Privacy Policy

Book of Spells ("bos," "we," "us," or "our") operates the bos mobile application and the bethebos.ai website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your phone number (in E.164 format), display name, username, chosen avatar color, and timezone. Your phone number is used for SMS-based verification — we send a one-time verification code to authenticate your identity. We do not store passwords; account access is managed entirely through phone-based verification.

1.2 Voice Data

When you use the speak feature, your device records audio and converts it to text using Apple's on-device Speech Recognition framework (SFSpeechRecognizer). The resulting text transcript is sent to our servers for intent processing. We do not store raw audio recordings from the speak feature on our servers.

For Portal voice messages, audio recordings are uploaded to our servers and stored to enable message playback by the recipient. Portal audio is stored using encrypted-at-rest storage.

1.3 Items and Content

We store the items you create (reminders, notes, events, lists, timers, answers) including titles, descriptions, due dates, locations, and metadata. This data is necessary to provide the core functionality of the Service.

1.4 Contacts and Social Data

If you use the contacts or friends features, we store contact names, nicknames, phone numbers, and relationship context that you provide. If you grant permission, we may access your device's address book to help you find friends on bos. We only look up phone numbers for matching purposes and do not store your full address book on our servers.

1.5 Messages

Messages sent through the Service (text, voice, and shared items) are stored on our servers to enable delivery and conversation history. Voice messages may be summarized using AI for convenience; both the original transcript and the summary are stored.

1.6 Device Information

We collect your device's push notification token (APNs token) to deliver notifications. We also collect your device's timezone setting to display times correctly.

1.7 Location Data

If you enable weather in your dashboard, we request approximate location access (via Apple CoreLocation) solely to fetch local weather data from Apple WeatherKit. We do not store your location on our servers. Location access is entirely optional and the app functions fully without it.

1.8 Calendar Data

If you enable Apple Calendar sync, we access your calendar via Apple EventKit to create and manage events and reminders. Calendar data is synced between the app and your local Apple Calendar. Calendar event IDs are stored locally on your device — not on our servers.

1.9 Usage Data

We track daily API request counts per user for rate-limiting purposes. We also log request types and token usage for service monitoring and cost management. We do not use third-party analytics or advertising SDKs.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process your voice commands and create items on your behalf
• Deliver messages and portal voice messages between users
• Send push notifications (reminders, messages, daily summaries)
• Display weather information on your dashboard
• Sync events and reminders with your Apple Calendar
• Enforce rate limits and subscription tiers
• Respond to your support inquiries
• Detect and prevent fraud, abuse, and security incidents
• Improve and optimize the Service

3. AI Processing

Your voice transcripts are processed by AI models to understand your intent (e.g., creating a reminder, answering a question). We use Anthropic's Claude API for cloud-based AI processing. On supported devices (iOS 26+), some intents may be processed entirely on-device using Apple Foundation Models, in which case no data is sent to external servers.

We do not use your personal data to train AI models. Your transcripts are processed in real-time and are not retained by our AI providers beyond the duration needed to generate a response.

4. Third-Party Services

We integrate with the following third-party services to provide our functionality:

• Anthropic (Claude API) — AI-powered intent parsing, question answering, and message summarization. Processes text transcripts only. Subject to Anthropic's Privacy Policy.
• Apple WeatherKit — Weather data for dashboard display. Uses approximate device location. Subject to Apple's Privacy Policy.
• Apple Push Notification service (APNs) — Delivery of push notifications to your device.
• RevenueCat — Subscription management and in-app purchase processing (when available). Subject to RevenueCat's Privacy Policy.
• Twilio — SMS delivery for phone number verification during account authentication. Your phone number is shared with Twilio solely to deliver one-time verification codes. Subject to Twilio's Privacy Policy.
• Fly.io — Cloud infrastructure hosting for our backend servers.

We do not sell your personal information to third parties. We do not use third-party advertising networks or tracking SDKs.

5. Data Storage and Security

Your data is stored on secured servers hosted by Fly.io. We use industry-standard security measures including:

• Encrypted data transmission (HTTPS/TLS for all API communication)
• Encrypted-at-rest storage for audio files
• Cryptographic password hashing (bcrypt)
• Stateless JWT authentication with JTI-based token revocation
• API rate limiting to prevent abuse
• Authentication tokens stored in the iOS Keychain (not in plaintext storage)

While we implement safeguards to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your account data for as long as your account is active. Items, messages, and portal audio are retained until you delete them or delete your account. Archived items are soft-deleted (hidden from active views) but retained for your access in history.

Usage logs (request counts) are retained for billing and rate-limiting purposes and are reset daily.

When you delete your account, we schedule permanent deletion of all your data from our servers. This process may take up to 30 days to complete across all systems and backups.

7. Your Rights and Choices

7.1 Access and Export

You can request a copy of your data at any time through the app's Settings > Data & Privacy > Export Data feature.

7.2 Deletion

You can delete your account and all associated data through Settings > Data & Privacy > Delete Account. This action is irreversible.

7.3 Permissions

You can revoke microphone, contacts, location, calendar, and notification permissions at any time through your device's Settings app. Revoking permissions may limit certain features but will not affect core functionality.

7.4 Communication

You can disable daily summary notifications and other notification categories through the app's settings or your device's notification settings.

8. Rights for European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR), including:

• Right of Access — request a copy of your personal data
• Right to Rectification — request correction of inaccurate data
• Right to Erasure — request deletion of your personal data
• Right to Restriction — request limitation of processing
• Right to Data Portability — receive your data in a portable format
• Right to Object — object to processing based on legitimate interests

Our legal basis for processing your personal data is: (a) performance of our contract with you (providing the Service), (b) your consent (for optional features like location and contacts), and (c) our legitimate interests (security, fraud prevention, service improvement).

To exercise these rights, contact us at privacy@bethebos.ai.

9. Rights for California Users (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

• Right to Know — what personal information we collect, use, and disclose
• Right to Delete — request deletion of your personal information
• Right to Opt-Out — opt out of the sale of personal information (we do not sell your data)
• Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights

We do not sell personal information as defined by the CCPA. To exercise your rights, contact us at privacy@bethebos.ai.

10. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@bethebos.ai.

11. International Data Transfers

Your data may be processed on servers located in the United States. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Effective Date" and, where appropriate, through in-app notification. Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@bethebos.ai
• General Support: support@bethebos.ai
• Website: bethebos.ai