Privacy Policy

Effective date: April 24, 2026

This Privacy Policy explains how Kabinary LLC ("we", "us", or "Boundrify") collects, uses, and protects your personal information when you use https://boundrify.com and the Boundrify services (the "Services"). It is written to meet the European General Data Protection Regulation (GDPR), the French Loi Informatique et Libertés, and the California Consumer Privacy Act (CCPA).

1. Data controller

Kabinary LLC, registered at 30 N Gould St, Ste N, Sheridan, Wyoming 82801, United States, is the controller of your personal data. You can reach us at [email protected].

2. Data we collect

2.1 Data you give us

  • Account data: name, email, password hash, profile picture, language.
  • Business data: company name, country, currency, team size, business structure — collected during onboarding.
  • Project data: projects, tasks, clients, contracts, invoices, time entries, notes. You own this data; we process it on your behalf.
  • Payment data: card details are entered directly in Stripe; we never see or store the card number. We only receive a customer token and transaction status.
  • Communications: support requests, feedback, bug reports.

2.2 Data we collect automatically

  • Technical data: IP address, browser, device, operating system — needed to deliver the service securely.
  • Security events: sign-in history, approximate location of each session (city / country derived from IP via ip-api.com) to detect account takeovers.
  • Error logs: when the application crashes in your browser, a sanitized error trace is sent to Sentry (no form content, no personal identifiers).
  • Aggregate usage: page views, source of traffic, device type — collected by our self-hosted Plausible Analytics instance, without cookies or personal identifiers.

2.3 Data we do not collect

We do not use Google Analytics, Facebook Pixel, Hotjar, or any advertising / cross-site tracking technology. We do not sell personal data. We do not profile users for advertising.

3. How we use your data

| Purpose | Legal basis (GDPR) |
| --- | --- |
| Provide the Services to you | Performance of contract — Art. 6(1)(b) |
| Process payments | Performance of contract — Art. 6(1)(b) |
| Send transactional emails (verification, password reset, invoice) | Performance of contract — Art. 6(1)(b) |
| Secure your account (2FA, fraud detection, rate limiting) | Legitimate interest — Art. 6(1)(f) |
| Improve the Services, diagnose bugs (Sentry, aggregate analytics) | Legitimate interest — Art. 6(1)(f) |
| Comply with accounting, tax, or legal obligations | Legal obligation — Art. 6(1)(c) |
| Send marketing emails (newsletter) | Consent — Art. 6(1)(a), revocable at any time |

4. Sub-processors

We rely on the following providers to deliver the Services. Each is bound by a data processing agreement and processes data only under our instructions.

| Provider | Purpose | Location |
| --- | --- | --- |
| Hostinger | Primary application + database hosting | EU (Lithuania / Netherlands) |
| Stripe | Payment processing, billing | United States (DPF certified) |
| Resend | Transactional email delivery | United States (DPF certified) |
| Sentry | Crash / error reporting (frontend) | European Union (Germany) |
| Google (OAuth) | Optional "Sign in with Google" | United States (DPF certified) |
| LinkedIn (OAuth) | Optional "Sign in with LinkedIn" | United States (DPF certified) |
| Google reCAPTCHA | Anti-bot protection on public forms | United States (DPF certified) |
| ip-api.com | IP-to-city lookup for security alerts | Germany |

When data is transferred outside the European Economic Area, the transfer is protected either by the EU-U.S. Data Privacy Framework (where the provider is DPF-certified) or by Standard Contractual Clauses approved by the European Commission.

5. How long we keep your data

  • Account data: for the life of the account, then deleted or anonymized within 30 days of account closure.
  • Invoicing data: retained for 10 years to comply with accounting law.
  • Security logs: 12 months rolling window.
  • Error traces (Sentry): 90 days.
  • Database backups: 7 daily + 4 weekly + 6 monthly backups (GFS rotation).

6. Your rights

Under the GDPR, the French Loi Informatique et Libertés, and the CCPA, you have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — delete your data, unless we must keep it for legal reasons.
  • Portability — receive your data in a machine-readable format.
  • Restriction / objection — ask us to stop or limit specific processing activities.
  • Withdraw consent — when processing is based on consent, you can revoke it at any time.
  • Define the fate of your data after death (French law specific).
  • Lodge a complaint — with your local supervisory authority. In France: CNIL.

To exercise any of these rights, email [email protected]. We answer within 30 days.

7. Security

We protect your data with industry-standard measures: HTTPS enforced via HSTS (TLS 1.2+), PBKDF2-SHA256 password hashing with 100,000 iterations (ASP.NET Identity default), optional two-factor authentication, SHA-256 hashing of long-lived device tokens, IP-based rate limiting on authentication endpoints, idempotency keys on sensitive write endpoints, principle-of-least-privilege access controls, and automated dependency update monitoring (GitHub Dependabot). Storage volumes are encrypted at rest by our hosting provider. No method is 100% secure, and we cannot guarantee absolute security — but we take it seriously.

8. Children

The Services are not directed at anyone under 16. We do not knowingly collect personal data from minors. If we learn we have, we delete it promptly.

9. Changes to this policy

We may update this policy to reflect changes in the Services or the law. Significant changes will be notified by email or by a banner on the Services. The "Effective date" above always reflects the latest version.

10. Contact

Kabinary LLC
30 N Gould St, Ste N
Sheridan, Wyoming 82801, United States
[email protected]

See also: Cookie Policy, Data Processing Agreement, Legal Notice.