Privacy Policy

Last updated: May 2026 · Applies to: UK and EEA users

This Privacy Policy explains how [COMPANY NAME] Ltd ("base", "we", "us", "our") collects, uses, stores, and protects your personal data when you use our service at hellobase.com ("the Service").

We are the data controller for the purposes of UK GDPR and the Data Protection Act 2018. Our registered office is at [REGISTERED ADDRESS]. Our contact email for data matters is [CONTACT EMAIL].

1. What Data We Collect

Account data

  • Name and email address provided at registration
  • Company name and role (if provided)
  • Billing information (processed and stored by Stripe - we do not store card details)

Usage data

  • Commands you enter into the base interface
  • Actions taken by base on your behalf via connected integrations
  • Session data, page views, and feature usage (via PostHog)
  • Error logs and diagnostic data

Integration data

When you connect a third-party tool (such as HubSpot, Xero, or Juro) to base, we access data from that tool only to the extent necessary to execute commands on your behalf. We do not copy or store this data beyond what is required for the immediate operation.

Communications

  • Emails you send to us
  • Feedback you submit through the Service

2. How We Use Your Data

| Purpose | Legal basis (UK GDPR) |
| --- | --- |
| Providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (receipts, alerts) | Performance of a contract (Art. 6(1)(b)) |
| Product analytics and improvement | Legitimate interests (Art. 6(1)(f)) |
| Sending product update emails | Legitimate interests / consent (Art. 6(1)(a) or (f)) |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |

We do not use your data to train AI models. We do not sell your data to any third party.

3. Third-Party Processors

We share data with the following third-party service providers, all of whom process data on our behalf under appropriate data processing agreements:

| Processor | Purpose |
| --- | --- |
| Supabase | Database and authentication |
| Anthropic (Claude API) | AI command processing |
| Stripe | Payment processing |
| PostHog | Product analytics |
| Loops | Transactional and product email |

Your connected third-party integrations (HubSpot, Xero, Juro, etc.) are governed by their own privacy policies. We are not responsible for how those providers handle your data.

4. Data Retention

We retain your account data for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes (for example, financial records for tax compliance, which we retain for 7 years in accordance with UK law).

Command logs and usage data are retained for 12 months and then deleted or anonymised.

5. Cookies

We use the following types of cookies:

  • Essential cookies: required for the Service to function (authentication, session management). You cannot opt out of these.
  • Analytics cookies: used by PostHog to understand how users interact with the Service. You can opt out via your account settings under Privacy.

We do not use advertising or tracking cookies.

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: request a copy of the data we hold about you
  • Right to rectification: ask us to correct inaccurate data
  • Right to erasure: ask us to delete your data ("right to be forgotten")
  • Right to restriction: ask us to limit how we use your data
  • Right to portability: receive your data in a machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at [CONTACT EMAIL]. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted data storage via Supabase, HTTPS for all data in transit, and access controls limiting who within our team can access user data.

No method of transmission over the internet is completely secure. If you believe your account has been compromised, contact us immediately at [CONTACT EMAIL].

8. International Transfers

Some of our third-party processors (including Anthropic and PostHog) may process data outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO, to protect your data in accordance with UK GDPR.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice in the Service at least 14 days before the changes take effect. The date at the top of this page reflects the most recent update.

10. Contact

For any questions or requests relating to this Privacy Policy:

  • [CONTACT EMAIL]
  • [COMPANY NAME] Ltd
  • [REGISTERED ADDRESS]