This Privacy Policy explains how BOBOART (the "Platform") collects, uses, and protects your personal information. The Platform is currently a non-commercial internal collaboration tool. We follow a "minimum necessary" principle when collecting data.
Account information: a username we issue, or — if you sign in with Google — only the following three fields:
- your email address (email);
- display name (name; falls back to email if Google does not provide one);
- Google user identifier (sub; used to recognize the same account on subsequent sign-ins).
We do not receive, store, or request your Google password, profile picture, contacts, calendar, Drive files, gender, birthday, or any other Google account information. The OAuth scopes we request are strictly limited to those required for standard sign-in; we do not request any additional permissions.
Session information: most recent sign-in time, browser language preference.
Content you produce: region annotations, comments, replies, and reactions. Images under review are uploaded by administrators only; regular users do not upload any images.
Local preferences: language and UI state stored in cookies and localStorage of your browser, used to maintain your session and continuity of experience — not for tracking.
- To allow you to sign in and collaborate (annotate, comment, view history);
- To display collaborative output within your team, and to revise visual designs based on the team's feedback;
- To maintain platform security (abuse prevention, error diagnostics).
We do not use your data for advertising, nor do we sell it to any third party.
All infrastructure is hosted in Frankfurt, within the European Union:
- Database (MySQL): Frankfurt;
- Image object storage (COS): Frankfurt;
- Application servers: Frankfurt.
Your data therefore stays within the EU and is not transferred outside the EU. We use TLS-encrypted transport and private-bucket access control to safeguard data.
- Google Identity Services: used for Google sign-in. Google processes data under its own privacy policy.
Apart from sign-in, your images and comments are not automatically forwarded to any third party.
- Account information: kept for the lifetime of your account;
- Annotations and comments: kept alongside their parent compare group, until that compare group is deleted;
- Uploaded images: alongside their parent compare group.
If you request account deletion, we remove your personal identifiers (email, display_name) within 30 days. We may retain anonymized contributions (already-published comments and annotations) to preserve the integrity of the collaborative record.
If you are in the EU, you have the right to:
- Access the data we hold about you;
- Rectify incorrect personal information;
- Erasure ("right to be forgotten");
- Restrict processing;
- Data portability (receive your data in a machine-readable format);
- Object to processing;
- Lodge a complaint with your national data protection authority.
To exercise any of these rights, email info@odysbo.com. We will respond within 30 days.
Identity verification: to prevent impersonation, we verify your identity before acting on a request:
- Please send the request from the email address associated with your account (for Google sign-in users, the email tied to your Google account);
- If we still have reasonable doubt, we may request limited additional verification, such as the approximate time of your most recent sign-in, or recognizable content you produced on the Platform (the text of a specific annotation or comment);
- We will never ask for your password, ID document, or other sensitive personal information as part of identity verification.
If we cannot reasonably verify your identity, we may refuse to act on the request and will explain why (GDPR Article 12(6)).
The Platform uses only strictly necessary cookies and localStorage:
- session: keeps you signed in (necessary);
- bobo-locale: remembers your language (necessary);
- A few UI state items (expand/collapse, etc.).
We do not use analytics, advertising, or third-party tracking cookies. Accordingly, the Platform does not display a cookie consent banner — all cookies in use fall under the "strictly necessary" category of the ePrivacy Directive.
The Platform is not intended for children under 13.
We may update this policy. Updates take effect on publication on this page; the "Last updated" date is revised accordingly. Material changes will be highlighted at your next sign-in.
Data controller contact: info@odysbo.com.