Privacy Policy

A small, honest accounting of what we know about you and what we do with it.

This policy explains how Boopmachine collects, uses, stores, and protects your personal data. We've written it to be readable, not to satisfy lawyers — but it is the binding policy, and it is structured to comply with the EU General Data Protection Regulation (GDPR).

1. Who we are

Boopmachine is operated by Niklas Weidel, a sole trader based in Gothenburg, Sweden. For the purposes of GDPR, Niklas Weidel is the data controller for the personal data described below.

Contact for any privacy-related question: privacy@boopmachine.com

2. What we collect, and why

We try to collect as little as possible. Here is everything:

| Data | Why we have it | Legal basis (GDPR) |
|---|---|---|
| Email address | To create your account, send check-in messages, and contact you about your account | Contract (Art. 6(1)(b)) |
| Your conversations with Boop | So Boop can remember context across sessions, and so you can read your own history | Contract (Art. 6(1)(b)) |
| Conversation-derived memories | Boop forms summarized memories from your conversations to maintain continuity. These are stored alongside your account. | Contract (Art. 6(1)(b)) |
| Payment information | To process subscription payments. We do not store card numbers — Stripe handles this directly. | Contract (Art. 6(1)(b)) |
| Usage data (message counts, timestamps, model used) | To track API costs, enforce free-tier limits, and improve the service | Legitimate interest (Art. 6(1)(f)) |
| IP address (briefly, in server logs) | Standard web security and abuse prevention; logs rotated regularly | Legitimate interest (Art. 6(1)(f)) |

3. Sensitive content

Boopmachine is a companion for personal reflection. Some users share information that is sensitive under GDPR — including emotional state, mental health, religious views, sexual orientation, or political opinions. We process this content only because you choose to share it with Boop, on the basis of your explicit consent (Art. 9(2)(a)) given when you create an account and accept this policy.

You can withdraw this consent at any time by deleting your account, which deletes your conversations and memories. See Section 7.

4. Who else sees your data

We use a small number of third-party services ("sub-processors") that handle parts of the system on our behalf. Each is bound by its own privacy policy and, where required, by a Data Processing Agreement with us.

  • NVIDIA Corporation (United States) — provides the large language model that generates Boop's responses. Your message content is sent to NVIDIA's API to produce a reply. NVIDIA Privacy Policy
  • DreamHost LLC (United States) — hosts the Boopmachine application and database. DreamHost Privacy Policy
  • Stripe Payments Europe, Ltd. (Ireland) — handles payment processing. Card data is sent directly to Stripe, not stored by us. Stripe Privacy Policy
  • Clerk Inc. (United States) — handles user authentication. Clerk Privacy Policy
  • Resend (Atlas Internet, Inc.) (United States) — sends transactional and check-in emails. Resend Privacy Policy

5. International data transfers

Several of our sub-processors are located in the United States. When your data is transferred outside the EU/EEA, we rely on:

  • The EU–US Data Privacy Framework (where the recipient is certified), or
  • Standard Contractual Clauses (SCCs) approved by the European Commission

These are the legal mechanisms permitted by GDPR for transfers to third countries. If you would like copies of the relevant SCCs, email privacy@boopmachine.com.

6. How long we keep your data

  • Account data (email, settings): for the life of your account, plus up to 30 days after deletion to allow recovery if deletion was accidental.
  • Conversations and memories: for the life of your account, then deleted within 30 days of account deletion.
  • Payment records: 7 years, as required by Swedish bookkeeping law (Bokföringslagen).
  • Server logs: up to 30 days, then rotated and deleted.
  • Backups: deleted within 90 days, so deleted data may persist briefly in backup archives before being overwritten.

7. Your rights under GDPR

You have the right to:

  • Access — get a copy of all personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure ("right to be forgotten") — delete your account and associated data
  • Portability — receive your data in a machine-readable format
  • Restriction or objection — restrict or object to our processing
  • Withdraw consent — at any time, without affecting prior processing

To exercise any of these rights, email privacy@boopmachine.com. We respond within 30 days as required by GDPR.

You also have the right to complain to a supervisory authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY). You may also complain to the authority in your own EU country of residence.

8. Security

We take reasonable steps to protect your data:

  • The database storing your conversations is encrypted at rest with a key held only in server memory and entered manually at server start. This means an attacker with raw disk access cannot read your conversations without also having the encryption key.
  • All connections to Boopmachine use HTTPS (TLS).
  • Authentication is handled by Clerk, which provides standard security practices including password hashing and optional multi-factor authentication.
  • Payment details never touch our servers; they go directly to Stripe.

That said, no system is perfectly secure. If a data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and notify affected users without undue delay, as required by GDPR Articles 33 and 34.

9. Cookies and analytics

Boopmachine uses minimal cookies — only what's strictly necessary to keep you logged in and to remember your session. We do not use third-party advertising cookies or trackers.

We use a self-hosted Matomo analytics instance to understand basic usage patterns (page views, signups, message counts). Matomo runs on our own servers; analytics data is not shared with third parties.

10. Children

Boopmachine is not intended for users under 16. We do not knowingly collect data from anyone under 16. If you believe a child has used Boopmachine, contact privacy@boopmachine.com and we will delete the account and associated data.

11. AI-specific considerations

You're talking to an AI, not a person. A few things worth knowing:

  • Boop's responses are generated by a large language model. They can be inaccurate, made up, or wrong. Don't rely on Boop for medical, legal, financial, or other professional advice.
  • The model that generates Boop's responses is operated by NVIDIA on their infrastructure. Your messages are sent to NVIDIA's API to produce a reply. NVIDIA's privacy policy applies to that transfer.
  • Boop maintains "memories" — summarized impressions of past conversations — to keep continuity. These memories are stored with your account and visible to no one outside of you and our system.
  • We do not use your conversations to train AI models — neither ours nor anyone else's. Your conversations are used to produce Boop's responses to you, and for nothing else.

12. Changes to this policy

If we change this policy in any material way, we'll notify you by email and ask you to acknowledge the change before continuing to use Boopmachine. Minor wording changes will simply be updated here with a new "last updated" date.

13. Contact

Questions, requests, complaints — privacy@boopmachine.com. We aim to respond within a few days.

Last updated: 17 May 2026 · Controller: Niklas Weidel, Gothenburg, Sweden
