Legal

Privacy Policy

Effective: July 13, 2026 Last updated: July 13, 2026 Version 1.2
This Privacy Policy explains how IBD Ventures LLC, a Wyoming limited liability company doing business as Business Automator ("Business Automator," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit our website at businessautomator.com, purchase or use any of our Products, or otherwise interact with us. By using our services, you acknowledge the practices described in this Policy. Defined terms have the meanings given in our Terms of Use.

01 At a glance

02 Who we are & scope

The data controller (GDPR/UK GDPR) and business (CCPA/CPRA) responsible for your personal information is:

IBD Ventures LLC (d/b/a Business Automator) 30 N Gould St, Ste R Sheridan, WY 82801 United States Email: hello@businessautomator.com

This Policy covers personal information processed in connection with (a) the Business Automator website and any subdomains, (b) all current and future Products, (c) our marketing emails and broadcasts, and (d) our customer support and account interactions (collectively, the "Service"). It does not apply to third-party websites, apps, or services linked from the Service — those are governed by the third party's own privacy policy.

03 Personal information we collect

We collect the following categories of personal information. The CCPA category codes (A through K, plus "sensitive PI") are listed for California-resident transparency under Cal. Civ. Code § 1798.140.

CategoryExamplesSourceRetained for
A. Identifiers name, email address, postal address, IP address, browser session ID, Stripe customer ID, Supabase customer ID, account credentials (hashed) You; automated when you use the site; Stripe; Supabase As long as you have an active account or entitlement, plus retention periods in §11
B. Customer records (Cal. Civ. Code § 1798.80(e)) billing address, payment card brand and last‑4 digits, billing email (full card numbers are processed by Stripe and never stored on our servers) You at checkout; Stripe 7 years (tax/audit)
D. Commercial information Products purchased, order bumps, upsells, subscription tier, refunds, chargebacks, cancellation history, entitlements You; Stripe 7 years (tax/audit)
F. Internet / network activity pages visited, referring URL, UTM parameters, clicks on CTAs, time on page, scroll depth, device and browser identifiers, error logs, approximate session duration Automated when you use the site; cookies/SDKs Up to 26 months for analytics
G. Geolocation (approximate, IP‑derived) country, region, city — never precise GPS coordinates Automated from IP address; Vercel; Stripe Radar 13 months
I. Professional or employment-related self-reported industry, business type, role, niche (only if you provide it in a form, survey, support ticket, or community post) You As long as you have an active account, then 24 months
K. Inferences likelihood to convert, abandoned-checkout status, lifecycle stage, lead score, segment Derived by us from the data above Up to 24 months
Audio / visual (only if you provide) your testimonial video or screenshot if you submit one; profile photo if you upload one You Until you ask us to remove it
Communications content support emails, replies to our newsletters, community posts, AI prompts and outputs you submit You 3 years (for service quality, training, dispute resolution)
Connected account data (only if you connect a tool) OAuth refresh token (encrypted) or API key (encrypted) for services you connect to our automation Products, the connected account's email address and granted permissions, and the data your own automations retrieve from those services when they run (e.g., Gmail messages, calendar events, spreadsheet rows, document content, files saved to Drive) — see §22 You; the services you choose to connect (e.g., Google, Microsoft) Tokens/keys: until you disconnect. Retrieved data: processed transiently; bounded excerpts kept in your private run history until you delete the agent or your account

Sensitive personal information. We do not intentionally collect "sensitive personal information" as defined under the CPRA (such as government IDs, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, contents of mail/email/SMS, genetic, biometric, health, or sex-life data). Payment account information you enter at checkout is transmitted directly to Stripe over an encrypted connection — we never see or store the full card number, CVC, or expiration. We do not "use or disclose" sensitive PI for any purpose other than those listed in Cal. Civ. Code § 1798.121(a) (servicing the request).

One exception — accounts you connect. If you connect an email or similar account (such as Gmail or Outlook) to our automation Products and direct an automation to read it, we will process the content that automation retrieves — which may include the contents of your email — strictly at your direction and only to execute that automation, as described in §22 (Connected accounts & Google user data). We never use that content for advertising, profiling, or model training, and you can disconnect at any time.

We do not knowingly collect or process the personal information of children under 18. See §19 (Children's privacy).

04 Sources we collect it from

05 How and why we use it

We process personal information for the following business and commercial purposes (CCPA/CPRA terminology) and processing purposes (GDPR/UK GDPR terminology):

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR / UK GDPR for processing your personal information:

Processing activityLegal basis
Performing the contract for a Product or Subscription you purchased; account managementContract (Art. 6(1)(b))
Sending transactional / service emails (receipts, password reset, "your spot is held" reminder)Contract (Art. 6(1)(b)) and our legitimate interest in keeping you informed (Art. 6(1)(f))
Marketing emails to existing customers about similar ProductsOur legitimate interest in promoting our Products (Art. 6(1)(f)) and, where required (e.g., UK / Germany), your consent (Art. 6(1)(a))
Marketing emails / newsletter to non-customersYour consent (Art. 6(1)(a))
Cookies and similar tech that aren't strictly necessary (analytics, ad pixels)Your consent (Art. 6(1)(a)) via cookie banner where required
Tax, accounting, audit, fraud-prevention obligationsLegal obligation (Art. 6(1)(c)) and our legitimate interest in preventing fraud (Art. 6(1)(f))
Improving and securing the Service; analyticsOur legitimate interest in maintaining and improving the Service (Art. 6(1)(f))
Establishment, exercise, or defense of legal claimsOur legitimate interest in protecting our rights (Art. 6(1)(f)) and where applicable, legal obligation (Art. 6(1)(c))
Business transactions (mergers, acquisitions)Our legitimate interest in conducting our business (Art. 6(1)(f))

You can object to processing based on legitimate interests or withdraw your consent at any time (see §18 (How to exercise your rights)). Withdrawing consent does not affect the lawfulness of processing before the withdrawal.

07 Who we share it with

We do not rent or trade your personal information. We share personal information only as described below.

Service providers ("processors" / "service providers" / "contractors")

We disclose personal information to vendors who process it on our behalf under written agreements that restrict their use to providing services to us. Current vendors include:

VendorPurposeData shared
Stripe, Inc.Payment processing, fraud prevention (Radar), subscription billingIdentifiers, billing info, payment card metadata (last 4, brand), commercial information, device/network info, IP, country
Supabase, Inc.Database / authentication / account recordsIdentifiers, commercial information, entitlements, event logs
Vercel Inc.Hosting, edge delivery, request logs, deployments, optionally Web Analytics / Speed InsightsIdentifiers (IP), internet/network activity, approximate geolocation, performance metrics
Resend, Inc.Transactional and marketing email delivery, audience management, deliverability events (opens, clicks, bounces, complaints)Identifiers (email, IP), engagement events, email content
PostHog Inc. (US Cloud)Product analytics, funnel measurement, autocapture of clicks/page-views, session replay (with input values masked), heatmaps, rage/dead-click detectionIdentifiers (anonymous device id, email after sign-up), internet/network activity, click and navigation events, masked DOM recordings, approximate geolocation derived from IP
Microsoft Corporation (Clarity)Behavioral analytics — heatmaps, scroll depth, click-recurrence and rage/dead-click clustering on customer-facing pagesIdentifiers (anonymous device id), internet/network activity, masked input values, viewport size, approximate geolocation derived from IP
AI model providers (e.g., OpenAI, Anthropic, Google, or others — as enabled in the Products)Powering the AI agents and AI tooling offered through the ProductsPrompts and content you submit to the AI tools (which may include identifiers or content you choose to include), and — only when an automation you built routes it there — data that automation retrieved from an account you connected (see §22); never for the provider's model training
Sentry, Datadog, or similar (if enabled)Error tracking and observabilityIdentifiers (IP, user ID), internet/network activity, error/diagnostic data

Advertising partners ("third parties" for cross-context behavioral advertising)

Unlike the service providers above (which process data only on our behalf under written contract), the following is a "third party" under the CCPA/CPRA — it receives personal information to help measure and target advertising across other sites and apps. This is the "sharing" described in §08, and you can opt out at any time via the cookie banner, our Do Not Sell or Share page, or Global Privacy Control (GPC). For EU/EEA/UK/Swiss visitors, this third party receives nothing unless you opt in.

Third partyPurposeData shared
Meta Platforms, Inc. (Meta / Facebook Pixel + Conversions API)Cross-context behavioral advertising — ad measurement, optimization, and retargetingA. Identifiers (cookie identifiers such as the Meta _fbp/_fbc cookies, IP address, and hashed email); F. Internet / network activity (pages viewed, clicks, and funnel events); D. Commercial information (products purchased, order value, subscription tier). Meta may derive its own inferences (K) from this data.

Professional advisors and authorities

Lawyers, accountants, auditors, insurers, and bankers; courts, regulators, and law enforcement when we are required by law, subpoena, court order, or other valid legal process, or when we believe in good faith that disclosure is reasonably necessary to protect the rights, property, or safety of any person, prevent fraud, enforce our Terms, or comply with law.

Business transfers

In the event of a merger, acquisition, financing, reorganization, dissolution, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of the transaction. We will use commercially reasonable efforts to notify you (e.g., via email or a notice on the Service) before your personal information becomes subject to a different privacy policy.

With your consent or at your direction

We will share personal information for any other purpose disclosed to you at the time we collect the information, or otherwise with your consent or at your direction (for example, when you ask us to share a testimonial publicly).

08 "Sale" or "sharing" of personal information

We do not sell personal information for monetary consideration. The CCPA/CPRA, however, defines "sale" and "sharing" broadly to include any disclosure of personal information for cross-context behavioral advertising — even when no money changes hands. Examples of activities that could qualify include allowing third-party advertising pixels (such as the Meta Pixel, Google Ads, TikTok Pixel, LinkedIn Insight Tag) to set cookies and receive identifiers and behavior events from the Service.

As of the Last updated date above, we use the Meta (Facebook) Pixel on the Service for advertising measurement and retargeting. Because it discloses online identifiers (such as cookie IDs and IP address) and your activity on the Service to Meta for cross-context behavioral advertising, this may constitute "sharing" (and, on some interpretations, a "sale") under the CCPA/CPRA — even though no money changes hands. Accordingly, we:

Other than the cross-context behavioral advertising performed via the Meta Pixel described above (enabled as of the Last updated date), we have not sold or shared the personal information of any consumer in the preceding 12 months, and we do not sell personal information for monetary consideration. We do not knowingly sell or share personal information of consumers under 16.

09 Cookies, analytics & tracking

We and our service providers use cookies, local storage, session storage, server logs, pixels, web beacons, SDKs, and similar technologies (collectively, "cookies") to operate, secure, and improve the Service. The cookies we currently use fall into these categories:

Most browsers let you control cookies through their settings. Disabling strictly-necessary cookies will break the Service (you may not be able to check out). For EU/EEA/UK visitors, where required by the ePrivacy Directive / PECR, we will request consent before placing non-essential cookies.

10 Email, marketing & SMS

If you submit your email through our forms (for example, the email capture on /ba before checkout), we add it to our newsletter audience (currently named "Business Automator — Subscribers" and managed in Resend). We may send you:

You can unsubscribe at any time by clicking the unsubscribe link in any marketing email, by emailing hello@businessautomator.com, or via the List-Unsubscribe header in compliant email clients. Even after you unsubscribe from marketing, we may still send transactional emails related to your account, purchases, or refunds.

We send email in compliance with the CAN-SPAM Act, Canada's Anti-Spam Legislation (CASL), the EU ePrivacy Directive, and applicable analogous law. If you are in a jurisdiction that requires opt-in consent for marketing, we will obtain that consent before sending. If we ever send SMS, we will comply with the Telephone Consumer Protection Act (TCPA) and obtain prior express written consent where required; replying STOP will opt you out.

11 Data retention

We keep personal information only as long as necessary for the purposes described in this Policy, to comply with legal, tax, accounting, or reporting obligations, to resolve disputes, and to enforce our agreements. General retention windows:

Type of dataRetention
Account records and entitlementsFor the life of your account, plus up to 24 months after the account is closed (for renewal, restoration, fraud, dispute)
Order / transaction records, invoices, tax records7 years after the transaction (tax and audit)
Marketing / newsletter audience recordsUntil you unsubscribe; after unsubscribe, we retain a suppression list to ensure we don't email you again
Support and communications3 years from the date of last interaction
Server / request logs and analyticsUp to 26 months (logs typically less)
Cookie dataPer the lifetime set in the cookie itself or in session storage
Funnel event logUp to 24 months (for analytics and conversion attribution)
BackupsUp to 90 days after deletion from production (rolling backup window)

Where personal information is needed only to demonstrate compliance with a legal obligation, we may retain only the minimum necessary records for that purpose.

12 Security

We implement administrative, technical, and physical safeguards designed to protect personal information. Examples include: TLS encryption in transit; encryption at rest where available from our infrastructure providers; access control, role-separation, and the principle of least privilege for our staff; restricted secret-handling (no payment-card data ever touches our servers — it is processed directly by Stripe); application-level AES-256-GCM encryption of every integration credential you save (API keys and OAuth refresh tokens), held in a database table our web clients cannot read; Postgres row-level-security on databases; signed payment webhooks; idempotent server endpoints; pre-commit secret scanners that block accidental key disclosure; secure development practices.

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. You are responsible for keeping your account credentials confidential, using a strong password (when accounts are available), and notifying us immediately at hello@businessautomator.com of any actual or suspected unauthorized access. In the event of a security incident that affects your personal information, we will notify you as required by applicable law.

13 International data transfers

We are headquartered in the United States. Our service providers may be located in the United States, the European Union, the United Kingdom, Canada, India, or other jurisdictions. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States and in other countries that may not provide the same level of data protection as your home country.

For transfers of personal information out of the EEA, UK, or Switzerland, we rely on appropriate safeguards under Articles 44–49 of the GDPR / UK GDPR, including:

For details about a specific transfer or to request a copy of the relevant safeguards, contact us at hello@businessautomator.com.

14 California rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the "CCPA"), gives you the following rights, subject to verification and certain exceptions:

How to exercise. Submit a request to hello@businessautomator.com or via our Do Not Sell or Share My Personal Information page. You may use an authorized agent to submit a request on your behalf; we will require proof of authorization. We will respond within 45 days (extendable by another 45 days where reasonably necessary), confirm receipt within 10 business days, and verify your identity before fulfilling certain requests (typically by matching the email associated with your account or transaction).

California "shine the light" law (Cal. Civ. Code § 1798.83): California residents may request information once per year about our disclosures, if any, of personal information to third parties for those third parties' direct-marketing purposes. We do not make such disclosures.

15 Other US state privacy rights

If you reside in Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, your state's comprehensive consumer-privacy law gives you rights similar to those described in §14, including (depending on the state):

To exercise these rights, contact us as described in §18. Where the law permits us to require verification, we will do so. If your state does not yet have a comprehensive privacy law in force, we still welcome requests and will respond on a courtesy basis where reasonable.

Nevada (NRS § 603A.340). Nevada residents have the right to direct us not to make any sale of certain "covered information." We do not sell covered information as defined under Nevada law, but you may still submit such a request to hello@businessautomator.com.

16 EU / UK / Switzerland rights (GDPR & UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR / UK GDPR / Swiss FADP, subject to certain conditions and exceptions:

EU / UK representative. If we are required to appoint an Article 27 representative for the EU and/or UK, we will identify them in this section once appointed. In the interim, you may contact us at hello@businessautomator.com regarding any GDPR / UK GDPR matter.

17 Canada, Brazil & other jurisdictions

Canada (PIPEDA + Québec Law 25). If you are in Canada, you may request access to, correction of, or information about our handling of your personal information by contacting us as described below. We respond in accordance with PIPEDA and Québec's Law 25 (where applicable).

Brazil (LGPD). If you are in Brazil, you have the rights described in Articles 18–22 of the Lei Geral de Proteção de Dados, including access, correction, anonymization or blocking, portability, deletion, information about sharing, and revocation of consent.

Other. If your jurisdiction grants additional rights that are not described here, contact us and we will endeavor to honor them where applicable.

18 How to exercise your rights

To exercise any right described in §§ 14–17:

Verification. Before fulfilling certain requests, we may need to verify your identity, typically by asking you to confirm information already in our records (for example, the email used to make a purchase). We may decline a request or charge a reasonable fee if it is manifestly unfounded, excessive, or repetitive, to the extent permitted by applicable law.

Authorized agents. California, EEA/UK, and other-state law allow you to designate an authorized agent. We will require evidence of the agent's authority (e.g., a signed permission, power of attorney) and may require you to verify your own identity.

Response time. We will respond within the time required by your applicable law (45 days under the CCPA, extendable by 45 days; one month under the GDPR, extendable by two months for complex requests). If we deny your request, we will explain why; where the law provides an appeal right (e.g., Colorado, Connecticut, Virginia, Texas), we will explain how to appeal.

19 Children's privacy

The Service is intended for users 18 years of age and older. We do not knowingly collect, sell, or share personal information of children under 13 (in the United States) or under 16 (in the EEA / UK), or of any minor under 18 anywhere. If you believe we have collected personal information of a minor, contact us at hello@businessautomator.com and we will promptly delete it.

20 Do Not Track & Global Privacy Control

Most web browsers offer a "Do Not Track" (DNT) feature. Because there is no industry standard for how to respond to DNT signals, we do not currently respond to DNT signals.

We do, however, honor the Global Privacy Control (GPC) as a valid request to opt out of "sale" and "sharing" of personal information under the CCPA/CPRA and equivalent state laws, to the extent we engage in any such activity. The GPC signal is treated as an opt-out for the browser sending it and, where we can reasonably link the signal to an account, for that account.

21 Automated decisions, profiling & AI

We do not make decisions about you that produce legal or similarly significant effects (such as approving or denying a substantive Service feature) based solely on automated processing. We may use automated rules and machine-learning models for fraud prevention (e.g., Stripe Radar), spam filtering, marketing segmentation, and product personalization. Where required by law, we will provide additional information about the logic involved and the significance and consequences of the processing, and you have a right to object as described in §16.

AI prompts and outputs. When you use AI features in the Products, the prompts you submit (and any data you choose to include in those prompts) may be transmitted to an AI model provider. Do not include sensitive personal information in your prompts unless you have a lawful basis to do so. AI outputs may be inaccurate or biased and should not be relied upon without independent verification (see also Section 11 of our Terms of Use).

22 Connected accounts & Google user data

Some of our Products (for example, the BA Agents automation builder) let you connect third-party accounts so the agents and automations you build can act on your behalf — either by saving an API key or by signing in with the provider (OAuth). This section explains exactly what we access, why, how it is used, stored, and shared, and how to disconnect. It applies to every connected account and, in particular, to Google user data received through Google APIs (Gmail, Google Calendar, Google Sheets, Google Docs, Google Drive) and to Microsoft data received through Microsoft Graph (Outlook / Microsoft 365).

Google API Services — Limited Use disclosure Business Automator's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we access, and why

We request access only when you choose to connect a specific tool, and only the permissions that tool needs. You will always see and approve the exact permissions on Google's (or Microsoft's) own consent screen before anything is connected, and we never see or store your Google or Microsoft password. The permissions we may request are:

Permission (scope)What it lets the automations you build do
openid, emailIdentify which account you connected, so your Connections page can show "Signed in as you@example.com" and route your automations to the right account.
Gmail — gmail.sendSend emails that an automation you built composes — from your own address, only when your agent runs (for example, an automatic reply or a daily report you configured).
Gmail — gmail.readonlyNot currently requested. This permission will be added only if and when inbox-reading automations launch. If active, it would let an automation you built read messages it needs (for example, "summarize new invoices in my inbox each morning") — and only what that specific automation requires to run.
Google Calendar — calendar.eventsCreate and read events on your calendar when your agent runs (for example, booking an appointment an agent negotiated).
Google Sheets — spreadsheetsAdd rows to the spreadsheets your automation uses (for example, logging new leads to a sheet) — only the spreadsheets the automation you built points at.
Google Docs — documentsCreate documents, and read or append to the documents your automation uses (for example, turning meeting notes into a formatted doc, or reading a brief your agent should work from) — only the documents the automation you built points at.
Google Drive — drive.fileSave files your automations produce into your Drive (for example, a weekly report or a CSV export), create folders to organize them, and list or read back those files. This is Google's per-file permission: it only ever covers files your automations created (or files you explicitly open with the app) — it cannot see, search, or touch anything else in your Drive.
Microsoft — Mail.Send, Mail.Read, Calendars.ReadWriteThe Outlook / Microsoft 365 equivalents of the Gmail and Calendar permissions above.

How we use it

Data received from your connected accounts is used solely to provide and improve user-facing features that you explicitly configure and invoke: running the agents and automations you build, showing you the results in your own private run history, and powering the in-product AI assistant when you ask it to build, test, or troubleshoot your agents. In line with Google's Limited Use requirements:

How it is stored and protected

Sharing

We never sell connected-account data and never "share" it in the CCPA/CPRA cross-context-behavioral-advertising sense. It is disclosed only: (a) to the infrastructure service providers that host our systems under contract restricting their use of it (see §7 — for example, Supabase stores the encrypted token); (b) to the AI model provider configured for your agent, only when and because an automation you built sends content to an AI step; and (c) where required by law (see §7).

Retention, disconnection & deletion

The Service may contain links to third-party websites, services, or features (for example, social networks, payment portals, or AI model documentation). We do not control and are not responsible for the privacy practices of those third parties. We encourage you to read each third party's privacy policy before providing them with any information.

24 Changes to this Policy

We may revise this Policy from time to time. The "Effective" and "Last updated" dates at the top reflect the most recent revision. If we make material changes, we will use reasonable efforts to notify you (for example, by posting a notice on the Service or sending an email). Your continued use of the Service after the effective date constitutes your acknowledgment of the revised Policy. Prior versions are available on request.

25 Contact us

For any question, concern, request, or complaint about this Policy or our privacy practices:

IBD Ventures LLC (d/b/a Business Automator) Attn: Privacy 30 N Gould St, Ste R Sheridan, WY 82801 United States Email: hello@businessautomator.com