Privacy Policy
Last updated: April 2, 2026
1. Introduction
Hackmamba Inc., a Delaware corporation doing business as Boki (“Boki,” “we,” “us,” or “our”), is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our website at boki.io, use our application at app.boki.io, or interact with any of our related services (collectively, the “Service”).
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service. This Privacy Policy should be read in conjunction with our Terms of Service.
2. Information We Collect
We collect information from and about you in the following ways:
2.1 Information You Provide Directly
- Account information: When you register for an account, we collect your name, email address, profile image (optional), and timezone. If you sign up with a password, the password is handled by our authentication provider, Supabase, which stores it only in hashed form; we do not store your password ourselves.
- Content: Articles, documents, briefs, plans, comments, reactions, media uploads, and any other materials you create or store through the Service.
- Workspace and team data: Workspace names, descriptions, member email addresses, roles, and workspace invite information.
- Expert and insight data: If you use our insights features, we may collect names, email addresses, LinkedIn URLs, professional bios, and Q&A responses of experts you add or interact with.
- Billing information: When you subscribe to a paid plan, your payment details (credit card number, billing address) are collected and processed directly by Stripe. We store your Stripe customer ID, subscription status, and usage metrics but never store raw payment card numbers.
- Communications: When you contact us for support, submit feedback, or respond to surveys, we collect the information you provide, including your message content and contact details.
- Marketing preferences: If you subscribe to our newsletter or marketing communications, we collect your name, email address, and subscription preferences.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, actions taken, timestamps, referral URLs, and interaction patterns within the Service.
- Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Session recordings: We use PostHog to capture anonymized session recordings that help us understand how users interact with the Service and identify usability issues. These recordings may capture mouse movements, clicks, scrolls, and page content displayed during your session, so they can include Content you are viewing or editing. Session recordings are enabled only with your consent (see Section 4).
- Cookies and similar technologies: We use cookies, local storage, and similar technologies to maintain your session, remember your preferences, and collect analytics data. See Section 6 for details.
- Log data: Server logs that record requests made to the Service, including IP addresses, timestamps, HTTP methods, and response codes.
2.3 Information from Third-Party Sources
- OAuth and social sign-in: If you authenticate using Google, we receive your name, email address, and profile image from your Google account.
- Connected social accounts: When you connect X (Twitter) or LinkedIn for content distribution, we receive your profile information, handle, profile image, and platform-specific identifiers. We store the OAuth access and refresh tokens needed to act on your behalf; these are stored encrypted (see Section 8) and are deleted when you disconnect the account (see Section 7).
- Cloud storage integrations: When you connect Google Drive or Dropbox, we receive limited profile information and access tokens necessary to read and write files on your behalf.
- Short-link analytics: Our short-link provider (Dub.co) may collect click-level data including referrer, geographic location, device type, and browser information.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and operate the Service: Create and manage your account, enable workspace collaboration, process and store your content, facilitate real-time editing, and deliver the features described in your Subscription Plan.
- Process payments: Manage subscriptions, process billing transactions, send invoices, and handle refund requests through Stripe.
- AI-powered features: Process content you submit to our AI features (such as content analysis, technical reviews, and marketing reviews) using third-party AI providers to generate outputs. We do not use your content to train third-party AI models.
- Content distribution: Publish and schedule social media posts to connected platforms, generate and track short links, and manage distribution workflows on your behalf.
- Communications: Send transactional emails (account verification, password resets, workspace invites, notifications), respond to support requests, and deliver product updates.
- Marketing: With your consent, send newsletters and promotional communications about new features, content, and offers. You may opt out at any time.
- Analytics and improvement: Analyze usage patterns, diagnose technical issues, monitor performance, conduct A/B testing through feature flags, and improve the Service.
- Security and fraud prevention: Detect, prevent, and respond to security incidents, unauthorized access, and fraudulent activity.
- Legal compliance: Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
4. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Service as described in our Terms of Service (account management, content storage, collaboration, billing).
- Legitimate interests: Processing for purposes such as improving the Service, analytics, security, and fraud prevention, where such interests are not overridden by your data protection rights.
- Consent: Processing based on your explicit consent, such as marketing communications, session recordings, and optional integrations. You may withdraw consent at any time.
- Legal obligation: Processing required to comply with applicable laws, regulations, or legal processes.
5. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
5.1 Service Providers
We engage trusted third-party companies and individuals to perform services on our behalf. These providers are contractually obligated to use your information only as necessary to provide their services and in compliance with this Privacy Policy. Our key service providers include:
- Supabase: Authentication, database hosting, and backend infrastructure.
- Stripe: Payment processing and subscription management.
- Amazon Web Services (AWS): Cloud storage (S3) for uploaded files and media assets.
- PostHog: Product analytics, session recordings, and feature flags.
- Resend: Transactional email delivery.
- MailerLite: Marketing email campaigns and newsletter distribution.
- Novu: In-app notification delivery.
- Dub.co: Short-link generation and click analytics.
- Google (Generative AI): AI-powered content analysis and review features.
- Upstash: Redis-based job queue infrastructure.
Each of these providers publishes its own privacy policy, which governs its handling of your information.
5.2 Third-Party Platforms You Connect
When you connect Third-Party Services (such as X/Twitter, LinkedIn, Google Drive, or Dropbox), your data is shared with those platforms in accordance with the actions you initiate (e.g., publishing a social media post). Your use of those platforms is governed by their respective privacy policies.
5.3 Workspace Collaborators
Content and profile information (name, email, profile image) are visible to other members of the Workspaces you belong to. Workspace administrators can view member activity and manage access.
5.4 Public Sharing
If you use the Service’s public sharing features (such as public document links, public brief links, or public insight tokens), the shared content becomes accessible to anyone who has the link. The only protection on such content is the secrecy of the link itself, so anyone who obtains it (for example, through forwarding, a referrer header, or a chat or email history) can view the content. We do not control how third parties who access public links use the information.
5.5 Legal and Safety Disclosures
We may disclose your information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, or legal process, (b) enforce our Terms of Service, (c) protect the rights, property, or safety of Boki, our users, or the public, or (d) detect, prevent, or address fraud, security, or technical issues.
5.6 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Service. The types of cookies we use include:
- Essential cookies: Required for the Service to function, including authentication session cookies managed by Supabase, CSRF protection tokens, and user preference storage. These cannot be disabled through the Service; blocking them in your browser will prevent you from signing in.
- Analytics cookies: Used by PostHog to collect anonymized usage data, including page views and feature interactions, and to associate session recordings (which are captured only with your consent, see Section 4) with a session. These help us understand how the Service is used and identify areas for improvement.
- Feature flag cookies: Used by PostHog to manage the rollout of new features and A/B tests, so that the variant you are assigned stays consistent across visits.
Most web browsers allow you to control cookies through their settings. Please note that disabling essential cookies may impair the functionality of the Service. We do not use third-party advertising cookies or serve targeted advertisements.
7. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Account data: Retained for the duration of your account and for up to 30 days after account deletion to allow for recovery, unless you request immediate permanent deletion.
- Content: Retained for the duration of your account. Upon account deletion, Content is permanently removed within 30 days, except where retention is required for legal or compliance purposes.
- Billing records: Retained for up to 7 years after the transaction date as required by tax and accounting regulations.
- Usage and analytics data: Retained in anonymized or aggregated form for up to 24 months.
- OAuth tokens: Revoked and deleted when you disconnect a Third-Party Service or delete your account.
- Marketing data: Retained until you unsubscribe or request deletion.
- Support communications: Retained for up to 3 years after the last interaction for quality assurance and dispute resolution.
8. Data Security
We implement industry-standard technical and organizational measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS, and encryption at rest where supported by our infrastructure providers.
- Authentication through Supabase, with support for OAuth 2.0 sign-in and signed, short-lived session tokens that are periodically refreshed rather than kept valid indefinitely.
- Role-based access controls within Workspaces to limit data visibility.
- Regular security reviews and monitoring of our systems and infrastructure.
- Encrypted storage of sensitive credentials, including Third-Party Service OAuth tokens.
While we strive to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords, enable any available security features on your account, and disconnect Third-Party Services you no longer use.
9. International Data Transfers
Boki is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers maintain facilities. These countries may have data protection laws that differ from those in your jurisdiction.
Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms to ensure an adequate level of data protection.
10. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
10.1 All Users
- Access and portability: Request a copy of your personal information in a structured, commonly used, and machine-readable format.
- Correction: Update or correct inaccurate personal information through your account settings or by contacting us.
- Deletion: Request deletion of your account and associated personal information, subject to our retention obligations.
- Marketing opt-out: Unsubscribe from marketing emails by clicking the “unsubscribe” link in any marketing email or by contacting us. Transactional emails (such as billing confirmations and security alerts) are not affected.
- Disconnect integrations: Revoke Boki’s access to connected Third-Party Services at any time through your account settings, which deletes the OAuth tokens we hold (see Section 7). You can also revoke our access from the provider’s own settings (for example, the third-party access page of your Google account or the connected apps page on X), which invalidates those tokens on the provider’s side regardless of what we store.
10.2 EEA, UK, and Swiss Residents
Under the General Data Protection Regulation (GDPR), you additionally have the right to:
- Restrict processing: Request that we limit the processing of your personal data in certain circumstances.
- Object to processing: Object to processing based on our legitimate interests, including profiling.
- Withdraw consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: File a complaint with your local data protection supervisory authority.
10.3 California Residents
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the following additional rights:
- Right to know: Request details about the categories and specific pieces of personal information we have collected, the sources of collection, the purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: Request deletion of the personal information we have collected from you, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell your personal information or share it for cross-context behavioral advertising.
- Non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
In the preceding 12 months, we have collected the categories of personal information described in Section 2. We have not sold personal information and do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA/CPRA.
10.4 How to Exercise Your Rights
To exercise any of the above rights, please contact us at hi@hackmamba.io. We will respond to your request within the timeframe required by applicable law (one month under the GDPR, extendable by up to two further months for complex requests; 45 days under the CCPA/CPRA, extendable once by a further 45 days). We may ask you to verify your identity before fulfilling your request, so that we do not disclose or delete personal information at the request of someone other than its owner.
11. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe that we have inadvertently collected information from a child under 18, please contact us at hi@hackmamba.io.
12. Do Not Track Signals
Some browsers transmit “Do Not Track” (DNT) signals. There is currently no universally accepted standard for how online services should respond to DNT signals. At this time, the Service does not respond to DNT signals. We will revisit this practice if a uniform standard is adopted.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page and notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically.
Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Privacy Policy, you must stop using the Service and may request deletion of your account.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at hi@hackmamba.io.
If you are located in the EEA, the UK, or Switzerland and have concerns about our data practices that we have not adequately addressed, you have the right to lodge a complaint with your local data protection supervisory authority.