This Privacy Policy describes how Capisso ("we", "us", or "our") collects, uses, and protects information when you use the BOSS — Business Operating System Suite ("Service"). We are committed to protecting your privacy and handling your data with care and transparency.
Who We Are
The Service is operated by Capisso. For any privacy-related questions or requests, you can contact us at info@capisso.com.
Information We Collect
We collect the following categories of information:
| Category | Examples | Source |
|---|---|---|
| Account information | Name, email address, organisation name | You, directly |
| Authentication data | OAuth tokens, session identifiers | Microsoft identity platform |
| Microsoft 365 data | Emails, calendar events, contacts, files — within authorised scopes only | Microsoft Graph API, with your explicit consent |
| Usage data | Actions taken within the Service, feature usage, timestamps | Automatically collected |
| Technical data | IP address, browser type, device information, log data | Automatically collected |
Microsoft 365 Integration
BOSS connects to Microsoft 365 via OAuth 2.0 using the Microsoft identity platform. When you authorise this connection, we may access data through the following Microsoft Graph API scopes, depending on the features you enable:
- User.Read — your basic profile and account information
- Mail.Read / Mail.ReadWrite — reading and, where enabled, sending emails on your behalf
- Calendars.Read / Calendars.ReadWrite — reading and managing calendar events
- Contacts.Read — reading contact information to assist with communications
- Files.Read — accessing files in OneDrive relevant to active workflows
You can revoke BOSS's access to your Microsoft 365 account at any time via your Microsoft account permissions page.
How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Service
- Authenticate you and maintain the security of your account
- Execute automated workflows and tasks you configure
- Respond to your requests and provide customer support
- Monitor for fraud, abuse, or security threats
- Comply with our legal obligations
- Send you service-related communications (not marketing, unless you opt in)
Data Sharing and Disclosure
We do not sell your personal data. We may share your information only in the following limited circumstances:
- Service providers: trusted third parties who assist us in operating the Service (hosting, infrastructure, analytics) under strict data processing agreements
- Legal compliance: when required by law, court order, or governmental authority
- Business transfers: in the event of a merger, acquisition, or sale of assets, with advance notice to you
- With your consent: for any purpose you explicitly authorise
Our infrastructure is hosted on Hetzner (EU-based servers). Subprocessors are selected to ensure your data remains within the European Economic Area wherever possible.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you close your account, we will delete or anonymise your data within 30 days, except where we are required to retain it for legal or regulatory purposes.
Microsoft 365 data cached by the Service for operational purposes is retained only for the duration required to complete the relevant workflow, and no longer than 90 days.
Data Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, disclosure, alteration, or destruction. These include encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to a commercially reasonable standard.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you
- Rectification: request correction of inaccurate data
- Erasure: request deletion of your data ("right to be forgotten")
- Portability: receive your data in a structured, machine-readable format
- Restriction: request that we limit how we process your data
- Objection: object to processing based on legitimate interests
- Withdraw consent: withdraw consent at any time where processing is consent-based
To exercise any of these rights, please contact us at info@capisso.com. We will respond within 30 days.
Cookies and Tracking
We use strictly necessary cookies to maintain your session and authenticate your identity. We do not use third-party advertising or tracking cookies. You can control cookie preferences through your browser settings, although disabling session cookies will prevent you from using the Service.
Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the date at the top of this page and, where appropriate, by email. Continued use of the Service after changes become effective constitutes acceptance of the revised policy.
Contact and Complaints
If you have any questions about this Privacy Policy or our data practices, please contact us:
If you are located in the European Economic Area and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local data protection authority.