Skip to content

Privacy Policy

Privacy Policy

Privacy Policy

Effective 13 July 2026

This Privacy Policy explains how The Boring AI Ltd, trading as Bily (Bily, we, us, or our), collects, uses, discloses, retains, and protects personal data through bily.ai, the Bily application, related services, and communications. The Boring AI Ltd is registered in England and Wales under company number 14704570. Registered office: Profile West, Suite 2 First Floor, 950 Great West Road, Brentford, United Kingdom, TW8 9ES.

This policy is written to make our roles and boundaries clear. It does not replace a customer’s own privacy notice or data-processing obligations, and it does not certify either Bily or a customer as compliant with every privacy law.

1. When Bily is a controller and when Bily is a processor

Bily generally acts as a controller for personal data used to operate our website, create and administer accounts, manage subscriptions and billing, provide support, communicate with prospects and customers, secure the Service, and understand our own business.

Bily generally acts as a processor or service provider when a customer instructs us to collect or process commerce events, customer and order data, advertising data, attribution data, or other information from the customer’s properties and connected accounts. In that role, the customer determines the purpose and lawful basis and is responsible for notices, consent, rights requests, and its instructions. Individuals connected to a Bily customer should usually contact that customer first; we assist verified customer instructions as required by the applicable agreement and law.

2. Personal data we collect

  • Account and organisation data. Name, business email, role, profile, organisation, team membership, account identifiers, permissions, authentication and session information.

  • Billing and transaction data. Plan, subscription, invoices, tax and billing status, and limited payment-related information. Full payment-card data is handled by specialist billing providers rather than stored by Bily.

  • Connected-account data. Store, advertising, analytics, or other account profiles, permissions, configuration, status, and credentials or tokens needed to maintain an authorised connection.

  • Commerce and customer-directed data. Page, product, search, cart, checkout, order and purchase events; customer or visitor identifiers; email, phone, name, city, region, postal code and country when supplied; product, discount, tax, shipping, order value, and related attributes.

  • Advertising and measurement data. Ad accounts, campaigns, spend, budgets, clicks, impressions, reach, conversions, video metrics, attribution dimensions, and destination-delivery status.

  • Device and usage data. IP address, user agent, browser, operating system, device characteristics, URLs, referrers, approximate location, visitor and session identifiers, timestamps, logs, and product interactions.

  • Support and communications. Messages, call or meeting details, feedback, requests, attachments, and information needed to investigate a question or incident.

  • AI feature data. Prompts, instructions, selected business context, tool inputs, and generated outputs when a user invokes an AI-assisted feature.

We receive data directly from users, from customers’ websites and commerce properties, from authorised connected services, from service providers, and automatically through use of our website and product. We ask customers not to submit special-category data, government identifiers, payment-card details, protected health information, or other highly sensitive information unless Bily has expressly agreed in writing to process it.

3. How and why we use personal data

  • Provide the Service. Create accounts, authenticate users, connect properties, collect and route events, produce reports, run requested workflows, provide AI-assisted features, and support customers. Our legal basis is contract or steps requested before contract; for customer-directed data, we act on the customer’s instructions.

  • Secure and operate Bily. Prevent abuse, validate requests, enforce permissions, diagnose faults, monitor reliability, investigate incidents, and maintain audit and operational records. Our basis is legitimate interests, contract, and legal obligations.

  • Billing and administration. Manage subscriptions, invoices, tax, account ownership, notices, and support. Our basis is contract and legal obligation.

  • Improve the product. Understand feature use, test changes, improve usability and data quality, and develop new capabilities using appropriate aggregation, minimisation, or de-identification. Our basis is legitimate interests, balanced against individual rights.

  • Communicate. Send transactional messages, service notices, requested information, and relevant product or commercial communications. Our basis is contract, legitimate interests, or consent where required.

  • Comply and protect. Meet legal duties, respond to lawful requests, establish or defend claims, enforce terms, and protect Bily, customers, platforms, and the public. Our basis is legal obligation and legitimate interests.

Where we rely on legitimate interests, those interests include providing a reliable business service, preventing fraud and abuse, improving the product, supporting customers, and running our business. You may object where applicable. Where we rely on consent, you may withdraw it at any time without affecting earlier processing.

4. AI-assisted processing

When a user deliberately invokes an AI-assisted feature, Bily may send the prompt and the minimum context reasonably needed to an AI inference provider so the feature can return a result. The context may include selected account, commerce, advertising, or operational information visible to that authorised user. Users should review outputs and avoid entering secrets or sensitive personal data unless expressly authorised. Bily’s AI-assisted features support human judgement and are not presented as making decisions that produce legal or similarly significant effects about individuals. Provider retention and model-use terms can vary by feature and contract. Bily does not make a blanket zero-retention or no-training promise on this public page; any such commitment must appear in the applicable signed agreement. Bily does not treat generated output as guaranteed fact or professional advice.

5. How we disclose personal data

We disclose personal data only as reasonably needed for the purposes above, subject to appropriate instructions and safeguards. Recipient categories may include infrastructure and hosting providers; data-processing and analytics providers; billing and payment providers; transactional email and communications providers; monitoring, security, and support providers; AI inference providers when a feature is invoked; professional advisers; and public authorities where lawfully required.

We also exchange data with customer-directed integrations, such as commerce, advertising, and analytics destinations selected by the customer. Those providers may act independently under their own terms and privacy notices. We may disclose data in connection with a merger, financing, reorganisation, or sale, subject to confidentiality and applicable law.

Bily does not sell personal data for money. Optional measurement and campaign-attribution technologies on our public site wait for your choice where consent is required. If applicable law treats a particular disclosure as sharing or targeted advertising, an eligible person may opt out through Cookie preferences, browser or device controls, or [email protected].

6. International transfers

Bily and its providers may process data in the United Kingdom, the European Economic Area, the United States, and other countries where a provider or customer-directed destination operates. Privacy protections can differ by location. Where required, Bily uses the transfer mechanism stated in the applicable contract package. For UK restricted transfers, this may be an adequacy regulation, the ICO-approved International Data Transfer Agreement, or the ICO-approved UK Addendum to the EU Standard Contractual Clauses, supported by the required transfer assessment and supplementary measures. For EEA restricted transfers, this may include an adequacy decision or the applicable EU Standard Contractual Clauses and transfer assessment. We do not promise that all data remains in one country or region unless a signed agreement expressly says so.

7. Retention

We retain personal data for the shortest period reasonably needed for the purpose, taking account of customer configuration, product function, security, legal duties, disputes, and contracts. Different records have different lifecycles.

  • Account and organisation data is generally kept while the account is active and for a limited administrative, security, or legal period afterwards.

  • Billing and tax records are retained for periods required by financial and tax law.

  • Connected credentials and tokens are kept while needed for an authorised connection and are invalidated or removed when the connection is removed, subject to operational and backup cycles.

  • Operational event data varies by store and function. Some live event stores are configured around 90 days, while derived records, customer-selected data, aggregated information, and legally required records may be retained differently. Ninety days is not a universal Bily retention period.

  • Transient caches and delivery tokens are generally kept for much shorter operational windows.

  • Support and security records are retained as needed to resolve the matter, prevent recurrence, establish claims, and meet legal obligations.

Deletion may not be immediate in immutable logs, fraud-prevention records, or backups. When data no longer needs to be retained, we delete, de-identify, or isolate it according to the applicable process. A customer’s deletion of a property removes associated application records and tenant resources within the supported workflow, but it does not automatically erase data held independently by a connected third party.

8. Security

We use technical and organisational practices designed to reduce unauthorised access, disclosure, alteration, and loss. These include scoped access controls, secure browser sessions, trusted-origin checks, request and permission validation, rate limits, cryptographic verification for supported signed webhooks, secret redaction in general telemetry, data minimisation, and controlled removal of connected properties. See the Security Overview for the current public description and its limitations. No system is completely secure.

9. Your choices and rights

Depending on your location and Bily’s role, you may have rights to access, correct, delete, restrict, or object to processing; receive a portable copy; withdraw consent; opt out of certain sharing or targeted advertising; limit certain uses of sensitive data; and appeal a refusal. You may also unsubscribe from non-essential marketing using the message link or by contacting us.

To make a request about data Bily controls, email [email protected]. We may ask for information needed to verify identity, authority, account, and jurisdiction. We will not discriminate against a person for exercising a privacy right. If Bily processes the data only for a customer, we may direct the request to that customer and assist the customer’s verified instructions. Some rights are subject to exemptions, identity checks, and retention duties.

Data protection complaints

You may complain about our handling of personal data by emailing [email protected] with the subject “Data protection complaint”. We will acknowledge the complaint within 30 days, make appropriate enquiries without undue delay, keep you informed of progress, and communicate the outcome without undue delay. This complaints process is separate from the statutory timetable for a rights request. You may also complain to your local data-protection authority. In the United Kingdom, the supervisory authority is the Information Commissioner’s Office at ico.org.uk. You do not have to contact us before approaching an authority.

10. Cookies and similar technologies

We use cookies, local storage, tags, and related technologies for authentication, security, preferences, campaign attribution, product operation, and website measurement. Optional public-site measurement and campaign-attribution technologies wait for consent where required. Details, including a first-party campaign-attribution cookie that may store UTM parameters and click identifiers after consent, are in our Cookie & Tracking Notice.

11. Children

Bily is a business service and is not directed to children. We do not knowingly collect personal data directly from children under 16 through our website or account sign-up. Customers must not use Bily to target children or submit children’s personal data without a lawful basis and any required written agreement.

12. Changes to this policy

We may update this policy as the product, law, or our practices change. We will publish the revised effective date and, where appropriate, provide additional notice of a material change. Earlier versions may be requested where reasonably available.

13. Contact

Privacy questions and rights requests: [email protected]. Legal and contractual questions: [email protected]. Security reports: [email protected]. Postal contact: The Boring AI Ltd, Profile West, Suite 2 First Floor, 950 Great West Road, Brentford, United Kingdom, TW8 9ES.