Privacy Policy

Effective date: July 16, 2026

This Privacy Policy explains how BABA (“we,” “us,” or “our”) collects, uses, stores, and shares personal data when you use the BABA platform and related services (the “Service”). We are the data controller for the personal data described in this policy.

1. Who We Are

BABA is an HR analytics platform operated by Elise Price Consulting, LLC. If you have questions about this policy or want to exercise your privacy rights, contact us at privacy@babamethod.com.

2. Data We Collect

We collect data in the following categories:

Account and profile data

Name, email address, and authentication credentials when you create an account. Profile settings and preferences you configure in the Service.

Workforce and HR data

Information about employees, contractors, and team members entered by organization administrators — including names, job titles, departments, performance goals, project assignments, and compensation data. This data is entered by your organization; BABA processes it on behalf of your organization (which is the controller of that workforce data).

AI conversation data

Messages you send to the Ask Baba AI assistant (“conversation content”) are stored and processed to provide the Service. Conversation content may include names, HR observations, or other personal details you type. Conversations are retained for 30 days (standard plans) or up to 6 years (HIPAA plans) and are then permanently deleted. You may delete a conversation at any time.

AI usage and feedback

We record which AI features you use, estimated compute costs per session, and optional feedback ratings or comments you submit on AI responses. Usage records are retained until your organization is deleted.

AI working-style memory

To behave like a consistent assistant across conversations, Ask Baba may remember short facts about how you prefer to work (for example, “prefers bullet-point summaries” or “reports figures in EUR”). These memories are tied to your individual user account and are not shared with your organization — your organization’s administrators and owners cannot see them. You can view, edit, and delete your remembered facts at any time from your account settings. They are retained until you delete them or close your account; they are not aged out on the conversation-retention schedule.

Conversation shares

If you share a conversation via a link, a snapshot or AI-generated summary of that conversation is stored and made accessible to anyone with the link until the share expires (default 90 days) or you revoke it. You can revoke a share at any time by deleting the link.

Consent records

When you choose to allow BABA staff to view a conversation to help you (for example, for support purposes), we record your explicit consent. That record is retained for compliance purposes.

Client and CRM data

If your organization uses BABA’s CRM features, contact information for your clients (name, email, phone number) and revenue data synced from Stripe are stored on your behalf. Your organization is the controller of that client data; BABA processes it as a data processor.

Document uploads

If your organization uploads contract documents or other files, those files are stored in a private storage bucket. Parsed text extracted from those documents (for AI analysis) may be sent to our AI sub-processor — see Section 5.

Attribution and analytics data

When you visit our website, we may collect UTM parameters and referral source information to understand how users find us. We also collect product-usage events (page views, feature interactions) using pseudonymous identifiers that do not directly identify you.

Technical data

IP addresses, browser type, and error reports collected automatically when you use the Service. Error reports may incidentally contain technical context; we take measures to minimize personal data in these reports (see Section 5 — Sentry).

3. How We Use Your Data

We process personal data for the following purposes and legal bases:

  • Providing the Service — to operate your account, process AI queries, surface workforce analytics, and fulfil your subscription (legal basis: contract performance, Art. 6(1)(b) GDPR).
  • Improving the Service — to understand how features are used and improve them using aggregated, anonymized signals; individual message content is never used for model training without explicit consent (legal basis: legitimate interests, Art. 6(1)(f) GDPR).
  • Security and fraud prevention — to detect abuse, prevent unauthorized access, and maintain audit logs (legal basis: legitimate interests, Art. 6(1)(f)).
  • Legal and compliance obligations — to retain financial records, respond to data subject requests, and meet applicable legal requirements (legal basis: legal obligation, Art. 6(1)(c)).
  • Communications — to send transactional notifications (account alerts, subscription updates) necessary for the Service (legal basis: contract performance).

No automated employment decisions. BABA informs human decisions — it does not make them. BABA does not make automated employment decisions; a human always reviews and acts on any insight BABA surfaces.

No use of protected-class data. BABA does not use or surface employee medical, disability, or other protected-class information for any recommendation.

4. Data Retention

We retain personal data for as long as needed to provide the Service or as required by law:

  • AI conversations — retained for 30 days (standard plan) or up to 6 years (HIPAA plan), then permanently deleted. You can delete conversations at any time.
  • Conversation shares — expire and are permanently deleted after 90 days (default), or immediately when you revoke them.
  • Account and profile data — retained while your account is active; deleted when your organization is removed from the Service.
  • Contracts and financial records — may be retained beyond an account closure when required for legal record-keeping obligations.
  • Access and compliance logs — retained indefinitely as an audit trail; not subject to deletion on individual erasure requests.

5. Sub-Processors and International Transfers

We share personal data with the following sub-processors to operate the Service. Where data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as the transfer mechanism.

  • Anthropic (Claude API) — US. Your AI conversation messages and parsed document content are sent to Anthropic’s Claude API for inference. Anthropic processes this data under a Data Processing Agreement and Standard Contractual Clauses. Under our zero-retention agreement, Anthropic does not retain or train on your data beyond the duration of the request.
  • Supabase — EU (AWS eu-west-1 for production). Your database and file storage. Production data is hosted in the EU.
  • Sentry — EU (de.sentry.io). Error tracking. Session replays mask all on-screen text and form input before transmission. Error events use pseudonymous user IDs; no message content is included.
  • Axiom — EU. Structured application logs. Logs contain pseudonymous UUIDs only; no message content is logged.
  • PostHog — EU (eu.i.posthog.com). Product analytics. Events use pseudonymous identifiers; no message content is recorded.

6. Cookies and Tracking

BABA uses essential cookies required for authentication (session tokens) and user-preference storage. We do not use advertising or cross-site tracking cookies. Analytics events (PostHog) use pseudonymous identifiers stored in browser local storage.

7. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access (Art. 15 GDPR) — request a copy of the personal data we hold about you.
  • Rectification (Art. 16) — ask us to correct inaccurate data.
  • Erasure (Art. 17) — ask us to delete your personal data, subject to legal retention obligations.
  • Data portability (Art. 20) — receive your data in a machine-readable format.
  • Restriction (Art. 18) — ask us to restrict processing in certain circumstances.
  • Objection (Art. 21) — object to processing based on legitimate interests.

To exercise any of these rights, email privacy@babamethod.com. We will respond within 30 days. At MVP, requests are handled by our team directly; a self-service portal is on our roadmap. You also have the right to lodge a complaint with your local data protection authority.

8. Data Security

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, row-level security policies in our database, and strict access controls. All data access by BABA staff to user conversations is logged and requires an explicit written justification.

9. Children

The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be notified by email or in-product notice at least 30 days before they take effect. The effective date at the top of this page reflects the most recent revision.

11. Contact

Questions about this policy or your personal data? Contact us at privacy@babamethod.com.