Legal
Privacy Policy
Last updated June 4, 2026
Bossy ("Bossy", "we", "us") provides a people-operations and operations platform for frontline businesses. This Privacy Policy explains what personal data we handle, why, and the choices you have. It applies to our website, our web and mobile apps, and our marketing.
Bossy is operated by Bossy LLC, 2108 N St, Ste N, Sacramento, CA 95816.
Who this policy is for
We handle personal data for three distinct groups, and your rights depend on which group you fall into:
- Customers — the business owners and administrators who sign up for and manage a Bossy account. For their own account and contact data, Bossy is the controller.
- Members of a customer's team (employees) — when a business uses Bossy, it adds its workers, supervisors, and managers. Their task records, photos, schedules, performance notes, feedback, and journal entries are processed on the employer's behalf. For this data the employer is the controller and Bossy is the processor. If you are an employee and want to access, correct, or delete your data, your request generally goes to your employer; we will support them in responding.
- Marketing contacts — people who join our waitlist, submit our contact form, or are imported as leads. For this data Bossy is the controller.
Data we collect
Account & profile — name, email, role, organization, and authentication data (including two-factor settings).
Operational content you create in the app — tasks and their completion status, photos submitted as proof of work, schedules and shift data, checklists, reports, internal announcements and messages, and people-ops content such as 1-on-1 notes, feedback, goals, and Exchange Journal entries.
Billing data — plan, subscription status, and billing contact. Card details are collected and stored by our payments provider (Stripe); Bossy never receives or stores full card numbers.
Usage & device data — log data, approximate location derived from IP, device and browser information, and product-analytics events used to understand and improve the product.
Marketing data — email address, any name/company you provide, consent timestamp, and campaign attribution (UTM) parameters. We store a hashed form of your IP address for abuse prevention, not your raw IP.
How we use data
- To provide, secure, and operate the service for you and your organization.
- To send transactional messages (e.g. task notifications, schedule changes, account and billing emails).
- To send marketing email only where you have consented, with one-click unsubscribe in every marketing message.
- To monitor reliability and prevent abuse, fraud, and security incidents.
- To understand product usage and improve Bossy.
- To comply with legal obligations.
How we share data
We do not sell personal data. We share data with the third-party providers ("subprocessors") that power the service — for hosting, database and storage, payments, email and messaging delivery, error monitoring, and analytics. See our Subprocessors page for the current list. Each is bound by contract to protect the data and use it only to provide their service to us.
We may also disclose data where required by law, to protect rights and safety, or in connection with a corporate transaction (with notice where required).
Retention
We retain personal data for as long as an account is active and as needed to provide the service, then delete or anonymize it within a reasonable period unless a longer retention is required by law (for example, billing records). Customer content is retained according to the customer's configuration and is removed following account deletion — see Account Deletion & Data Requests.
Your rights & choices
Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing. To exercise these rights:
- Customers and marketing contacts can contact us at privacy@bossyhq.com.
- Employees should contact their employer (the controller); we will assist the employer as the processor.
You can opt out of marketing email at any time via the unsubscribe link or by contacting us. Opting out of marketing does not affect transactional messages necessary to operate your account.
Security
We protect data with tenant isolation enforced at the database layer, encryption in transit and at rest, two-factor authentication, and audit logging. Read more on our Security & Trust page.
International transfers
Our providers may process data in the United States and other countries. Where required, we rely on appropriate safeguards for cross-border transfers.
Children
Bossy is a workplace product and is not directed to children. We do not knowingly collect personal data from anyone under 16.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected by an updated date at the top of this page and, where appropriate, additional notice.
Contact
Questions or requests: privacy@bossyhq.com, or Bossy LLC, 2108 N St, Ste N, Sacramento, CA 95816.