Bom Privacy Policy

1. Scope

This policy applies to the entire process of accessing Bom, creating an account, connecting the desktop agent, signing in with Google, and checking or approving sessions through the web or mobile UI.

2. Information We Collect or Process

2.1 Account Information

• Email address: Provided through the Google login process.
• Display name and profile information: Used for account display and user identification.
• Google account identifier: Used to link your Bom account with your Google account.

2.2 Service Operation Information

• Agent and device connection info: Connection time, heartbeat status, connected desktop/mobile device identifiers
• Tool execution and session metadata: Execution time, tool name, success/failure status, session state, approval events
• Notification info: If notifications are enabled, tokens and subscription data needed for mobile or browser notification delivery
• File transfer metadata: Filename, status, and connection info to maintain transfer flows during upload/download requests

2.3 Data Processed on Your Device

The Bom desktop agent performs file, browser, app, and system tasks directly on your device. Local file contents, clipboard, screenshots, and browser results may be processed on your device during requested operations. Only results needed for functionality or data explicitly sent by the user are transmitted to the server.

2.4 Google User Data

When you sign in with your Google account, Bom requests only basic profile information:

• Only basic profile information (name, email) is requested for sign-in. No Calendar, Sheets, Docs, or Slides API scopes are requested.
• Google services such as Calendar, Sheets, and Docs are accessed through browser automation on your desktop — not through Google APIs.
• privacy.s2.s2_4.items.2
• privacy.s2.s2_4.items.3
• privacy.s2.s2_4.items.4
• privacy.s2.s2_4.items.5

Bom does not request or use Google Workspace API scopes. All interactions with Google services happen through browser automation initiated by your explicit instructions.

3. Purpose of Information Use

• Service provision: User authentication, desktop agent connection, web/mobile sync, session recovery
• Execution delivery: Routing user-requested tasks to the correct agent and session, returning results
• Task execution: Performing desktop, browser, and web automation tasks that you explicitly request through chat instructions
• Security and approval: Sensitive operation approval, abuse prevention, rate limiting, session verification, audit trail
• Notifications and visibility: Delivering execution status, approval requests, and connection status to web and mobile
• Service improvement: Quality improvement and incident response through anonymous or aggregated usage metrics

4. Google API Services — Limited Use Disclosure

Bom's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

• Bom only uses access to Google user data (profile information obtained during sign-in) to provide the user-facing features described in this policy — namely, account authentication and identification.
• Bom does not transfer Google user data to third parties unless: (a) it is necessary to provide or improve user-facing features visible to you, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable laws, or (d) you provide explicit consent.
• Bom does not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• Bom does not allow humans to read Google user data unless: (a) you have given affirmative consent, (b) it is necessary for security purposes, (c) it is required to comply with applicable law, or (d) the data has been aggregated and anonymized and used for internal operations.

5. Third-Party Sharing and External Services

We do not sell personal information. Information may be shared with external services within necessary scope in the following cases.

• Google: OAuth authentication for sign-in. Bom requests only basic profile information (name, email). Bom's access to Google data is governed by the Limited Use disclosure in Section 4.
• Microsoft Azure AI Speech: Voice-to-text transcription only. When you use voice commands, audio is sent to Azure AI Speech API for transcription. Audio is not stored by Bom after transcription.
• Firebase Cloud Messaging: Push notification delivery to your mobile device. Only notification tokens and message payloads (task status updates, not personal data content) are processed.
• Microsoft Azure: Temporary file storage for file transfers between your desktop and mobile. Files are automatically deleted within 2 hours.
• CLI AI providers (Claude, Codex): Your chat instructions and task results are processed through CLI agents running locally on your desktop. These CLI agents use your own AI subscription — Bom does not send your data to these providers' APIs directly.
• Legal obligations: When required by law, regulation, investigation requests, or rights protection.

6. Data Retention

• Agent session info: Up to 7 days after disconnection
• Command and tool execution logs: Up to 90 days
• Chat threads and messages: Up to 90 days
• Security and audit logs: Up to 365 days
• Google OAuth tokens: Stored until you revoke access or delete your account. Access tokens are short-lived (typically 1 hour) and refreshed as needed. Refresh tokens are stored securely and never exposed in API responses or logs.
• OAuth temporary auth states: Deleted after 5 minutes
• Mobile notification tokens and connection info: Deleted on logout, device removal, or after 90 days of inactivity

7. User Rights and Choices

• Account info review: You can check your profile and connection status at any time.
• Account deletion: You can request full account deletion via DELETE /api/profile. This permanently removes all your data, including stored Google tokens.
• Revoke Google access: You can revoke Bom's access to your Google account at any time by visiting your Google Account permissions page (https://myaccount.google.com/permissions) and removing Bom. This immediately invalidates all stored Google tokens.
• Connection and notification management: You can manage web/mobile connection status and notification preferences.
• Tool approval flow management: You can configure sensitive operation approval and tool usage scope.
• Inquiries: You can contact us below for access, correction, or deletion requests.

8. Security

• Google OAuth 2.0-based authentication with PKCE and state parameter validation
• TLS (HTTPS) transport encryption for all data in transit
• Google tokens are stored server-side and never exposed in API responses, logs, or client-side code
• Approval gates and destructive operation restrictions
• Session verification, rate limiting (per-IP sliding window), and security audit logs
• Content Security Policy (CSP) headers, SSRF prevention, and CSRF protection

9. Children's Privacy

Our service is not intended for children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete that information promptly.

10. International Data Transfers

Bom's servers are located in Korea (Azure Korea Central region). If you access the service from outside Korea, your information may be transferred to and processed in Korea. By using the service, you consent to this transfer. We apply the security measures described in Section 8 to protect your data regardless of your location.

11. Policy Changes

This policy may change as service features and legal requirements evolve. If significant changes are made, the date on this page will be updated and separate notice will be provided if necessary.

12. Contact

For privacy-related inquiries, please contact us below.

• Email: bomtobe.sw@gmail.com
• Website: https://www.bomtobe.com
• Related document: Terms of Service