We collect the minimum. We encrypt what we keep. We never train on your customers. Here's the long version, with all the receipts.
BABAV.CO is operated by BABAV LLC ("BABAV," "we," "us," or "our"), a Delaware limited liability company that runs an omnichannel AI-driven CRM and marketing automation platform. We provide software that helps you manage customer conversations, generate content, and run outbound campaigns across social platforms and email.
This Privacy Policy explains what data we handle, why we handle it, how we protect it, and what control you have over it. It applies to anyone using BABAV.CO — visitors, trial users, paying customers, and the customers of our customers whose data flows through our pipes.
Controller and processor. For the personal data of our own customers and site visitors — your account, billing, and usage information — BABAV acts as the data controller. For the content that flows through the service on your behalf — the messages, comments, emails, and contact records of the people you interact with — BABAV acts as a data processor, and you (our customer) are the controller. If you need a Data Processing Agreement (DPA) to meet GDPR Article 28 or similar obligations, we make a standard DPA available on request at support@babav.co.
We split data into three buckets so it's clear what's what.
When you connect a channel (Threads, Instagram, Facebook, WhatsApp, YouTube, Gmail, Telegram, X, Discord, LinkedIn, Twitch), we receive whatever the platform's OAuth scope or bot connection grants. That typically includes incoming messages, comments, profile metadata for people interacting with you, post performance, and the ability to publish on your behalf. We only request the scopes we actually need for the features you've enabled. Google user data is covered in more detail in Section 05.
We use the data we collect to:
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
For the data of the people you reach through the service, you determine the legal basis as the controller; BABAV processes it only on your documented instructions.
This is the part people usually want clarity on, so we'll be specific.
BABAV uses Google's Gemini 2.5 Flash via Vertex AI to generate text replies, summarize threads, and score sentiment. We use VEO 3.1 (standard and fast variants) via Vertex AI for video generation. All inference runs in Google Cloud, region us-west1.
Per our agreement with Google Cloud and Vertex AI, your inputs and outputs are not used to train any Google or third-party model. Vertex AI's data-use terms apply, which is why we picked it.
We also do not train our own models on your content. We don't have a foundation model. We're a tooling layer on top of Vertex AI, and that's it.
For diagnostics, we log AI request metadata (token counts, latency, error codes) but we strip message bodies and outputs from those logs within 24 hours unless a specific request has been flagged for debugging by you or our support team.
Because BABAV connects to Gmail and YouTube through Google's APIs, this section sets out exactly what Google user data we access, how we use it, and the commitments we make under Google's API Services User Data Policy. It supplements — and where Google data is concerned, takes precedence over — the rest of this policy.
When you connect your Google account, we request only the scopes needed for the features you turn on:
gmail.send): to send the outbound emails and replies you compose or approve in BABAV. This is a send-only scope — it does not grant access to read your inbox.youtube.upload): requested only if you connect a YouTube channel, to publish videos you generate in BABAV to your own channel.openid, email, profile): to sign you in and identify your account.We request these scopes incrementally — only when you enable the feature that needs them — and never more than the feature requires. You can review and revoke BABAV's access at any time from your Google Account permissions page.
OAuth tokens for your Google account are encrypted at rest (AES-256-GCM, keys in Google Cloud KMS) and wiped within minutes of you disconnecting the channel. We do not use Gmail or any Google user data to serve advertising, and we do not sell or rent it.
In plain terms, that commitment means:
We share data in a small number of well-defined situations:
We do not share data with advertisers, data brokers, or anyone else for marketing purposes. There is no scenario where your customer messages end up in someone else's product.
Concrete measures, not vibes:
No system is unbreakable. If we ever experience a breach affecting your data, we'll notify you within 72 hours of confirmation, with what we know, what's affected, and what we're doing about it.
We keep data only as long as we need it. Specifically:
You can request earlier deletion at any time. See Section 10.
Our primary infrastructure is in the United States (Google Cloud us-west1). If you're accessing BABAV from outside the US, your data is transferred to and processed in the US.
For users in the EU, UK, and Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
Regional residency for EU and Asia-Pacific customers is on our 2026 roadmap.
Depending on your location, you may have the right to:
To exercise any of these, email support@babav.co. We'll respond within 30 days. We won't charge you for these requests unless they're clearly abusive.
For California residents: we do not "sell" personal information as defined by the CCPA. You have rights to know, delete, correct, and opt out, as described above.
BABAV is built for businesses and is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, contact us and we'll delete it.
We use a minimal cookie setup:
Analytics and other non-essential cookies stay off until you accept them via our cookie banner — decline and none are set. You can also disable cookies in your browser without breaking the app, and change your choice anytime by clearing the babav_consent cookie.
The integrations you connect (Threads, Instagram, Facebook, WhatsApp, YouTube, Gmail, Telegram, X, Discord, LinkedIn, Twitch) are governed by their own privacy policies. We send and receive data with these services on your authorization, but we're not responsible for how those companies handle data on their end.
When you connect a channel, the OAuth flow shows you exactly what permissions you're granting. Review them. Revoke them from your platform settings at any time.
We update this policy when we change how we handle data. Material changes get emailed to account owners at least 30 days before they take effect. Minor edits (typos, link fixes, clarifying language) happen without notice. The "Last updated" date at the top reflects the most recent change.
We keep a changelog of every version. Email us if you want a copy.
For anything privacy-related — questions, requests, complaints, suggestions — or general support, email support@babav.co.
If you prefer postal mail, contact us first via email and we'll provide a current mailing address. We're remote-first and don't maintain a public office.
We use privacy-respecting analytics to see which pages are useful. Nothing tracks you until you accept. See our Cookie Policy.