Privacy Policy

Effective date: TBD — set at v2 launch.

This Privacy Policy explains how AngryBoss ("we", "us", or "our") collects, uses, discloses, and protects personal data when you visit our marketing website and use our software-as-a-service platform (the "Service"). It also describes your rights and choices.

We provide the Service globally; our primary data hosting location is in the European Union (Ireland). All data is encrypted at rest and in transit.

If any translated version of this Policy conflicts with the English version, the English version controls.

Table of Contents

1. Who we are and how to contact us
2. Scope
3. Personal data we collect
4. How we use personal data
5. Payment processing
6. Where your data is processed
7. How we share personal data
8. Security
9. Data retention and deletion
10. Cookies, pixels, and analytics
11. Your rights, choices, and data exports
12. Roles and responsibilities (Controller vs. Processor)
13. Third-party services and links
14. Children
15. Changes to this Policy
16. How to delete your account
17. Contact

1. Who we are and how to contact us

Data controller: Sole Proprietor (Individual Entrepreneur / ФОП) Tserkovnyi Daniil Albertovych (Ukrainian: ФОП Церковний Данііл Альбертович), operating under the trade name "AngryBoss".

Registered address: Hvardiitsiv-Shyronintsiv St., bldg. 63a, apt. 21, Kharkiv, Ukraine (Ukrainian: вул. Гвардійців-Широнінців, буд. 63а, кв. 21, м. Харків, Україна).

Tax identifier: Individual Tax ID (RNOKPP / ІПН) 333414951. Not registered as a VAT payer.

Contact:

• Email: alert@angryboss.io — single mailbox during MVP for privacy requests, legal correspondence, abuse reports, and DPO inquiries. We may add specialized addresses (e.g., dpo@, legal@) later; this Policy will be updated when that happens.
• Phone: +380 50 164-1157 (Ukrainian business hours).

If we act as a processor on your behalf (see Section 12), your organization is the controller for those datasets.

2. Scope

This Policy covers:

(a) our marketing website (including contact forms, newsletters, and public marketing pages described in BLOCK-14); (b) our web application where customers register, create projects, connect advertising / analytics / messaging accounts, and receive notifications and analytics; (c) optional features that publish anonymized market statistics (see Section 4) and optional public marketer-profile pages (see Section 3 H, opt-in).

Certain features analyze advertising campaigns, web analytics, and business messaging that you choose to connect, and send alerts via channels you configure (e.g., email or a messaging bot).

3. Personal data we collect

We collect the following categories of data, depending on how you interact with the Service:

A. Account & profile data

Identifiers (name, email, password hash), language and timezone, organization / company name, roles, and preferences.

B. Subscription, billing, and tax data

Plan tier, status, invoices, tax country, currency, and limited payment metadata. Card details are processed by our payment processors (see Section 5); we do not store full card numbers.

C. Service content you connect or submit

When you connect external platforms, we process the data categories you authorize. Today this typically includes (list may evolve as we add platforms — see integrations.md for the live list):

• Meta (Facebook Ads, Instagram Business / Creator accounts, Page Messenger, Instagram Direct);
• Google Ads, Google Analytics 4;
• Microsoft Clarity;
• TikTok Ads Manager (post-MVP);
• Telegram Business (post-MVP);
• Pinterest / Amazon / LinkedIn / Microsoft Ads / Shopify (Phase 2, when added).

For each connected platform we may process: account / page identifiers, campaign and ad metadata, performance metrics, creative assets (images / video frames / captions), conversation content and metadata, and audience or attribution data — limited to scopes you grant. Access is revocable at any time in the connected platform's settings or in our app.

D. Analytics inputs

Text and media content (including conversation transcripts you connect, ad creatives, web pages, and similar) that you ask us to analyze with automated tools, including AI-based classifiers, embeddings, and language models. We store such inputs only as long as needed to generate analytics results, then delete them, keeping only derived results and non-identifying aggregates. See Section 9.

E. Usage, device, and log data

IP address, device / browser information, pages viewed, timestamps, referring / exit URLs, diagnostic logs, and security / performance events.

F. Cookies and similar technologies

We use cookies and similar technologies to remember settings and measure performance. See Section 10.

G. Communications

Your messages to us (support, feedback) and the channels you configure for alerts (e.g., email or messaging bots).

H. Optional public profile (Phase 2 feature)

If you choose to publish a public marketer profile page (planned post-MVP), you control which honest, real-data aggregates from your workspaces are made publicly visible (e.g., "managed >$100K in Meta Ads spend over the last 12 months"). Each dimension is opt-in and independently toggleable. The profile is an identity artifact, not a marketplace. Data shown on the profile is derived from your own workspace data — we do not expose your customers' or competitors' raw data.

I. Mandatory ToS-based data harvest consent

By signing up for and continuing to use the Service, you grant us a perpetual, irrevocable, royalty-free right to use anonymized and aggregated derivatives of the data flowing through your workspaces (advertising metrics, messaging quality metrics, web analytics metrics, and similar) for the purpose of building, maintaining, and publishing market-standard datasets and forecast models (per Section 4 and Section 7). This consent is granted at signup as part of accepting our Terms of Service. The aggregation pipeline strips identifiers, applies k-anonymity ≥ 5, and is technically locked (see Section 9). You cannot opt out of contribution to anonymized aggregates while you maintain an active account, but you can delete your account at any time (Section 16); pre-aggregation data tied to your workspaces is then purged. Already-anonymized aggregates (which by design no longer identify you or your customers) remain in the market dataset.

We do not intentionally collect special categories of data (e.g., health, religion) through the Service.

4. How we use personal data

We use personal data for the following purposes and on the following legal bases (EEA / UK):

• Provide and secure the Service — create and manage accounts, authenticate users, operate features, provide customer support, prevent abuse, and ensure continuity (contract, legitimate interests, legal obligations).
• Process connected-platform data on your behalf — ingest, analyze, and present metrics, deviations, and alerts from data sources you connect (contract; we typically act as processor for this item — see Section 12).
• AI-assisted insights — transform your authorized inputs into analytics, classifications, and summaries; identify anomalies; surface notifications (contract, legitimate interests, or consent where required). AI outputs are accompanied by source citations and confidence indicators (see Terms §6).
• Customer-owned AI agent foundation — structure the data flowing through your workspaces so that you, the customer, can later export it for training your own AI agents and assistants (see Section 11). We do not use your raw customer data to train AngryBoss-owned production models. We may use de-identified or aggregated data to improve the Service.
• Market-standard datasets and forecasts — produce anonymized, k-anonymized (≥ 5 records per cell, with hierarchical geographic fallback when the cell is too small) aggregates per (industry × geography × time period × metric) for publication as market benchmarks and forecasts (legitimate interests; data harvest consent per Section 3 I).
• Billing and subscription management — process payments, detect fraud, handle taxes (contract, legal obligations, legitimate interests).
• Lifecycle communications — send activation, onboarding, re-engagement, billing, and product-update emails (contract for transactional; legitimate interests or consent for educational / re-engagement). Every non-transactional email contains a one-click unsubscribe link.
• Product analytics and improvement — understand feature usage, fix issues, improve user experience (legitimate interests; de-identification / aggregation wherever possible).
• Marketing (limited) — measure campaign performance on our site and reach audiences in permitted regions (consent where required; opt-out options in Section 11 and Section 10).

We do not make decisions that produce legal or similarly significant effects based solely on automated processing. Alerts, severity scores, and AI-generated insights are for operational guidance and remain subject to human oversight.

5. Payment processing

Payments are processed by one or more independent payment processors, currently including WayForPay, WesternBid, and Hutko (the specific processor depends on your billing currency, region, and the plan you select). Each payment processor acts as an independent controller for payment card data. We receive only limited billing metadata from them (e.g., card brand, last four digits, transaction status, billing country) to manage your subscription, invoices, and refunds.

For details on how each processor handles personal data, please refer to their respective privacy documentation. Links are surfaced at checkout time.

6. Where your data is processed

Hosting: Primary application and database storage is located in the European Union (Ireland, AWS eu-west-1, via Supabase). Background workers run in the European Union (Germany / Falkenstein, Hetzner). Static frontend assets and edge functions are served globally via Vercel's CDN.

International transfers: Some service providers, payment processors, or support personnel may be located outside your country. Where we transfer personal data from the EEA / UK / Switzerland to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) and additional safeguards.

7. How we share personal data

We share personal data only with:

• Service providers (processors) that host our infrastructure (Supabase, Hetzner, Vercel), send communications, provide customer support, anti-abuse, and similar operational services. We require contracts imposing confidentiality, security, and data protection obligations.
• Payment processors (WayForPay, WesternBid, Hutko, and any successor / additional provider we add) for billing and fraud prevention.
• AI providers (currently Anthropic and OpenAI, accessed via the Vercel AI Gateway) for AI-assisted analysis. These providers process content under zero-data-retention contracts and do not train their foundation models on our customer content. See Terms §6.
• Analytics and measurement tools on our marketing site and app (see Section 10) where permitted by law.
• Third-party platforms you connect — we access and process data from those platforms based on your authorization and their terms; we are not affiliated with them.
• Public market datasets and forecasts — anonymized, k-anonymized (≥ 5) aggregates per (industry × geography × period × metric) that are derived from data flowing through customer workspaces under the mandatory data-harvest consent in Section 3 I. These aggregates by construction do not identify any individual customer or end-user.
• Public marketing artifacts — when you (a) choose to publish a public marketer profile (Section 3 H) or (b) generate and share a shareable notification card or achievement artifact, the content you choose to share becomes publicly accessible at the URL you share. You control what is shared and can revoke each share at any time from your account.
• Legal and compliance recipients — if required by law, court order, or to protect rights, safety, and integrity.
• Business transfers — in connection with a merger, acquisition, financing, or sale of assets. We will continue to protect data consistent with this Policy and provide notice of any material changes.

We do not sell personal information, and we do not share it for cross-context behavioral advertising where prohibited by law. Where applicable (e.g., in certain U.S. states), you may opt out of "sharing" via the controls described in Section 11 and your cookie preferences in Section 10.

8. Security

We use administrative, technical, and organizational measures designed to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256); secrets management; network isolation.
• Access controls (least privilege, multi-factor authentication for internal staff, logging and monitoring).
• Row-level security on the database such that each workspace's data is logically isolated and access is gated by authenticated workspace membership.
• Data minimization and separation of environments (development / staging / production).
• Vulnerability management and periodic risk assessments.
• Automated dependency scanning and infrastructure-as-code reviews.

No system is 100% secure; if we learn of a breach, we will inform affected users and regulators as required by law (within the statutory time limits set by GDPR Art. 33–34 and equivalent regimes).

9. Data retention and deletion

We retain personal data only for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

Analytics inputs (content you submit for analysis and intermediate artifacts such as extracted frames, parsed text, AI prompts, and embeddings) are kept only as long as needed to produce analytics results and quality checks, after which they are deleted. We retain derived results, scores, and aggregates that no longer identify you or your customers.

System logs and backups are kept for limited periods consistent with security and continuity needs and are then deleted or anonymized. Specific retention schedules per data category are defined in our internal Data Retention Policy and are enforced by automated cleanup jobs.

Market-standard aggregates that have already passed through our locked anonymization pipeline (described below) are retained indefinitely as part of the market dataset, since by construction they no longer identify any individual or workspace.

Anonymization pipeline (technically locked)

The pipeline that produces market-standard aggregates is technically locked and cannot be disabled. It performs, in order: (a) strip workspace and user identifiers; (b) redact PII patterns from free-text fields; (c) normalize currency to USD using daily exchange rates; (d) bucket numerical values into ranges; (e) trim statistical outliers; (f) apply k-anonymity ≥ 5 with hierarchical geographic fallback (city → region → country → global) when a (industry × geo × period) cell has fewer than 5 contributing sources. The resulting aggregates do not support reverse lookup to any individual customer.

Account deletion

You can delete your account and associated data at any time in Profile → Settings → Delete account. Deletion will remove active copies of your personal data from production systems. Residual copies may remain in backups for a limited period and will be purged according to our backup schedule. We may retain certain information where required by law (e.g., invoices, tax records, financial transaction logs).

Already-anonymized aggregates derived from your data before deletion remain in the market dataset because they no longer identify you or your customers (per the technically-locked pipeline above).

10. Cookies, pixels, and analytics

We use cookies and similar technologies to run the Service and measure performance. Our marketing site is designed to favor privacy-respecting, first-party analytics by default. Third-party measurement is only enabled where it materially helps us serve you (e.g., conversion attribution for paid acquisition campaigns) and, where required by law, only with your consent.

The current list of cookies and similar technologies in use, with their purposes and durations, is available at the Cookie Settings link on our site. The list may evolve over time.

Where required by law, we obtain your consent before setting non-essential cookies. Consent is collected through our own self-hosted cookie consent component built into the marketing site — we do not rely on a third-party consent management platform, so your consent data never leaves our infrastructure. You can manage preferences via the Cookie Settings link in the site footer at any time, and through your browser settings (e.g., blocking third-party cookies or using Global Privacy Control, where supported). Disabling certain cookies may impact functionality.

11. Your rights, choices, and data exports

Your rights depend on your location but may include:

EEA / UK / Switzerland (under GDPR / UK GDPR): the rights to access, rectify, erase, restrict, object, and data portability; and to withdraw consent at any time (without affecting prior lawful processing). You may also lodge a complaint with your supervisory authority.

Certain U.S. states (e.g., California / CPRA): the rights to know / access, delete, correct, and to opt out of sale / sharing (including cross-context behavioral advertising). We do not sell your personal information. To exercise rights or opt out, use the in-product controls, your cookie preferences (Section 10), or email alert@angryboss.io. We do not discriminate against you for exercising your rights.

Brazil (LGPD) and other jurisdictions: similar rights may apply. Contact us to exercise them.

Data exports (AngryBoss-specific)

In addition to legally mandated portability, we offer the following first-class data exports designed for customer-owned AI agent training and analytics:

1. Structured JSON — full workspace data dump in our public schema.
2. JSONL fine-tuning format — conversation transcripts and metadata pre-formatted for fine-tuning open-weight or commercial LLMs.
3. Vector dump — embeddings of your messaging and content data, ready for ingestion into a vector database.
4. Anthropic Skill package — a directory structured per the Anthropic Agent Skills specification, ready to load into a Claude-based agent.
5. Knowledge graph — entity-relationship graph of your workspace data (campaigns, creatives, conversations, leads, outcomes) in JSON-LD.

Exports are available from Profile → Settings → Export data, subject to plan-tier limits.

How to make a request

To make a rights request, contact alert@angryboss.io from the email associated with your account. We may ask for information to verify your identity and respond within the time limits set by law (typically one month under GDPR).

12. Roles and responsibilities (Controller vs. Processor)

For account, billing, product telemetry, our own marketing data, and market-standard datasets, we act as a data controller.

For data ingested from third-party platforms you connect (e.g., business pages, ad accounts, messaging data) and customer content you submit for analysis, we generally act as a data processor and process such data solely on your documented instructions, to provide the Service.

A Data Processing Addendum (DPA) incorporating the applicable Standard Contractual Clauses is available upon request. If you require a signed DPA, contact alert@angryboss.io.

13. Third-party services and links

The Service integrates with third-party platforms at your request. Your use of those platforms is governed by their own terms and privacy policies. We are not responsible for their practices. You can revoke our access to those platforms at any time in their settings or in our app.

14. Children

Our Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact alert@angryboss.io and we will take appropriate steps to delete it.

15. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new effective date and, if changes are material, notify you via the Service or by email. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. A running list of material changes is maintained in our public _changelog.md.

16. How to delete your account

At any time, go to Profile → Settings → Delete account to permanently delete your account and associated data from active systems. You may also email alert@angryboss.io for assistance.

17. Contact

If you have questions about this Policy or our data practices, contact alert@angryboss.io.

Summary of key points (non-contractual)

• Global service, EU hosting (Ireland), encryption at rest and in transit.
• Multi-payment-provider model (WayForPay / WesternBid / Hutko depending on currency and region); we never store full card numbers.
• Privacy-respecting first-party analytics by default; third-party measurement only with consent.
• We do not train AngryBoss-owned production AI models on your raw customer data.
• We do build anonymized, k-anonymized (≥ 5) market-standard aggregates from data flowing through customer workspaces (data-harvest consent at signup).
• Five first-class export formats for your own AI agent training.
• Delete your account and data at any time in settings; pre-anonymization workspace data is purged.
• Analytics inputs are stored only as long as necessary; we keep only aggregated / derived results thereafter.