# Privacy Policy
Last updated: February 2026
## 1. Introduction
This Privacy Policy explains how Boss Plan (operated by Boss Plan Kft., registered in Hungary) collects, uses, stores, and protects your personal data when you use our platform, website, and services. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Hungarian data protection law (Act CXII of 2011 on Informational Self-Determination and Freedom of Information).
## 2. Data Controller
The data controller for the purposes of GDPR is Boss Plan Kft., with its registered office in Hungary. For data protection inquiries, please contact us at [email protected].
## 3. Data We Collect
We collect the following categories of personal data:

- (a) Account data: name, email address, company name, and phone number provided during registration.
- (b) Usage data: login timestamps, feature usage patterns, and device information (browser type, operating system, screen resolution).
- (c) Content data: any data you enter into the platform, including tasks, contacts, files, quotes, comments, and other business information.
- (d) Payment data: billing name, address, and payment method details. Payment processing is handled by third-party payment processors; we do not store full card numbers.
- (e) Communication data: messages you send to us via contact forms, email, or support requests.
## 4. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6(1):

- (a) Contract performance: processing necessary to provide our services to you under our Terms of Service.
- (b) Legitimate interest: processing for platform security, fraud prevention, and service improvement.
- (c) Consent: where you have given explicit consent, such as for marketing communications.
- (d) Legal obligation: processing required to comply with applicable laws, such as tax and accounting regulations.
## 5. How We Use Your Data
We use your data to: provide and maintain our platform and services; process your transactions and manage your account; send service-related communications (updates, security alerts, support messages); improve our platform based on usage patterns; comply with legal obligations; respond to your inquiries and support requests. We do not sell your personal data to third parties.
## 6. Data Storage and Security
Your data is stored on servers located within the European Union. We implement appropriate technical and organisational measures to protect your data, including: encryption in transit using TLS; regular automated backups; access controls and role-based permissions; monitoring and logging of system access. Files uploaded to the platform are stored using secure cloud storage within the EU.
## 7. Data Retention
We retain your data for as long as your account is active or as needed to provide our services. When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., accounting records which must be retained for 8 years under Hungarian law). Deleted files are retained in a soft-delete state for 30 days to allow recovery, after which they are permanently deleted.
## 8. Your Rights Under GDPR
Under the GDPR, you have the following rights:

- Right of access: request a copy of your personal data.
- Right to rectification: correct inaccurate personal data.
- Right to erasure: request deletion of your personal data ('right to be forgotten').
- Right to restriction: restrict the processing of your data.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interest.
- Right to withdraw consent: withdraw consent at any time where processing is based on consent.

To exercise these rights, please contact us at [email protected]. We will respond within 30 days.
## 9. Third-Party Services
We use the following third-party services that may process your data: Cloud infrastructure providers (EU-based) for hosting; Firebase Cloud Messaging for push notifications; Email delivery services for transactional emails; Payment processing services for billing. All third-party processors are selected for their GDPR compliance and are bound by data processing agreements.
## 10. Cookies
Our website uses essential cookies required for the platform to function (e.g., session management, language preference). We also use analytics cookies to understand how our website is used. You can manage your cookie preferences through our cookie consent banner. Essential cookies cannot be disabled as they are necessary for the website to function.
## 11. International Data Transfers
We store and process your data within the EU. If any data transfer outside the EU is necessary (e.g., for specific third-party services), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
## 12. Children's Privacy
Boss Plan is a business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
## 13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending an email. The 'last updated' date at the top of this policy indicates when it was last revised.
## 14. Contact and Supervisory Authority
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at [email protected]. If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) at [email protected] or your local supervisory authority.