1. Who We Are (Data Controller)
This Privacy Policy describes how Your Company ("we", "us", "our"), operating the website Baaed FREE SEO Suite at https://baaed.com, collects, uses, and protects your personal information when you use our website, tools, and services (collectively the "Service").
For the purposes of the EU/UK GDPR, the data controller is:
Your Company
Privacy contact: info@baaed.com
EU Representative (GDPR Art. 27): we operate from the United States and have not appointed an EU representative at this time. EU/EEA data subjects may exercise all of their GDPR rights by contacting our privacy team directly at info@baaed.com. See our GDPR Rights page for the full statement of position and the rights available to you.
By using our Site, you agree to the practices described in this Privacy Policy. If you disagree, please do not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account registration: email address, display name, and password (stored as a bcrypt hash — we never store plain-text passwords). Some social-login flows also provide your public profile picture and full name.
- Tool inputs: URLs, text, files, or other content you submit to our tools for analysis or transformation. This data is processed in real time and is not retained beyond your session unless explicitly stated for a specific tool (e.g. saved Website Reviewer reports, saved YouTube summaries).
- Billing information: when you subscribe to a paid plan, our payment processors (Stripe and PayPal) collect billing details. We receive and store only the customer identifier, plan, last-four card digits, and billing email — never the full card number.
- Support enquiries: any information you include when contacting us via email or the contact form.
2.2 Information We Collect Automatically
- Log data: IP address, user-agent string (browser and operating system), referring URL, pages visited, timestamps, and time spent on pages.
- Device data: device type, screen resolution, and browser language settings.
- Usage data: which tools you use, run counts, error events, and aggregate patterns that help us improve the service. Stored at the country level (not city or precise location).
- Cookies and similar technologies: see Section 6 and our standalone Cookie Policy.
2.3 Information from Third Parties
- If you sign in via Google, Facebook, or Twitter/X, we receive your public profile information (name, email, profile picture) from that provider, subject to your settings on their platform.
- We do not purchase or rent personal data from data brokers.
2.4 Sensitive Personal Information (CPRA term)
We do not collect "sensitive personal information" within the meaning of the CPRA — we do not collect government identifiers (SSNs, driver's-licence numbers), precise geolocation, race or ethnicity, religion, union membership, genetic or biometric data, health data, or sexual orientation. If we ever start, this section will be updated and you will be notified.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Create and manage your account, including authentication and account recovery.
- Process payments and manage subscriptions (handled by Stripe and PayPal — we do not store full card numbers).
- Send transactional emails (account verification, password reset, billing receipts, security alerts).
- Send marketing emails — only if you have opted in (see Section 17).
- Personalise your experience (e.g. dark-mode preference, recently used tools).
- Monitor for abuse, fraud, and security threats, including DDoS mitigation and IP-based rate limiting.
- Analyse aggregate usage trends to improve and expand the service.
- Comply with applicable laws and respond to lawful legal process.
We do not sell your personal data. We do not use your data for automated decision-making that produces legal or similarly significant effects without your explicit consent.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the service and managing your account | Contract performance (Art. 6(1)(b) GDPR) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR) |
| Aggregate analytics and service improvement | Legitimate interests (Art. 6(1)(f) GDPR), or consent where required (Art. 6(1)(a)) |
| Marketing emails (only if opted in) | Consent (Art. 6(1)(a) GDPR) |
| Tax records, legal compliance and dispute resolution | Legal obligation (Art. 6(1)(c) GDPR) |
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal data. We may share your information only in these circumstances:
- Sub-processors: trusted third parties who help us operate the Service (hosting, email delivery, payment processors, AI providers). They act as data processors under contractual safeguards (Standard Contractual Clauses where appropriate) and may not use your data for their own purposes. See our Sub-processors page for the current list.
- Legal requirements: if required by valid legal process (court order, subpoena, regulatory request), we may disclose information necessary to comply. Where legally permitted, we will notify you first.
- Safety and rights: to investigate fraud, abuse, or threats to the safety of any person, or to enforce our Terms.
- Business transfers: in the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred. We will notify affected users via the Site or by email and continue to honour this Privacy Policy.
- With your consent: for any other purpose with your explicit consent.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Site. For complete details — including a per-cookie table, third-party cookies, and how to manage them — see our Cookie Policy.
6.1 Categories at a Glance
| Category | Purpose | Examples |
|---|---|---|
| Essential | Required for the Site to function. Cannot be disabled. | Session cookie, CSRF token, authentication cookie |
| Preference | Remember your settings across sessions. | Dark-mode preference, language selection |
| Analytics | Understand how visitors use the Site (aggregate, anonymised). Loaded only after consent in regions that require it. | Google Analytics 4 (_ga, _gid) |
| Advertising | Deliver relevant ads via Google AdSense and partner networks. Loaded only after consent in regions that require it. | Google AdSense cookies (__gads) |
6.2 Honouring Privacy Signals
We honour the Global Privacy Control (GPC) signal as a valid opt-out from "sale" or "sharing" of personal information for users in California and other US states whose laws recognise GPC. See our Do Not Sell or Share page for details.
7. Data Retention
- Account data: retained for as long as your account is active. After deletion, residual data may persist in encrypted backups for up to 90 days.
- Log data: retained for up to 12 months for security and abuse-prevention purposes.
- Tool inputs: processed in real time and not stored beyond the current session unless you save results explicitly (e.g. Website Reviewer reports, YouTube summaries).
- Tool-run telemetry: per-tool, per-country aggregate counts kept for 180 days, then pruned.
- Payment records: retained for 7 years to comply with financial regulations.
- Support emails: retained for 24 months unless a longer period is required for legal reasons.
8. Security
We implement industry-standard safeguards, including:
- TLS/HTTPS encryption for all data in transit.
- bcrypt password hashing.
- HttpOnly, SameSite=Lax session cookies to mitigate CSRF and cookie theft via XSS.
- Rate limiting and DDoS mitigation at the application layer.
- Two-factor authentication (TOTP) available on every account.
- Encrypted database backups with restricted access.
- Principle of least privilege for staff access; access logs are retained.
No method of transmission or storage is 100% secure. We take all reasonable precautions but cannot guarantee absolute security.
9. Personal Data Breach Notification
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (e.g. the ICO for UK incidents, the lead EEA DPA for EU incidents) within 72 hours of becoming aware of the breach (Art. 33 GDPR).
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).
- Comply with US-state breach-notification laws (including California Civil Code §§ 1798.29 / 1798.82 and equivalents).
Notifications will describe the nature of the breach, the likely consequences, the measures taken, and the steps you can take to protect yourself.
10. Your Rights Under GDPR (EEA / UK Residents)
If you reside in the EEA or UK, you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, the right to withdraw consent at any time, and the right to not be subject to automated decision-making. For complete detail and how to exercise each right, see our dedicated GDPR Rights page.
11. Your Rights Under CCPA / CPRA (California Residents)
California residents have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, the categories of sources, the business purposes for collection, and the third parties with whom we share it.
- Right to access a copy of the personal information we hold about you.
- Right to correct inaccurate personal information.
- Right to delete personal information we hold about you, subject to legal exceptions.
- Right to opt out of "sale" or "sharing" of personal information — see our Do Not Sell or Share My Personal Information page.
- Right to limit use of sensitive personal information — we do not collect SPI for inference or advertising; details on the Do-Not-Sell page.
- Right to non-discrimination — we will not deny service, charge a different price, or downgrade quality because you exercised a right.
To exercise any of these rights, email info@baaed.com from the address on your account. We will respond within 45 days, with one 45-day extension where reasonably necessary.
11.1 CCPA "Shine the Light" (California Civil Code § 1798.83)
California residents may request a list of personal information we have disclosed to third parties for their direct-marketing purposes during the prior calendar year. We do not disclose personal information to third parties for their direct marketing.
12. Other US-State Privacy Rights
Residents of the following states have privacy rights similar to (and in some cases broader than) the CCPA/CPRA. You may exercise them through the same channels as California residents:
- Virginia — Virginia Consumer Data Protection Act (VCDPA).
- Colorado — Colorado Privacy Act (CPA), including the right to opt out via a Universal Opt-Out Mechanism.
- Connecticut — Connecticut Data Privacy Act (CTDPA).
- Utah — Utah Consumer Privacy Act (UCPA).
- Texas — Texas Data Privacy and Security Act (TDPSA).
- Oregon, Montana, Tennessee, Iowa, Indiana, Florida and other states whose comprehensive privacy laws are in force.
If you reside in a state not listed but with comparable rights, contact us — we will honour them.
13. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EEA), and we do not knowingly collect personal information from children. We do not require government identifiers to verify age; we rely on the user representation made at registration.
If you believe we may have collected personal information from a child under 13 (or 16 in the EEA) without verifiable parental consent, please contact us at info@baaed.com and we will:
- Promptly delete the account and any associated personal information.
- Confirm the deletion to the parent or guardian.
- Take additional steps as required by COPPA (15 U.S.C. § 6501 et seq.) and equivalent laws.
14. Third-Party Services and Sub-processors
We use a small number of third-party providers to deliver the Service. The complete and current list, with each provider's role, region, and applicable safeguards, lives on our Sub-processors page. Top-level summary:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Cloudflare | CDN and DDoS protection | cloudflare.com |
| AWS | Hosting and storage | aws.amazon.com/privacy |
| Stripe | Payments | stripe.com/privacy |
| PayPal | Payments | paypal.com |
| SendGrid | Transactional email | twilio.com |
| Google Analytics 4 | Aggregate analytics | policies.google.com |
| Google AdSense | Advertising | policies.google.com |
| Anthropic, OpenAI, OpenRouter | AI tool back-ends (see Section 15) | See Sub-processors |
| Google / Facebook / Twitter OAuth | Optional social login | See each provider |
15. AI Tools and Model Providers
Some of our tools are powered by large-language-model APIs from Anthropic, OpenAI, and (where you configure it) OpenRouter. When you use an AI tool, the prompt you submit (and any text you ask the tool to operate on) is sent to the chosen provider's API to generate a response. Specifically:
- We send only the inputs needed to fulfil your request — not your account profile, IP address, or browsing history.
- We use the providers' API offerings (not their consumer products). Anthropic and OpenAI contractually commit to not training on API data by default.
- Where the provider supports it, we use zero-retention mode so prompts are not stored beyond the duration of the request.
- You are responsible for not pasting confidential or regulated data (e.g. PHI, PCI, classified information) into AI tools.
- AI outputs may contain errors or "hallucinations" and should not be the sole basis for important decisions. See our Terms of Service, Section 11.
16. International Data Transfers
Our primary infrastructure is located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US (and other countries where our sub-processors operate).
For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards under Chapter V of the GDPR, including:
- Standard Contractual Clauses (Commission Decision 2021/914) with our processors.
- EU–US Data Privacy Framework certification, where the recipient is enrolled.
- Adequacy decisions for transfers to countries the European Commission has deemed adequate (Andorra, Argentina, Canada, Israel, Japan, New Zealand, South Korea, Switzerland, the UK, Uruguay, Faroe Islands, Guernsey, Isle of Man, Jersey).
17. Marketing Communications
We send transactional emails (account verification, password reset, billing receipts, security alerts) regardless of preference because they are necessary to deliver the Service.
We send marketing emails (product updates, tips, occasional promotional offers) only if you have opted in. Every marketing email contains an unsubscribe link in the footer that takes effect within 10 business days, as required by CAN-SPAM Act § 5. You may also unsubscribe at any time from your account → Notification preferences, or by emailing info@baaed.com.
18. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify users by email and/or a prominent banner on the Site, at least 30 days before the changes take effect.
- Where the law requires it (e.g. expanded use of personal data, new categories of recipients), seek fresh consent.
Continued use of the Service after the effective date of a revised policy constitutes acceptance of that policy.
19. Contact Us
For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact our privacy team at info@baaed.com.
We aim to respond to all legitimate privacy requests within 30 days. For complex requests, we may extend this by a further 60 days but will notify you of the extension.