01 At a glance
- We sell digital products and memberships. We are a "business" under the CCPA/CPRA and a "controller" under the GDPR/UK GDPR.
- We collect contact, billing, transaction, device, and usage data in order to deliver the products you buy, run our site, prevent fraud, comply with law, and improve the service.
- We do not sell your personal information for money. We do use the Meta (Facebook) Pixel for advertising measurement and retargeting, which may constitute "sharing" (and, on some interpretations, a "sale") under the CCPA/CPRA. You can opt out at any time on our Do Not Sell or Share My Personal Information page or by rejecting marketing cookies in our cookie banner, and we honor Global Privacy Control (GPC) signals as a valid opt-out.
- If you connect a Google or Microsoft account (or any other tool) to our automation Products, we access it only to run the automations you build, we store only an encrypted sign-in token, and we never use that data for advertising or to train AI models. Full details — including our Google API Services Limited Use commitment — are in §22 (Connected accounts & Google user data).
- You have rights. You can request access, deletion, correction, portability, and other rights described below. EU/UK/CA/other state residents have additional specific rights.
- You can reach us at hello@businessautomator.com.
02 Who we are & scope
The data controller (GDPR/UK GDPR) and business (CCPA/CPRA) responsible for your personal information is:
This Policy covers personal information processed in connection with (a) the Business Automator website and any subdomains, (b) all current and future Products, (c) our marketing emails and broadcasts, and (d) our customer support and account interactions (collectively, the "Service"). It does not apply to third-party websites, apps, or services linked from the Service — those are governed by the third party's own privacy policy.
03 Personal information we collect
We collect the following categories of personal information. The CCPA category codes (A through K, plus "sensitive PI") are listed for California-resident transparency under Cal. Civ. Code § 1798.140.
| Category | Examples | Source | Retained for |
|---|---|---|---|
| A. Identifiers | name, email address, postal address, IP address, browser session ID, Stripe customer ID, Supabase customer ID, account credentials (hashed) | You; automated when you use the site; Stripe; Supabase | As long as you have an active account or entitlement, plus retention periods in §11 |
| B. Customer records (Cal. Civ. Code § 1798.80(e)) | billing address, payment card brand and last‑4 digits, billing email (full card numbers are processed by Stripe and never stored on our servers) | You at checkout; Stripe | 7 years (tax/audit) |
| D. Commercial information | Products purchased, order bumps, upsells, subscription tier, refunds, chargebacks, cancellation history, entitlements | You; Stripe | 7 years (tax/audit) |
| F. Internet / network activity | pages visited, referring URL, UTM parameters, clicks on CTAs, time on page, scroll depth, device and browser identifiers, error logs, approximate session duration | Automated when you use the site; cookies/SDKs | Up to 26 months for analytics |
| G. Geolocation (approximate, IP‑derived) | country, region, city — never precise GPS coordinates | Automated from IP address; Vercel; Stripe Radar | 13 months |
| I. Professional or employment-related | self-reported industry, business type, role, niche (only if you provide it in a form, survey, support ticket, or community post) | You | As long as you have an active account, then 24 months |
| K. Inferences | likelihood to convert, abandoned-checkout status, lifecycle stage, lead score, segment | Derived by us from the data above | Up to 24 months |
| Audio / visual (only if you provide) | your testimonial video or screenshot if you submit one; profile photo if you upload one | You | Until you ask us to remove it |
| Communications content | support emails, replies to our newsletters, community posts, AI prompts and outputs you submit | You | 3 years (for service quality, training, dispute resolution) |
| Connected account data (only if you connect a tool) | OAuth refresh token (encrypted) or API key (encrypted) for services you connect to our automation Products, the connected account's email address and granted permissions, and the data your own automations retrieve from those services when they run (e.g., Gmail messages, calendar events, spreadsheet rows, document content, files saved to Drive) — see §22 | You; the services you choose to connect (e.g., Google, Microsoft) | Tokens/keys: until you disconnect. Retrieved data: processed transiently; bounded excerpts kept in your private run history until you delete the agent or your account |
Sensitive personal information. We do not intentionally collect "sensitive personal information" as defined under the CPRA (such as government IDs, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, contents of mail/email/SMS, genetic, biometric, health, or sex-life data). Payment account information you enter at checkout is transmitted directly to Stripe over an encrypted connection — we never see or store the full card number, CVC, or expiration. We do not "use or disclose" sensitive PI for any purpose other than those listed in Cal. Civ. Code § 1798.121(a) (servicing the request).
One exception — accounts you connect. If you connect an email or similar account (such as Gmail or Outlook) to our automation Products and direct an automation to read it, we will process the content that automation retrieves — which may include the contents of your email — strictly at your direction and only to execute that automation, as described in §22 (Connected accounts & Google user data). We never use that content for advertising, profiling, or model training, and you can disconnect at any time.
We do not knowingly collect or process the personal information of children under 18. See §19 (Children's privacy).
04 Sources we collect it from
- Directly from you — when you submit forms (email capture, checkout, account, support, community, surveys).
- Automatically — when you visit the Service, via cookies, log files, and similar technologies (see §9).
- From our service providers — Stripe (payment confirmations, fraud signals, customer IDs), Supabase (account records), Resend (delivery/bounce/complaint events), Vercel (request logs, IP, approximate geolocation).
- From advertising and analytics partners — e.g., the Meta (Facebook) Pixel, which (with your consent where required) sets cookies and receives online identifiers and behavior events from the Service for advertising measurement and retargeting.
- From public sources — occasionally, publicly available information for fraud prevention or to verify business contacts.
05 How and why we use it
We process personal information for the following business and commercial purposes (CCPA/CPRA terminology) and processing purposes (GDPR/UK GDPR terminology):
- Provide the Service: create your account, deliver the Products you purchased, process payments, grant and revoke entitlements, send order confirmations and receipts, support subscription billing and cancellation.
- Customer support: respond to inquiries, troubleshoot, process refunds, investigate disputes.
- Communicate with you: send transactional emails (receipts, scheduled "your spot is held" abandoned-checkout reminders, password resets, service updates), and — with your consent or where permitted by law — send marketing emails, broadcasts, drip sequences, and surveys.
- Operate and improve the Service: measure performance, debug, run A/B tests, analyze funnel conversion, develop new features, improve copy and design.
- Security and fraud prevention: detect and prevent unauthorized access, fraud, chargebacks, abuse, scraping, account-takeover; protect users and our business; verify identity.
- Legal and regulatory compliance: tax reporting, accounting, audit, anti-money-laundering, sanctions screening, responding to lawful requests from courts, regulators, or law enforcement.
- Enforce our Terms and protect rights: investigate Terms violations, defend or assert legal claims, protect the rights, property, and safety of users and others.
- Business transactions: in connection with a merger, financing, acquisition, sale of assets, reorganization, bankruptcy, or similar transaction.
- Aggregated or de-identified data: we may create aggregated or de-identified data that cannot reasonably be used to identify you and use it for any purpose without restriction.
06 Legal bases (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR / UK GDPR for processing your personal information:
| Processing activity | Legal basis |
|---|---|
| Performing the contract for a Product or Subscription you purchased; account management | Contract (Art. 6(1)(b)) |
| Sending transactional / service emails (receipts, password reset, "your spot is held" reminder) | Contract (Art. 6(1)(b)) and our legitimate interest in keeping you informed (Art. 6(1)(f)) |
| Marketing emails to existing customers about similar Products | Our legitimate interest in promoting our Products (Art. 6(1)(f)) and, where required (e.g., UK / Germany), your consent (Art. 6(1)(a)) |
| Marketing emails / newsletter to non-customers | Your consent (Art. 6(1)(a)) |
| Cookies and similar tech that aren't strictly necessary (analytics, ad pixels) | Your consent (Art. 6(1)(a)) via cookie banner where required |
| Tax, accounting, audit, fraud-prevention obligations | Legal obligation (Art. 6(1)(c)) and our legitimate interest in preventing fraud (Art. 6(1)(f)) |
| Improving and securing the Service; analytics | Our legitimate interest in maintaining and improving the Service (Art. 6(1)(f)) |
| Establishment, exercise, or defense of legal claims | Our legitimate interest in protecting our rights (Art. 6(1)(f)) and where applicable, legal obligation (Art. 6(1)(c)) |
| Business transactions (mergers, acquisitions) | Our legitimate interest in conducting our business (Art. 6(1)(f)) |
You can object to processing based on legitimate interests or withdraw your consent at any time (see §18 (How to exercise your rights)). Withdrawing consent does not affect the lawfulness of processing before the withdrawal.
07 Who we share it with
We do not rent or trade your personal information. We share personal information only as described below.
Service providers ("processors" / "service providers" / "contractors")
We disclose personal information to vendors who process it on our behalf under written agreements that restrict their use to providing services to us. Current vendors include:
| Vendor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing, fraud prevention (Radar), subscription billing | Identifiers, billing info, payment card metadata (last 4, brand), commercial information, device/network info, IP, country |
| Supabase, Inc. | Database / authentication / account records | Identifiers, commercial information, entitlements, event logs |
| Vercel Inc. | Hosting, edge delivery, request logs, deployments, optionally Web Analytics / Speed Insights | Identifiers (IP), internet/network activity, approximate geolocation, performance metrics |
| Resend, Inc. | Transactional and marketing email delivery, audience management, deliverability events (opens, clicks, bounces, complaints) | Identifiers (email, IP), engagement events, email content |
| PostHog Inc. (US Cloud) | Product analytics, funnel measurement, autocapture of clicks/page-views, session replay (with input values masked), heatmaps, rage/dead-click detection | Identifiers (anonymous device id, email after sign-up), internet/network activity, click and navigation events, masked DOM recordings, approximate geolocation derived from IP |
| Microsoft Corporation (Clarity) | Behavioral analytics — heatmaps, scroll depth, click-recurrence and rage/dead-click clustering on customer-facing pages | Identifiers (anonymous device id), internet/network activity, masked input values, viewport size, approximate geolocation derived from IP |
| AI model providers (e.g., OpenAI, Anthropic, Google, or others — as enabled in the Products) | Powering the AI agents and AI tooling offered through the Products | Prompts and content you submit to the AI tools (which may include identifiers or content you choose to include), and — only when an automation you built routes it there — data that automation retrieved from an account you connected (see §22); never for the provider's model training |
| Sentry, Datadog, or similar (if enabled) | Error tracking and observability | Identifiers (IP, user ID), internet/network activity, error/diagnostic data |
Advertising partners ("third parties" for cross-context behavioral advertising)
Unlike the service providers above (which process data only on our behalf under written contract), the following is a "third party" under the CCPA/CPRA — it receives personal information to help measure and target advertising across other sites and apps. This is the "sharing" described in §08, and you can opt out at any time via the cookie banner, our Do Not Sell or Share page, or Global Privacy Control (GPC). For EU/EEA/UK/Swiss visitors, this third party receives nothing unless you opt in.
| Third party | Purpose | Data shared |
|---|---|---|
| Meta Platforms, Inc. (Meta / Facebook Pixel + Conversions API) | Cross-context behavioral advertising — ad measurement, optimization, and retargeting | A. Identifiers (cookie identifiers such as the Meta _fbp/_fbc cookies, IP address, and hashed email); F. Internet / network activity (pages viewed, clicks, and funnel events); D. Commercial information (products purchased, order value, subscription tier). Meta may derive its own inferences (K) from this data. |
Professional advisors and authorities
Lawyers, accountants, auditors, insurers, and bankers; courts, regulators, and law enforcement when we are required by law, subpoena, court order, or other valid legal process, or when we believe in good faith that disclosure is reasonably necessary to protect the rights, property, or safety of any person, prevent fraud, enforce our Terms, or comply with law.
Business transfers
In the event of a merger, acquisition, financing, reorganization, dissolution, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of the transaction. We will use commercially reasonable efforts to notify you (e.g., via email or a notice on the Service) before your personal information becomes subject to a different privacy policy.
With your consent or at your direction
We will share personal information for any other purpose disclosed to you at the time we collect the information, or otherwise with your consent or at your direction (for example, when you ask us to share a testimonial publicly).
08 "Sale" or "sharing" of personal information
We do not sell personal information for monetary consideration. The CCPA/CPRA, however, defines "sale" and "sharing" broadly to include any disclosure of personal information for cross-context behavioral advertising — even when no money changes hands. Examples of activities that could qualify include allowing third-party advertising pixels (such as the Meta Pixel, Google Ads, TikTok Pixel, LinkedIn Insight Tag) to set cookies and receive identifiers and behavior events from the Service.
As of the Last updated date above, we use the Meta (Facebook) Pixel on the Service for advertising measurement and retargeting. Because it discloses online identifiers (such as cookie IDs and IP address) and your activity on the Service to Meta for cross-context behavioral advertising, this may constitute "sharing" (and, on some interpretations, a "sale") under the CCPA/CPRA — even though no money changes hands. Accordingly, we:
- disclose the categories of personal information shared — A. Identifiers (cookie identifiers such as the Meta
_fbp/_fbccookies, IP address, and hashed email), F. Internet / network activity (pages viewed, clicks, and funnel events), and D. Commercial information (products purchased and order value) — and the recipient, our advertising partner Meta Platforms, Inc. (a "third party," not a service provider — see §07); - provide a "Do Not Sell or Share My Personal Information" link in our website footer;
- honor opt-outs submitted via that link, and via the marketing-cookies toggle in our cookie banner;
- honor browser-based opt-out preference signals, including the Global Privacy Control (GPC), as a valid request to opt out of sale/sharing for the browser session and any linked account where reasonably feasible;
- for EU/EEA/UK/Swiss visitors, load the Pixel only after opt-in consent via the cookie banner;
- treat known minors under 16 as opted-out by default unless valid consent is obtained.
Other than the cross-context behavioral advertising performed via the Meta Pixel described above (enabled as of the Last updated date), we have not sold or shared the personal information of any consumer in the preceding 12 months, and we do not sell personal information for monetary consideration. We do not knowingly sell or share personal information of consumers under 16.
09 Cookies, analytics & tracking
We and our service providers use cookies, local storage, session storage, server logs, pixels, web beacons, SDKs, and similar technologies (collectively, "cookies") to operate, secure, and improve the Service. The cookies we currently use fall into these categories:
- Strictly necessary — required to deliver the Service you requested (e.g., maintaining your checkout state in
sessionStorage.ba_funnel_order, your remembered theme inlocalStorage.ba_funnel_theme, Stripe's fraud-prevention cookies on the checkout pages, our anti-abuse and security cookies). - Functional — remember choices you make (e.g., theme) to give you a better experience.
- Analytics — measure traffic and engagement so we can improve the Service. We use first-party logs from Vercel together with PostHog (autocapture, heatmaps, and session replay with all input values masked) and Microsoft Clarity (heatmaps and behavioral analytics). For EU/EEA/UK/Swiss visitors, both PostHog and Clarity are loaded only after you opt in via the cookie banner; for visitors outside those regions, they load by default subject to the controls described in §8 (including Global Privacy Control). Session replays never capture the values you type into form fields, and the Stripe payment fields run in a cross-origin frame that is excluded from recording.
- Advertising — we use the Meta (Facebook) Pixel (
fbevents.js, which sets the_fbpcookie) for advertising measurement and retargeting. For EU/EEA/UK/Swiss visitors it loads only after you opt in via the cookie banner; for visitors elsewhere it loads by default, subject to the controls in §8 (including Global Privacy Control). You can opt out at any time via the cookie banner, our Do Not Sell or Share page, or a GPC signal.
Most browsers let you control cookies through their settings. Disabling strictly-necessary cookies will break the Service (you may not be able to check out). For EU/EEA/UK visitors, where required by the ePrivacy Directive / PECR, we will request consent before placing non-essential cookies.
10 Email, marketing & SMS
If you submit your email through our forms (for example, the email capture on /ba before checkout), we add it to our newsletter audience (currently named "Business Automator — Subscribers" and managed in Resend). We may send you:
- transactional emails about purchases, accounts, subscriptions, and service updates;
- marketing emails about our own Products and offers;
- scheduled "your spot is held — finish checkout" reminders if you start a checkout and stop;
- educational drip sequences related to our Products.
You can unsubscribe at any time by clicking the unsubscribe link in any marketing email, by emailing hello@businessautomator.com, or via the List-Unsubscribe header in compliant email clients. Even after you unsubscribe from marketing, we may still send transactional emails related to your account, purchases, or refunds.
We send email in compliance with the CAN-SPAM Act, Canada's Anti-Spam Legislation (CASL), the EU ePrivacy Directive, and applicable analogous law. If you are in a jurisdiction that requires opt-in consent for marketing, we will obtain that consent before sending. If we ever send SMS, we will comply with the Telephone Consumer Protection Act (TCPA) and obtain prior express written consent where required; replying STOP will opt you out.
11 Data retention
We keep personal information only as long as necessary for the purposes described in this Policy, to comply with legal, tax, accounting, or reporting obligations, to resolve disputes, and to enforce our agreements. General retention windows:
| Type of data | Retention |
|---|---|
| Account records and entitlements | For the life of your account, plus up to 24 months after the account is closed (for renewal, restoration, fraud, dispute) |
| Order / transaction records, invoices, tax records | 7 years after the transaction (tax and audit) |
| Marketing / newsletter audience records | Until you unsubscribe; after unsubscribe, we retain a suppression list to ensure we don't email you again |
| Support and communications | 3 years from the date of last interaction |
| Server / request logs and analytics | Up to 26 months (logs typically less) |
| Cookie data | Per the lifetime set in the cookie itself or in session storage |
| Funnel event log | Up to 24 months (for analytics and conversion attribution) |
| Backups | Up to 90 days after deletion from production (rolling backup window) |
Where personal information is needed only to demonstrate compliance with a legal obligation, we may retain only the minimum necessary records for that purpose.
12 Security
We implement administrative, technical, and physical safeguards designed to protect personal information. Examples include: TLS encryption in transit; encryption at rest where available from our infrastructure providers; access control, role-separation, and the principle of least privilege for our staff; restricted secret-handling (no payment-card data ever touches our servers — it is processed directly by Stripe); application-level AES-256-GCM encryption of every integration credential you save (API keys and OAuth refresh tokens), held in a database table our web clients cannot read; Postgres row-level-security on databases; signed payment webhooks; idempotent server endpoints; pre-commit secret scanners that block accidental key disclosure; secure development practices.
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. You are responsible for keeping your account credentials confidential, using a strong password (when accounts are available), and notifying us immediately at hello@businessautomator.com of any actual or suspected unauthorized access. In the event of a security incident that affects your personal information, we will notify you as required by applicable law.
13 International data transfers
We are headquartered in the United States. Our service providers may be located in the United States, the European Union, the United Kingdom, Canada, India, or other jurisdictions. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States and in other countries that may not provide the same level of data protection as your home country.
For transfers of personal information out of the EEA, UK, or Switzerland, we rely on appropriate safeguards under Articles 44–49 of the GDPR / UK GDPR, including:
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where required, the UK International Data Transfer Addendum or UK International Data Transfer Agreement;
- the Swiss Addendum to the SCCs for transfers originating in Switzerland;
- certifications under the EU‑U.S. Data Privacy Framework, the UK Extension, and the Swiss‑U.S. Data Privacy Framework, where our vendors are self-certified to those frameworks;
- where required, derogations under Article 49 (e.g., performance of a contract you requested).
For details about a specific transfer or to request a copy of the relevant safeguards, contact us at hello@businessautomator.com.
14 California rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the "CCPA"), gives you the following rights, subject to verification and certain exceptions:
- Right to know. You can request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting or sharing, and the categories of third parties to whom we disclosed it.
- Right to delete. You can request that we delete personal information we have collected from you, subject to exceptions (e.g., to complete a transaction, detect fraud, comply with law).
- Right to correct. You can request that we correct inaccurate personal information we maintain about you.
- Right to opt out of sale / sharing. You can opt out of the "sale" or "sharing" of your personal information — including the cross-context behavioral advertising performed via the Meta Pixel — through our Do Not Sell or Share page, the marketing-cookies toggle in our cookie banner, or a GPC signal; see §8.
- Right to limit use of sensitive PI. You can request that we limit our use of sensitive personal information to those purposes permitted under Cal. Civ. Code § 1798.121(a). We do not currently use sensitive PI for any other purpose.
- Right to non-discrimination. We will not discriminate against you (for example, by denying service, charging different prices, or providing a different level of quality) for exercising any of your CCPA rights.
- Right to opt out of automated decision-making and profiling, once and as those rights are finalized in the CPRA regulations.
How to exercise. Submit a request to hello@businessautomator.com or via our Do Not Sell or Share My Personal Information page. You may use an authorized agent to submit a request on your behalf; we will require proof of authorization. We will respond within 45 days (extendable by another 45 days where reasonably necessary), confirm receipt within 10 business days, and verify your identity before fulfilling certain requests (typically by matching the email associated with your account or transaction).
California "shine the light" law (Cal. Civ. Code § 1798.83): California residents may request information once per year about our disclosures, if any, of personal information to third parties for those third parties' direct-marketing purposes. We do not make such disclosures.
15 Other US state privacy rights
If you reside in Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, your state's comprehensive consumer-privacy law gives you rights similar to those described in §14, including (depending on the state):
- the right to access or know what personal information we process about you;
- the right to correct inaccurate personal information;
- the right to delete personal information;
- the right to obtain a copy of your personal information in a portable, machine-readable format (data portability);
- the right to opt out of the sale of personal information, of targeted advertising, and of certain forms of profiling that produce legal or similarly significant effects;
- where the state law provides one, the right to appeal a denial of your request — submit appeals to hello@businessautomator.com;
- the right to be free from discrimination for exercising these rights.
To exercise these rights, contact us as described in §18. Where the law permits us to require verification, we will do so. If your state does not yet have a comprehensive privacy law in force, we still welcome requests and will respond on a courtesy basis where reasonable.
Nevada (NRS § 603A.340). Nevada residents have the right to direct us not to make any sale of certain "covered information." We do not sell covered information as defined under Nevada law, but you may still submit such a request to hello@businessautomator.com.
16 EU / UK / Switzerland rights (GDPR & UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR / UK GDPR / Swiss FADP, subject to certain conditions and exceptions:
- Right of access — confirm whether we are processing your personal data and, if so, receive a copy (Art. 15).
- Right to rectification — correct inaccurate or incomplete personal data (Art. 16).
- Right to erasure ("right to be forgotten") — request deletion in certain circumstances (Art. 17).
- Right to restriction of processing in certain circumstances (Art. 18).
- Right to data portability — receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller (Art. 20).
- Right to object — object to processing based on our legitimate interests, and to object to processing for direct marketing at any time (Art. 21).
- Right to withdraw consent at any time, where processing is based on consent (Art. 7(3)).
- Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Art. 22).
- Right to lodge a complaint with your local supervisory authority (Art. 77). A list of EU SAs is available at edpb.europa.eu. The UK Information Commissioner's Office is at ico.org.uk. The Swiss FDPIC is at edoeb.admin.ch. We would, however, appreciate the opportunity to address your concerns first — please contact us before lodging a complaint.
EU / UK representative. If we are required to appoint an Article 27 representative for the EU and/or UK, we will identify them in this section once appointed. In the interim, you may contact us at hello@businessautomator.com regarding any GDPR / UK GDPR matter.
17 Canada, Brazil & other jurisdictions
Canada (PIPEDA + Québec Law 25). If you are in Canada, you may request access to, correction of, or information about our handling of your personal information by contacting us as described below. We respond in accordance with PIPEDA and Québec's Law 25 (where applicable).
Brazil (LGPD). If you are in Brazil, you have the rights described in Articles 18–22 of the Lei Geral de Proteção de Dados, including access, correction, anonymization or blocking, portability, deletion, information about sharing, and revocation of consent.
Other. If your jurisdiction grants additional rights that are not described here, contact us and we will endeavor to honor them where applicable.
18 How to exercise your rights
To exercise any right described in §§ 14–17:
- Email hello@businessautomator.com with the subject line "Privacy Request" and tell us which right you are exercising, the personal information at issue, and the state/country in which you reside.
- For opt-out-of-sale/sharing requests, you may also use our Do Not Sell or Share My Personal Information page or send a Global Privacy Control (GPC) signal from your browser.
- To withdraw consent to marketing, click "Unsubscribe" in any marketing email.
Verification. Before fulfilling certain requests, we may need to verify your identity, typically by asking you to confirm information already in our records (for example, the email used to make a purchase). We may decline a request or charge a reasonable fee if it is manifestly unfounded, excessive, or repetitive, to the extent permitted by applicable law.
Authorized agents. California, EEA/UK, and other-state law allow you to designate an authorized agent. We will require evidence of the agent's authority (e.g., a signed permission, power of attorney) and may require you to verify your own identity.
Response time. We will respond within the time required by your applicable law (45 days under the CCPA, extendable by 45 days; one month under the GDPR, extendable by two months for complex requests). If we deny your request, we will explain why; where the law provides an appeal right (e.g., Colorado, Connecticut, Virginia, Texas), we will explain how to appeal.
19 Children's privacy
The Service is intended for users 18 years of age and older. We do not knowingly collect, sell, or share personal information of children under 13 (in the United States) or under 16 (in the EEA / UK), or of any minor under 18 anywhere. If you believe we have collected personal information of a minor, contact us at hello@businessautomator.com and we will promptly delete it.
20 Do Not Track & Global Privacy Control
Most web browsers offer a "Do Not Track" (DNT) feature. Because there is no industry standard for how to respond to DNT signals, we do not currently respond to DNT signals.
We do, however, honor the Global Privacy Control (GPC) as a valid request to opt out of "sale" and "sharing" of personal information under the CCPA/CPRA and equivalent state laws, to the extent we engage in any such activity. The GPC signal is treated as an opt-out for the browser sending it and, where we can reasonably link the signal to an account, for that account.
21 Automated decisions, profiling & AI
We do not make decisions about you that produce legal or similarly significant effects (such as approving or denying a substantive Service feature) based solely on automated processing. We may use automated rules and machine-learning models for fraud prevention (e.g., Stripe Radar), spam filtering, marketing segmentation, and product personalization. Where required by law, we will provide additional information about the logic involved and the significance and consequences of the processing, and you have a right to object as described in §16.
AI prompts and outputs. When you use AI features in the Products, the prompts you submit (and any data you choose to include in those prompts) may be transmitted to an AI model provider. Do not include sensitive personal information in your prompts unless you have a lawful basis to do so. AI outputs may be inaccurate or biased and should not be relied upon without independent verification (see also Section 11 of our Terms of Use).
22 Connected accounts & Google user data
Some of our Products (for example, the BA Agents automation builder) let you connect third-party accounts so the agents and automations you build can act on your behalf — either by saving an API key or by signing in with the provider (OAuth). This section explains exactly what we access, why, how it is used, stored, and shared, and how to disconnect. It applies to every connected account and, in particular, to Google user data received through Google APIs (Gmail, Google Calendar, Google Sheets, Google Docs, Google Drive) and to Microsoft data received through Microsoft Graph (Outlook / Microsoft 365).
What we access, and why
We request access only when you choose to connect a specific tool, and only the permissions that tool needs. You will always see and approve the exact permissions on Google's (or Microsoft's) own consent screen before anything is connected, and we never see or store your Google or Microsoft password. The permissions we may request are:
| Permission (scope) | What it lets the automations you build do |
|---|---|
openid, email | Identify which account you connected, so your Connections page can show "Signed in as you@example.com" and route your automations to the right account. |
Gmail — gmail.send | Send emails that an automation you built composes — from your own address, only when your agent runs (for example, an automatic reply or a daily report you configured). |
Gmail — gmail.readonly | Not currently requested. This permission will be added only if and when inbox-reading automations launch. If active, it would let an automation you built read messages it needs (for example, "summarize new invoices in my inbox each morning") — and only what that specific automation requires to run. |
Google Calendar — calendar.events | Create and read events on your calendar when your agent runs (for example, booking an appointment an agent negotiated). |
Google Sheets — spreadsheets | Add rows to the spreadsheets your automation uses (for example, logging new leads to a sheet) — only the spreadsheets the automation you built points at. |
Google Docs — documents | Create documents, and read or append to the documents your automation uses (for example, turning meeting notes into a formatted doc, or reading a brief your agent should work from) — only the documents the automation you built points at. |
Google Drive — drive.file | Save files your automations produce into your Drive (for example, a weekly report or a CSV export), create folders to organize them, and list or read back those files. This is Google's per-file permission: it only ever covers files your automations created (or files you explicitly open with the app) — it cannot see, search, or touch anything else in your Drive. |
Microsoft — Mail.Send, Mail.Read, Calendars.ReadWrite | The Outlook / Microsoft 365 equivalents of the Gmail and Calendar permissions above. |
How we use it
Data received from your connected accounts is used solely to provide and improve user-facing features that you explicitly configure and invoke: running the agents and automations you build, showing you the results in your own private run history, and powering the in-product AI assistant when you ask it to build, test, or troubleshoot your agents. In line with Google's Limited Use requirements:
- No advertising, ever. Google user data is never used for advertising or ad targeting, never disclosed to advertising partners (the Meta Pixel described in §§8–9 receives no connected-account data), and never sold.
- No generalized AI/ML training. We do not use Google user data (or any connected-account data) to develop, improve, or train generalized artificial-intelligence or machine-learning models, and we do not permit any provider to do so on our behalf. When an automation you built routes retrieved content through an AI step, the AI provider configured for that agent processes it solely to generate that automation's output — not to train models.
- No human access. Our personnel do not read data obtained from your connected accounts, except (a) with your explicit permission (for example, a support request where you share a run with us), (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) in aggregated, anonymized form for internal operations.
How it is stored and protected
- When you sign in with Google or Microsoft, we persist only the OAuth refresh token, encrypted with AES-256-GCM in a database table that our web clients cannot read (server-side service role only), together with non-secret metadata (the connected email address and the permissions you granted) so your dashboard can show what is connected.
- Access tokens are never stored. A short-lived access token is obtained on demand each time your automation runs, held in memory only, and discarded.
- Content retrieved by a run (for example, messages a Gmail-reading automation fetched) is processed transiently to execute that run. Bounded excerpts of each step's result are saved to your private run history so you can review exactly what your agent did; that history is visible only to your account.
Sharing
We never sell connected-account data and never "share" it in the CCPA/CPRA cross-context-behavioral-advertising sense. It is disclosed only: (a) to the infrastructure service providers that host our systems under contract restricting their use of it (see §7 — for example, Supabase stores the encrypted token); (b) to the AI model provider configured for your agent, only when and because an automation you built sends content to an AI step; and (c) where required by law (see §7).
Retention, disconnection & deletion
- Disconnect in-app at any time: open Agents → Connections → the connected account → Disconnect. This immediately and permanently deletes the encrypted refresh token (or API key) from our systems.
- Revoke from the provider: you can also revoke Business Automator's access at myaccount.google.com/permissions (Google) or account.live.com/consent/Manage (Microsoft). Once revoked, our stored refresh token stops working and your automations can no longer access the account.
- Run history: deleting an agent permanently deletes its run history, including any retrieved-content excerpts. You can also request deletion of all of your data at hello@businessautomator.com (see §18).
23 Third‑party sites
The Service may contain links to third-party websites, services, or features (for example, social networks, payment portals, or AI model documentation). We do not control and are not responsible for the privacy practices of those third parties. We encourage you to read each third party's privacy policy before providing them with any information.
24 Changes to this Policy
We may revise this Policy from time to time. The "Effective" and "Last updated" dates at the top reflect the most recent revision. If we make material changes, we will use reasonable efforts to notify you (for example, by posting a notice on the Service or sending an email). Your continued use of the Service after the effective date constitutes your acknowledgment of the revised Policy. Prior versions are available on request.
25 Contact us
For any question, concern, request, or complaint about this Policy or our privacy practices: