HydroBoa Privacy Policy

Version: 1.0 · Effective: April 2026 · Last updated: 3 July 2026

In short: We collect the data needed to run your account, execute your models, and secure the Platform. We do not sell your data, and we do not use your files or models to train AI. Your project files stay private unless you ask us to look at them for support. You have rights over your data, and you can contact us at privacy@hydroboa.com to exercise them.

This Privacy Policy explains how HydroBoa collects, uses, stores, processes, and protects information when you use the HydroBoa ecosystem — cloud services, desktop and web applications, APIs, mobile applications, plugins, and associated infrastructure (collectively, the "Platform").

Data controller. The controller of your personal data is HydroBoa Ltd, Kathmandu, Nepal. Contact: privacy@hydroboa.com.

EU / UK representatives. HydroBoa Ltd is established in Nepal, outside the EEA and the UK. Where Article 27 of the GDPR or UK GDPR requires it because we offer services to individuals in those regions, we will appoint EU and UK representatives and name them here. Until then, individuals in the EEA and the UK may contact us directly at privacy@hydroboa.com for any data-protection matter.

This Policy should be read together with our Terms of Service and Support Access Consent Policy.


1. Information We Collect

1.1 Account Information

When you create an account, we may collect your name, email address, organization name, billing information (processed by our payment provider — see Section 4), and authentication credentials.

1.2 Project and Model Data

We may collect and store the models, project files, simulation inputs and outputs, logs, configuration files, version histories, and asset metadata you upload or generate. This data remains owned by you, and we access it only as described in Section 3.

1.3 Usage Data

We may collect technical information such as device information, operating system, browser type, API usage, compute consumption, error logs, crash reports, and session diagnostics, to operate, secure, and improve the Platform.

1.4 Cloud Execution Metadata

When simulations run on HydroBoa cloud infrastructure, we may collect execution duration, resource consumption, solver logs, runtime diagnostics, failure traces, and container metadata, for service delivery, billing, and debugging.


Where the GDPR or UK GDPR applies, we process personal data on these bases:

  • Performance of a contract — creating and managing your account, running simulations, storing your files, and processing payments.
  • Legitimate interests — securing the Platform and preventing fraud and abuse (including via reCAPTCHA Enterprise and App Check), diagnosing failures, and improving the service. Where we rely on legitimate interests, we balance them against your rights, and you may object (see Section 8).
  • Legal obligation — tax, accounting, and responding to lawful requests.
  • Consent — only where we ask for it, such as non-essential cookies or optional marketing. You may withdraw consent at any time.

3. How We Use Information

We use collected information to provide Platform functionality, execute simulations, store project assets, maintain version histories, improve performance, diagnose failures, deliver support, secure infrastructure, process payments, and enforce our Terms.

We do not sell your personal data. We do not use your project files, models, inputs, or outputs to train HydroBoa's or any third party's AI models.


4. File Access and Support Authorization

HydroBoa respects the confidentiality of your engineering and project files. By default, HydroBoa personnel do not access your project files, and your files remain private to your account and authorized collaborators.

Our staff may access your files only with your explicit authorization for a support request, limited to what is needed to resolve the issue. The full terms — including how consent is given and revoked — are set out in the Support Access Consent Policy at https://hydroboa.com/legal/support-access, which is the single source of truth for support access.


5. Sub-Processors and Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the service providers necessary to operate the Platform, and with legal authorities where required by law. Our current sub-processors are:

Sub-processorPurposeData involved
Google LLC / Google Cloud & FirebaseAuthentication, database, cloud compute, and storage (Firebase Auth, Firestore, Cloud Run, Cloud Storage)Account data, project data, usage and execution metadata
Google reCAPTCHA Enterprise & Firebase App CheckBot, fraud, and abuse preventionIP address, device and browser signals, and interaction data, shared with Google for this purpose
Paddle.com Market LimitedMerchant of Record — payment processing, tax, invoicing, and billingName, email, billing and transaction data (Paddle acts as an independent controller for payment data)

A current list is maintained at https://hydroboa.com/legal/subprocessors. Third-party providers are limited to the access necessary to perform their function, and are bound by contract to protect your data.


6. Third-Party Model Engines

HydroBoa integrates external computational engines such as SWMM, EPANET, and HEC-RAS. We pass the model data necessary for execution into these engines, which run on HydroBoa's cloud infrastructure. Attribution and license notices are published at https://hydroboa.com/legal/oss-attributions. See the Terms of Service, Sections 6 and 8, for how engines are operated.


7. International Data Transfers

HydroBoa and its sub-processors (including Google Cloud) may process data outside your country, including outside the EEA and the UK.

Where personal data is transferred out of the EEA or the UK, we rely on an appropriate safeguard, namely: the EU–U.S. Data Privacy Framework where the importer is certified; and/or the EU Standard Contractual Clauses (2021/914) together with the UK International Data Transfer Addendum (IDTA), with supplementary measures such as encryption and access controls. We do not rely on your consent as the transfer mechanism. You may request a copy of the relevant safeguards at privacy@hydroboa.com.


8. Your Rights

Subject to applicable law (including the GDPR, UK GDPR, and other regional laws), you may:

  • Access the personal data we hold about you;
  • Correct inaccurate data;
  • Delete your data ("right to erasure");
  • Export / port your data;
  • Restrict or object to processing, including processing based on legitimate interests and any direct marketing;
  • Withdraw consent where processing is based on consent; and
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (our AI features are advisory, not solely-automated decisions).

To exercise these rights, contact privacy@hydroboa.com. We will verify your identity and respond within one month (extendable by two months for complex requests, with notice). Exercising your rights is free unless a request is manifestly unfounded or excessive.

Right to complain. You may lodge a complaint with your local data protection supervisory authority (for example, the UK Information Commissioner's Office, or your EEA member-state authority). We ask that you contact us first so we can try to resolve your concern.

8.1 U.S. State Privacy Rights (California and others)

If you are a resident of California or another U.S. state with a comprehensive privacy law, you have the right to know, access, correct, and delete your personal information, and to be free from discrimination for exercising these rights.

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA). We do not use or disclose sensitive personal information beyond the purposes permitted without a right to limit. Where any configuration could constitute a "sale" or "share," we honor opt-out preference signals such as Global Privacy Control. To exercise these rights, contact privacy@hydroboa.com.


9. Cookies and Similar Technologies

We use cookies and similar technologies in these categories:

  • Strictly necessary — authentication and session (Firebase Auth) and integrity (App Check). These are required for the Platform to function.
  • Security — abuse and fraud prevention (reCAPTCHA Enterprise), which shares signals with Google as described in Section 5.
  • Analytics / preferences — we currently use no third-party advertising or analytics cookies. If this changes, we will update this section and, where consent is required, request it before setting such cookies.

In the EEA and UK, non-essential technologies are set only after you consent through our cookie banner, and you can change your choices at any time via "Cookie Settings."


10. Data Storage and Retention

We store project data on secure infrastructure and retain personal data only as long as necessary for the purposes described here:

CategoryRetention
Account dataFor the life of your account, then deleted within 90 days of account closure
Project files, models, outputsUntil you delete them; purged from live systems within 30 days and from backups within 90 days
Logs and diagnosticsApproximately 90 days
Billing and tax recordsAs required by law (typically ~7 years)
Support-access copiesDeleted on resolution of the support issue (see the Support Access Consent Policy)

You may delete projects at any time, subject to backup retention cycles above.


11. Security

We use reasonable technical and organizational safeguards, including encryption in transit, access controls, authentication systems, infrastructure isolation, audit logging, and role-based permissions. No system is completely secure, and you are responsible for securing your own credentials.

Breach notification. If a personal-data breach occurs, we will notify the competent supervisory authority within 72 hours where required (GDPR Art. 33), and affected users without undue delay where the breach is likely to result in a high risk to their rights (Art. 34). We require our sub-processors to notify us of breaches without undue delay.


12. AI-Assisted Features

Our AI-assisted features (model preparation, diagnostics, and optimization assistance) process portions of your Content solely to generate outputs for you. We do not use your Content to train HydroBoa's or any third party's AI models. Where an AI feature uses a third-party AI provider, that provider is a sub-processor bound not to retain your Content or use it for training, and is transferred under the safeguards in Section 7. AI outputs are advisory only (see Terms of Service, Sections 10 and 15A).


13. Enterprise and Confidential Projects

Enterprise users may request dedicated infrastructure, custom retention policies, non-disclosure agreements, isolated execution environments, and restricted support workflows. A separate written agreement may modify this Policy for those users; where it does, it controls to the extent of any conflict for those users.


14. Changes to This Policy

We may update this Policy from time to time. For material changes, we will provide notice (by email or in-app) and update the "Last updated" date above. Continued use after the effective date constitutes acceptance, to the extent permitted by law.


15. Contact

For privacy inquiries or to exercise your rights:

HydroBoa — Privacy Email: privacy@hydroboa.com Website: https://hydroboa.com

By using HydroBoa, you acknowledge that you have read and understood this Privacy Policy.

© 2026 HydroBOA. All rights reserved.

Capabilities

Professional SWMM online modeling & stormwater analysis

EPANET web-based simulation for water distribution

HEC-RAS cloud execution for river hydraulics

Browser-based flood optimization & model calibration

PWA-enabled hydraulic engineering workflows

Native EPA-SWMM 5.2.4 & EPANET 2.3 engine support