Privacy Policy

BORING WORKFLOWS PTE. LTD. ("Boring Workflows," "Company," "we," "us," or "our"), a company incorporated in Singapore with its registered address at 380 Jalan Besar #06-02, Arc 380, Singapore 209000, operates the Boring OS platform and related services (collectively, the "Services") accessible via https://boringworkflows.ai.

This Privacy Policy describes how we collect, use, disclose, and protect personal data when you access or use our Services, including our web dashboard, APIs, messaging integrations (Slack, WhatsApp), and Voice AI interfaces. This Policy applies to all users of our Services, including enterprise clients, their authorized end users, and visitors to our website.

We are committed to protecting your privacy and processing personal data in compliance with applicable data protection laws, including the Singapore Personal Data Protection Act 2012 ("PDPA"), the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and the Australian Privacy Act 1988 ("APA").

Depending on how you interact with our Services, we may collect the following categories of Personal Data:

We collect Personal Data through the following means:

• Directly from you: When you register, configure, or interact with our Services, or contact our support team.
• From your employer/Client: When a Client provisions your access or provides data through system integrations.
• Through integrated systems: When our platform connects to Client BSS, OSS, CRM, billing, and network systems via APIs and connectors.
• Through messaging platforms: When you interact with our AI agents via Slack or WhatsApp integrations.
• Through Voice AI: When you use our voice interface for customer service or operational tasks.
• Automatically: Through cookies, log files, and similar technologies when you access our website or Services.

We process Personal Data for the following purposes and legal bases:

We may share Personal Data with the following categories of recipients:

As a Singapore-incorporated company serving Clients globally, Personal Data may be transferred to and processed in jurisdictions outside the data subject's country of residence, including Singapore, the United States, the European Economic Area, Australia, and other ASEAN countries.

For transfers from the EEA/UK, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data Processing Agreements with appropriate technical and organizational measures

For transfers involving Australian data, we comply with Australian Privacy Principle (APP) 8 regarding cross-border disclosure of personal information.

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

• Account data: Retained for the duration of the Client's contract and for 12 months thereafter, unless a longer period is required by law.
• Voice recordings and transcripts: Retained in accordance with the Client's data retention policy, or for a maximum of 24 months if no policy is specified.
• API and usage logs: Retained for 12 months for operational and security purposes.
• Website analytics data: Retained for 26 months in anonymized/aggregated form.

Upon termination of a Client agreement, we will delete or return all Client Personal Data within 90 days, unless retention is required by applicable law.

We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and multi-factor authentication
• Regular security assessments and penetration testing
• Audit logging and monitoring of all data access
• Secure development practices and code review processes
• Incident response and breach notification procedures
• Employee security training and confidentiality agreements

Where Clients deploy their own AI models within Boring OS, we maintain logical separation and access controls to ensure data isolation between tenants.

Our website and Services use cookies and similar technologies. We categorize these as:

• Strictly Necessary Cookies: Required for platform functionality, authentication, and security. These cannot be disabled.
• Analytical Cookies: Used to understand how users interact with our website and Services, helping us improve performance and user experience.
• Functional Cookies: Used to remember your preferences and provide enhanced features.

We do not use cookies for advertising or behavioral profiling. You may manage cookie preferences through your browser settings.

Depending on your jurisdiction, you may have the following rights regarding your Personal Data:

To exercise any of these rights, please contact us at privacy@boringworkflows.ai. We will respond within the timeframe required by applicable law (generally 30 days). If you are an End User of a Client, we may refer your request to the relevant Client as the data controller.

Our Services use artificial intelligence and machine learning to automate workflows, process natural language, and orchestrate actions across enterprise systems. Specifically:

• AI Agent Processing: Our AI agents process data from integrated systems to execute workflows, generate insights, and facilitate decision-making. Agents operate within governed access policies set by Clients.
• Natural Language Processing: We process text and voice inputs to understand user intent and translate it into system actions.
• Third-Party AI Models: We may process data through third-party AI model providers (such as Anthropic and OpenAI). Data sent to these providers is subject to our data processing agreements with them and is not used to train their general-purpose models.
• Customer-Provided Models: Where Clients deploy their own AI models, data processing is subject to the Client's own policies and our platform security controls.

We do not use Personal Data for fully automated decision-making that produces legal or similarly significant effects without human oversight, unless explicitly agreed with the Client and with appropriate safeguards in place.

You have the right to request information about the logic involved in automated processing and, where applicable, to request human review of automated decisions.

In most cases, our Clients are the data controllers and Boring Workflows acts as a data processor (or service provider under CCPA). This means:

• Clients determine the purposes and means of processing Personal Data
• Boring Workflows processes Personal Data only on the Client's documented instructions
• We enter into Data Processing Agreements (DPAs) with Clients that govern our processing obligations

Where we collect data directly (e.g., website visitors or prospective clients), we act as the data controller.

If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us at:

For complaints regarding our handling of Personal Data, you may also contact the relevant supervisory authority in your jurisdiction, including the Personal Data Protection Commission (PDPC) in Singapore, the relevant Data Protection Authority in the EU/UK, the California Attorney General, or the Office of the Australian Information Commissioner (OAIC).