Privacy Policy

Version 2.0.0 · Last updated May 5, 2026

This Privacy Policy (the “Policy”) describes how Boost Run, Inc. (“Boost Run,” “we,” “our,” or “us”) collects, uses, discloses, retains, and safeguards information in connection with your access to and use of our websites at boostrun.com and its sub-domains (the “Sites”), our customer-facing platform and API used to view, configure, and rent Equipment (the “Platform”), and any related products, software, hardware, and informational or promotional content (collectively with the Sites and Platform, the “Services”).

This Policy is part of, and incorporated by reference into, our Terms of Service and Security Policy. By accessing or using the Services, you agree to the practices described in this Policy. If you do not agree, please do not access or use the Services.

This Policy does not govern Customer Content. Customer Content is the data, models, code, datasets, files, prompts, outputs, and other materials that you, your employees, or your end users transmit to, store on, or process using Equipment you rent from Boost Run. We process Customer Content as a service provider or processor on your behalf and only in accordance with our Terms of Service and any applicable Data Processing Addendum (“DPA”) we have signed with you. If you are an individual whose personal information has been provided to Boost Run by a customer, please contact that customer directly to exercise your rights with respect to that information.

This Policy also does not apply to: (i) products, services, or content provided by third parties, even when accessed through our Sites or integrated with the Services, which are governed by their own privacy policies; or (ii) job applicants, where a separate applicant-privacy notice may be provided at the time of application.

Capitalized terms not defined in this Policy have the meanings given to them in our Terms of Service. The following definitions apply throughout this Policy:

  • Boost Run, Inc. — referred to as “Boost Run,” “we,” “us,” or “our.”
  • User — a person or legal entity that accesses or uses the Services. Also referred to as “you” or “your.”
  • Equipment — GPU servers, CPU servers, storage servers, and other AI accelerator and infrastructure devices made available through the Platform.
  • Platform — the web user interface and API that allow a User to view, configure, provision, and rent Equipment.
  • Services — the Sites, the Platform, the Equipment, and all related Boost Run hardware, software infrastructure, and informational or promotional content.
  • Account — a User account on the Platform that grants permission to view pricing and inventory and to configure and rent Equipment.
  • Customer Content — data, models, code, datasets, files, prompts, outputs, and other materials transmitted to, stored on, or processed using Equipment by or on behalf of a User.
  • Personal Information — information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. For European, United Kingdom, Swiss, and Brazilian residents, “Personal Information” is used interchangeably with “personal data” as defined under the EU and UK General Data Protection Regulations (collectively, the “GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and Brazil’s General Personal Data Protection Act (“LGPD”), as applicable.
  • Platform Telemetry — metadata generated by the operation of the Platform and Equipment, such as authentication events, API call metadata, configuration choices, instance and cluster lifecycle events, billing and usage metrics, and system-level performance and health metrics. Platform Telemetry does not include the contents of Customer Content.

Boost Run plays two distinct roles with respect to Personal Information.

Boost Run as Controller. When you visit our Sites, request information, sign up for an Account, communicate with us, apply for a position, or otherwise interact with us directly, Boost Run determines the purposes and means of processing your Personal Information. In these contexts, Boost Run is the controller (or, under U.S. law, the “business”) of that Personal Information, and this Policy describes our practices.

Boost Run as Processor. When you, as a customer, use rented Equipment to process Customer Content, including any Personal Information that you or your end users choose to load onto, transmit through, or generate using that Equipment, Boost Run acts as a processor (or, under U.S. law, a “service provider”) on your behalf. We process that Customer Content only in accordance with our Terms of Service, your written instructions, and any applicable DPA. This Policy does not describe our processing of Customer Content.

Third-party data you submit. If you provide Personal Information about another person or entity (for example, when adding a colleague to your Account, providing a billing or technical contact, or registering a colleague for an event), you represent and warrant that you have the authority and any necessary consents to do so and to permit Boost Run to process that information as described in this Policy.

We collect Personal Information in three primary ways: information you provide directly to us, information we collect automatically when you use the Services, and information we receive from third parties.

  • Account and registration information. Full name, business or company name, job title, industry, country, email address, postal address, phone number, login credentials, and any other information you submit during registration.
  • Third-party authentication. If you choose to sign in using a third-party identity provider (such as Google or GitHub), you authorize us to receive, store, and use the information that you have permitted that provider to share with us, which may include your name, email address, and profile picture.
  • Order, billing, and payment information. Billing contact details, billing address, tax/VAT identification information where required for invoicing, purchase order numbers, transaction records (dates, amounts, invoice or order numbers, and payment status), and limited payment-card metadata. Full payment-card numbers are collected and processed by our third-party payment processors and are not stored by Boost Run.
  • Verification and compliance information (KYC). To comply with our legal and regulatory obligations applicable to providing AI compute services, we may ask you to submit information needed to verify your identity, conduct sanctions and export-control screening, and detect or prevent fraud. This may include a partially obscured copy of a government-issued identification document showing only your photograph, full name, nationality, place and type of document, and the first four digits of the document number; beneficial-ownership information for business customers; and similar information.
  • Communications and support data. The contents of emails, support tickets, chat messages, web-form submissions, message-board posts, customer surveys, and feedback you send to us, together with any attachments and any account or contact information you include.
  • Career applications. If you apply for a position with Boost Run, we may collect your résumé/CV, education and employment history, professional certifications, references, work-authorization information, and any other information you choose to share.
  • Event and marketing information. Information you provide when you register for our events, webinars, or mailing lists, including your stated interests and preferences.

When you interact with the Sites, the Platform, or other Services, we (and service providers acting on our behalf) collect certain information automatically:

  • Device and connection information. IP address, device identifiers, browser type and version, operating system, language settings, and referring and exit URLs.
  • Usage data. Pages and features you view, the order of those views, dates and times of access, links you click, search queries on our Sites, session identifiers, and similar diagnostic information.
  • Platform Telemetry. As defined above, this includes user and resource identifiers, authentication events, API call metadata, configuration details, instance and cluster lifecycle events, operational status (including software errors and crash reports), quality and performance metrics (such as latency, throughput, and uptime), and billing and usage metrics (such as GPU-hours consumed, storage allocated, and network throughput).
  • Approximate location. We may infer the general geographic region of your device (for example, country and region) from your IP address and similar signals.
  • Cookies and similar technologies. Information collected through cookies, pixels, web beacons, local storage, and similar technologies, as further described in Section 9.

4.3 Information We Receive from Third Parties

We may receive Personal Information about you from third parties, including:

  • Identity, fraud-prevention, and compliance providers that help us verify your identity, screen against sanctions and export-control lists, and detect or prevent fraud or abuse.
  • Payment processors and resellers that share order, billing, and reconciliation information.
  • Marketing, analytics, and advertising partners that share campaign-attribution and engagement data.
  • Social-media platforms when you interact with our pages or content on those platforms or use social-login or sharing features.
  • Publicly available sources and business-information providers, where permitted by applicable law.

We do not intentionally collect sensitive Personal Information through the Services (such as government identifiers other than tax IDs, financial-account credentials, precise geolocation, biometric or genetic data, health data, or information revealing race, ethnicity, religion, political opinions, trade-union membership, or sexual orientation), and we ask that you not submit such information to us. Where we do process information that constitutes “sensitive personal information” under applicable law (for example, identity-document information collected for KYC purposes), we will do so only as necessary for the limited purpose for which it was collected and as permitted by law. Customer Content that contains sensitive Personal Information is the customer’s responsibility and is governed by our Terms of Service and any applicable DPA.

We use Personal Information for the following purposes.

  • Provide, operate, and maintain the Services, including creating and administering Accounts, provisioning Equipment, processing orders and payments, providing customer support, finalizing agreements, and delivering service-related communications such as security, billing, and account notices.
  • Verify identity and prevent abuse, including completing KYC checks; screening against applicable sanctions, export-control, and other restricted-party lists; investigating suspected fraud, abuse, or violations of our Acceptable Use Policy; and protecting Boost Run, our customers, and third parties from unauthorized transactions, claims, or other liabilities.
  • Secure the Services, including monitoring for, detecting, investigating, and responding to security incidents, vulnerabilities, denial-of-service activity, unauthorized access, malicious code, and other threats to the confidentiality, integrity, or availability of the Services.
  • Maintain reliability and availability, which may include limited replication of metadata across data centers different from your selected primary region in order to ensure low latency, fault tolerance, and disaster recovery for the Services.
  • Improve and develop the Services, including analyzing aggregated and de-identified usage and Platform Telemetry to monitor capacity and performance, improve reliability and efficiency, develop new features and configurations, produce internal reports and business intelligence, and forecast infrastructure needs. We do not use the contents of Customer Content to train, fine-tune, or improve any general machine-learning model.
  • Communicate with you about products and offers, including sending you information about new Equipment, configurations, capacity, and other Services that may be of interest, where permitted by applicable law and your communication preferences. You may opt out of marketing communications at any time as described in Section 10.
  • Comply with legal obligations, including responding to lawful requests from public authorities, courts, and regulators; complying with tax, accounting, audit, export-control, anti-money-laundering, and recordkeeping requirements; and exercising or defending legal claims.
  • Enforce our agreements, including our Terms of Service, Acceptable Use Policy, and other contractual or policy commitments.
  • Carry out corporate transactions, including in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, as further described in Section 7.
  • For any other purpose disclosed at the time of collection or with your consent.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the legal bases on which we rely to process your Personal Information are described below, with examples.

| Purpose of processing | Legal basis | Example |
| --- | --- | --- |
| Provide, operate, and maintain the Services; finalize and perform contracts with you | Performance of a contract (GDPR Art. 6(1)(b)) | Creating and administering your Account, provisioning Equipment you have rented, and charging your subscription fee |
| Marketing newsletters and promotional updates | Consent (GDPR Art. 6(1)(a)) | Sending a monthly Boost Run newsletter only after you have opted in |
| KYC, sanctions and export-control screening, anti-money-laundering, and tax recordkeeping | Legal obligation (GDPR Art. 6(1)(c)) | Verifying customer identity and screening against restricted-party lists before activating an Account |
| Security monitoring, fraud prevention, service improvement, business analytics, and direct B2B marketing where permitted | Legitimate interests (GDPR Art. 6(1)(f)) | Analyzing aggregated Platform Telemetry to forecast capacity and improve reliability |
| Processing of any sensitive Personal Information that you choose to provide to us | Explicit consent or another applicable derogation (GDPR Art. 9) | Limited processing of an identity-document image you submit for KYC |

In certain jurisdictions outside the EEA, local laws may require your explicit consent before we process your Personal Information. By using the Services, you agree to the processing of your Personal Information as outlined in this Policy. You may withdraw your consent at any time; withdrawal will not affect the lawfulness of any processing carried out before withdrawal.

6. Aggregated and De-Identified Information

We may create aggregated, anonymized, or de-identified information from Personal Information and Platform Telemetry. Once information has been aggregated, anonymized, or de-identified so that it cannot reasonably be linked to you, we may use and share it without restriction, for example, to publish industry benchmarks, capacity reports, security trend analyses, or research findings. We will maintain such information in a de-identified form and will not attempt to re-identify it except to test the effectiveness of our de-identification controls.

We do not sell Personal Information for monetary consideration. We may, however, share Personal Information in the following circumstances:

  • Within the Boost Run organization — with our affiliates and corporate group, where they support the Services or perform internal business functions consistent with this Policy.
  • With service providers and subprocessors — including data-center, hosting, networking, payment-processing, identity and fraud-prevention, customer-support, communications, analytics, marketing, recruiting, and professional-services providers that act on our behalf and are bound by appropriate confidentiality and data-protection obligations. A current list of subprocessors is maintained at trust.boostrun.com or available on request.
  • With business and channel partners — for example, resellers, distributors, and co-marketing partners, when you have engaged with us through one of those partners or have requested that we do so.
  • For legal, safety, and compliance reasons — when we believe in good faith that disclosure is required by law, legal process (such as a subpoena, court order, or governmental request), or applicable export-control, sanctions, or other regulatory obligations, or when disclosure is necessary to investigate or prevent fraud or abuse, enforce our agreements, defend against claims, or protect the rights, property, or safety of Boost Run, our customers, our personnel, or the public.
  • In connection with corporate transactions — to actual or prospective acquirers, investors, advisors, and their representatives in connection with a merger, acquisition, financing, reorganization, sale of all or a portion of our business or assets, bankruptcy, or similar transaction or due-diligence process. Any acquiring entity will be required to handle your Personal Information in a manner consistent with this Policy or as required by applicable law. Where a transaction will materially change how we process your Personal Information, we will notify you in advance.
  • With your direction or consent — to any other party at your direction or with your consent.

Boost Run is based in the United States, and the Services are operated from the United States. When you access or provide information to the Services, your Personal Information may be transferred to, stored in, and processed in the United States and in other countries where we, our affiliates, or our service providers operate. These countries may have data-protection laws that differ from those of your country of residence.

Where we transfer Personal Information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, we rely on appropriate safeguards, including:

  • the European Commission’s Standard Contractual Clauses (and their approved equivalents for the United Kingdom and Switzerland);
  • encryption of Personal Information in transit;
  • internal access controls and policies designed to limit and monitor access to Personal Information; and
  • other approved transfer mechanisms where applicable.

You may request a copy of the relevant safeguards by contacting us as described in Section 16.

Cookies are small text files placed on your device when you visit a website. We and our service providers use cookies, pixels, web beacons, local storage, and similar technologies (collectively, “Tracking Technologies”) to operate the Sites, recognize you when you return, remember your preferences, understand how the Sites are used, and support our marketing. We use both first-party Tracking Technologies (set by us) and third-party Tracking Technologies (set by our vetted partners).

We use the following categories of Tracking Technologies on our Sites:

  • Strictly necessary — required for the Sites and core Account functions to operate, including authentication, session management, and security. These cannot be disabled through our cookie controls.
  • Functional — remember your preferences (for example, language and region) and recognize you on return visits to provide a more consistent experience.
  • Analytics and performance — help us understand how the Sites are used so that we can measure and improve their performance, content, and design. We may use third-party analytics providers, such as Google Analytics, that set their own cookies and process information in accordance with their own privacy policies.
  • Marketing and advertising — collect information about your visit, such as the pages you view, the links you follow, and information about your browser, device, and IP address, and may be used by us or our advertising partners to deliver advertisements on our Sites or other sites that are more relevant to your interests.

Where required by applicable law, we collect Marketing and Analytics Tracking Technologies based on consent obtained through our cookie banner. You may modify or withdraw that consent at any time using the “Manage Cookies” control on our Sites. You can also control Tracking Technologies through your browser settings, which generally allow you to refuse some or all cookies or to be notified before a cookie is set. If you disable cookies, some features of the Sites may not function as intended.

Some browsers transmit “Do Not Track” or similar signals. Because there is no commonly agreed standard for interpreting these signals, our Sites do not currently respond to them. Where required by applicable law, we will honor recognized opt-out preference signals, such as the Global Privacy Control (GPC), as a request to opt out of “sales” and “sharing” of Personal Information for cross-context behavioral advertising on the browser used to send the signal.

We may send you marketing communications about our Services, events, and other content that may interest you. You can unsubscribe at any time by following the unsubscribe instructions included in those messages or by contacting us as described in Section 16. You cannot opt out of service-related communications (such as billing, security, and account notices), which are necessary for us to provide the Services.

We retain Personal Information only for as long as is reasonably necessary for the purposes for which it was collected, including:

  • for the duration of your Account and any active relationship with us;
  • to comply with our legal, tax, accounting, audit, sanctions, export-control, and anti-money-laundering obligations;
  • to resolve disputes and enforce our agreements; and
  • for legitimate business purposes such as security, fraud prevention, and recordkeeping.

Specific retention periods. We will dispose of customer Personal Information within thirty (30) days following a verified deletion request from a current or former customer, or otherwise in accordance with the customer’s agreement(s) with Boost Run, except where we are required by law, regulation, or legitimate business need to retain certain information for a longer period. Where we process partially obscured copies of an identity document for KYC purposes, we retain those copies for up to eighteen (18) months following collection in order to support our annual audits, and we then dispose of them in accordance with this Policy.

Our data-center, hosting, and infrastructure providers are responsible for ensuring secure removal of data from storage media allocated to Boost Run before such media are repurposed and for the secure destruction of decommissioned hardware in accordance with industry-standard practices. Aggregated, anonymized, or de-identified information may be retained without time limit as described in Section 6.

We maintain a written information-security program with technical, administrative, and physical safeguards designed to protect Personal Information against unauthorized access, use, disclosure, alteration, loss, and destruction. These safeguards are described in more detail in our Security Policy and our Trust Center.

Shared responsibility. Cloud infrastructure security is a shared responsibility. Boost Run is responsible for the security of the underlying Equipment, network, and Platform that we provide. You are responsible for security in the Platform: your Account credentials and authentication settings, the workloads and Customer Content you run on the Equipment, your access controls and configurations, your encryption-key management above the Platform layer where applicable, and your compliance with applicable law for the data you process.

No system or method of transmission over the internet or storage is completely secure, and we cannot guarantee the absolute security of your Personal Information. Email sent to us may not be secure, and you should use special care in deciding what information to send via email (and please do not send us sensitive information such as full payment-card numbers or government-issued identification numbers via unencrypted email). To report a security concern or suspected vulnerability, please contact us at incidents@boostrun.com.

The Services are intended for businesses and adult professional users. We do not knowingly collect Personal Information from children under sixteen (16) years of age (or any higher age threshold required by applicable law). If we become aware that we have collected Personal Information from a child without verified parental consent, we will take reasonable steps to delete that information. If you are a parent or guardian and believe that a child has provided Personal Information to us, please contact us as described in Section 16.

Depending on where you live, you may have certain rights with respect to the Personal Information we hold about you. We honor these rights in accordance with applicable law and may need to verify your identity before responding to a request. We will not discriminate against you for exercising these rights.

Subject to applicable law, you may have the following rights:

  • Right to access — to request confirmation that we process your Personal Information and a copy of that information. We may charge a reasonable fee where permitted by applicable law.
  • Right to rectification — to request that we correct inaccurate or incomplete Personal Information.
  • Right to erasure — to request that we delete your Personal Information, subject to certain conditions and exceptions.
  • Right to restrict processing — to request that we restrict the processing of your Personal Information in certain circumstances.
  • Right to object — to object to our processing of your Personal Information based on legitimate interests or for direct marketing. We will stop processing for direct marketing on request and will stop other objected processing unless we have compelling legitimate grounds.
  • Right to data portability — to request that we transfer your Personal Information to another organization or to you, where technically feasible.
  • Right to withdraw consent — where we rely on your consent, to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to appeal — if we deny a privacy-rights request, to appeal that decision in jurisdictions where appeal rights apply.

To exercise any of these rights, please contact us at the address in Section 16. We will acknowledge your request and respond within the timeframes required by applicable law (and in any event no later than thirty (30) days from receipt of a verified request, unless an extension is permitted by law). By submitting a request you confirm that you are the individual to whom the data relates, or that you are authorized to act on that individual’s behalf, and we may ask you to provide information to verify your identity.

14.2 Automated Decision-Making and Profiling

Boost Run does not engage in profiling that produces legal or similarly significant effects on consumers, as those terms are defined under U.S. state privacy laws. We may use automated tools to help determine whether a transaction or Account presents a fraud, sanctions, or export-control risk. In jurisdictions where applicable law gives you the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, you may request human review of such a decision by contacting us as described in Section 16.

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), including:

  • Right to know what categories and specific pieces of Personal Information we have collected, the categories of sources, the purposes for collection, the categories of third parties with whom we share Personal Information, and the categories of Personal Information sold or shared for cross-context behavioral advertising.
  • Right to delete Personal Information we have collected from you, subject to certain exceptions.
  • Right to correct inaccurate Personal Information we maintain about you.
  • Right to opt out of “sales” and “sharing” of Personal Information for cross-context behavioral advertising. We do not sell Personal Information for monetary consideration. To the extent that any sharing for cross-context behavioral advertising constitutes a “sale” or “sharing” under California law, you may opt out using the cookie-preference controls on our Sites or by sending a recognized opt-out preference signal such as the Global Privacy Control.
  • Right to limit use and disclosure of sensitive personal information as defined by the CCPA.
  • Right to non-discrimination for exercising any of your CCPA rights.

California residents may also have rights under the “Shine the Light” law (Cal. Civ. Code § 1798.83) to request information once per year about disclosures of Personal Information to third parties for those third parties’ direct marketing purposes.

Authorized agents may submit verifiable requests on your behalf. We will require written proof of authorization, may contact you to confirm the agent’s authority, and will independently verify your identity. We do not knowingly sell or share the Personal Information of consumers under sixteen (16) years of age.

Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia, and other U.S. states with comprehensive consumer-privacy laws may have rights similar to those described in Section 14.3, including:

  • Right to confirm whether we are processing your Personal Information.
  • Right to access or obtain a copy of your Personal Information.
  • Right to correct inaccurate Personal Information.
  • Right to delete Personal Information, subject to applicable exceptions.
  • Right to data portability in a commonly used format, where technically feasible.
  • Right to opt out of targeted advertising, the sale of Personal Information, and certain profiling, as applicable under your state’s law.
  • Right to appeal our denial of a rights request, where required by your state’s law.

Where required by applicable state law, we will conduct data-protection assessments for processing activities that present a heightened risk of harm to consumers.

14.5 Residents of the EEA, the UK, Switzerland, and Brazil

If you are located in the European Economic Area, the United Kingdom, Switzerland, or Brazil, you have the rights described in Section 14.1 above and the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement. The legal bases on which we rely are described in Section 5.1.

If you have a disability and cannot access this Policy online, please contact us using the details in Section 16 to request a copy in an alternative, more accessible format. We will not collect or process any health-related or other sensitive Personal Information in connection with such a request.

If you have any questions, comments, or complaints about this Policy or our privacy practices, or if you would like to exercise any of your rights, please contact us at:

Email: incidents@boostrun.com
Data Protection Officer: Harry Georgakopoulos

We will acknowledge your inquiry and respond within the timeframes required by applicable law. We may need to verify your identity before responding.

17. How to Contact a Supervisory Authority

If you are not satisfied with our response to a complaint or believe that we have not addressed your concern adequately, you may have the right to lodge a complaint with the appropriate supervisory authority.

  • United States: Federal Trade Commission, 1-877-382-4357, ftc.gov.
  • California: California Privacy Protection Agency, cppa.ca.gov.
  • European Economic Area, United Kingdom, and Switzerland: the data-protection authority of your country of residence, place of work, or place of the alleged infringement (a list of EEA authorities is available at edpb.europa.eu).
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD).

Our Services may contain links to, or integrations with, websites, products, or services operated by third parties. We are not responsible for the privacy practices or content of those third parties, and the inclusion of a link or integration is not an endorsement of any third party. We encourage you to review the privacy policies of any third party before providing them with any information.

We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top of this Policy and post the updated Policy on our Sites. Where required by applicable law, we will provide additional notice of material changes (for example, by email or by posting a prominent notice on our Sites). A version history is also maintained at boostrun.com/changelog. Your continued use of the Services after an update becomes effective constitutes your acceptance of the revised Policy.