Privacy Policy

Last updated: 2026-04-19 (rev 5 — slow-follow legal additions)

1. Who we are

Boogie is a native JMAP email and calendar client published by KTP Digital Pty Ltd (ABN 85 648 755 980, ACN 648 755 980), an Australian private company registered in Victoria, Australia, and GST-registered. In this policy, "KTP Digital", "we", "us", and "our" all refer to KTP Digital Pty Ltd. Contact: support@boogie.digital.

Boogie runs on macOS, iOS, iPadOS, watchOS, and Android (beta).

2. What data the Boogie app processes

Boogie is a client. It connects directly from your device to a JMAP-compatible mail server that you choose (Stalwart Mail Server you host yourself, Fastmail, or any other RFC 8620-compliant server). Your email, calendar events, attachments, and contacts flow between your device and that server. They do not pass through KTP Digital or boogie.digital infrastructure.

Data the app processes on your device (locally, not transmitted to KTP Digital):

• Account credentials — stored in the platform Keychain (macOS/iOS) or Android Keystore with hardware-backed encryption. Synchronised across your own Apple devices via iCloud Keychain if you have that enabled.
• Cached email, calendar, contacts — stored in a local SQLite (GRDB) database in the app's sandbox on your device. Deleted when you delete the app.
• Spotlight / search index — up to 10,000 recent emails indexed into the operating system search (Spotlight on macOS/iOS). This is a local system index; it is not transmitted anywhere.
• Draft messages, scheduled sends, templates, signatures — stored locally until you send, discard, or delete them.

2A. Subscription and purchase data

When you purchase a subscription or lifetime licence through the App Store or Google Play, Apple or Google share transaction data with KTP Digital, including: transaction identifier, product purchased, purchase date, subscription status, and an anonymised account identifier. We use this data solely to verify your entitlement and manage your subscription. We do not correlate it with your email content (which we never receive). We retain this data for the duration of your subscription plus 24 months for refund and dispute resolution. It is not used for marketing or profiling.

3. What boogie.digital (this website) logs

The website boogie.digital is a separate service from the Boogie app. When you visit the website, standard web server logs record:

• IP address (used to derive approximate country for traffic analytics, then stored with the log entry)
• User-Agent string (browser, operating system)
• Requested URL and HTTP referrer
• Timestamp

These logs are retained for up to 90 days. They are used for traffic analytics and security (bot detection, abuse mitigation). They are not shared with third parties and are not correlated with any Boogie app identity.

A session cookie (PHPSESSID) is set only on requests to the administration area (/admin/) and to API endpoints (/api/) that require session state. Informational pages (the home page, this privacy policy, terms, pricing, and downloads) do not set any cookie. When set, PHPSESSID is used solely to maintain authenticated administrator state or to prevent duplicate form submissions, is marked Secure, HttpOnly, and SameSite=Lax, expires after 24 hours of inactivity, and does not track you across visits. This narrow scope is designed to satisfy the "strictly necessary" carve-out of the EU ePrivacy Directive 2002/58/EC without requiring a consent banner.

4. Third-party services used by the app

Boogie deliberately minimises third-party dependencies. The ones it does use:

• Apple iCloud Keychain (macOS, iOS, watchOS) — used to sync account credentials between your own Apple devices. Governed by Apple's privacy policy.
• Apple Push Notification Service (iOS, watchOS) — may be used by your JMAP server to deliver new-mail notifications to your device. Governed by your server operator's policies and Apple's privacy policy. Your email content does not pass through APNs.
• Android Keystore / Google Play Services (Android) — used for credential storage and (when applicable) for push notifications. Governed by Google's privacy policy.
• Sparkle Project (macOS direct-download builds) — Sparkle is the open-source auto-update framework. When the app checks for updates, your IP address and User-Agent are logged by the update-serving web server (boogie.digital). See §3.

Boogie does not use Google Analytics, Firebase Analytics, Crashlytics, Sentry, AdMob, Facebook SDK, or any advertising or analytics SDK.

5. Third-party services used by this website

Two third-party services run in your browser when you interact with specific pages on boogie.digital:

• Cloudflare Turnstile — a CAPTCHA alternative used only on the /updates/ (downloads) page to prevent automated abuse. Turnstile may use cookies and device signals to issue its challenge. Governed by Cloudflare's privacy policy. Turnstile is loaded only on pages where a challenge is required; it is not present on the home page, pricing page, or this privacy policy page.
• Route 53 and Let's Encrypt — DNS and SSL certificate issuance for boogie.digital. These do not run in your browser.

The website does not use Google Analytics, Facebook Pixel, LinkedIn Insight, HotJar, Intercom, or any similar tracking service.

6. Email you send to us

If you email support@boogie.digital or similar addresses, your message is stored in the KTP Digital email system for support and record-keeping. You can ask us to delete any correspondence at any time.

7. Your rights

Because we collect nothing about you as a Boogie user, there is no KTP Digital-held record to access, correct, or delete. If you want to clear data the app holds on your device, uninstall the app — the sandboxed local storage is removed automatically by the operating system.

If you have corresponded with support@boogie.digital or you have an in-app purchase record held by Apple or Google, those records are held by Apple, Google, or KTP Digital support (via email) respectively. You can:

• Request a copy of any email correspondence we hold about you
• Request deletion of that correspondence
• Request deletion of IP-address log entries identifiable as yours from the web server logs
• Request the name and contact details of the data controller (that's KTP Digital, support@boogie.digital)

Send such requests to privacy@boogie.digital. We respond within 30 days.

7A. Data breach notification

If we become aware of a data breach that is likely to cause serious harm to any individual whose personal information we hold (for example, support correspondence or subscription records supplied to us by the App Store or Google Play), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) promptly, following the approach set out in Part IIIC of the Privacy Act 1988 (Cth) and the OAIC's Notifiable Data Breaches (NDB) guidance.

At current scale, KTP Digital Pty Ltd is below the $3 million annual turnover threshold that makes the NDB scheme mandatorily applicable under s 26WE of the Privacy Act 1988 (Cth), and does not engage in activities (credit reporting, health services, trading in personal information) that would trigger the scheme regardless of turnover. We nonetheless commit to the above notification approach as a matter of good practice. If the NDB scheme later becomes mandatorily applicable, this commitment continues unchanged.

For users in the European Union or United Kingdom, we will additionally comply with Article 33 of the GDPR / UK GDPR (notification to the supervisory authority within 72 hours where feasible) and Article 34 (notification to affected individuals) in respect of personal data we hold about those users.

8. Children

Boogie is not directed at children under 13. We do not knowingly collect information about anyone because we do not collect information from users generally — but we will not market Boogie as a product for children, and parents should supervise minors' use of email clients regardless.

9. International transfers and regulatory compliance

KTP Digital is based in Melbourne, Australia. Website servers are located in the United States. Email correspondence is stored on a KTP Digital-operated Stalwart Mail Server. When you email support, your message crosses international borders consistent with standard internet email routing.

We support the rights described in the EU GDPR, UK GDPR, California CCPA/CPRA, and the Australian Privacy Act. Because Boogie does not collect personal data about its users through the app, most of these rights are trivially satisfied — there is no data for us to forget, correct, or transfer.

California residents (CCPA/CPRA): We do not sell, share (as defined by the CCPA/CPRA), or use for cross-context behavioural advertising any personal information. We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age.

10. Changes to this policy

If we change this policy in a way that materially affects what data we collect or how we use it, we will update the "Last updated" date at the top of this page and, when the change is significant, announce it on the Boogie site and via an in-app notice. Review this page periodically for the latest version.

11. Contact

Questions about privacy, data requests, or this policy:

• Email: privacy@boogie.digital
• Support: support@boogie.digital
• Post: KTP Digital, Melbourne, Victoria, Australia (exact address available on request)

---

This policy is offered in plain language. It is our good-faith attempt to explain how Boogie and boogie.digital handle your information. Nothing here alters the technical reality of the product: Boogie is a client, your data lives on your server, we are not in the middle.