Bowmark — Privacy Policy

Last updated: June 16, 2026

This Privacy Policy explains how Bowmark AI Inc. ("Bowmark", "we", "us"), a company incorporated in British Columbia, Canada, collects, uses, discloses, and protects personal information in connection with the Bowmark website, API, and MCP service (the "Service"). It applies to our users and visitors and is incorporated into our Terms of Service. Bulk data exports are governed separately by the Data License Agreement.

We handle personal information in accordance with British Columbia's Personal Information Protection Act (BC PIPA) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to our interprovincial and international activities. Where applicable, we also address Quebec's Act respecting the protection of personal information in the private sector (Law 25), the EU/UK GDPR, and the California CCPA/CPRA.


1. What we collect

We aim to collect the minimum information needed to run the Service. We collect:

Account information (via our authentication provider, Clerk): your name, email address, and authentication identifiers when you sign up or sign in.

Records of your agreement to these terms. When you accept our legal terms, we keep a record of which version you agreed to and when (and your browser's user-agent string), as the record of your consent.

Usage and session information. We record how the Service is used, including: the requests you make to the Service (such as the sites and tasks you query), timestamps, which Cheatsheets or endpoints were returned, outcome/feedback signals you report, error events, performance and diagnostic telemetry, and account/session identifiers.

We do not log or store your IP address in the authenticated Service (the API, the MCP server, and your account). The other session and usage information described above is collected. (Separately, our public marketing website uses a third-party visitor-analytics tool that may collect site visitors' IP addresses — see §6. That applies to the marketing website only, not to the Service.)

Communications. If you contact us, we keep the content of your messages and our responses.

Billing information. When you purchase a paid plan (such as the Pro plan or the Data subscription), our third-party payment processor, Stripe, collects and processes your payment details through its hosted checkout and billing portal. We do not receive or store your full payment-card number. We retain limited billing records — such as your Stripe customer and subscription identifiers, your plan and subscription status, the billing period, and the email associated with billing.

Hugging Face account (Data subscribers). If you subscribe to Bowmark Data, we collect the Hugging Face username you connect (either by signing in with Hugging Face or by entering it) so that we can grant your account access to the gated dataset repository and revoke it when your subscription ends. We share that username with Hugging Face for this purpose (see §6).

We do not intentionally collect special-category/sensitive personal information, and you should not submit it to the Service.


2. A note on indexed third-party sites

The Service observes publicly accessible third-party websites to produce Cheatsheets. In doing so, the Service may incidentally encounter information published on those sites, which can include personal information about third parties placed there by the site operators or others. This Policy governs our handling of our users' personal information. Our handling of content derived from indexed sites — including any bulk Dataset — is addressed in the Data License Agreement and in Section 9 below.


3. How we use information

We use personal information to: provide, operate, secure, and improve the Service; authenticate users and manage accounts; process payments and manage subscriptions; provision and revoke access to purchased datasets; prevent fraud and abuse; monitor performance, debug, and maintain reliability; communicate with you about the Service; and comply with legal obligations and enforce our Terms.

We do not sell your account information. (See Section 10 for the CCPA-specific meaning of "sell/share" and how it relates to our Dataset product.)


4. Legal bases (where GDPR applies)

Where the GDPR applies, we rely on: performance of a contract (to provide the Service you request); legitimate interests (to secure, improve, and operate the Service, and to prevent abuse), balanced against your rights; consent (where required, e.g. certain communications or cookies); and legal obligation (to comply with law).


5. Cookies and similar technologies

We use strictly necessary cookies and tokens to keep you signed in and to operate the Service securely. Our public marketing website also uses a non-essential third-party visitor-analytics tool (see §6); where required by law (for example for visitors in the EEA/UK) we obtain consent before setting non-essential cookies or trackers. You can control cookies through your browser; disabling essential cookies may break the Service.


6. How we share information — service providers (sub-processors)

We share personal information only as needed to run the Service, with providers acting on our instructions under contract, including:

  • Authentication — Clerk (account sign-in and identity management).

  • Object storage — Cloudflare R2 (operational data and artifacts).

  • Network / DNS / CDN — Cloudflare (traffic routing, security, and content delivery).

  • Hosting / infrastructure — GTHost (the dedicated-server provider whose infrastructure hosts the Service). Operational telemetry runs on a self-hosted SigNoz instance on that infrastructure, so usage diagnostics are not sent to a third-party analytics service.

  • AI model and embedding providers — to generate Output and to match your requests to the right Cheatsheet, the content of your requests (such as your task query) may be processed by third-party model providers, which may include: OpenAI (text embeddings), Anthropic, Google (Gemini), OpenRouter (an aggregator that routes requests to underlying model providers), and DeepSeek. The specific provider used at a given time depends on our configuration. These providers process your request content under their own terms, which we do not control. We cannot guarantee how each provider handles submitted content, and some providers may retain it or use it to improve or train their models. Do not submit information through the Service that you would not want shared with these providers, and review the relevant provider's terms for details.

  • Payment processing — Stripe (hosted checkout, billing portal, and subscription management for paid plans). Stripe receives the information needed to process your payment (such as your name, email, and payment-card details) and processes it under its own privacy policy. We do not receive or store your full payment-card number — we retain only limited billing records (see §1).

  • Dataset delivery — Hugging Face (for Bowmark Data subscribers, the dataset is delivered through a gated Hugging Face repository). We share the Hugging Face username you connect with Hugging Face so we can grant and revoke your access to that repository; your use of Hugging Face is also subject to its own terms and privacy policy.

  • Marketing-website visitor analytics — lemlist (a visitor-tracking script on our public website at bowmark.ai, used for marketing attribution). It may collect site visitors' IP addresses and browsing activity. This applies to the public marketing website only, not to the authenticated Service.

We may also disclose information: to comply with law, legal process, or lawful requests; to enforce our Terms; to protect the rights, safety, and security of users, the public, or us; and in connection with a merger, acquisition, financing, or sale of assets (with notice where required).


7. International transfers

To provide the Service, we and our providers may process personal information outside your province and outside Canada — including in the United States (for example OpenAI, Anthropic, Google, OpenRouter, Cloudflare, Stripe, and Hugging Face), the European Union and other regions (for example lemlist and Stripe), and, depending on our configuration, other countries including China (DeepSeek). Privacy laws in those countries may differ from, and offer less protection than, those in your jurisdiction, and personal information may be subject to lawful access by foreign authorities. Where personal information is transferred across borders we take steps required by applicable law (such as appropriate contractual safeguards), and under BC PIPA and PIPEDA we remain accountable for it. By using the Service you consent to these transfers; do not submit information you do not want processed in these locations.


8. Retention

We keep personal information only as long as needed for the purposes described here, to comply with legal, tax, and accounting obligations, and to resolve disputes and enforce our agreements, after which we delete or de-identify it. Our retention periods are:

  • Account information — kept for the life of your account. When you ask us to delete your account or your information (contact privacy@bowmark.ai), we delete or de-identify it within 90 days of your request, except records we are required to keep longer for legal, tax, or dispute-resolution purposes.
  • Usage and request records stored in our systems (such as your task queries, outcome signals, session metadata, and derived embeddings) — kept while your account is active. We delete or de-identify them within 90 days of a valid deletion or account-closure request.
  • Diagnostic and performance telemetry (traces and logs in our self-hosted SigNoz) — automatically deleted after up to 30 days.
  • Backups — database backups are retained for up to 60 days; system and configuration backups follow a rolling schedule (recent daily, weekly, and monthly snapshots) retained for up to six (6) months. Information you delete persists in backups only until those backups age out of the cycle.
  • Billing records (such as invoices, transaction and subscription identifiers, and billing status held by us; full payment details are held by Stripe) — retained for at least six (6) years, as required by Canadian tax law.
  • Support communications — retained for up to 24 months.

9. Security

We use reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including access controls, encryption in transit, and scoped credentials. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.


10. Your rights

Subject to applicable law, you may request to: access the personal information we hold about you; correct inaccurate information; delete information; withdraw consent; and, where applicable, port information. To exercise a right, contact privacy@bowmark.ai. We will respond within the time required by law and may need to verify your identity.

  • BC PIPA / PIPEDA (Canada). You have rights of access and correction and the right to withdraw consent (subject to legal/contractual limits). You may complain to the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) or, for matters under PIPEDA, the Office of the Privacy Commissioner of Canada.
  • Quebec (Law 25). Quebec residents have additional rights, including data portability and the right to complain to the Commission d'accès à l'information.
  • GDPR (EEA/UK). You also have rights to restriction, objection, and to lodge a complaint with your supervisory authority.
  • CCPA/CPRA (California). You have rights to know, delete, correct, and to opt out of "sale" or "sharing."

Note on the Dataset product and "sale/share": With respect to your account and usage information, we do not sell or share it as those terms are defined under the CCPA. Our separate Dataset product concerns data derived from publicly accessible third-party sites, not your account information; if any Dataset includes California personal information such that the CCPA applies, the required disclosures and an opt-out mechanism will be provided through the Data License process.


11. Children

The Service is not directed to children and is intended for business and adult users. We do not knowingly collect personal information from children. If you believe a child has provided information, contact us and we will delete it.


12. Automated processing

The Service uses automated systems and AI models to generate Output. We do not use your account information to make decisions producing legal or similarly significant effects on you without a lawful basis and, where required, appropriate safeguards and the ability to request human review.


13. Changes to this Policy

We may update this Policy. We will revise the "Last updated" date and, for material changes, provide notice where required. Where a change involves a new collection, use, or disclosure of your personal information that requires your consent, we will ask for that consent; you may decline, and you may stop using the Service. We condition continued use of the Service only on the processing that is necessary to provide it — we do not require you to consent to unnecessary or secondary processing as a condition of using the Service. Continued use of the Service after a non-material change takes effect means you accept the updated Policy.


14. Contact and person responsible for privacy

For privacy questions or to exercise your rights, contact the person responsible for the protection of personal information at Bowmark:

Privacy Officer, Bowmark AI Inc.
9371 Dolphin Ave, Richmond, BC, Canada
privacy@bowmark.ai

© 2026 Bowmark AI.
All rights reserved.