Privacy Policy

Last updated: April 10, 2026

1. Introduction

Borromic ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, and related services (collectively, the "Service").

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, and password when you create an account.
  • Profile Information: Optional details such as company name, role, and profile photo.
  • Content: Data, objects, processes, metrics, and other content you create or upload within the Service.
  • Communications: Information you provide when contacting support or communicating with us.
  • Payment Information: Billing details processed through our third-party payment processor. We do not store full payment card numbers.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, actions taken, timestamps, and session duration.
  • Device Information: Browser type, operating system, device identifiers, and screen resolution.
  • Log Data: IP address, access times, referring URLs, and error logs.
  • Cookies & Similar Technologies: We use essential cookies for authentication and session management. See Section 7 for details.

2.3 Information from Integrations

When you connect third-party services (e.g., CRM, payment processors, analytics platforms) via our integration connectors, we access only the data necessary to provide the requested functionality. Each integration requires your explicit authorization via OAuth or API key.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Authenticate users and manage access control (RBAC) per your project settings.
  • Process transactions and send related communications (invoices, receipts).
  • Provide customer support and respond to your requests.
  • Send product updates, security alerts, and administrative messages.
  • Monitor and analyze usage patterns to improve performance and user experience.
  • Detect, prevent, and address technical issues, fraud, or security threats.
  • Comply with legal obligations and enforce our terms.

4. How We Share Your Information

We do not sell your personal data. We may share information in the following circumstances:

  • Service Providers: With trusted third parties who assist in operating the Service (hosting, analytics, payment processing), bound by confidentiality obligations.
  • Within Your Workspace: With other users in your workspace or project, according to the roles and permissions you configure.
  • AI Agents: When you enable AI agent integrations (via MCP), those agents access your ontology data according to the same RBAC rules as human users. All agent actions are logged in the audit trail.
  • Legal Requirements: When required by law, legal process, or government request.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Project-scoped access control with five-role RBAC (Owner, Admin, Contributor, Viewer, Guest).
  • Complete audit trail on all mutations — every change is logged with actor, timestamp, and context.
  • Regular security assessments and vulnerability testing.
  • Time-bound access for guest users with automatic expiration.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., audit logs required for compliance).

Content within workspaces is retained according to your workspace settings. Workspace owners can export or delete project data at any time.

7. Cookies

We use the following types of cookies:

  • Essential Cookies: Required for authentication, session management, and security. Cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with the Service. You can opt out via your browser settings or our cookie preferences panel.

We do not use advertising cookies or share cookie data with advertisers.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing of your data for certain purposes.
  • Restriction: Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at privacy@borromic.com.

9. International Transfers

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by applicable data protection law.

10. Children's Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: