Privacy Policy

Effective Date: April 28, 2026

1. Introduction

Welcome to boundless.io. We build specialized workflow and compliance applications, including our flagship platform, Halo, designed to help startups scale securely. This Privacy Policy explains how we collect, use, protect, and handle data when you use our website, applications, and services.

2. Our Role: Data Controller vs. Data Processor

Under UK data protection laws (UK GDPR), there is a critical distinction between a Data Controller and a Data Processor.

• Data Controller: Our clients (the employers) are the Data Controllers. They decide why and how their employees' data is processed.
• Data Processor: boundless.io acts strictly as a Data Processor. We only process employee data on behalf of, and under the direct instructions of, our clients.

3. Information We Collect

To provide our compliance and workflow automation services, we collect specific data regarding our clients' employees. This includes:

• Identity & Contact Data: Employee names and email addresses.
• Biographical Data: Dates of birth.
• Immigration & Compliance Data: UK Home Office share codes and digital copies of Home Office certificates.

4. How We Use the Information

We operate on a principle of absolute data minimization and purpose limitation. The employee data we collect is used strictly and exclusively for the following purposes:

• Compliance Audits: Facilitating automated right-to-work and compliance checks for the employer.
• Renewal Reminders: Monitoring visa or certificate expiry dates and triggering automated renewal reminders to the relevant stakeholders.

We do not use this data for marketing, profiling, analytics, or any other unauthorized purpose.

5. Data Security and Encryption

Securing your sensitive compliance data is our foundational priority. We employ robust technical measures to prevent unauthorized access, disclosure, or alteration:

• AES-CBC Standard Encryption: All sensitive employee details, including Home Office certificates, names, emails, dates of birth, and share codes, are strictly encrypted at rest using Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode.
• Access Controls: Data is isolated and can only be accessed programmatically by the authorized client account that supplied it.

6. Data Sharing and Disclosure

We never sell, rent, or trade client or employee data. Data is only shared under the following limited circumstances:

• Sub-processors: We may use trusted, secure cloud infrastructure providers to host our encrypted databases. These providers are bound by strict Data Processing Agreements (DPAs) and cannot access the raw data.
• Legal Obligation: We may disclose information if explicitly required to do so by UK law enforcement or regulatory bodies.

7. Data Retention

We retain employee compliance data only for as long as the client maintains an active account with boundless.io, or as required to fulfill the specific audit and renewal purposes outlined above. Upon contract termination or a direct request from the Data Controller (the employer), all associated employee data and encrypted certificates are permanently and securely deleted from our systems.

8. User Rights (UK GDPR)

While boundless.io acts as a Data Processor, we fully support our clients in fulfilling their employees' data rights under the UK GDPR. Employees have the right to access, rectify, erase, or restrict the processing of their personal data. Employees wishing to exercise these rights should contact their employer (the Data Controller) directly. We will rapidly comply with any instructions passed down to us by the client regarding these requests.

9. Contact Us

If you have any questions about this Privacy Policy or our encryption standards, please contact our compliance team:

• Email: privacy@boundless.io
• Location: boundless.io, Wallington, London, United Kingdom