Privacy Policy

Version: 1.3

Table of Contents
  1. Security Measures
  2. Information We Collect
  3. Legal Bases for Processing
  4. Third-Party Services
  5. User Type Tailored Settings
  6. International Data Transfers
  7. Your Privacy Rights
  8. Data Retention
  9. Contact Information
  10. Data Controller Information
  11. Supervisory Authority and Complaints

1. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: HTTPS encryption for data transmission to protect data in transit
  • Access Controls: Role-based access controls and authentication systems with session management
  • Infrastructure Security: Secure cloud hosting with enterprise-grade data protection safeguards

While we use industry-standard security practices, no method of transmission over the internet or electronic storage is 100% secure. We are committed to protecting your personal data and implementing security measures appropriate for our service.


2. Information We Collect
2.1 Information You Provide

We collect information you voluntarily provide to us, including:

  • Account Information: Name, email address, password when you create an account
  • Payment Information: Billing details processed through Stripe (we do not store payment card details)
  • Content: Chat messages, flowchart diagrams, and other content you create using our service
  • Communications: Messages you send to our support team or feedback you provide
2.2 Information We Collect Automatically

We automatically collect certain information when you use our service:

  • Usage Data: How you interact with our service, features used, time spent
  • Technical Data: IP address, browser type, device information, operating system
  • Performance Data: Error logs, page load times, API response times
  • Referral Data: Affiliate codes and marketing campaign attribution data

Under GDPR, we process your personal data based on the following legal bases:

3.1 Necessary for Service Delivery (Article 6(1)(b))

Processing necessary for the performance of our contract with you or to take steps at your request prior to entering into a contract:

  • Account creation and authentication
  • Providing the AI flowchart generation service
  • Payment processing and billing
  • Customer support and service communications
  • Analytics for registered users (required for service optimization and contract performance)
3.2 Legitimate Interest (Article 6(1)(f))

Processing necessary for our legitimate interests, where these interests are not overridden by your fundamental rights:

  • Analytics for guest users: Understanding how our service is used to improve functionality and user experience
  • Affiliate tracking: Managing our affiliate program and ensuring proper commission payments to partners
  • Security and abuse prevention: Protecting our service through authentication controls and monitoring for malicious activity
3.3 Consent (Article 6(1)(a))

Processing based on your explicit consent, which you can withdraw at any time:

  • Marketing analytics (Google Analytics when used for marketing attribution)
  • Advertising tracking (Google Ads conversion tracking, Reddit Pixel)
  • Marketing communications and promotional content

4. Third-Party Services

We work with the following third-party services to provide and improve our service:

4.1 Analytics Services

Purpose: Product analytics, user behavior tracking, service optimization, and technical support

Legal Basis: Legitimate interest for guests (with opt-out rights), Performance of contract for registered users

Data Location: International infrastructure with GDPR compliance measures

Data Processed: Usage patterns, feature interactions, performance metrics, error tracking

4.2 Marketing and Advertising Services

Purpose: Marketing attribution, conversion tracking, advertising measurement, and campaign optimization

Legal Basis: Explicit consent (required)

Data Location: International transfers with appropriate safeguards including EU-US Data Privacy Framework coverage where applicable

Data Processed: Website interactions, conversion events, advertising interactions, marketing campaign performance

4.3 Affiliate and Referral Services

Purpose: Affiliate referral tracking and commission management

Legal Basis: Legitimate interest (required for affiliate program functionality)

Data Location: International transfers with appropriate contractual safeguards

Data Processed: Anonymous referral codes, conversion attribution, affiliate tracking data

4.4 Cloud Infrastructure Providers

Purpose: Application hosting, database services, authentication, and content delivery

Legal Basis: Performance of contract

Data Location: International infrastructure with GDPR compliance safeguards

Data Processed: All account and service data, system logs, performance metrics

4.6 Payment Processors

Purpose: Payment processing and subscription management

Legal Basis: Performance of contract

Data Location: International transfers with adequate safeguards

Data Processed: Payment information, billing details, transaction records

4.7 AI Content Processing

Purpose: AI-powered content generation and processing using both proprietary and third-party AI systems

Legal Basis: Performance of contract

Data Location: Processing may occur across multiple locations with appropriate safeguards as required by applicable data protection laws

Data Processed: User-submitted content for service delivery purposes

Important Data Protection: User content processed through AI systems is not used for model training and is handled solely for providing our service functionality


5. User Type Tailored Settings

We provide customized privacy settings based on your relationship with our service:

5.1 Guest Users (Unregistered Visitors)

Analytics: Based on legitimate interest - you can opt out of analytics tracking

Marketing: Requires explicit consent - you can choose whether to allow marketing tracking

Rights: You can object to legitimate interest processing and withdraw consent for marketing

Essential Services: Core functionality and affiliate tracking remain active for service delivery

5.2 Registered Users (Account Holders)

Analytics: Required for performance of your account contract - cannot be disabled

Reasoning: Analytics help us optimize the service, prevent abuse, ensure fair usage, improve features that benefit all users, and are crucial to providing support

Marketing: Still requires explicit consent - you maintain full control over marketing tracking

Rights: You can withdraw consent for marketing but not for analytics required for service delivery


6. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

6.1 EU-US Data Privacy Framework

Google services (Analytics, Ads) are covered by the EU-US Data Privacy Framework, providing adequate protection for data transfers to the United States.

6.2 Standard Contractual Clauses

For non-EU service providers (Stripe, PostHog, Supabase production, Reddit Pixel), we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.

6.3 Service Hosting

Our production services are hosted in the United States with appropriate data protection safeguards including encryption, access controls, and contractual protections.


7. Your Privacy Rights

Under GDPR, you have the following rights regarding your personal data:

7.1 Right of Access (Article 15)

You can request a copy of the personal data we hold about you, including information about how we process it.

How to exercise: Email us at support@ba-copilot.com with "Data Access Request" in the subject line.

7.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

How to exercise: Update your account settings or contact support@ba-copilot.com.

7.3 Right to Erasure (Article 17)

You can request deletion of your personal data in certain circumstances, such as when it's no longer necessary for the original purpose.

How to exercise: Delete your account through settings or contact support@ba-copilot.com.

7.4 Right to Data Portability (Article 20)

You can request your personal data in a structured, machine-readable format to transfer to another service.

How to exercise: Email support@ba-copilot.com with "Data Portability Request" in the subject line.

7.6 Right to Withdraw Consent

You can withdraw consent for marketing tracking at any time without affecting other services.

How to exercise: Use our privacy preferences banner or account settings.

7.7 Response Timeframes

We will respond to your privacy rights requests within one month of receiving your request. In complex cases, we may extend this by an additional two months with explanation.


8. Data Retention

We retain your personal data only as long as necessary for the purposes for which it was collected:

8.1 Account Data
  • Active Accounts: Retained while your account is active and for 3 years after account deletion
  • Deleted Accounts: Most data deleted within 30 days, with some records retained for legal compliance
8.2 Payment Data
  • Billing Records: Retained for 7 years for tax and accounting purposes
  • Payment Details: Not stored by us (handled directly by Stripe)
8.3 Support Communications

Support tickets and communications retained for 3 years for quality assurance and legal compliance.


9. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes:

  • We will update the effective date at the top of this policy
  • We will provide notice of any material changes through our website or via email

10. Contact Information

If you have any questions about this privacy policy or how we handle your personal data, please contact us:

Email: support@ba-copilot.com

Subject Line for Privacy Requests: Include "Privacy Request" to ensure prompt handling

Response Time: We aim to respond to privacy inquiries within 5 business days

For formal complaints about our data processing, you also have the right to lodge a complaint with your local data protection authority.


11. Data Controller Information

The data controller responsible for your personal data is:

Company: BA Copilot

Registered Address: United Kingdom

Email: support@ba-copilot.com

Privacy Contact: For all data protection and privacy inquiries, please contact support@ba-copilot.com with "Privacy Request" in the subject line


12. Supervisory Authority and Complaints

You have the right to lodge a complaint with the relevant supervisory authority if you believe we have not handled your personal data in accordance with data protection laws.

For UK Residents

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

For EU Residents

EU residents can contact their local data protection authority. You can find your local authority at: European Data Protection Board - Members