Baserok

Legal

Privacy Policy

Effective 28 April 2026

This Privacy Policy explains what personal data Baserok (“Baserok”, “we”, “us”) collects when you use usebaserok.com and the Baserok web application (collectively, the “Service”), how we use it, and the rights you have over it. We try to keep this document plain and specific. If anything is unclear, write to us at privacy@baserok.com.

1. Who is the data controller

Baserok is the data controller for personal data collected via the Service. Contact for privacy queries: privacy@baserok.com.

2. What we collect

Account data

  • Email address
  • Hashed password (managed by Supabase Auth; we never see your password in plain text)
  • Optional full name, if you choose to provide one
  • Account creation and last-activity timestamps

Usage data

  • The product descriptions and prompts you submit
  • The builds, personas, features, and citations the Service generates for you
  • Credit transactions, subscription tier, and billing status
  • IP address and request metadata, used solely for rate-limiting, fraud prevention, and basic security logging
  • Server logs (request paths, status codes, error traces) retained for up to 90 days

Payment data

Payments are processed by Stripe. We do not store card numbers, CVCs, or full bank details on our servers. We receive from Stripe only the customer identifier, subscription status, and the payment-event metadata required to grant credits and reconcile the ledger.

Email subscribe form (landing page)

If you submit your email on the public landing page, we collect the email address and the request IP (used for rate-limiting). We use the email only to contact you about Baserok’s launch and product updates; you can unsubscribe at any time.

Cookies

The Service sets the following cookies, all of which are strictly necessary:

  • Supabase auth cookies (names beginning with sb-) — used to keep you signed in. Lifetime: session and refresh-token expiry per Supabase defaults.
  • sidebar_state — remembers whether the dashboard sidebar is collapsed. Lifetime: 7 days. No personal data.

We do not use cookies for advertising, marketing analytics, or cross-site tracking. We do not embed third-party analytics scripts. Because we set only strictly-necessary cookies, no consent banner is required under the UK Privacy and Electronic Communications Regulations or the EU ePrivacy Directive. If we add non-essential cookies in the future, we will introduce a consent mechanism before doing so.

3. Why we use it (lawful bases)

  • Performance of contract — to operate the Service, run the AI pipeline, deliver Outputs, and provide customer support.
  • Legitimate interests — to secure the Service (rate-limiting, abuse prevention), to maintain operational logs, and to improve product quality. We balance these interests against your rights and only rely on this basis where the processing is proportionate and expected.
  • Consent — for optional marketing emails. You can withdraw consent at any time.
  • Legal obligation — to keep payment and tax records for the period required by applicable law.

4. Sub-processors

We rely on the following service providers to operate the Service. Each is bound by a Data Processing Agreement and only processes personal data on our instructions.

  • Supabase (Auth, Postgres database, file storage) — primary database hosting region: EU-West (Ireland).
  • Stripe (payments) — stores payment instruments and processes transactions; data may be transferred to the United States under appropriate safeguards.
  • Resend (transactional and lifecycle emails).
  • Anthropic(large-language-model inference for the AI pipeline). Your prompts and the public source content retrieved for your build are sent to Anthropic for processing. Per Anthropic’s API terms in force at the effective date, Anthropic does not use this content to train its models. Data may be transferred to the United States under appropriate safeguards.
  • Netlify (web and edge hosting; a migration to Vercel is planned and this notice will be updated when complete).
  • Railway (AI pipeline hosting).
  • GitHub (source-control operations triggered by authenticated maintainers; no end-user data is sent here).

We read publicly available content from third-party sources (Reddit, Bluesky, the Apple App Store, Google Trends and similar) as inputs to the analysis. We do not share your personal data with those sources.

5. International transfers

Some of our sub-processors are based outside the UK and EEA (notably the United States). Where personal data is transferred outside the UK or EEA, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision, as appropriate.

6. How long we keep it

  • Account data: while your account is active.
  • Builds and citations: while your account is active. Soft-deleted builds are retained for up to 30 days to permit recovery, then permanently deleted.
  • Server logs: up to 90 days, then deleted or aggregated.
  • Payment records: retained for the period required by UK and EU tax law (typically up to 7 years), held by us and by Stripe.
  • Email-subscribe records: until you unsubscribe or until 24 months of inactivity, whichever comes first.

7. Your rights

Under the UK GDPR and EU GDPR, where applicable, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request erasure (“the right to be forgotten”)
  • Restrict or object to certain processing
  • Receive a portable copy of your data in a machine-readable format
  • Withdraw consent at any time, where consent is the lawful basis
  • Lodge a complaint with a supervisory authority — in the UK, the Information Commissioner’s Office (ico.org.uk)

You can export your data and delete your account from the settings page. Data exports are limited to one self-service download per 30 days; this matches the regulatory response window in Article 12(3) and is consistent with our position under Article 12(5) on repetitive requests. If you have a legitimate reason to need another export sooner — for example, you have lost the previous file — write to privacy@baserok.com and we will action the request manually within 30 days as required by Article 12(3).

8. Automated decision-making

Outputs (personas, features, evidence-strength scores) are generated by AI models, but they do not produce legal or similarly significant effects on you. Evidence-strength scores reflect the breadth and recency of cited evidence and are advisory; we do not use them to make decisions about you.

9. Children

The Service is not intended for, and we do not knowingly collect data from, children under 16. If you believe a child has registered an account, contact us and we will remove the account.

10. Security

We use TLS in transit, hashed passwords (managed by Supabase Auth), and Row Level Security policies on every database table. Only service-role keys held server-side can bypass these policies, and they are scoped to the smallest set of operations required. We review access controls and notable incidents on an ongoing basis.

If a personal-data breach materially affecting your rights occurs, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by the UK GDPR.

11. Changes to this policy

We may update this policy from time to time. The effective date at the top of this page reflects the most recent revision. If the change is material, we will notify you by email or via a prominent notice in the Service before it takes effect.

12. Contact

Privacy queries: privacy@baserok.com. General contact: hello@baserok.com.