Version: 1.3
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
While we use industry-standard security practices, no method of transmission over the internet or electronic storage is 100% secure. We are committed to protecting your personal data and implementing security measures appropriate for our service.
We collect information you voluntarily provide to us, including:
We automatically collect certain information when you use our service:
Under GDPR, we process your personal data based on the following legal bases:
Processing necessary for the performance of our contract with you or to take steps at your request prior to entering into a contract:
Processing necessary for our legitimate interests, where these interests are not overridden by your fundamental rights:
Processing based on your explicit consent, which you can withdraw at any time:
We work with the following third-party services to provide and improve our service:
Purpose: Product analytics, user behavior tracking, service optimization, and technical support
Legal Basis: Legitimate interest for guests (with opt-out rights), Performance of contract for registered users
Data Location: International infrastructure with GDPR compliance measures
Data Processed: Usage patterns, feature interactions, performance metrics, error tracking
Purpose: Marketing attribution, conversion tracking, advertising measurement, and campaign optimization
Legal Basis: Explicit consent (required)
Data Location: International transfers with appropriate safeguards including EU-US Data Privacy Framework coverage where applicable
Data Processed: Website interactions, conversion events, advertising interactions, marketing campaign performance
Purpose: Affiliate referral tracking and commission management
Legal Basis: Legitimate interest (required for affiliate program functionality)
Data Location: International transfers with appropriate contractual safeguards
Data Processed: Anonymous referral codes, conversion attribution, affiliate tracking data
Purpose: Application hosting, database services, authentication, and content delivery
Legal Basis: Performance of contract
Data Location: International infrastructure with GDPR compliance safeguards
Data Processed: All account and service data, system logs, performance metrics
Purpose: Payment processing and subscription management
Legal Basis: Performance of contract
Data Location: International transfers with adequate safeguards
Data Processed: Payment information, billing details, transaction records
Purpose: AI-powered content generation and processing using both proprietary and third-party AI systems
Legal Basis: Performance of contract
Data Location: Processing may occur across multiple locations with appropriate safeguards as required by applicable data protection laws
Data Processed: User-submitted content for service delivery purposes
Important Data Protection: User content processed through AI systems is not used for model training and is handled solely for providing our service functionality
We provide customized privacy settings based on your relationship with our service:
Analytics: Based on legitimate interest - you can opt out of analytics tracking
Marketing: Requires explicit consent - you can choose whether to allow marketing tracking
Rights: You can object to legitimate interest processing and withdraw consent for marketing
Essential Services: Core functionality and affiliate tracking remain active for service delivery
Analytics: Required for performance of your account contract - cannot be disabled
Reasoning: Analytics help us optimize the service, prevent abuse, ensure fair usage, improve features that benefit all users, and are crucial to providing support
Marketing: Still requires explicit consent - you maintain full control over marketing tracking
Rights: You can withdraw consent for marketing but not for analytics required for service delivery
Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
Google services (Analytics, Ads) are covered by the EU-US Data Privacy Framework, providing adequate protection for data transfers to the United States.
For non-EU service providers (Stripe, PostHog, Supabase production, Reddit Pixel), we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.
Our production services are hosted in the United States with appropriate data protection safeguards including encryption, access controls, and contractual protections.
Under GDPR, you have the following rights regarding your personal data:
You can request a copy of the personal data we hold about you, including information about how we process it.
How to exercise: Email us at support@ba-copilot.com with "Data Access Request" in the subject line.
You can request correction of inaccurate or incomplete personal data.
How to exercise: Update your account settings or contact support@ba-copilot.com.
You can request deletion of your personal data in certain circumstances, such as when it's no longer necessary for the original purpose.
How to exercise: Delete your account through settings or contact support@ba-copilot.com.
You can request your personal data in a structured, machine-readable format to transfer to another service.
How to exercise: Email support@ba-copilot.com with "Data Portability Request" in the subject line.
You can withdraw consent for marketing tracking at any time without affecting other services.
How to exercise: Use our privacy preferences banner or account settings.
We will respond to your privacy rights requests within one month of receiving your request. In complex cases, we may extend this by an additional two months, with an explanation.
We retain your personal data only as long as necessary for the purposes for which it was collected:
Support tickets and communications are retained for 3 years for quality assurance and legal compliance.
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes:
If you have any questions about this privacy policy or how we handle your personal data, please contact us:
Email: support@ba-copilot.com
Subject Line for Privacy Requests: Include "Privacy Request" to ensure prompt handling
Response Time: We aim to respond to privacy inquiries within 5 business days
For formal complaints about our data processing, you also have the right to lodge a complaint with your local data protection authority.
The data controller responsible for your personal data is:
Company: BA Copilot
Registered Address: United Kingdom
Email: support@ba-copilot.com
Privacy Contact: For all data protection and privacy inquiries, please contact support@ba-copilot.com with "Privacy Request" in the subject line
You have the right to lodge a complaint with the relevant supervisory authority if you believe we have not handled your personal data in accordance with data protection laws.
Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
EU residents can contact their local data protection authority. You can find your local authority at: European Data Protection Board - Members