Privacy Policy.

Section 01Who we are.

BABAV.CO ("BABAV," "we," "us," or "our") operates an omnichannel AI-driven CRM and marketing automation platform. We're a Delaware corporation. We provide software that helps you manage customer conversations, generate content, and run outbound campaigns across social platforms and email.

This Privacy Policy explains what data we handle, why we handle it, how we protect it, and what control you have over it. It applies to anyone using BABAV.CO — visitors, trial users, paying customers, and the customers of our customers whose data flows through our pipes.

Section 02Information we collect.

We split data into three buckets so it's clear what's what.

2.1 — Information you give us directly

• Account details: name, work email, password (hashed), workspace name, role
• Billing information: company name, tax ID, billing address — credit card data is handled by our payment processor, never touches our servers
• Brand configuration: your tone settings, knowledge-base entries, silence rules, per-channel preferences
• Support communication: anything you email or message us

2.2 — Information from connected platforms

When you connect a channel (Threads, Instagram, Facebook, WhatsApp, YouTube, Gmail), we receive whatever the platform's OAuth scope grants. That typically includes incoming messages, comments, profile metadata for people interacting with you, post performance, and the ability to publish on your behalf. We only request the scopes we actually need for the features you've enabled.

2.3 — Information collected automatically

• Usage data: pages viewed, features used, action counts, error logs
• Device data: browser, OS, screen size, IP address (truncated after 30 days)
• Performance telemetry: API latency, queue depth, channel sync health

Section 03How we use it.

We use the data we collect to:

• Operate the service — auto-reply, content generation, lead scoring, all of it
• Bill you accurately, which requires counting your action credits
• Detect abuse, fraud, and security incidents
• Improve product reliability — debugging from anonymized logs, never customer message bodies
• Send you operational email (receipts, security notices) and product updates (which you can opt out of)
• Comply with legal obligations when we actually have one

Section 04AI processing.

This is the part people usually want clarity on, so we'll be specific.

BABAV uses Google's Gemini 2.5 Flash via Vertex AI to generate text replies, summarize threads, and score sentiment. We use VEO 3.1 (standard and fast variants) via Vertex AI for video generation. All inference runs in Google Cloud, region us-central1.

Per our agreement with Google Cloud and Vertex AI, your inputs and outputs are not used to train any Google or third-party model. Vertex AI's data-use terms apply, which is why we picked it.

We also do not train our own models on your content. We don't have a foundation model. We're a tooling layer on top of Vertex AI, and that's it.

For diagnostics, we log AI request metadata (token counts, latency, error codes) but we strip message bodies and outputs from those logs within 24 hours unless a specific request has been flagged for debugging by you or our support team.

Section 05How we share data.

We share data in a small number of well-defined situations:

• Service providers — Google Cloud (hosting, AI inference, storage), our payment processor, our email-delivery vendor, our error-monitoring vendor. Each is bound by a data processing agreement.
• Connected platforms — when you publish content or send replies, we transmit that content to the platform you've connected (Meta, Google, etc) on your behalf.
• Legal compliance — if we receive a valid subpoena, court order, or government request, we'll comply with what's legally required and notify you unless prohibited.
• Corporate transactions — if BABAV is acquired or merges, your data may transfer to the acquirer under terms at least as protective as this policy. We'll notify you in advance.

We do not share data with advertisers, data brokers, or anyone else for marketing purposes. There is no scenario where your customer messages end up in someone else's product.

Section 06Security.

Concrete measures, not vibes:

• OAuth tokens for all connected channels are encrypted at rest using AES-256-GCM with keys managed in Google Cloud KMS
• All traffic between you and BABAV uses TLS 1.3
• Database backups are encrypted and stored in a separate Cloud region
• Production access is restricted to a small number of engineers, requires hardware MFA, and is logged
• We run automated dependency scanning and pen-test before major releases
• SOC 2 Type II audit is in progress — expected completion Q3 2026

No system is unbreakable. If we ever experience a breach affecting your data, we'll notify you within 72 hours of confirmation, with what we know, what's affected, and what we're doing about it.

Section 07Data retention.

We keep data only as long as we need it. Specifically:

• Active account data — for the life of your account, plus 30 days after cancellation in case you change your mind
• OAuth tokens — wiped within minutes of you disconnecting a channel
• Billing records — 7 years, as required by US tax law
• Anonymized analytics — indefinitely, but stripped of any personal identifiers
• Backups — rolling 35-day window, after which they're cryptographically destroyed

You can request earlier deletion at any time. See Section 09.

Section 08International transfers.

Our primary infrastructure is in the United States (Google Cloud us-central1). If you're accessing BABAV from outside the US, your data is transferred to and processed in the US.

For users in the EU, UK, and Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. We've also published a transfer impact assessment available on request.

Regional residency for EU and Asia-Pacific customers is on our 2026 roadmap.

Section 09Your rights.

Depending on your location, you may have the right to:

• Access — request a copy of personal data we hold about you
• Correct — fix anything that's wrong
• Delete — ask us to erase your data, subject to legal retention requirements
• Export — get your data in a portable format (JSON or CSV)
• Restrict or object — limit how we process your data
• Withdraw consent — for anything we process on consent basis
• Lodge a complaint — with your local data protection authority

To exercise any of these, email privacy@babav.co. We'll respond within 30 days. We won't charge you for these requests unless they're clearly abusive.

For California residents: we do not "sell" personal information as defined by the CCPA. You have rights to know, delete, correct, and opt out, as described above.

Section 10Children's privacy.

BABAV is built for businesses and is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, contact us and we'll delete it.

Section 11Cookies & tracking.

We use a minimal cookie setup:

• Essential cookies — for authentication and security. These can't be disabled.
• Preference cookies — for things like dark-mode and last-viewed dashboard tab
• Analytics cookies — first-party only, no Google Analytics, no Facebook Pixel, no ad networks. We use a self-hosted analytics service that doesn't track individuals across sites.

You can disable non-essential cookies in your browser without breaking the app. We don't show a cookie banner because we don't think one is required for this minimal set, but you can email us if you want it added.

Section 12Third-party services.

The integrations you connect (Threads, Instagram, Facebook, WhatsApp, YouTube, Gmail) are governed by their own privacy policies. We send and receive data with these services on your authorization, but we're not responsible for how those companies handle data on their end.

When you connect a channel, the OAuth flow shows you exactly what permissions you're granting. Review them. Revoke them from your platform settings at any time.

Section 13Changes to this policy.

We update this policy when we change how we handle data. Material changes get emailed to account owners at least 30 days before they take effect. Minor edits (typos, link fixes, clarifying language) happen without notice. The "Last updated" date at the top reflects the most recent change.

We keep a changelog of every version. Email us if you want a copy.

Section 14Contact us.

For anything privacy-related — questions, requests, complaints, suggestions — email privacy@babav.co. For general support, use support@babav.co.

If you prefer postal mail, contact us first via email and we'll provide a current mailing address. We're remote-first and don't maintain a public office.