Boord-ITS · BITSM

Privacy Policy

Effective Date: March 24, 2026  ·  Version 1.0 (Draft — pending attorney review)
DRAFT — Pending Attorney Review. This document has been prepared as a working draft and will be reviewed and finalized by qualified legal counsel before BITSM is made generally available. It accurately reflects BITSM's data practices as of the effective date above. Do not distribute to prospects without noting this status.

1. Introduction

Boord-ITS ("we," "us," or "our") operates BITSM — Boord Information Technology Service Management, a multi-tenant B2B SaaS platform that provides AI-powered IT helpdesk and ticketing services to organizations (each a "Customer" or "Tenant").

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use BITSM, and describes your rights with respect to that data. It applies to all users of BITSM, including tenant administrators, agents, and end users of Customer organizations.

If you are an employee or contractor of a Customer organization, your primary privacy relationship is with your employer (the Customer). We act as a data processor on the Customer's behalf for data submitted through the platform. See Section 8 for details.

Questions? Contact us at [email protected].

2. Data We Collect

2.1 Account and Identity Data

  • Name, email address, and profile picture (from OAuth provider — Microsoft 365 or Google)
  • Organization/tenant association
  • Role and permission assignments within the platform
  • Authentication tokens (short-lived, server-side session storage)

2.2 Helpdesk and Ticket Data

  • Support ticket content: subject, description, comments, attachments
  • Ticket metadata: status, priority, category, location, assigned agent, timestamps
  • Internal comments (visible only to agents and admins of the same tenant)
  • AI-generated content: triage notes, route suggestions, audit scores, knowledge gap identifications

2.3 AI Conversation Data

  • Messages sent to and received from Atlas (the AI assistant)
  • Conversation history, session context, and message metadata
  • AI interaction logs used for cost tracking and quality auditing

2.4 Usage and Technical Data

  • Log data: IP address, browser/device type, pages accessed, actions taken, timestamps
  • API usage metrics: model invoked, token counts, cost per call, aggregate monthly spend per tenant
  • Error and diagnostic data (optionally sent to Sentry error tracking)
  • Session data (stored server-side in Redis; session cookies are HttpOnly and Secure)

2.5 Voice and Telephony Data

  • Caller phone numbers and call metadata (call duration, timestamps, routing selections)
  • Voice audio transmitted to ElevenLabs for speech recognition and voice synthesis during phone interactions
  • Conversation transcripts generated from phone sessions
  • IVR menu selections and agent routing data
  • SIP signaling data processed by Twilio for call routing and telephony

2.6 Billing and Subscription Data

  • Billing email address associated with the Customer account
  • Subscription plan, status, and invoice history
  • Payment method tokens (tokenized by Stripe — BITSM does not store raw card numbers)

2.7 Knowledge Base Data

  • Documents, articles, and embedded knowledge content uploaded or scraped by Customers
  • Vector embeddings of document content (used for AI-powered search and retrieval)

2.8 Data We Do Not Collect

  • Payment card numbers or banking information (payment processing handled by third-party providers)
  • Sensitive personal data categories (health, race, religion, biometrics) — do not submit these to BITSM
  • BYOK API keys in plaintext — Enterprise customers' API keys are encrypted with Fernet encryption before storage

3. How We Use Personal Data

| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the BITSM platform and its features | Performance of contract |
| Authenticating users and maintaining secure sessions | Performance of contract / Legitimate interest (security) |
| Processing support tickets and routing them to appropriate agents | Performance of contract |
| Powering the Atlas AI assistant (ticket analysis, triage, routing, audit) | Performance of contract / Legitimate interest (service improvement) |
| Monitoring API usage and enforcing per-tier cost caps | Performance of contract / Legitimate interest (billing accuracy) |
| Generating anonymized analytics and quality reports for Customers | Legitimate interest (product improvement) |
| Sending transactional notifications (ticket updates, invitations) | Performance of contract |
| Detecting and preventing security incidents, fraud, or abuse | Legitimate interest (security) |
| Complying with legal obligations | Legal obligation |

4. AI Processing and Third-Party AI Providers

BITSM uses the following third-party AI services to power the Atlas AI engine. When you submit a support ticket or initiate an AI conversation, ticket content and conversation messages may be transmitted to these providers for processing:

| Provider | Purpose | Data Sent |
|---|---|---|
| Anthropic | Primary AI inference (ticket analysis, triage, conversation, audit) | Ticket content, KB context, conversation messages |
| OpenAI | AI failover (used when Anthropic is unavailable) | Same as Anthropic — only when failover triggers |
| Voyage AI | Text embeddings for semantic search (primary) | Document and ticket text for vector embedding |
| ElevenLabs | Voice synthesis, speech recognition, and conversational AI for phone service | Caller voice audio, conversation transcripts, agent system prompts |
| Twilio | Telephony, call routing, and SIP connectivity for phone service | Phone numbers, call metadata, SIP signaling data |
| Stripe | Payment processing and subscription management | Billing email, payment method tokens, subscription and invoice data |

BYOK (Bring Your Own Key) Enterprise Customers: Enterprise tenants who supply their own Anthropic, OpenAI, and/or Voyage AI API keys have their data processed directly under their own agreements with those providers. Boord-ITS does not transmit BYOK customers' data to these providers using Boord-ITS's API accounts.

We do not use your data to train third-party AI models. We rely on each provider's data processing commitments. Customers should review the privacy policies of each provider linked above.

5. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We disclose data only in the following circumstances:

  • Customer administrators: Tenant admins of your organization have access to data submitted by users in their tenant, including tickets, comments, and AI interactions.
  • Sub-processors: We share data with the sub-processors listed in Section 7 to operate the platform.
  • Legal compliance: We may disclose data if required by law, court order, or to protect the rights and safety of Boord-ITS, our Customers, or others.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all assets, personal data may be transferred. We will notify affected Customers.

6. Data Retention

  • Active accounts: Data is retained for as long as the Customer's account is active.
  • Ticket data: Retained for the duration of the Customer's subscription plus 90 days following termination, unless earlier deletion is requested.
  • AI conversation logs: Retained for 12 months for billing and quality purposes, then deleted or anonymized.
  • API usage logs: Retained for 24 months for billing and audit purposes.
  • Session data: Server-side sessions expire after 24 hours of inactivity.
  • Backup data: Database backups are retained on a GFS (Grandfather-Father-Son) rotation schedule. Backup media is encrypted.

7. Sub-Processors

| Sub-Processor | Purpose | Location |
|---|---|---|
| Anthropic | AI inference (primary) | United States |
| OpenAI | AI inference (failover) | United States |
| Voyage AI | Text embeddings | United States |
| Cloudflare | Tunnel / TLS termination / email routing | Global (distributed) |
| Resend | Transactional email delivery | United States |
| Dropbox | Encrypted database backup storage | United States |
| Sentry (optional) | Error tracking and diagnostics (only if SENTRY_DSN is configured) | United States |
| ElevenLabs | Voice synthesis, speech recognition, and conversational AI (phone service) | United States |
| Twilio | Telephony, call routing, and SIP connectivity (phone service) | United States |
| Stripe | Payment processing and subscription management | United States |

We will maintain an up-to-date sub-processor list and notify Customers of material changes via email at least 10 days in advance.

8. Controller and Processor Roles (GDPR)

When BITSM is provided to a Customer organization:

  • The Customer is the data controller for personal data submitted by their employees and end users into the platform.
  • Boord-ITS is the data processor, processing data on the Customer's behalf and under their instructions.
  • Boord-ITS is the data controller for data collected directly (e.g., account data for direct sign-ups, platform analytics).

Our Data Processing Agreement (DPA), available at /legal/dpa, sets out the terms of our data processing activities in accordance with GDPR Article 28.

9. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Access: Request a copy of personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
  • Portability: Request your data in a machine-readable format.
  • Restriction: Request restriction of processing in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are an employee of a Customer organization, you should direct requests to your organization's administrator first, as they control your data within the platform.

CCPA / California Residents: California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of sale of personal information. We do not sell personal information. To exercise CCPA rights, contact [email protected].

10. Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of connector credentials and API keys using Fernet (AES-128-CBC with HMAC-SHA256)
  • HTTPS-only access enforced via Cloudflare Tunnel
  • HttpOnly and Secure session cookies
  • Server-side session storage (Redis) — sessions are not stored client-side
  • OAuth 2.0 authentication with CSRF state parameter validation
  • Non-root Docker container execution
  • SSRF protection on all outbound HTTP to user-supplied URLs
  • Role-based access control (RBAC) enforced on all endpoints
  • Multi-tenant data isolation — all database queries are scoped by tenant_id

No security system is impenetrable. In the event of a data breach affecting personal data, we will notify affected Customers and relevant supervisory authorities as required by applicable law.

11. Cookies

BITSM uses one first-party session cookie ("session") to maintain your authenticated session. This cookie is:

  • HttpOnly (not accessible to JavaScript)
  • Secure (transmitted only over HTTPS)
  • SameSite=Lax (protects against CSRF)
  • Session-scoped (expires after 24 hours of inactivity or on browser close)

We do not use third-party tracking cookies, advertising cookies, or analytics cookies.

12. International Data Transfers

Boord-ITS is based in the United States. Our sub-processors (Anthropic, OpenAI, Voyage AI, Cloudflare, Resend, ElevenLabs, Twilio, Stripe) are also primarily US-based. If you are located in the European Economic Area (EEA) or United Kingdom, data may be transferred to the United States. We rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms for such transfers. Contact us at [email protected] for details.

13. Children's Privacy

BITSM is a B2B enterprise platform not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data, contact us at [email protected].

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Customer administrators via email at least 14 days before taking effect. The "Effective Date" at the top of this document reflects the date of the most recent update. Continued use of BITSM after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For privacy-related questions, rights requests, or to report a privacy concern:

  • Email: [email protected]
  • Product: BITSM — https://bitsm.io
  • Company: Boord-ITS