Privacy Policy

Controller: David Hurtado y Ruben Bautista, bootnstrap@gmail.com
Scope: data from customers and users who contact BootandStrap.

Data processed

• Contact data (name, email, phone)
• Billing and payment data (managed by Stripe)
• Browsing and site usage data (Google Analytics, web-vitals, and first-party technical analytics)
• Chat usage data for sales/support (messages, functional context, and minimal technical metadata)
• End-user data when the customer activates modules (BootandStrap acts as Processor)

Purposes and legal basis

• Contract management (contract performance)
• Website usage analysis and service improvement (consent — Google Analytics)
• Support, security, and service improvement (legitimate interest)
• Marketing communications (consent where applicable)

Role as Data Processor

When the customer uses the platform to manage their own end-users' data, BootandStrap acts as Data Processor under GDPR. The customer is the Data Controller. BootandStrap will only process this data according to the customer's documented instructions and service purposes.

Recipients and international transfers

We may share data with providers essential to delivering the service:

• Google (web analytics — Google Analytics, Search Console) — USA — Data Privacy Framework
• Stripe (payments) — USA — Data Privacy Framework
• Supabase (database) — USA/EU — Standard Contractual Clauses
• OpenAI (AI, if module active) — USA — Data Privacy Framework
• Resend (transactional email) — USA — Standard Contractual Clauses

For international transfers outside the EEA, appropriate safeguards under GDPR will apply (Standard Contractual Clauses, adequacy decisions, or Data Privacy Framework, as applicable).

Retention

Data is retained for the duration of the contractual relationship and applicable legal retention periods.

Rights

Access, rectification, deletion, restriction, objection, and portability. Contact: bootnstrap@gmail.com.

Detailed legal basis by processing activity

• SaaS service delivery and account management: contract performance.
• B2B lead qualification and sales response: pre-contractual steps and B2B legitimate interest.
• Website analytics (Google Analytics) and performance metrics: consent.
• Security, abuse prevention, and technical logs: legitimate interest and legal obligation where applicable.
• Invoicing, accounting, and tax compliance: legal obligation.

Retention matrix

• Commercial leads without conversion: up to 12 months from last interaction.
• Contractual customer data: contract term plus statutory commercial/tax retention periods.
• Security and anti-abuse logs: up to 12 months unless a formal investigation requires longer retention.
• Chat usage records and first-party analytics events: up to 12 months from collection.
• Consent evidence (versions, timestamp, IP hash): during the contractual relationship and as long as claims may be raised.

Rights and response timelines

We respond to data subject rights requests within 30 calendar days, extendable where permitted by GDPR due to complexity. We may request additional information to verify identity.

Supervisory authorities and complaint channels

If you believe processing does not comply with applicable law, you may file a complaint with Switzerland's FDPIC (Federal Data Protection and Information Commissioner). If you are located in the EU/EEA, you may also complain to your national data protection authority.