Privacy Resources
Last updated: November 24, 2023
Introduction
Boost respects the privacy of everyone that engages with our platform, and we are committed to being transparent about our privacy processes and policies. We are a platform that enables businesses globally, and in order to provide our services to our Business Users and End Users, we collect and process personal data.
These Privacy Resources contain the answers to frequently asked questions about how we collect and use personal data, the rights that individuals have in relation to personal data held by Boost, and how Boost complies with international data protection laws.
All materials have been prepared for general information purposes only. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.
These materials should be read in conjunction with, and as a reference to, our Privacy Policy.
How we collect and process personal data
Is Boost a data controller or a data processor?
The answer is both.
The “data controller” is the entity which determines the purposes and means of the data processing taking place. The “data processor” is an entity acting on behalf and under the instructions of a controller in processing personal data.
Boost is a data controller when it determines the purposes and means of the processing taking place. These data processing activities include (1) providing the Boost products and services, (2) monitoring, preventing and detecting fraudulent activity on the Boost platform, (3) complying with legal or regulatory obligations applicable to the business sectors to which Boost is subject, and (4) analysing, developing and improving Boost’s products and services. Boost’s controller activities are listed in full, below.
Boost is a data processor where it is facilitating transactions on behalf of and at the direction of a Business User. Our Business Users direct us to record orders and other transactions from End Customers.
Boost is considered a processor when directed to process these transactions (i.e. Boost receives instructions about the value of an order placed, and requests payment from the End Customer).
As a platform provider, we need to ensure consistency across our platform, and that includes consistency with respect to the commitments that we give about how we operate our platform. We contract with all of our Business Users on this basis.
Which Boost entities are involved?
For all of our services, Boost Technology Ltd, operating under UK law, is the data controller responsible for Personal Data collected and processed in relation to Boost Services.
In addition, the Boost entity responsible for your data will depend on your location or applicable jurisdiction, as outlined below.
| Location of user | Name of entity | Location of entity |
|---|---|---|
| Global | Boost Technology Ltd | UK |
| Ghana | ConvyPlus Ltd | Ghana |
| Nigeria | Uwaya Gbemiga Ltd | Nigeria |
| South Africa | Kasi Stocka (Pty) Ltd | South Africa |
Who are Boost’s subprocessors?
Personal Data is initially processed by Boost Technology Ltd. This data may then be transferred to other Boost entities for storage and as necessary to provide our services. We define these entities as core subprocessors, since these are subprocessors that we cannot offer our services without. This list of core subprocessors is the same as the entities defined in the list of Boost entities above.
Additionally, Boost may use third-party subprocessors in order to provide our services. Transfers to third-party subprocessors are conducted under contract. Our current list of third-party subprocessors is defined below.
| Subprocessor | Service provided | Location of entity | Data processed |
|---|---|---|---|
| Amazon AWS | Cloud hosting | Ireland | All platform data |
| Google Cloud Platform | Geolocation APIs | Ireland | Personal Data necessary to provide geolocation functionality |
| Google Maps | Mapping | Ireland | Personal Data necessary to provide mapping functionality |
| Workspace business apps | Ireland | Personal Data necessary to provide customer sales and support | |
| Meta | WhatsApp Business API (via Twilio, Vonage) | USA | Personal Data necessary to provide WhatsApp functionality |
| Sentry | Error logging | USA | Personal Data if necessary to log errors |
| Substack | Email transmission | USA | Personal Data necessary to provide email newsletters |
| Twilio | Communication APIs, including SMS and WhatsApp | USA | Personal Data necessary to provide messaging functionality |
| Vonage | Communication APIs, including SMS and WhatsApp | USA | Personal Data necessary to provide messaging functionality |
What are your data controller activities?
- Providing the Boost products and services to Business Users, including determining the third parties (fulfilment or payment method providers) to be utilised;
- Monitoring, preventing and detecting fraudulent activity on the Boost platform;
- Complying with legal or regulatory obligations applicable to the business sectors to which Boost is subject, including compliance with know-your-customer obligations; and
- Analysing, developing and improving Boost’s products and services.
As a Business User, what notice should I provide to my End Customers about Boost?
Under the terms of our agreements, Business Users are required to provide all necessary notices and obtain all necessary rights and consents from their End Customers to enable Boost to lawfully collect, use, retain and disclose the Personal Data as part of the Boost Services. Business Users, as data controllers, are responsible for the contents of their privacy notice and cookie banner. As an example, here is a paragraph that you can consider adding to your privacy notice (if you don’t already have such a disclosure):
We use Boost for order processing, analytics, and other business services. Boost collects and processes personal data, including identifying information about the devices that connect to its services. Boost uses this information to operate and improve the services it provides to us. You can learn more about Boost and its processing activities at https://withboost.co/legal/privacy where you can also contact Boost directly.
Please be aware that the disclosure above is for illustrative purposes only and is not legal advice. Please talk to your legal advisor to understand how to comply with your obligations under applicable law.
To comply with our transparency obligations, we explain how our cookies are used in our Cookie Policy and set out the list of cookies used. We remind our Business Users to review the cookies placed on their website and to update their cookie banners accordingly.
Boost legal bases
What legal basis does Boost rely on to process personal data as a data controller?
We rely upon a number of legal grounds to enable our use of your Personal Data. In short, we use Personal Data to facilitate the business relationships we have with our Business Users, to comply with our financial regulatory and other legal obligations, and to pursue our legitimate business interests. We also use Personal Data to complete transactions and to provide commerce-related services to our Business Users.
Our table below provides a detailed overview of why and how we use your Personal Data. For the purposes of the General Data Protection Regulation (GDPR) and similar laws, we rely upon a number of legal bases to enable our processing of your Personal Data.
End Customers
When you do business with, or otherwise transact with, a Business User (typically a distributor using Boost Services, e.g. when you buy stock from a distributor that uses Boost for order processing) but are not directly doing business with Boost, we refer to you as an “End Customer.”
| Processing purpose | Categories of personal data | Legal bases |
|---|---|---|
| Provide our Services to Business Users, including to process orders and transactions. If you are an End Customer, when you place orders with or otherwise transact with a Business User through Boost’s Services, Boost will receive your transaction information. Depending on how the Business User has integrated our Business Services, we may receive this information directly from you, the Business User or another service provider to you or the Business User. |
Transaction information. This includes: name, phone number, email address, billing and/or shipping address, payment method information (such as credit or debit card number, bank account information or mobile money number), tax-related information, distributor and location, purchase amount, date of purchase, and information about what you have purchased. | Our legitimate interests in providing the Boost products and services. Boost processes this personal data given its legitimate interest in improving the Services and where it is necessary for the adequate performance of the contract with the Business Users. |
| Provide our Services to Business Users in order to offer payment methods on a per-customer basis on behalf of the Business User or to implement limits set by the Business User. | Verification Information. Information about you being the person who is authorised to use a payment method. The information collected will be the information that you choose to share for these purposes, which may include your government ID, your photo, and Personal Data apparent from the payment method (e.g. credit or debit card or mobile money number). |
Our legal obligations in respect of our financial and regulatory obligations. |
| Reduce fraud and enhance security. We will use Personal Data about your identity, including information that you provide, to perform verification Services for Boost or for the Business Users that you are doing business with and to reduce fraud and enhance security. | Transaction information, as above. Signals collected via your browser. This includes web browsing information, usage data, referring URLs, location, cookies data, device data and identifiers. IP address and physical address. |
Based on consent in processing this personal information. Our legitimate interests in detecting, monitoring and preventing fraud and unauthorised payment transactions. |
| Compliance and Harm Prevention. We share Personal Data as we believe necessary: (i) to comply with applicable law, (ii) to comply with rules imposed by payment method in connection with use of that payment method; (iii) to enforce our contractual rights; (iv) to secure or protect the Services, rights, privacy, safety and property of Boost, you or others, including against other malicious or fraudulent activity and security incidents; and (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence. | Any Personal Data we process. | Our legal obligations where disclosures are necessary to comply with our legal obligations. Our legitimate interest in keeping Boost secure, preventing a breach of the law, harm or crime, enforcing or defending legal rights, claims, or obligations and prevention of fraud or preventing loss or damage. |
Representatives
When you are acting on behalf of an existing or potential Business User (e.g. you are a founder of a company, or administering an account for a distributor who is a Business User), we refer to you as a “Representative.”
| Processing purpose | Categories of personal data | Legal bases |
|---|---|---|
| Reduce fraud and enhance security. We will use Personal Data about your identity, including information that you provide, to perform verification Services for Boost or for the Business Users that you are doing business with and to reduce fraud and enhance security. | Transaction information, as above. Signals collected via your browser. This includes web browsing information, usage data, referring URLs, location, cookies data, device data and identifiers. IP address and physical address. |
Based on consent in processing this personal information. Our legitimate interests in detecting, monitoring and preventing fraud and unauthorised payment transactions. |
| Compliance and Harm Prevention. We share Personal Data as we believe necessary: (i) to comply with applicable law, (ii) to comply with rules imposed by payment method in connection with use of that payment method; (iii) to enforce our contractual rights; (iv) to secure or protect the Services, rights, privacy, safety and property of Boost, you or others, including against other malicious or fraudulent activity and security incidents; and (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence. | Any Personal Data we process. | Our legal obligations where disclosures are necessary to comply with our legal obligations. Our legitimate interest in keeping Boost secure, preventing a breach of the law, harm or crime, enforcing or defending legal rights, claims, or obligations and prevention of fraud or preventing loss or damage. |
Visitors
When you visit a Site without being logged into a Boost account or otherwise communicate with Boost, we refer to you as a “Visitor” (e.g. you send Boost a message asking for more information because you are considering being a user of our products).
| Processing purpose | Categories of personal data | Legal bases |
|---|---|---|
| Communications. We use any contact information that you provide to us to respond to any inquiries or requests for information you made; and if you have asked about us or our Services, to send you marketing emails by either asking for your consent or providing you an opt out in any messages we send. | Contact information such as your name, email address, phone number. Information you have provided to us, such as the products you are interested in. |
Based on consent in processing this personal information. Our legitimate interests in responding to inquiries, sending Service notices and providing customer support. |
| Advertising. When you visit our Sites, we (and our service providers) may use Personal Data collected from you and your device to target advertisements for Boost Services to you on our Sites and other sites you visit (“interest-based advertising”). | Information collected from cookies such as your device, browser ID, and pages on our website which you have visited. | Based on consent in processing this personal information. Our legitimate interest in undertaking marketing activities to offer you products or services that may be of interest to you. |
| Fraud Detection. We use your Personal Data collected across our Services to detect and prevent fraud against Boost, our Business Users and partners. | Signals collected via your browser. This includes web browsing information, usage data, referring URLs, location, cookies data, device data and identifiers. | Our legitimate interest in keeping Boost secure, preventing a breach of the law, harm or crime, enforcing or defending legal rights, claims, or obligations and prevention of fraud or preventing loss or damage. |