Boei is GDPR-first by design, EU-hosted on Hetzner (Nuremberg, Germany), and ships a signed Data Processing Agreement on every paid plan, including the $19/mo Starter tier. This page is the single source of truth for how we handle your data, who we share it with, and where we honestly cannot help yet.
17,000+
Businesses use Boei
EU/EEA
Primary hosting (Hetzner, Nuremberg)
Free
DPA on every paid plan
30 days
Advance notice on subprocessor changes
Most chatbot vendors bury their DPA behind an enterprise sales call, hide their subprocessor list, and slap a HIPAA logo on the homepage without signing a Business Associate Agreement. That may look reassuring, but it fails the first procurement review at any regulated buyer.
Boei takes the opposite approach: everything on this page is verifiable in one click, our DPA is free on every paid plan, and where we cannot honestly claim a certification (HIPAA is the big one), we say so in plain English.
The rest of this page walks through the five things procurement and privacy teams actually ask about: GDPR, our Data Processing Agreement, subprocessors, EU data residency, and our honest HIPAA stance.
One card per topic. Every claim links back to its source-of-truth page.
EU/EEA hosting, data-subject rights (access, erasure, portability, export) exposed in the dashboard, configurable retention windows, and cookie-less analytics on our own marketing site (Plausible).
The Boei Data Processing Agreement is a public document. Sign it via /data-processing-agreement/ or your procurement can request a mutually countersigned copy. No enterprise-only gating.
Every third party that processes personal data on your behalf is listed on /legal/subprocessors/ with registered office, purpose, and processing region. Additions get 30 days advance notice.
Primary application servers, database, and backups run on Hetzner Online GmbH in Nuremberg, Germany. Static assets sit in AWS S3 EU-West (Ireland). No US region processing by default for Controller data.
We do NOT hold a HIPAA certification and do NOT sign BAAs at standard tiers. For non-PHI scheduling and FAQ the widget works fine; for chatbot-mediated PHI, contact us before onboarding.
Every conversation is logged and exportable. Your admin can review AI answers, correct patterns, tune escalation, and satisfy internal audit trails without a support ticket.
Boei is a GDPR data processor for the personal data your visitors submit through the chatbot widget (name, email, phone, message content). You (the site owner) are the controller. We invest continuously in maintaining GDPR compliance and helping you comply with the framework you owe your users.
Full detail is on the Security page.
Boei's Data Processing Agreement is a public, standalone document. You do not need to be on a specific tier, hit a seat threshold, or talk to sales to get one. The DPA is live at /data-processing-agreement/ and by using the Service under a paid subscription you are already covered by it.
The DPA references our subprocessors page as Annex 1, so any new subprocessor is automatically covered by the same agreement (with the 30-day advance-notice mechanism preserving your right to object).
The authoritative list lives at /legal/subprocessors/ and is versioned via our legal changelog. Here is a snapshot as of 2026-04-17 grouped by purpose so you can see the scope at a glance:
The AI model your chatbot actually uses depends on your account settings. EU-only setups can pin Mistral and never touch a US-region provider for LLM inference.
If a subprocessor changes we post it to /legal/subprocessors/ at least 30 days in advance and notify DPA-holding customers per the agreement.
Boei production services run on Hetzner Online GmbH infrastructure in Nuremberg, Germany. All Controller personal data processed by the Service is stored inside the EU/EEA. Backups sit on a separate Hetzner Storage Box, also in Nuremberg, and are retained up to 90 days.
Hetzner's data centers are ISO/IEC 27001 certified and operate with 24/7 on-site staff, video surveillance, biometric and multi-factor access control, redundant power and cooling, and fire suppression.
Static assets served alongside the widget (images uploaded through the admin) sit in the EU-West (Ireland) region of AWS S3 via Amazon Web Services EMEA SARL, with server-side encryption enabled.
Public-facing traffic to boei.help, app.boei.help, and the widget is served through Cloudflare's global edge (EU-first routing where available). Cloudflare processes minimal metadata (IP for routing, TLS termination) - it does not persist Controller personal data.
For teams that need to point to a specific procurement checklist item: this configuration satisfies the standard EU/EEA data-residency requirement most European public-sector and healthcare procurement bodies apply.
Boei is not currently HIPAA-certified and does not sign Business Associate Agreements at standard tiers. Some competitor sites display a HIPAA badge without ever signing a BAA, which is misleading. We prefer to be direct.
See /for/healthcare/ for the vertical write-up aimed at clinics evaluating Boei.
The compliance-posture questions procurement actually asks.
Start the 7-day free trial (no credit card) or send our compliance stance to your privacy team first.