Statement.

      2. Right of access. For this purpose, you may ask Bosun B.V. among other things what data has been recorded and what it is used for.

      3. Right to have the data collected from you by Bosun B.V. corrected, amended or completed if it is inaccurate or incomplete.

      4. Right to erasure (‘right to be forgotten’) (in a number of legally determined cases).

      5. Right to restriction of processing by Bosun B.V. (in a number of legally determined cases).

      6. Right to data portability, meaning that you can request your data from Bosun B.V. and have it transferred to third parties (in a number of legally determined cases).

      7. Right to object to the processing of your personal data by Bosun B.V.

    2. Requests to exercise the rights above can be made to Bosun B.V. via contact@bosun.ai.

    3. If you have given consent for the processing of your personal data, you may withdraw this consent at any time. To do so, please send a request to Bosun B.V. The processing of your personal data in the period before the withdrawal of consent remains lawful.

  4. Retention period

    1. Bosun B.V. will not retain your (personal) data for longer than is necessary for the performance of its services, unless it is obliged to store personal data for longer use under legislative provisions (e.g., tax/accounting obligations).

  5. Security

    1. Bosun B.V. has implemented appropriate technical and organizational measures to secure your personal data against loss or unlawful processing, including:

    • encryption in transit (TLS);

    • encryption at rest for personal information;

    • OAuth authentication via GitHub/GitLab (including reliance on their MFA options);

    • MFA for all Bosun administrator accounts;

    • secrets management via 1Password and Kubernetes secrets;

    • logging and application monitoring;

    • vulnerability scanning;

    • weekly checking for security updates/patching;

    • availability of the technical team for incident response within 24 hours; and

    • data processing agreements with processors.

    1. Despite the fact that Bosun B.V. has taken and will take all possible security measures, the processing of your personal data via the internet involves risks inherent to the use of the internet.

  6. Cookies

    1. Bosun B.V. uses functional cookies on the Bosun application website. On the Bosun marketing website, Bosun B.V. uses analytical measurement to understand website usage (see below).

    2. Cookies are small text files that a computer stores when a website is visited. Functional cookies ensure that the website/application of Bosun B.V. functions properly. Analytical cookies (or similar technologies) gather information about your visit to the website of Bosun B.V.

    3. Bosun B.V. uses the following cookies / measurement:

    A) Functional cookies (application website)

    • Purpose: login/session management, security (e.g., keeping you logged in, preventing misuse, ensuring the application works correctly).

    • Retention period: typically for the duration of your session and/or a limited period as required for secure operation. Logging out will end the session.

    B) Analytical measurement (marketing website) – Plausible Analytics

    • Purpose: to understand aggregated website traffic and improve our marketing website.

    • Data minimization: Plausible is designed to provide privacy-friendly, aggregated statistics and is typically configured to avoid tracking individuals across sites.

    • Retention period: retained according to our Plausible configuration, and only as long as needed for the above purpose.

  7. Third party cookies

    1. Third-party cookies (or similar technologies) may be placed via Bosun, depending on the third-party services used (for example, analytics providers). The privacy and cookie policy of the company in question applies to the use of cookies by other companies. Bosun B.V. has no influence on this. You are advised to read the privacy statements and/or cookie statements of these third parties to see what they do with the personal data that they collect via these cookies. We would like to point out that these third-party privacy and cookie statements may also change regularly.

    2. Bosun B.V. is not responsible or liable for any damage caused by the actions or omissions of third parties.

  8. Withdrawing consent for cookies

    1. Where consent is required for non-essential cookies, you may withdraw your consent at any time by changing your browser settings (blocking or deleting cookies) and/or by using any cookie settings option offered on our website. For functional cookies on the application website, logging out ends the session and limits further cookie use.

  9. Modifications

    1. Bosun B.V. reserves the right to modify this Statement. You are therefore advised to regularly check this Statement on Bosun. Continued use of Bosun after modification(s) implies your agreement to the modified Statement.

  10. Contact

    1. In case of any questions, suggestions or complaints about this Statement or other aspects of our service, please contact us via contact@bosun.ai.

Bosun B.V. — January 2026