Dealer account data: business name, address, EIN, billing contact, principal contact, and any users you add to the platform. This is the minimum needed to run BoaterOS for your dealership.
Buyer personal information: on your behalf, when a buyer interacts with your website, AI Companion, or CRM, we process their name, contact details, vehicle interests, financing data, and government ID for identity verification. You are the data controller; we are the processor.
Device and usage telemetry: page views, feature usage, session durations, and error logs. Used only for product improvement and support.
Payment data: processed by Stripe. We receive a token, not card numbers.
To operate, maintain, and improve the BoaterOS platform for your dealership.
To deliver the specific features you've turned on (AI Companion, syndication, F&I, etc.).
To send transactional communications — security alerts, billing, service notifications.
To comply with legal obligations including TCPA, e-sign, and tax reporting.
We do not use your data — or your buyers' data — to train foundation models. Our Anthropic and OpenAI agreements explicitly prohibit training on customer content.
Sub-processors who help us run the platform. A current list lives on our Security & Trust page. Every sub-processor is contractually bound to protect your data.
Regulators, when required by law or court order. We notify you unless legally prohibited.
Business transfers: in the unlikely event of an acquisition, we notify you 30 days in advance and give you an export option.
We do not share or sell data to advertisers, data brokers, or third-party marketing systems.
Active account data: kept while your subscription is active.
After termination: production data deleted within 30 days; encrypted backups purged within 90 days.
Financial records: retained up to 7 years where required for tax, audit, or regulatory compliance.
TCPA consent logs: retained 7 years to defend against any future consent dispute.
Under GDPR (EU/EEA/UK) and CCPA/CPRA (California) you have the right to access, correct, delete, port, and restrict processing of your personal data. We honor all requests within 30 days.
To exercise rights: email privacy@boater.os or use the self-service export tool in your account settings.
You may also lodge a complaint with your local data protection authority. We hope you talk to us first.
We use a minimal set of first-party cookies: session management, CSRF protection, preferences, and light product analytics.
We do not use third-party advertising cookies. We honor Global Privacy Control (GPC) and Do Not Track signals.
A full cookie inventory is available on request from privacy@boater.os.
BoaterOS is a B2B platform. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided data through one of our dealer customers, contact privacy@boater.os and we'll delete it.
Today, BoaterOS data is stored in the United States (AWS us-east-1 and us-west-2). EU data residency is on the roadmap for Q3 2026.
For transfers out of the EU/UK, we rely on Standard Contractual Clauses. A copy of our DPA is available on request.
We maintain a SOC 2 Type II program, encryption in transit (TLS 1.3) and at rest (AES-256), role-based access, and a 24/7 incident response rotation. Details are at /company/security.
If a breach occurs, we notify affected customers within 72 hours as required under GDPR and applicable US state laws.
When we update this policy, we post the new version here and update the "last updated" date. For material changes — like adding a new category of data or a new purpose of processing — we email the primary contact at your dealership at least 30 days before it takes effect.
Data Protection Officer: privacy@boater.os
EU representative: (placeholder) — available on request.
Postal: BoaterOS, Inc. · 200 Central Ave, Suite 2220 · St. Petersburg, FL 33701, USA