Privacy Policy
Bol.ai converts Bill of Lading documents into structured data. This policy explains what personal data we process when you use bol.ai, why, where it is stored, and the rights you have under the GDPR.
1. Data we process
| Category | Examples | Purpose / legal basis |
|---|---|---|
| Account data | Email address, hashed password, API key hashes | Providing the service (contract, art. 6(1)(b)) |
| Documents & extracted data | Bills of Lading you upload, email in, or submit via API; the structured fields extracted from them; your corrections | Providing the service (contract). Documents may contain personal data of third parties (e.g. names in shipper/consignee fields); you are responsible for being entitled to process those documents. |
| Billing data | Subscription status, purchases, usage counts. Card details are processed by Stripe and never touch our servers. | Contract and legal (tax) obligations |
| Technical & error data | IP address (rate limiting), error reports and feedback you submit (Sentry, EU region) | Security and service quality (legitimate interest, art. 6(1)(f)) |
2. Our role: controller and processor
For your account, billing, and technical data, Dutchcode B.V. is the data controller. For the personal data contained inside the documents you submit — for example names and addresses in shipper, consignee, or notify-party fields — you are the controller and we act as your processor under article 28 GDPR. As your processor we:
- process that data only to provide the Service and on your documented instructions (your use of the Service, together with our Terms, constitutes those instructions);
- ensure the people who process it are bound by confidentiality;
- apply appropriate technical and organisational security measures (art. 32), including EU-only storage and encryption in transit;
- engage only the sub-processors listed below, and give you reasonable advance notice of any new sub-processor so you can object;
- assist you, where the nature of the processing allows, with data-subject requests and with your own security and breach-notification obligations (art. 32–36); and
- delete the documents and extracted data when your account ends, as described under “Retention”.
3. Where your data lives
Documents and extracted data are stored exclusively in the European Union: our database runs in Western Europe and file storage is under EU jurisdiction (Cloudflare R2, EU). Extraction runs on Cloudflare Workers AI; documents are sent to the model on-demand for inference only. Error monitoring uses Sentry's EU (Frankfurt) ingestion region. We do not sell personal data, and your documents are never used to train our models or any third-party provider's models.
4. Third-party services we rely on
We engage the sub-processors below to run the Service. Each receives only the data needed for its role.
| Provider | What they receive | Privacy policy |
|---|---|---|
| Cloudflare, Inc. | IP address, browser user-agent, request metadata; documents and extracted data for hosting, storage and AI inference | cloudflare.com/privacypolicy |
| Stripe, Inc. | Email address, billing address, payment method (card data handled solely by Stripe), subscription and purchase metadata | stripe.com/privacy |
| Functional Software, Inc. (Sentry) | IP address, browser user-agent, error stack traces and optional feedback text you submit | sentry.io/privacy |
| Resend, Inc. | Email address and message content for transactional email (password resets) and founder outreach (marketing, with unsubscribe) | resend.com/legal/privacy-policy |
| Google LLC | IP address, browser user-agent (web fonts loaded from fonts.googleapis.com / fonts.gstatic.com) | policies.google.com/privacy |
| Apollo.io (ZenLeads, Inc.) | Business contact data (name, title, company, email) when our team searches or imports sales prospects in the admin console — not used in the customer-facing product | apollo.io/privacy-policy |
We give reasonable advance notice before adding or replacing a sub-processor.
5. Retention
Documents and extractions are retained while your account is active so you can access your history. You can delete individual documents from the app at any time. You can delete your entire account from Account settings in the app (email confirmation and password required) or by emailing support@bol.ai; we delete personal data immediately on self-service deletion. Billing records required for tax law may be retained without personal identifiers. Error data in Sentry is retained for 90 days.
6. Your rights
Under the GDPR you can request access, correction, deletion, restriction, and portability, and you can object to processing based on legitimate interest. To exercise these rights, email support@bol.ai. You can also lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag).
7. Data breaches
In the event of a personal data breach that is likely to affect your rights, we will notify the Dutch DPA within 72 hours and inform affected users without undue delay, as required by GDPR art. 33–34.
8. Cookies
Bol.ai uses one strictly necessary cookie: the session cookie that keeps you signed in. We set no advertising or cross-site tracking cookies.
9. Changes
We will update this policy as the service evolves and note the date above. Material changes will be announced in the app.