bOpus, Inc. — Privacy Policy

bOpus, Inc. ("bOpus", "we", "us", or "our") respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information in connection with our website at bopus.ai, the bOpus Performance Cloud subscription service, and our other products and services (collectively, the "Services").

This Policy provides general notice of our data practices. Where bOpus processes Customer Data on behalf of a customer organization under the bOpus Performance Cloud Subscription Agreement ("PCSA") or a separate Data Processing Addendum ("DPA"), those agreements govern the contractual relationship and any conflict between this Policy and the PCSA or DPA shall be resolved in favor of the PCSA or DPA.

1. Information We Collect

1.1. Information You Provide

• Contact and Identity Information — name, email address, phone number, company name, job title, and similar professional contact details you provide when creating an account, requesting a demo, contacting support, or corresponding with us.
• Account Credentials — user IDs and passwords for authentication. Authentication is managed through our identity partner (currently Logto); credentials are stored in accordance with industry-standard practices.
• Billing Information — when you make a payment, billing contact details and invoice records. Payment card numbers are processed by our payment processor and are not stored on bOpus systems.
• Communications — the content of emails, support tickets, and other messages you send us.

1.2. Information Collected Automatically

• Usage and Log Data — technical logs, system metadata, and event records describing how users interact with the Services, including timestamps, feature use, and error reports.
• Device and Connection Data — IP address, browser type and version, operating system, referring page, and similar information collected automatically when you use our website or Services.
• Cookies and Similar Technologies — small data files placed on your device. We use strictly-necessary cookies to operate the Services, and (on the public website) limited analytics and security cookies to understand traffic and protect against abuse. We do not use advertising or behavioral-tracking cookies. You can control cookies through your browser settings; disabling strictly-necessary cookies may impair Service functionality.

1.3. Information from Third Parties

We may receive limited information from service providers we use (for example, our authentication partner or payment processor) and from publicly available sources when verifying business contact information.

1.4. Customer Data (Subscription Customers Only)

When a customer organization uses the bOpus Performance Cloud, the organization or its machines upload business data ("Customer Data"), which may include limited personal information about the organization's employees or contractors. bOpus processes Customer Data as a service provider on behalf of the customer organization, in accordance with the PCSA and any applicable DPA. This Policy does not govern the processing of Customer Data; if you are an employee, contractor, or end-user of a bOpus customer, please direct privacy inquiries about Customer Data to your organization.

1.5. Information We Do Not Collect

We do not knowingly collect or accept:

• Protected Health Information regulated by HIPAA, as expressly excluded under § 2.2.2 of the PCSA;
• Payment card numbers, security codes, or other cardholder data subject to PCI-DSS, as expressly excluded under § 2.2.3 of the PCSA (such data is handled by our payment processor);
• Personal information of children under the age of 16; or
• "Sensitive personal information" within the meaning of the California Consumer Privacy Act, except as incidentally provided as Customer Data and processed under the PCSA.

2. How We Use Information

We use the information we collect to:

• Provide, operate, secure, and improve the Services;
• Authenticate users and protect against unauthorized access;
• Send transactional communications (account notices, billing, support responses, security alerts);
• Process payments and manage billing under our Standard Invoice Terms;
• Send marketing and product communications, where permitted by law and subject to your right to unsubscribe at any time;
• Provide customer support and respond to inquiries;
• Conduct internal analytics, troubleshooting, and product development;
• Detect, prevent, and respond to fraud, abuse, and security incidents;
• Comply with applicable laws, regulations, court orders, and lawful requests; and
• Establish, exercise, or defend legal claims.

3. How We Share Information

We share information only as described in this Section.

3.1. Service Providers (Sub-processors)

We share information with vendors that perform services on our behalf, including cloud hosting and infrastructure, authentication, payment processing, email delivery, web analytics, content delivery and security (e.g., Cloudflare), and customer support tools. These vendors are contractually required to use the information only to provide services to bOpus and to protect it appropriately. A current list of material sub-processors is available on request to .

3.2. Within Your Organization

If you access the Services through an organization (your employer or a customer of bOpus), administrators and other authorized users within that organization may have access to your account information and activity within the Services.

3.3. Legal and Safety

We may disclose information when we reasonably believe disclosure is required to comply with a law, regulation, court order, subpoena, or other lawful process; to enforce our agreements; to investigate or respond to suspected fraud, abuse, or violations of our policies; or to protect the rights, property, or safety of bOpus, our users, or others.

3.4. Business Transfers

If bOpus is involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, information may be transferred to the successor or acquiring party as part of the transaction.

3.5. With Your Consent

We may share information with other third parties when you direct us to do so or otherwise consent.

4. We Do Not Sell or "Share" Personal Information

We do not sell personal information for monetary or other valuable consideration, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act and similar U.S. state laws. We have not done so in the preceding twelve (12) months and have no current plans to do so.

5. Data Retention

We retain personal information for as long as needed to provide the Services and for legitimate business purposes, including the following defaults (which may be extended where required by law, contract, or active investigation):

• Account and contact data: for the duration of the customer relationship plus a reasonable wind-down period (typically up to twelve (12) months after account closure);
• Authentication and security logs: typically twelve (12) months;
• Billing and tax records: as required by applicable financial and tax-record retention laws (typically seven (7) years);
• Marketing contacts: until you unsubscribe or request deletion;
• Customer Data in bOpus Performance Cloud: as set forth in the PCSA and the applicable Ordering Document.

6. Data Security

We maintain commercially reasonable physical, technical, and administrative safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption of data in transit, access controls, secure authentication, vulnerability monitoring, and personnel training. No method of transmission over the internet or electronic storage is perfectly secure, and we cannot guarantee absolute security.

7. International Data Transfers

bOpus is based in the United States and processes information in the United States. If you access the Services from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have different data-protection rules than your country. By using the Services, you consent to such transfer and processing.

8. Your Rights

8.1. All Users

You may at any time:

• Request access to or a copy of personal information we hold about you;
• Request correction of inaccurate information;
• Request deletion of your personal information, subject to limits where we are required or permitted to retain it;
• Unsubscribe from marketing communications using the unsubscribe link in any marketing email or by contacting us; and
• Lodge a complaint with us at .

We will respond to verifiable requests within the time required by applicable law. We may need to verify your identity before fulfilling certain requests.

8.2. California Residents (CCPA/CPRA)

California residents have the right to: know what personal information we collect, use, disclose, and (if applicable) sell or share; request deletion; request correction; opt out of sale or sharing (we do neither); limit our use of sensitive personal information (we collect none from California residents in this capacity); and not receive discriminatory treatment for exercising these rights. You may also designate an authorized agent to make a request on your behalf.

8.3. EU/UK/EEA Residents (GDPR/UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing, as well as the right to withdraw consent (where processing is based on consent) and the right to lodge a complaint with your local data-protection authority. The lawful bases on which we process personal information include performance of a contract, our legitimate interests in operating and improving the Services, your consent (where applicable), and compliance with legal obligations.

8.4. Other U.S. States

Residents of other U.S. states with comprehensive privacy laws (including, as applicable, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) have rights similar to those described above. To exercise these rights, contact us using the information in Section 12.

9. Children's Privacy

The Services are intended for businesses and adult professional users. We do not knowingly collect personal information from children under the age of sixteen (16). If you believe we have collected such information, please contact us at and we will take appropriate steps to delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this Policy reflects when it was most recently revised. If we make material changes, we will provide additional notice (for example, by email to account administrators or through the Services) before the changes take effect. The version of this Policy in effect on the date you use the Services governs our practices at that time. Prior versions are archived and available at bopus.ai/privacy-policy/archive or upon written request.

11. Order of Precedence

If you are a customer with a signed bOpus Performance Cloud Subscription Agreement, Data Processing Addendum, or other written agreement with bOpus that addresses privacy or data protection, that agreement controls in the event of conflict with this Policy. If a conflict arises that cannot be resolved by reading the documents together, the order of precedence is: (1) any signed DPA, (2) the PCSA or other signed services agreement, (3) this Policy.

12. Contact Us

Questions, requests, or complaints regarding this Privacy Policy or our data practices may be directed to:

bOpus, Inc.
Attn: Privacy