At Bootup Studios Inc. ("we," "our," or "us"), we value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our website bootupstudios.ai and related services (collectively, the "Services").
1. Information We Collect
Information you provide directly:
When you register for our Services using Google authentication or email and password, we may collect:
• Name
• Email address
• Password (stored securely via Firebase Authentication; we do not have access to your plaintext password)
• Profile picture (if provided via Google)
• Phone number (if you choose to link one for SMS features or multi-factor authentication)
• Additional contact information you choose to share
Information we collect automatically:
When you use our Services, we may automatically collect certain information, including:
• Usage data and access logs
• Device and connection information
• IP address, browser type, and pages visited
• Cookies and similar technologies (see Section 5)
Information generated through your use of the Services:
• Business plans, timelines, and project data you create
• Conversations with AI assistants
• Lead generation queries and results
• Files and attachments you upload
2. Authentication
Our Services support two authentication methods:
Google OAuth: We use Google OAuth authentication to allow you to log in securely. By using this feature:
• Google will share your basic profile information with us according to your Google privacy settings
• We only request access to the essential information needed to provide our Services to you
• You can revoke our access to your Google information at any time through your Google account settings
Email and Password: You may also register with an email address and password. Your password is managed securely through Firebase Authentication and is never stored in plaintext by us.
3. How We Use Your Information
We use the information we collect to:
• Provide, maintain, and improve our Services
• Power AI-assisted features including chat, business planning, and lead generation
• Facilitate third-party integrations you choose to connect
• Process payments and manage subscriptions
• Send SMS messages when you opt in by linking your phone number
• Personalize your experience and provide relevant content
• Communicate with you about updates, security, and support
• Enforce our Terms of Use and protect against fraud
• Comply with legal obligations and protect our rights
4. AI Services and Data Processing
Our platform uses AI models from third-party providers (including OpenAI, Anthropic, and Google) to power features such as chat, business plan generation, and lead research. When you use AI features:
• Your prompts, messages, and relevant project context are sent to the applicable AI provider to generate responses
• AI-generated content is stored in your account for your continued access
• We use your conversation data to provide the Services but do not use it to train AI models
• Each AI provider has its own data processing policies; we encourage you to review them
If you provide your own API keys ("Bring Your Own Key"), those keys are encrypted using AES-256-GCM before being stored and are only decrypted server-side when making API calls on your behalf.
5. Cookies and Session Management
We use a minimal set of cookies to operate the Services:
• auth-token: A session cookie containing your Firebase authentication token, used to keep you signed in. This cookie expires after 7 days and is refreshed on active use.
We do not use tracking cookies or third-party advertising cookies.
6. SMS and Twilio Services
If you choose to link your phone number in Settings, we use Twilio to provide SMS functionality. This involves:
• Collecting and storing your phone number in E.164 format
• Sending verification codes to confirm your phone number
• Transmitting SMS messages between you and the platform (including AI-generated responses, lead generation results, and project notifications)
• Storing SMS session data to maintain conversational context
Opt-in is established when you voluntarily link your phone number and verify it via a one-time code. You may opt out at any time by unlinking your phone number in Settings, which deletes your phone number and associated session data from our systems. Standard messaging rates from your carrier may apply.
For multi-factor authentication (MFA), if you choose SMS as your MFA method, your phone number is also used to deliver one-time verification codes. MFA phone numbers are stored separately from SMS feature phone numbers.
7. Third-Party Integrations (Composio)
When you connect third-party services through our integrations feature (such as Gmail, Google Calendar, Notion, Airtable, Stripe, Google Drive, Google Docs, or Outlook), data is exchanged between the Services and the connected application via Composio. Specifically:
• We only access data from connected services when you explicitly initiate actions through the platform
• Connection credentials are managed by Composio and are not stored by us
• You can disconnect any integration at any time from Settings, which revokes our access
8. Payment Data (Stripe)
Payment processing is handled by Stripe. When you subscribe to a paid plan:
• Your payment card details are processed directly by Stripe and are never stored on our servers
• We store only subscription metadata: customer ID, subscription status, plan type, and billing period dates
• Stripe handles PCI compliance for all payment data
• You can manage payment methods, view invoices, and cancel subscriptions through the Stripe billing portal accessible from Settings
9. Lead Generation (Tavily)
Our lead generation features use Tavily's web search API to research and identify potential business leads. When you use these features:
• Your search queries are sent to Tavily to perform web research
• Results are processed, normalized, and stored in your project data
• Lead data consists of publicly available information gathered from the web
10. Multi-Factor Authentication
If you enable MFA, we store additional security data:
• TOTP secrets are encrypted using AES-256-GCM before storage
• Backup codes are hashed using SHA-256 and cannot be reversed
• SMS verification codes are temporary and expire after a short window
• MFA session tokens are short-lived and action-specific
11. Information Sharing
We do not sell, trade, or transfer your personal information to third parties, except in the following circumstances:
• With service providers who help us operate our business and provide the Services (including AI model providers, Twilio, Stripe, Composio, and Tavily as described above)
• To comply with legal requirements or respond to legal processes
• To protect our rights, property, or safety, as well as those of our users
• In connection with a merger, acquisition, or sale of assets
12. Information Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
• Encryption of data in transit (HTTPS/TLS) and at rest
• AES-256-GCM encryption for sensitive data such as API keys and TOTP secrets
• SHA-256 hashing for backup codes
• Constant-time comparison for verification codes to prevent timing attacks
• Rate limiting on authentication and API endpoints
• Regular security reviews
• Restricted access to personal information
• Secure authentication protocols with support for multi-factor authentication
13. Your Privacy Rights
Depending on your location, you may have specific rights regarding your personal information, which may include:
• Accessing, correcting, or deleting your personal information
• Objecting to the processing of your personal information
• Requesting data portability
• Withdrawing your consent at any time
• Opting out of SMS communications by unlinking your phone number
• Disconnecting third-party integrations to revoke data sharing
To exercise these rights, please contact us using the information provided in the "Contact Us" section.
14. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. When you delete your account or unlink a service:
• SMS data is deleted when you unlink your phone number
• Integration connections are revoked when you disconnect them
• MFA data is deleted when you disable multi-factor authentication
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
16. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
Email: team@bootupstudios.ai