Legal

Privacy Policy

Last updated 22 June 2026

This Privacy Policy explains how BOMBALYX LTD (“Bombalyx”, “we”, “us”) collects, uses, and protects personal data when you use the Bombalyx platform or visit our website. We are the data controller for the personal data described here. Our registered office is 167–169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom.

1. Data we collect

  • Account data: name, work email, company, role, and team size.
  • Usage data: flag configurations, evaluation metadata, and logs needed to operate the Service.
  • Technical data: IP address, browser type, and device information.
  • Billing data: handled by our payment processors; we do not store full card numbers.

2. How we use data

  • to provide, secure, and improve the Service;
  • to communicate about your account, support, and service updates;
  • to comply with legal obligations and enforce our Terms of Service;
  • with your consent, to send product news you can opt out of at any time.

3. Legal bases

Where the UK GDPR or EU GDPR applies, we rely on: performance of a contract; our legitimate interests in operating and securing the Service; compliance with legal obligations; and consent where required.

4. We never sell your data

We never sell personal information to third parties. We share data only with sub-processors who help us run the Service (such as hosting and analytics providers), under contracts that require them to protect it, or where required by law.

5. Your GDPR rights (EEA & UK residents)

If you are located in the European Economic Area or the United Kingdom, you have the right to:

  • access the personal data we hold about you;
  • request rectification of inaccurate data;
  • request erasure (“right to be forgotten”);
  • restrict or object to certain processing;
  • data portability in a structured, machine-readable format;
  • withdraw consent at any time; and
  • lodge a complaint with a supervisory authority, such as the UK ICO.

6. Your CCPA rights (California residents)

If you are a California resident, you have the right to:

  • know what personal information we collect and how it is used;
  • request deletion of your personal information;
  • correct inaccurate personal information;
  • opt out of the “sale” or “sharing” of personal information — though, as noted, we do not sell it; and
  • not be discriminated against for exercising your rights.

7. Children

Children under 16 — this service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

8. Data retention

We retain personal data only as long as necessary to provide the Service and meet legal obligations. On account closure you may export your data within 30 days, after which we delete or anonymise it in the ordinary course.

9. Security

We protect data with encryption in transit and at rest, access controls, and regular review. No method of transmission is perfectly secure, but we work continuously to safeguard your information. See our Security overview for details.

10. International transfers

Where data is transferred outside the UK or EEA, we rely on appropriate safeguards such as Standard Contractual Clauses. You can choose your data residency region on eligible plans.

11. Changes & contact

We may update this Policy from time to time and will post the revised version here. For any privacy request, contact contact@bombalyx-tech.com.

Questions about this policy? Contact contact@bombalyx-tech.com. BOMBALYX LTD, 167–169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom.