Privacy Policy
Last updated: 2026-05-15
The short version. BoostLayer.ai is a B2B SaaS landing site. The only personal data we actively collect is what you give us through the Early Access form — your name, work email, the plan and channel you're interested in, and an optional note. We also use light product analytics (PostHog) and bot protection (Cloudflare Turnstile) to keep the site working.
We don't sell your data. We don't run ad trackers. We don't share your information with third parties for marketing. We store form leads in a private Google Sheet for up to 24 months and respond to privacy requests within 30 days at privacy@boostlayer.ai.
- Scope and who this policy covers
- Who we are (data controller)
- What we collect
- Why we collect it
- Legal basis (GDPR / UK GDPR)
- How we share data and our sub-processors
- International transfers
- Cookies and similar technologies
- Your rights by jurisdiction
- How to exercise your rights
- Children's privacy
- Security
- Data retention
- Automated decision-making
- Changes to this policy
- Contact and complaints
1. Scope and who this policy covers
This Privacy Policy explains how BoostLayer.ai ("BoostLayer," "we," "us," or "our") handles personal data collected through the marketing website at https://boostlayer.ai/ (the "Site"), including the Early Access form. It applies to visitors and prospective customers worldwide.
This policy does not cover the BoostLayer product itself (cloud iPhone provisioning, agent runtimes, customer dashboards) — that's governed by a separate product Privacy Notice and a Data Processing Addendum provided when you become a customer.
2. Who we are (data controller)
The controller of personal data collected through this Site is BoostLayer.ai. For all privacy matters, contact privacy@boostlayer.ai.
- Legal entity / registered address: [TBD: legal entity name, country of incorporation, and registered address]
- EU representative (GDPR Art. 27): [TBD: name and address of EU representative, if one has been appointed; otherwise note that BoostLayer's processing does not meet the Art. 27 threshold]
- UK representative (UK GDPR Art. 27): [TBD: same as above, for UK]
- Data Protection Officer: [TBD: appointed DPO contact, or note that BoostLayer is not required to appoint one under GDPR Art. 37]
3. What we collect
3.1 Information you provide through the Early Access form
| Field | Required | Description |
|---|---|---|
| Full name | Yes | Minimum 2 characters. Stored as you submit it. |
| Work email | Yes | Validated against a basic email pattern. Used to follow up. |
| Plan / tier | Yes | One of: Cloud Starter, Cloud Pro, Cloud Scale, Self-hosted. (Additional offerings such as managed or custom plans may appear in the form over time.) |
| Primary channel | Yes | One of: TikTok, Instagram, LinkedIn, X, YouTube Shorts, Cross-channel. |
| Notes | No | Free-text describing your company and what you want to automate. Maximum 2,000 characters. Don't paste sensitive data here — we don't need it. |
| Privacy Policy / account-owner checkbox | Yes | Confirms you've read this policy and that you are authorised to connect any social accounts you bring to the service. |
| Hidden anti-spam field (website) | n/a | A honeypot field that is invisible to humans. If it is filled in we silently discard the submission as a bot. |
3.2 Information collected automatically when you submit the form
| Field | Source | Description |
|---|---|---|
| Page URL | Browser | The page you were on when you submitted, including any query parameters. |
| Referrer | Browser | The URL of the page that linked you to us (if any). |
| UTM parameters | URL | utm_source, utm_medium, utm_campaign if present. Used for marketing attribution. |
| User-agent string | Browser | Browser and device identifier (e.g. "Mozilla/5.0 …"). |
| Source / CTA | Site | Which button or section opened the form (e.g. hero, pricing card). |
| Cloudflare Turnstile token | Turnstile widget | A short-lived token proving you're not a bot. Verified once server-side and not stored after verification. |
3.3 Information collected automatically through analytics
We use PostHog (US cloud) for product analytics. PostHog operates in identified_only mode, which means anonymous visitors are not given persistent person profiles — only people we explicitly identify (which on this Site is no one) are profiled. PostHog still records the following at the event level:
- Pageviews and page-leaves ($pageview, $pageleave)
- CTA clicks (cta_click)
- Form opens (popup_open)
- Lead submissions (lead_submit) — recorded with the chosen plan, channel and traffic source, but not with your name or email
- Standard event metadata: page URL, referrer, browser, operating system, screen size, and an approximate location derived from your IP address (typically city or region level)
PostHog's privacy practices are described at posthog.com/privacy.
3.4 What we do NOT collect
- We don't ask for phone numbers, postal addresses, payment details, government identifiers, or any special-category data.
- We don't run advertising cookies, cross-site trackers, social-media pixels, or fingerprinting scripts.
- We don't buy contact lists or enrich your submission with data from data brokers.
4. Why we collect it
- To respond to your enquiry. If you submit the Early Access form, we use your name and email to follow up about onboarding, pricing and product fit.
- To prioritise and qualify outreach. The plan, channel and notes you choose help us understand which prospects are the best fit and prepare a relevant first conversation.
- To prevent abuse. Turnstile and the honeypot field block bot submissions; we keep the user-agent and source for fraud forensics.
- To understand site usage. PostHog tells us which pages, CTAs and pricing tiers are working so we can improve the Site.
- To measure marketing attribution. UTM parameters and referrer help us understand which channels send qualified traffic.
- To comply with legal obligations (tax, accounting, responding to lawful requests).
5. Legal basis (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom or Switzerland, our legal basis for processing under Article 6 GDPR is:
| Processing activity | Legal basis |
|---|---|
| Storing and replying to your Early Access submission (name, email, plan, channel, notes) | Art. 6(1)(b) — pre-contractual steps taken at your request; and Art. 6(1)(a) — your explicit consent given via the checkbox. |
| Marketing-attribution metadata (UTM, referrer, page URL, source) | Art. 6(1)(f) — legitimate interests in understanding which channels drive prospective customers; balanced against your privacy by collecting only attribution-relevant fields. |
| Bot protection (Turnstile, user-agent, honeypot) | Art. 6(1)(f) — legitimate interests in preventing fraud and abuse of our service. |
| Product analytics via PostHog (event-level, no persistent profile for anonymous visitors) | Art. 6(1)(f) — legitimate interests in measuring and improving the Site. Where local law (e.g. ePrivacy in the EU) requires consent for analytics cookies, your continued use after seeing this policy is not by itself consent; if you are in such a jurisdiction and would prefer not to be measured, see your rights. |
| Retention beyond active follow-up; compliance with legal/tax/audit obligations | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests in defending legal claims. |
You can object to processing based on legitimate interests at any time (Art. 21 GDPR). You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
7. International transfers
BoostLayer's sub-processors are based in the United States and your data is transferred there. If you access the Site from outside the US, your personal data will leave your country.
- EEA, UK and Switzerland visitors. Transfers rely on the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and supplementary technical measures (TLS in transit, access controls). Where the recipient is certified under the EU–US Data Privacy Framework (DPF), the UK Extension to the DPF, or the Swiss–US DPF, we additionally rely on the relevant adequacy decision. [TBD: confirm current DPF certification status for Google, Cloudflare and PostHog and link to the certifications.]
- Brazil (LGPD). Transfers rely on the controller's legitimate interest in providing the requested service, supported by contractual safeguards (Art. 33 LGPD).
- Canada (PIPEDA). By using the Site you acknowledge that your data may be processed in the United States and subject to lawful access there.
- India (DPDP Act). Cross-border transfer is permitted to countries not on a Government of India restricted list; we will update this section if and when a restricted list is published.
You can request a copy of the transfer mechanism in place for your data by emailing privacy@boostlayer.ai.
9. Your rights by jurisdiction
Depending on where you live, you have some or all of the following rights. We honour each right for any individual who asserts it, regardless of jurisdiction, except where doing so would violate another law.
9.1 EEA / UK / Switzerland (GDPR / UK GDPR / FADP)
- Access — confirmation of whether we hold data about you, and a copy of it.
- Rectification — correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — deletion where the legal basis no longer applies.
- Restriction — temporary pause on processing while a dispute is resolved.
- Portability — your form submission in a machine-readable format (JSON or CSV).
- Objection — to processing based on legitimate interests, including profiling. We will stop unless we can show compelling legitimate grounds that override your interests.
- Withdraw consent — for any processing based on consent, at any time, without affecting prior lawful processing.
- Lodge a complaint — with a supervisory authority (see §16).
9.2 California (CCPA / CPRA)
- Right to know — the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom we share it.
- Right to delete — your personal information, subject to legal exceptions.
- Right to correct — inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell personal information for monetary consideration and we do not share personal information for cross-context behavioural advertising. You may still submit an opt-out request and we will record it.
- Right to limit use of sensitive personal information — we do not knowingly collect any of the categories of "sensitive personal information" defined by the CPRA.
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised your rights.
- Authorised agents — you may use an authorised agent to submit a request, subject to identity verification.
Categories of personal information collected in the past 12 months, in the language of Cal. Civ. Code §1798.140: identifiers (name, email, IP address), internet or other electronic network activity (pageviews, clicks, referrer), geolocation data (approximate location from IP), and commercial information (chosen plan and channel). No biometric, sensitive, or children's data.
9.3 Brazil (LGPD)
Under Lei Geral de Proteção de Dados, you have the right to: (i) confirmation of processing; (ii) access; (iii) correction; (iv) anonymisation, blocking or deletion of unnecessary or excessive data; (v) data portability; (vi) deletion of data processed with consent; (vii) information about with whom we share data; (viii) information about the possibility of refusing consent and the consequences of doing so; (ix) revoke consent; and (x) review of automated decisions affecting your interests (we do not make such decisions — see §14).
9.4 Canada (PIPEDA)
You have the right to access the personal information we hold about you and to request correction of inaccuracies. You also have the right to withdraw consent, subject to legal or contractual restrictions and reasonable notice.
9.5 India (DPDP Act, 2023)
As a Data Principal you have the right to: (i) access information about personal data being processed; (ii) correction, completion, updating and erasure of personal data; (iii) grievance redressal — see §16; and (iv) nominate another individual to exercise rights in case of death or incapacity.
9.6 Everywhere else
If your jurisdiction grants rights that are not listed above, we will honour them in good faith. If you simply prefer that we delete your data, you can ask — no jurisdiction or legal citation required.
10. How to exercise your rights
- Email privacy@boostlayer.ai with the subject line "Privacy Request" and tell us what you want (access, deletion, correction, opt-out, etc.).
- We will respond within 30 days (extendable by a further 60 days for complex requests, in which case we'll tell you why).
- Requests are free of charge. We may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive, and we'll explain why if we do.
- Identity verification. To prevent unauthorised disclosure, we'll ask you to confirm your request from the email address you used to submit the form, or to provide enough information to match you to our records. We will not request more information than necessary.
- California "Do Not Sell or Share" requests. Although we don't sell or share for cross-context behavioural advertising, you can still send a request to privacy@boostlayer.ai with the subject line "Do Not Sell or Share" and we will record and confirm it.
11. Children's privacy
BoostLayer is a business product. The Site is not directed to children and we do not knowingly collect personal data from anyone under the age of 16 (or the higher minimum age set by local law — for example, 13 in the United States under COPPA, or 18 under India's DPDP Act for any user identified as a child). If you believe a child has provided us with personal data, contact privacy@boostlayer.ai and we will delete it.
12. Security
We protect personal data with a layered set of controls:
- Transport security. The Site is served over HTTPS only, with HSTS preload, modern TLS, and strict security headers (Content-Security-Policy, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy).
- Bot protection. Cloudflare Turnstile screens every form submission server-side before we accept it.
- Restricted access. The Google Sheet that stores leads is private to the BoostLayer team; access is granted on a need-to-know basis with Google Workspace controls.
- No plaintext secrets in code. Server-side secrets (e.g. the Turnstile verification key) live in Google Apps Script Script Properties, not in source control.
- Minimisation. We collect only the fields described in §3 and limit free-text input to 2,000 characters per submission.
No system is perfectly secure. Despite reasonable safeguards, we cannot guarantee that personal data will never be accessed, disclosed, altered, or destroyed in a way that violates this policy. If we become aware of an incident that affects your data, we will notify you and the relevant authorities as required by law.
13. Data retention
| Data | Retention |
|---|---|
| Early Access form submissions (name, email, plan, channel, notes, attribution metadata) | Up to 24 months from your last interaction with us, after which we delete or anonymise inactive records. |
| Privacy-request correspondence (proof of fulfilment) | Up to 24 months after the request is closed, then deleted, unless a longer period is required to defend legal claims. |
| PostHog analytics events | PostHog's default retention applies — see PostHog's data-retention documentation. Approximate location is derived per-event, not stored as a persistent profile (we run in identified_only mode for anonymous visitors). |
| Cloudflare edge logs (request metadata, IP, user-agent) | Cloudflare's default retention applies — see Cloudflare's privacy policy. |
| Turnstile tokens | Verified once at submission and discarded; never written to the Sheet. |
| Consent records (the Privacy Policy / account-owner checkbox) | Stored alongside the form submission and retained for the same 24 months. |
| Backups / incidental copies | Deleted within 60 days of the underlying record being deleted, unless legal obligations require longer. |
14. Automated decision-making and profiling
We do not make decisions that produce legal or similarly significant effects about you using solely automated processing. We do not score, profile, or otherwise rank you using an algorithm. If we introduce agent-based personalisation in the future (for example, automatically routing your enquiry to a specific account executive based on the plan you chose), we will update this policy and, where required, give you the right to request human review.
15. Changes to this policy
We update this policy as our practices evolve. The "Last updated" date at the top reflects the most recent change. For material changes (new sub-processors, new categories of data, new purposes that wouldn't be reasonably expected), we will give at least 30 days' advance notice via a banner on the homepage and, where we have your email, by email. Continued use of the Site after the effective date of a change constitutes acceptance of the updated policy.
16. Contact and complaints
For any privacy question, request, or concern, email privacy@boostlayer.ai. We aim to acknowledge within 5 business days and resolve within 30 days.
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with a data-protection authority. Common authorities include:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Ireland (lead authority for many EU complaints): Data Protection Commission — dataprotection.ie
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Germany: the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or your relevant state DPA
- Other EU member states: see the European Data Protection Board's list of national authorities at edpb.europa.eu
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
- California: California Privacy Protection Agency (CPPA) — cppa.ca.gov — and the California Attorney General
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
- Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
- India: Data Protection Board of India (once operational under the DPDP Act). Until then, you may also raise grievances under the Information Technology Act, 2000.
We'd rather hear from you first so we can fix things — but we respect your right to go straight to a regulator.