Privacy policy

1. Scope and who we are

This Privacy Policy applies to BayStore websites, public documentation, sales intake, demo requests, customer account administration, checkout, billing, support communications, product-instance services, security operations, and related service communications. It does not replace a customer agreement, Data Processing Addendum, or product-specific privacy terms approved in writing.

For the personal information BayStore handles as a controller, the responsible entity is BayStore, 1455 3rd Street, San Francisco, CA 94158, USA. You can reach BayStore's privacy team at [email protected].

2. Roles: controller and processor

BayStore generally acts as an independent controller for visitor, sales, account, billing, security, support, and service-administration information. For personal data submitted by a customer into a product instance or processed under customer instructions, BayStore generally acts as a processor or service provider under the customer's instructions and the Data Processing Addendum.

If you are an end user of a BayStore customer, that customer is usually responsible for its own privacy notice and instructions. Please contact that customer first for requests about data it controls.

3. Information we collect

Depending on your interaction with BayStore, we may collect:

• Identifiers and account data: name, work email, company, role, account identifiers, authentication identifiers, administrator status, and billing contact details.
• Commercial and payment information: selected products, berths, orders, subscriptions, invoices, payment status, payment method metadata, tax information, refunds, disputes, and sales communications. Full payment card numbers are handled by approved payment processors such as Stripe, PayPal, or another approved provider rather than stored by BayStore unless a separate approved payment arrangement applies.
• Service metadata: product key, instance id, lifecycle state, access metadata, credential reference, audit correlation id, backup metadata, provisioning events, recovery requests, support priority, and operator-action records.
• Technical, usage, and security information: IP address, device and browser data, logs, timestamps, page views, diagnostic events, API activity, error events, fraud signals, abuse signals, and security alerts.
• Support and communications: messages, demo requests, procurement details, security questions, and feedback.
• Customer content and configuration: content, configuration, files, environment settings, access instructions, and product-instance data submitted by or for a customer where BayStore operates the service.

4. Sources

We collect information directly from you, from your organization, from customer users, from product-instance activity, from checkout, account, support, and security interactions, from payment processors such as Stripe, PayPal, or another approved provider, from identity, infrastructure, security, observability, analytics, and support providers, and from public or business-contact sources used for sales and support.

5. How we use information

BayStore uses information to:

• respond to demo, sales, support, legal, and security requests;
• create accounts, authenticate users, process orders, manage subscriptions, collect payments, issue invoices, and provide customer access;
• provision, operate, monitor, recover, suspend, resume, upgrade, or retire product instances;
• maintain audit trails, correlation identifiers, billing records, and lifecycle evidence;
• secure the service, investigate abuse, prevent fraud, manage risk, and enforce terms;
• comply with legal, tax, accounting, security, and contractual obligations;
• improve product quality, documentation, support, reliability, user experience, and operational tooling.

6. Legal bases where required

Where GDPR-style legal bases apply, BayStore may process personal information to perform a contract, take steps before entering into a contract, comply with legal obligations, protect legitimate interests such as service security and business operations, or based on consent where required, including for optional analytics or marketing communications.

7. Disclosures

We may disclose information to:

• infrastructure, hosting, database, security, observability, email, support, payment, and authentication providers;
• professional advisors, auditors, insurers, and legal representatives;
• affiliates, acquirers, or successors in a merger, financing, acquisition, restructuring, or sale of assets;
• government, law-enforcement, or regulatory authorities where required by law or necessary to protect rights, safety, or security;
• customer administrators or authorized users according to account permissions.

8. Sale, sharing, and targeted advertising

BayStore does not sell personal information, and does not share personal information for cross-context behavioral advertising or use targeted advertising. BayStore loads non-essential analytics only after you opt in, and honors Global Privacy Control and similar opt-out preference signals. Because no non-essential tracking runs without your affirmative consent, there is no sale or sharing of personal information to opt out of. If BayStore ever adopts a practice that qualifies as a "sale," "sharing," or "targeted advertising" under applicable law, BayStore will provide the required notices, an opt-out mechanism, and any required consent controls before doing so.

9. Customer Data processed as a processor

When BayStore processes customer-controlled personal data as a processor or service provider, BayStore uses that data to provide, secure, support, recover, and improve the contracted services according to the customer's documented instructions. The Data Processing Addendum describes subprocessors, assistance, breach notice, deletion, audits, and transfer mechanisms for that processing.

10. Cookies, local storage, and analytics

BayStore may use cookies, local storage, pixels, tags, and similar technologies for security, authentication, checkout, consent management, preferences, support, analytics, and approved marketing. Non-essential analytics or marketing technologies should be controlled through legally required consent or opt-out mechanisms. See the Cookie Policy.

11. Retention

BayStore retains information for as long as needed to provide the services and for the periods below, after which it is deleted or de-identified unless a longer period is required by law or to resolve disputes or enforce agreements:

• Visitor analytics: aggregate, privacy-friendly metrics retained for up to 24 months.
• Sales and lead records: until you opt out or up to 24 months after the last interaction.
• Account records: for the term of the relationship and up to 24 months after the account closes.
• Billing, tax, and accounting records: up to 7 years, as required by law.
• Support records: up to 24 months after resolution.
• Security and audit logs: up to 24 months.
• Product-instance records and lifecycle evidence: for the service term plus the retention period in the applicable Order or Data Processing Addendum; backups expire on normal backup cycles.
• Deleted-instance records: minimal metadata retained as needed for audit, security, and legal purposes.

12. International transfers

BayStore may process information in countries where BayStore, its affiliates, or subprocessors operate, including the United States. Where BayStore transfers personal information out of the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, BayStore relies on a lawful transfer mechanism, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and, where applicable, the EU-U.S., UK Extension to the EU-U.S., and Swiss-U.S. Data Privacy Framework, together with supplementary measures where needed. You can request information about these mechanisms at [email protected].

13. Security

BayStore uses administrative, technical, and organizational measures designed to protect personal information, including access controls, least-privilege permissions, logging, tenant-isolation boundaries, encryption where appropriate, secure development practices, vulnerability management, incident response, backup controls, and subprocessor review. No method of transmission or storage is completely secure.

14. Your privacy rights

Depending on your location and relationship to BayStore, you may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, or information about disclosures. California residents may have rights to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and be free from discrimination for exercising rights. BayStore will respond according to applicable law and may need to verify your request.

15. Regional notices

Region-specific rights apply where required. Residents of the European Economic Area, the United Kingdom, and Switzerland have the rights described in Section 14 and may lodge a complaint with their local supervisory authority. California residents have the rights described in Section 14 under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale or sharing; as stated in Section 8, BayStore does not sell or share personal information. Residents of other U.S. states with comprehensive privacy laws have equivalent rights where those laws apply. BayStore does not engage in profiling that produces legal or similarly significant effects, and does not process sensitive personal information for purposes that require an additional opt-in beyond what is described here.

16. Customer-controlled data

If BayStore processes personal information on behalf of a customer, the customer may be the controller or business and BayStore may be the processor or service provider. End users should contact the relevant customer first when exercising privacy rights about customer-controlled data.

17. Marketing communications

BayStore may send product or commercial communications where permitted by law. Recipients can opt out of non-transactional emails using the unsubscribe mechanism or by contacting BayStore. Service, security, billing, and account notices may still be sent where necessary.

18. Children

BayStore services are intended for business use and are not directed to children. BayStore does not knowingly collect personal information from children through the public site.

19. Changes

BayStore may update this Privacy Policy by posting a revised version with a new effective date. Material changes will be communicated through reasonable channels where customer accounts are affected.

20. Contact

Send privacy requests to [email protected]. Security reports should go to [email protected]. Legal notices should go to [email protected] or to BayStore, 1455 3rd Street, San Francisco, CA 94158, USA.