Data Transparency
Your data, your business.
Plain English. No legal fog. This page tells you exactly what BABA knows about your business, where we keep it, and what you can do with it — any time you want.
This is not the Privacy Policy (that's coming soon). This is the human-readable version.
What we collect, in plain English
BABA collects three categories of information:
- Account information. Your name, email address, and Google account ID when you sign in with Google OAuth.
- Business data you enter. Anything you type into BABA — employee records, KPIs, goals, project notes, contractor details, contracts, check-in responses, and conversations with the BABA AI. This is your operational data; we store it so the product works.
- Usage metadata. Which features you use, when, and roughly how much AI processing each request required (for cost management — not sold or profiled).
We do not collect payment card data directly — that goes through Stripe, which has its own data practices.
For engineers and compliance officers: the full GDPR Article 30 personal data inventory documents every table, field classification, and retention rule.
Where it lives
Production database: Supabase Pro, EU-hosted (eu-west-1, Ireland). Your data never leaves the EU at rest. Supabase provides a Data Processing Agreement (DPA) for GDPR compliance.
Encryption at rest: AES-256. All data stored in the Supabase database is encrypted at rest using AES-256.
Encryption in transit: TLS. All traffic between your browser and BABA is encrypted in transit via TLS. No data moves over plain HTTP.
Application servers: AWS EC2 (eu-west-1, Ireland). The web application itself runs in the same EU region as the database. We are planning to migrate to Vercel edge infrastructure before the first paying customer onboards; that region configuration will be documented here when it changes.
AI conversations are processed through Anthropic's API. Anthropic's data handling is governed by Anthropic's Privacy Policy. We do not send identifiable personal data (names, emails) to Anthropic — only the content of what you type into the BABA AI.
Who can see it
You and your team. Data is org-scoped. Only people you invite to your BABA organization can see your organization's data. Row-level security (RLS) enforces this at the database layer — not just in application code.
BABA staff. We can access your data only when you explicitly share a conversation with us (e.g., for a support request), or when required by law. We do not browse customer data routinely.
Nobody else. We do not share your data with third parties for advertising, analytics resale, or any other commercial purpose. The subprocessors we use (Supabase, AWS, Anthropic, Stripe) each have their own data handling obligations; we are the data controller.
Within your organization, role-based access applies: owners see everything, admins see their department scope, staff see their own records. This is enforced in both application logic and database policy.
Your rights
If you are located in the EU or UK, GDPR gives you the following rights. We honor them for all users, regardless of location.
- Access. You can request a copy of all data BABA holds about you.
- Correction. You can update or correct inaccurate data directly inside the app, or ask us to correct it.
- Deletion (“right to be forgotten”). You can request deletion of your personal data. Deleting your organization deletes all associated data from the database. We process data subject requests (DSRs) within 30 days.
- Export. You can request an export of your data in a machine-readable format.
- Objection. You can object to specific processing activities. Reach out to discuss.
To exercise any of these rights, contact us directly. We do not require a form or a legal threat.
What we don't do
- We do not sell your data. Ever. To anyone. This is not a "we don't sell data as defined by California law" hedge — we mean it literally.
- We do not train AI models on your business data. Your conversations with the BABA AI are used to generate responses in your session. They are not used to retrain or fine-tune any AI model — ours or anyone else's.
- We do not share data with investors or advisors without explicit opt-in. Investor updates about BABA as a company contain aggregate, anonymized metrics only — never individual customer data.
- We do not use dark patterns to make deletion hard. If you want to leave, we make it straightforward.
Healthcare and HIPAA (Track 2)
BABA does not store Protected Health Information (PHI). The current product (Track 1) is for business operations — team management, goals, KPIs, contracts. It is not an Electronic Health Record (EHR) and does not touch clinical data.
What's coming: BABA for Healthcare Practices (Track 2). This track will allow BABA to read operational signals from your EHR (caseload, intake, scheduling patterns) via API integration — with your explicit consent. BABA does not become your EHR; your EHR stays your EHR.
Track 2 infrastructure will be self-hosted on AWS (EC2 + RDS) in a HIPAA-eligible configuration. A Business Associate Agreement (BAA) will be available before any PHI flows through BABA integrations. Target availability: Q4 2026.
If you run a healthcare practice and want to understand the data boundary in detail before then, reach out directly.
Talk to us about data
Every claim on this page is a promise we keep in code. If something here doesn't match your experience, or you want to exercise a data right, or you just have a question — reach out. We respond personally.
elise@elisepriceconsulting.com
We aim to respond to all data-related inquiries within 2 business days, and to process data subject requests within 30 days as required by GDPR.