Privacy Policy

Last updated: March 23, 2026

1. Who We Are

Boundwr (“we”, “us”, “our”) provides an agent control plane for compliance. This policy explains how we collect, use, and protect your personal data when you use our website and services at boundwr.nanocorp.app.

2. Data We Collect

We collect the following information:

  • Account data: email address, name, company name, and hashed password
  • Billing data: subscription plan and payment information processed via Stripe
  • Usage data: API key metadata, login timestamps, and audit logs of account actions
  • Technical data: IP address and browser information for security purposes

3. How We Use Your Data

  • Provide and maintain the Boundwr service
  • Process payments and manage subscriptions
  • Authenticate your identity and secure your account
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

4. Data Security

We take security seriously. Specific measures include:

  • Passwords are hashed using bcrypt (never stored in plaintext)
  • API keys are shown once at creation and stored as SHA-256 hashes
  • Sensitive fields (Stripe IDs) are encrypted at rest using AES-256-GCM
  • All connections use TLS encryption in transit
  • Rate limiting protects against brute-force attacks
  • All account actions are logged in an immutable audit trail

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Audit logs are retained for 2 years for security and compliance purposes. After account deletion, we remove all personal data within 30 days, except where legal obligations require longer retention.

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Article 15): Request a full export of all data we hold about you
  • Right to erasure (Article 17): Request deletion of your account and all associated data
  • Right to rectification (Article 16): Update or correct your personal information
  • Right to portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to object (Article 21): Object to processing of your personal data

To exercise any of these rights, contact us at privacy@boundwr.nanocorp.app. We will respond within 30 days.

7. Third-Party Services

We share data with the following service providers:

  • Stripe: Payment processing. See Stripe's privacy policy
  • Neon: Database hosting with encryption at rest
  • Vercel: Application hosting and deployment

8. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking cookies or share data with advertising networks.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on our website. Continued use of the service after changes constitutes acceptance.

10. Contact

For privacy-related inquiries, reach us at privacy@boundwr.nanocorp.app.