BOHIO

Drafted by engineering from standard SaaS patterns — professional legal review recommended before scale.

Legal

Privacy Policy

BOHIO SYSTEMS LTD  ·  Last updated: 2026-06-11

1. Introduction

BOHIO SYSTEMS LTD (“BOHIO”, “we”, “our”, “us”) operates the BOHIO real-estate financial modelling platform (“Service”). This Privacy Policy explains what personal data we collect, how we use it, and your rights in relation to it.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. For questions, contact us at hello@bohiotech.com.

2. Data We Collect

2.1 Account Data

When you create an account we collect your name, email address, and encrypted password. This data is required to provide the Service.

2.2 User Content

We store the Excel models, documents, and files you upload, and the chat messages you send to the Karaya AI assistant. This content is necessary to provide the core features of the Service.

2.3 Usage and Technical Data

We automatically collect technical data about your use of the Service, including IP address, browser type, operating system, pages visited, and feature interactions. This data is used to maintain and improve the Service and to enforce rate limits.

2.4 Billing Data

When you subscribe to a paid plan, billing and transaction records are processed and stored by Airwallex. BOHIO receives confirmation of payment status but never receives or stores raw card data.

2.5 Communications

If you contact us for support or feedback, we retain those communications to help resolve your issue and improve the Service.

3. How We Use Your Data

We use your personal data to:

  • Provide, operate, and maintain the Service.
  • Process subscriptions and send transactional emails (account confirmation, billing receipts, password resets).
  • Transmit your User Content to Anthropic to generate AI responses (see Section 5).
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations, including tax and accounting requirements.
  • Improve and develop the Service using aggregated, anonymised usage analytics.

We do not sell your personal data to third parties. We do not use your User Content to train AI models.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area or United Kingdom, our legal bases for processing personal data are:

  • Contract — processing your account data and User Content is necessary to perform our contract with you (the Terms of Service).
  • Legitimate interests — technical data and usage analytics are processed on the basis of our legitimate interest in maintaining and improving the Service, where those interests are not overridden by your rights.
  • Legal obligation — billing records are retained to comply with tax and accounting law.

5. AI Processing — Anthropic

The Karaya AI assistant is powered by Anthropic Claude. Content you submit via the chat interface — including messages and context drawn from your uploaded models — is transmitted to Anthropic as a subprocessor for the sole purpose of generating a response within your session.

Your content is not used to train Anthropic's foundation models under our API agreement. Anthropic's handling of API data is governed by their API data-use policy and our data-processing agreement with them.

By using Karaya, you acknowledge that your prompts and relevant model excerpts are processed by Anthropic in the course of generating a response.

6. Subprocessors

BOHIO shares data with the following subprocessors under appropriate data-processing agreements:

Subprocessor | Purpose                 | Data transferred
Supabase     | Database, auth, storage | Account data, User Content
Anthropic    | AI response generation  | Chat messages, model excerpts
Airwallex    | Payment processing      | Billing info (no raw card data from BOHIO)
Vercel       | Application hosting     | Request data, IP address
Resend       | Transactional email     | Email address, name
Upstash      | Rate limiting           | IP address, user ID (hashed)

7. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. Upon account deletion:

  • Your models, chat history, and profile data are removed from production systems within 30 days and from backup systems within 90 days.
  • Billing and transaction records are retained for a minimum of 7 years as required by accounting and tax law.
  • Aggregate anonymised usage statistics may be retained indefinitely.

8. Cookies

BOHIO uses only essential cookies required for the Service to function:

  • Authentication cookies — maintain your signed-in session. Expire on sign-out or after a rolling inactivity window.
  • Security tokens — CSRF and replay-attack protection. Session-scoped.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individual users. Essential cookies cannot be disabled without breaking the Service.

9. Your Rights (GDPR & UK GDPR)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the GDPR and UK GDPR:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate personal data. Profile information can be updated directly in Settings.
  • Right to erasure — request deletion of your personal data. You can delete your account from Settings; billing records are retained as required by law.
  • Right to data portability — request an export of your personal data in a machine-readable format.
  • Right to restrict processing — request that we limit how we process your data in certain circumstances.
  • Right to object — object to processing carried out on the basis of legitimate interests.
  • Right to lodge a complaint — you have the right to lodge a complaint with your national data-protection supervisory authority.

To exercise any of these rights, contact hello@bohiotech.com. We will respond within 30 days. We may need to verify your identity before processing your request.

10. Account Deletion

You may delete your account at any time from the Settings page within the Service. Account deletion permanently removes:

  • Your profile and account credentials.
  • All uploaded Excel models and associated workbook data.
  • All Karaya chat history.

Deletion is irreversible. Billing records are retained as required by law and are not deleted alongside the account.

11. Data Security

BOHIO implements industry-standard technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS) and at rest.
  • Row-level security on all database tables containing personal data.
  • Principle of least privilege: application services access only the data they require.
  • Rate limiting and abuse detection via Upstash.

No method of transmission or storage is 100% secure. In the event of a data breach affecting your rights, we will notify you and applicable supervisory authorities as required by law.

12. International Transfers

BOHIO and its subprocessors may process your data in countries outside your country of residence, including the United States. Where personal data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

13. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact hello@bohiotech.com.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or by a prominent notice within the Service. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact & Data Controller

The data controller for personal data processed in connection with the Service is:

BOHIO SYSTEMS LTD
Email: hello@bohiotech.com