Privacy Policy

GDPR & UK GDPR transparency · Skip to policy

Privacy Policy

Last updated:

This policy describes how BIModular EIRL (“we”, “us”) processes personal data when you use the BOMSync platform. It is designed to meet transparency requirements under the GDPR (EU) and, where applicable, the UK GDPR.

1. Controller

BIModular EIRL, 75007 Paris France, privacy@BOMSync.com, is the data controller for personal data processed via BOMSync.

2. What we collect

  • Account data: name, email, company, role.
  • Usage/technical data: logs, device/browser info, IP address (security, fraud prevention, and service operation).
  • Customer Data: project/BOM content you or your organization upload (processed under your instructions when you are the controller).
  • Communications data: email/SMS/chat metadata (timestamps, delivery status, sender/recipient) when we send notifications primarily via Azure Communication Services (“ACS”). Legacy SMTP may apply only when ACS is not configured (for example, some local development setups).

3. Purposes & legal bases (GDPR / UK GDPR)

  • Provide and secure the service (Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests in security).
  • Account management, support, billing (Art. 6(1)(b)).
  • Transactional communications (password resets, invitations, security alerts) via ACS in production, or SMTP only when ACS is not configured (Art. 6(1)(b),(f)).
  • Improve features and analytics using aggregated or pseudonymised data where possible (Art. 6(1)(f)).
  • Legal compliance and enforcement (Art. 6(1)(c) legal obligation; Art. 6(1)(f)).

4. Sharing

We share personal data with processors under contract (Article 28 GDPR), including:

  • Microsoft Azure & Azure Communication Services (EU regions where feasible; global fallback) for hosting, storage, logging, and email/SMS/chat delivery.
  • Stripe for payment processing, subscriptions, and Checkout (see DPA Schedule B).
  • Other support or monitoring tools as necessary (listed in our Data Processing Addendum sub-processor schedule).

We do not sell personal data.

5. International transfers

Where personal data is transferred outside the EEA or UK, we rely on appropriate safeguards under GDPR Chapter V and UK law (e.g., EU Standard Contractual Clauses, UK International Data Transfer Agreement / Addendum, adequacy decisions). Details of sub-processors and safeguards are described in the DPA.

6. Retention

We retain personal data only as long as needed for the purposes above or to meet legal obligations. Communications metadata may be retained for deliverability, fraud prevention, and audit.

7. Your rights

If the GDPR or UK GDPR applies, you may request access, rectification, erasure, restriction of processing, data portability, and may object to certain processing. You may lodge a complaint with a supervisory authority—for example, the CNIL in France or the ICO in the United Kingdom, depending on your place of residence.

To exercise rights: privacy@BOMSync.com.

8. Security

We maintain appropriate technical and organizational measures (encryption in transit and at rest where appropriate, access controls, logging). No method of transmission or storage is completely secure.

9. Cookies & similar technologies

We use necessary cookies for authentication and session management. Where we use optional analytics or non-essential cookies, we do so in line with applicable consent requirements.

10. Sub-processors

Our current sub-processors are listed in the Data Processing Addendum and include Microsoft Azure, Azure Communication Services, Syncfusion, Stripe, and others as updated on that page.

11. Children

The service is not directed to children under 16.

12. Changes

We may update this policy; material changes will be notified in-app or by email where appropriate.

13. Contact

privacy@BOMSync.com · BIModular EIRL, 75007 Paris France.