Privacy Policy
This Privacy Policy explains how BOMvault collects, uses, and protects your information when you use our services.
Effective Date: January 1, 2025 | Version: 1.0
Summary
BOMvault is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your personal information.
Key Commitment: We do not sell your personal information. We process your data only to provide and improve our services.
Information We Collect
You Provide
- Account info (name, email, company)
- SBOMs and software metadata
- Payment information (via Stripe)
- Support communications
Collected Automatically
- Usage data (pages, features, actions)
- Device info (IP, browser, OS)
- Log data (API requests, errors)
- Cookies (essential and analytics)
How We Use Your Information
- Provide Services: Process SBOMs, generate reports, manage your account
- Improve: Analyze usage patterns, fix bugs, develop features
- Communicate: Send alerts, updates, and support responses
- Secure: Prevent fraud, enforce terms, protect the platform
- Comply: Meet legal obligations and respond to lawful requests
Data Sharing
We share data only with:
- Service Providers: AWS, Stripe, Sentry, and others listed in our DPA
- Your Integrations: GitHub, Slack, Jira as you configure
- Legal Requirements: When required by law or to protect rights
- Business Transfers: In connection with mergers or acquisitions
Data Retention
| Data Type | Retention |
|---|---|
| Active account data | Duration of subscription + 30 days |
| Backups | 90 days after deletion |
| Audit logs | Up to 7 years (regulatory compliance) |
| Immutable evidence | Configured retention period |
Your Rights
Depending on your location, you may have rights to access, correct, delete, or port your data. You can also object to processing or withdraw consent.
- GDPR (EU/UK): Full data subject rights apply
- CCPA/CPRA (California): Rights to know, delete, correct, opt-out
- We do not sell or share your data as defined under CCPA
Security
Technical
- Encryption in transit (TLS) and at rest (AES-256)
- Multi-tenant database isolation (RLS)
- Role-based access control
Organizational
- Employee security training
- Regular security assessments
- Incident response procedures
Cookies
We use essential cookies for authentication and security, plus privacy-focused analytics. We do not use advertising trackers. You can control cookies in your browser settings.
International Transfers
Data may be transferred to the United States. We use Standard Contractual Clauses (SCCs) for transfers from the EEA, UK, and Switzerland. See our Data Processing Agreement for details.
Questions About Your Data?
To exercise your privacy rights or ask questions about this policy, contact our privacy team.
Contact
- Privacy: privacy@bomvault.com
- Security: security@bomvault.com
- Address: BOMvault, Inc., 1111B S Governors Ave STE 34802, Dover, DE 19904, USA
Last Updated: January 1, 2025