Key Points — Plain Language Summary
BoundaryAI is a privacy-first AI company. Here is what that means in practice:
- We do not sell your personal data — ever.
- We never use your content or data to train AI models.
- Your data stays in your region. We operate isolated infrastructure in the EU, Canada, and USA.
- AI inference runs on infrastructure we control — your data never touches shared third-party AI services.
- You can request access to, correction of, or deletion of your data at any time.
- We will give you at least 30 days' notice of any material changes to this Policy.
Questions? Contact our Privacy Officer: privacy@boundary-ai.com
1. Introduction and Scope
BoundaryAI, Inc. and its affiliated entities (collectively "BoundaryAI", "we", "us", or "our") are committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you use our platform, products, and services (the "Services").
This Policy applies to:
- Customers and authorised users of the BoundaryAI platform ("Customers");
- Visitors to our websites at boundary-ai.com and associated domains;
- Prospective customers and partners who interact with us;
- End users of applications built by Customers using the BoundaryAI API ("End Users").
This Policy does not apply to third-party services linked from our platform. We encourage you to review their privacy notices separately.
Enterprise and contracted customers: If you have signed a separate Data Processing Agreement (DPA), Business Associate Agreement (BAA), or Enterprise Master Services Agreement (MSA) with BoundaryAI, the terms of that agreement govern to the extent of any conflict with this Policy.
2. Data Controller and Affiliated Entities
BoundaryAI, Inc., a Delaware corporation, is the data controller for personal data processed in connection with the Services. All customer contracts, billing, and data controller responsibilities are held by BoundaryAI, Inc.
| Entity | Role | Principal Office |
|---|---|---|
| BoundaryAI, Inc. | Data Controller — primary contracting entity for all customers globally | 1100 Av. du Docteur-Penfield #504, Montréal, QC H3A 1A8, Canada |
| BoundaryAI Analytics Canada Inc. | Affiliated sub-processor — R&D and certain data processing operations performed on behalf of BoundaryAI, Inc. | 1100 Av. du Docteur-Penfield #504, Montréal, QC H3A 1A8, Canada |
Note for EU and UK customers: BoundaryAI, Inc. is currently the contracting and controller entity for all customers, including those in the European Economic Area (EEA) and United Kingdom. We are reviewing our EU/UK corporate structure and will update this Policy accordingly. In the interim, EU/UK transfers are covered by Standard Contractual Clauses (SCCs) — see Section 8. If you require a specific EU-established controller arrangement for regulatory reasons, please contact legal@boundary-ai.com.
Privacy Officer: All privacy enquiries and data subject requests should be directed to:
BoundaryAI Privacy Officer
Email: privacy@boundary-ai.com
Postal: Privacy Officer, BoundaryAI, Inc., 1100 Av. du Docteur-Penfield #504, Montréal, QC H3A 1A8, Canada
Response time: We acknowledge all requests within 72 hours and respond fully within 30 days.
EU and UK data subjects have the right to contact their national supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, contact the supervisory authority in your Member State of habitual residence.
3. Infrastructure, Data Residency, and AI Architecture
BoundaryAI is built on Google Cloud Platform (GCP) with a deliberate data residency architecture designed to keep your data where you are. This section explains how our infrastructure works, because we believe transparency about AI data flows is essential.
3.1 Regional Isolation
We operate three fully isolated GCP environments — EU, Canada, and USA. When you sign up, your data is assigned to the environment that matches your region and remains there. Data does not flow between regional environments without your explicit instruction.
| Region | GCP Environment | Customer Data Stays In |
|---|---|---|
| European Union | Isolated EU GCP project | European Union (EEA) — never transferred to US or Canada without SCCs |
| Canada | Isolated Canada GCP project | Canada — covered by Canadian adequacy status |
| United States | Isolated US GCP project | United States |
3.2 AI Model Architecture — Your Data Stays Private
How BoundaryAI's AI inference works:
BoundaryAI uses a combination of its own proprietary AI models and Google Gemini models deployed on private, customer-region-isolated Vertex AI infrastructure. This is a critically important distinction from standard AI APIs:
- Your data is processed within your regional GCP environment — it does not leave your region for AI inference.
- We use Google Vertex AI under our own GCP organisation — not the public Gemini API. This means Google processes data only on our instructions and under our Data Processing Agreement with Google Cloud.
- Google does not use data processed through our Vertex AI environment to train Google's own models. This is governed by Google Cloud's Data Processing Addendum.
- Our proprietary models run entirely on infrastructure we own and control within your region.
- No AI inference request routes through shared, multi-tenant third-party AI infrastructure.
Sub-processors for infrastructure: Google Cloud (as infrastructure sub-processor) and BoundaryAI Analytics Canada Inc. (for R&D processing) are listed in our sub-processor register at boundary-ai.com/sub-processors, along with all other third-party processors we engage.
4. Personal Data We Collect
We collect personal data in three ways: data you provide directly, data generated through your use of the Services, and data received from third parties.
4.1 Data You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account and identity | Name, email address, job title, company name, password (hashed) | Account creation and authentication |
| Billing information | Billing address, VAT/tax number. Payment card details are collected and processed directly by Stripe, Inc. — BoundaryAI never stores card data. | Processing subscriptions and invoices |
| Communications | Enquiries, support tickets, feedback, survey responses | Customer support and service improvement |
| Professional information | Organisation details, industry sector, use-case description | Service delivery and account management |
4.2 Data Generated Through Use of the Services
| Category | Examples | Purpose |
|---|---|---|
| Usage and interaction data | Features accessed, queries submitted, session duration, error logs | Platform performance and security |
| Technical data | IP address, browser type, device identifiers, operating system | Security, fraud prevention, diagnostics |
| Input and output content | Prompts, documents, and content you submit; AI-generated outputs | Delivery of the Services — never used for model training |
| Log and audit data | API call logs, authentication events, administrative actions | Security monitoring and compliance |
4.3 Data from Third Parties
We may receive personal data from: identity verification and fraud prevention services; publicly available professional directories for B2B outreach; and integration partners where you have authorised data sharing.
4.4 Special Categories of Data
We do not intentionally collect special category personal data (such as health, biometric, or racial/ethnic data). If your use of the platform involves such data, you are responsible for appropriate safeguards and must notify us at privacy@boundary-ai.com before doing so.
5. Legal Basis for Processing (GDPR / UK GDPR)
Where EU GDPR or UK GDPR applies, we rely on the following lawful bases:
| Lawful Basis | Processing Activities | Notes |
|---|---|---|
| Contract performance (Art. 6(1)(b)) | Account management, service delivery, billing, technical support | Necessary to provide the Services you have contracted for |
| Legitimate interests (Art. 6(1)(f)) | Security monitoring, fraud prevention, anonymised analytics, marketing to existing customers | Balanced against your rights. You may object at any time. |
| Legal obligation (Art. 6(1)(c)) | Tax and financial records, responding to lawful law enforcement requests | Required by applicable law |
| Consent (Art. 6(1)(a)) | Marketing to prospects; non-essential cookies | Freely given and withdrawable at any time without detriment |
Legitimate interests: Where we rely on legitimate interests, we have conducted a balancing test confirming our interests do not override your fundamental rights. You may request a copy of our Legitimate Interests Assessment at privacy@boundary-ai.com.
6. AI Model Training — Our Commitment
Your data is not our training data.
BoundaryAI does not use your input content, output content, or any personal data to train, fine-tune, or improve AI models — ours or anyone else's.
Specifically:
- Content of your queries, documents, prompts, and AI-generated outputs is never used for model training;
- AI inference on Google Vertex AI runs under our private GCP organisation — Google's Cloud DPA prohibits Google from using this data for its own model training;
- Our proprietary models are trained on curated datasets we control, not on customer data;
- Anonymised, aggregated usage telemetry (e.g. feature adoption rates, error frequencies) that cannot be linked to any individual or organisation may be used for platform performance analysis;
- Enterprise customers with DPAs containing explicit training prohibitions have contractual protection in addition to this policy default.
7. How We Use Personal Data
We use personal data only for the purposes described in this Policy.
| Purpose | Data Categories | Lawful Basis |
|---|---|---|
| Provide and deliver the Services | Account, usage, content, technical | Contract |
| Process payments via Stripe | Billing, account | Contract / Legal obligation |
| Authenticate users and prevent unauthorised access | Account, technical, log data | Contract / Legitimate interests |
| Detect and prevent fraud, abuse, and security incidents | Technical, log, account | Legitimate interests / Legal obligation |
| Provide customer support | Account, communications | Contract |
| Send transactional communications (receipts, alerts, policy updates) | Account, communications | Contract / Legal obligation |
| Send marketing to existing customers | Account, professional | Legitimate interests (opt-out available) |
| Send marketing to prospects | Account, professional | Consent |
| Analyse platform performance (anonymised/aggregated only) | Usage data | Legitimate interests |
| Comply with legal obligations and respond to lawful requests | All categories as required | Legal obligation |
8. Disclosure of Personal Data
We do not sell, rent, or trade your personal data. We may disclose personal data only in the following limited circumstances:
8.1 Sub-processors
All sub-processors are bound by data processing agreements requiring them to process data only on our instructions and to implement appropriate security measures. Our full sub-processor list is published at boundary-ai.com/sub-processors.
| Sub-processor | Role | Data Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure and hosting; Vertex AI inference (private, region-isolated) | EU, Canada, or USA — matches customer region |
| BoundaryAI Analytics Canada Inc. | Affiliated sub-processor for R&D and certain data processing | Canada |
| Stripe, Inc. | Payment processing. Stripe processes card data directly — BoundaryAI does not store payment card details. See stripe.com/privacy. | USA (Stripe DPA covers EU transfers) |
| [Support platform] | Customer support and ticketing | See sub-processor list |
| [Identity / auth provider] | User authentication and MFA | See sub-processor list |
We will provide 30 days' advance notice of new sub-processor additions via email and our sub-processor change log. Enterprise customers with contractual objection rights will be notified separately.
8.2 Corporate Transactions
In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity. We will give at least 30 days' notice before your data becomes subject to a materially different privacy policy.
8.3 Legal Obligations
We may disclose personal data if required by law, court order, or governmental authority. We will notify affected customers of government data requests where legally permitted to do so, and publish an annual transparency report at boundary-ai.com/transparency.
9. International Data Transfers
Because BoundaryAI, Inc. is incorporated in the United States, transfers of personal data from the EEA or UK to BoundaryAI constitute international transfers under GDPR. We address this as follows:
| Transfer | Mechanism | Notes |
|---|---|---|
| EEA / UK to USA (BoundaryAI, Inc.) | EU Standard Contractual Clauses (2021 SCCs, Controller-to-Processor). UK IDTA for UK transfers. | Copies available on request at privacy@boundary-ai.com |
| EEA / UK to Canada (BoundaryAI Analytics Canada Inc.) | Adequacy Decision (Canada has EU adequacy for commercial organisations under PIPEDA) | No additional safeguards required |
| Within GCP regional environments | No transfer — data remains in customer's assigned regional GCP environment | EU data never leaves the EU GCP environment for processing |
Important note on AI inference: Because we use regionally isolated GCP environments and private Vertex AI (not the public Gemini API), EU customer data used for AI inference is processed within the EU GCP environment and does not transfer to the US for AI processing. The SCC mechanism covers administrative data flows (account management, billing, support) only.
You may request a copy of the applicable SCCs by contacting privacy@boundary-ai.com.
10. Data Retention
We retain personal data only as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and resolve disputes.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and profile data | Duration of contract + 12 months | Contract performance; fraud prevention |
| Input and output content | Duration of contract + 30 days, then permanently deleted | Service delivery only — not retained post-termination |
| Usage and analytics data | 24 months (anonymised after 12 months) | Platform improvement and security |
| Security and audit logs | 12 months | Security monitoring and incident response |
| Support communications | 3 years from resolution | Customer service quality; dispute resolution |
| Billing and financial records | 7 years | Legal obligation (US / Canadian tax and accounting law) |
| Marketing consent records | Until consent withdrawn + 3 years | Demonstrating lawful basis |
| Prospecting contact data | 24 months from last engagement | Legitimate interests (suppressed on opt-out) |
On account deletion or termination, we will delete or anonymise your personal data within 30 days, subject to legal retention obligations. You will have a 30-day window after termination to export Your Content before deletion.
11. Your Privacy Rights
Depending on your location, you have rights in relation to your personal data. We are committed to honouring these promptly and without charge except in limited circumstances.
11.1 Rights Under EU GDPR / UK GDPR
| Right | What It Means |
|---|---|
| Right of Access (Art. 15) | Request a copy of the personal data we hold about you and information about how we process it. |
| Right to Rectification (Art. 16) | Ask us to correct inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | Request deletion of your personal data where there is no compelling reason to continue processing it. |
| Right to Restriction (Art. 18) | Ask us to suspend processing of your data in certain circumstances, e.g. while you contest its accuracy. |
| Right to Portability (Art. 20) | Receive a copy of data you have provided to us in a structured, machine-readable format. |
| Right to Object (Art. 21) | Object to processing based on legitimate interests, including direct marketing, at any time. |
| Rights re: Automated Decisions (Art. 22) | Not to be subject to decisions based solely on automated processing that produce significant legal effects. |
| Right to Withdraw Consent | Withdraw consent at any time where processing is consent-based, without affecting prior lawful processing. |
| Right to Complain | Lodge a complaint with your national data protection supervisory authority at any time. |
11.2 California Rights (CCPA / CPRA)
California residents have the following rights under the CCPA as amended by the CPRA:
| California Right | Description |
|---|---|
| Right to Know | Request disclosure of the categories and specific pieces of personal information collected about you, the purposes of collection, and third parties with whom we share it. |
| Right to Delete | Request deletion of personal information we have collected, subject to certain exceptions. |
| Right to Correct | Request correction of inaccurate personal information. |
| Right to Opt-Out of Sale/Sharing | BoundaryAI does not sell or share personal information for cross-context behavioural advertising. You may nonetheless submit a request at boundary-ai.com/privacy-choices. |
| Right to Limit Sensitive PI | Request that we limit use of sensitive personal information to what is necessary to provide the Services. |
| Right to Non-Discrimination | We will not discriminate against you for exercising any CCPA rights. |
Categories of personal information collected (CCPA):
- Identifiers (name, email, IP address, account ID);
- Commercial information (billing and transaction records);
- Internet or electronic network activity (usage logs, access records);
- Professional or employment-related information (job title, company name);
- Inferences drawn from the above to create a profile (usage patterns — never sold).
11.3 How to Exercise Your Rights
- Email: privacy@boundary-ai.com
- Online form: boundary-ai.com/privacy-request
- California Do-Not-Sell/Share: boundary-ai.com/privacy-choices
We acknowledge requests within 72 hours and respond fully within 30 days. For complex requests, we may extend by 60 days with notice. We may need to verify your identity before processing — verification data will not be used for any other purpose.
11.4 Authorised Agents (California)
California residents may designate an authorised agent to submit requests on their behalf. We will require written authorisation and may verify your identity directly before processing.
12. Data Security
BoundaryAI implements technical and organisational security measures appropriate to the risk of our processing activities, in accordance with GDPR Art. 32 and industry best practice.
- Encryption in transit using TLS 1.2 or higher for all data transmissions;
- Encryption at rest using AES-256 for all stored personal data and content;
- Role-based access controls, least-privilege principles, and multi-factor authentication for all administrative systems;
- Continuous security monitoring through Vanta, providing real-time compliance and control visibility;
- SOC 2 Type II certification in progress — our current security posture is available to enterprise customers under NDA;
- Regular penetration testing, vulnerability scanning, and code security review;
- Security incident response procedures with defined notification timelines;
- Employee security training and background checks for all personnel with access to personal data;
- Regional GCP isolation ensures that a security incident in one environment cannot affect others.
Data breach notification: In the event of a personal data breach likely to pose a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
13. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our websites and platform. We obtain your consent before placing any non-essential cookies. You can manage preferences at any time via our Cookie Preference Centre at boundary-ai.com/cookie-settings.
- Strictly necessary cookies: Required for the operation of the Services (authentication, session management, security). These cannot be disabled.
- Functional cookies: Remember your preferences and personalisation settings. Enabled only with your consent.
- Analytics cookies: Help us understand how our Services are used in aggregate. Enabled only with your consent; we use anonymised/aggregated data only.
- Marketing cookies: Used only for targeted communications where you have opted in. We do not permit third-party advertising cookies.
For full details, see our Cookies Policy at boundary-ai.com/cookies.
14. Our Role as Data Processor for Customer Data
When you use BoundaryAI to process personal data of your own end users or employees, you are the data controller for that data and we are your data processor. In that capacity:
- We process End User data only on your documented instructions;
- We do not use End User data for our own purposes, including AI model training;
- We provide tools to help you respond to data subject rights requests from your End Users;
- We will assist you in complying with GDPR, UK GDPR, CCPA, and other applicable laws;
- We maintain records of processing activities on your behalf as required by GDPR Art. 30(2).
Enterprise customers should execute our standard DPA, available at boundary-ai.com/dpa or by contacting legal@boundary-ai.com. Public sector customers with specific regulatory requirements should contact us for tailored documentation.
15. Children's Privacy
The Services are designed for business users and professionals. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, contact privacy@boundary-ai.com immediately and we will promptly delete that data.
16. Changes to This Policy
When we make material changes to this Policy — such as new processing activities, changes to your rights, or new data sharing — we will:
- Notify you by email at least 30 days before changes take effect;
- Display a prominent notice on our website and within the platform;
- Seek your explicit agreement where renewed consent is required by applicable law.
Non-material changes (corrections, clarifications, administrative updates) may be made without advance notice and are effective upon posting. The Last Revised date at the top of this Policy always reflects the most recent update.
17. Contact Us
| Matter | Contact |
|---|---|
| Privacy Officer / data subject requests | privacy@boundary-ai.com |
| Legal / DPA / enterprise contracts | legal@boundary-ai.com |
| General enquiries | info@boundary-ai.com |
| Postal address | BoundaryAI, Inc., 1100 Av. du Docteur-Penfield #504, Montréal, QC H3A 1A8, Canada |
| Privacy rights request form | boundary-ai.com/privacy-request |
| California Do-Not-Sell / Do-Not-Share | boundary-ai.com/privacy-choices |
You may also lodge a complaint with your supervisory authority:
- United Kingdom: Information Commissioner's Office (ico.org.uk)
- European Union: Your national Data Protection Authority (edpb.europa.eu/about-edpb/about-edpb/members)
- United States (California): California Privacy Protection Agency (cppa.ca.gov)
- Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)
BoundaryAI Privacy Policy v2.1 | Effective 1 August 2024 | Revised 31 March 2026 | © 2026 BoundaryAI, Inc.