Privacy Policy

Who we are

This policy describes how TRADE ESTATE SE (hereinafter "BASE", "we", "our") collects, uses and protects your personal data when you use the BASE service at app.base-ai.app and the marketing site at www.base-ai.app.

BASE is the data controller for personal data you provide when using our service, as defined under the EU General Data Protection Regulation (GDPR).

Company information and legal contact: see Imprint.

What we collect

Account & profile

Email, name, interface language, country, currency and account settings you choose. Authentication credentials (password) are stored as a salted hash and never readable in plaintext.

Data you add yourself

Content you create or upload to BASE: tasks, documents, receipts, expenses, wellness notes, call preparation, agent messages, goals and check-ins. This data is stored in the agent's permission-scoped surface and is not visible to other agents unless you confirm a hand-off.

Files

When you upload a document, photo or scan, BASE stores the original file together with extracted text and metadata (title, dates, parties, amounts) needed to make it searchable.

Voice & call data

If you use the Action agent's call features, we store: the call brief you authored, the transcript, call outcome and summary. Voice recordings, where retained, are encrypted at rest and scoped strictly to the Action agent.

Technical events

Standard log data (IP address, user agent, timestamps, request paths) used for reliability, abuse prevention, security monitoring and customer support. Stored for a limited operational window (typically up to 90 days).

How we use your data

Provide the service: store, organize and act on the information you give us, through the six BASE agents.
Improve the service: diagnose bugs, optimize performance, develop new features. We do not use your private content (documents, finance, wellness, mentor conversations) to train external AI models.
Communicate with you: service notifications, security alerts, account changes, and (with your explicit opt-in) product updates.
Comply with law: respond to lawful requests from regulators or courts where required.

BASE never sells your data to advertisers, brokers, or third parties.

Permission-first agent sharing

BASE is built around the principle that each agent operates as a separate permission surface.

The six core agents — Document, Finance, Wellness, Organizer, Mentor, Action — handle different categories of sensitive personal information. Sensitive details from one agent's scope are not passed to another agent automatically. Cross-agent hand-offs (for example: "Finance found a recurring payment, should it become an Organizer reminder?") only occur after you explicitly confirm the action in the app.

This permission-first model is fundamental to BASE. It is described in product copy, applied in the user interface, and enforced in the backend code that routes data between agents.

Legal basis (GDPR Article 6)

We process your personal data on the following legal bases:

Performance of a contract (Art. 6(1)(b)): processing necessary to deliver the BASE service you signed up for.
Legitimate interest (Art. 6(1)(f)): security, fraud prevention, service reliability and protection of our users.
Consent (Art. 6(1)(a)): for optional features such as voice call recording, marketing communications, or third-party integrations. You can withdraw consent at any time.
Legal obligation (Art. 6(1)(c)): tax, accounting, and lawful requests from authorities.

Where we process special category data such as health information (Wellness agent), the processing is based on your explicit consent (Art. 9(2)(a)). You can withdraw that consent and delete the data at any time from Profile.

Service providers & sub-processors

BASE uses third-party service providers to deliver the service. Each is contractually bound to handle your data only on our instructions and to maintain appropriate security and confidentiality.

Current categories of sub-processors:

AI model providers — for processing user requests (e.g. extracting fields from documents, drafting call scripts).
Hosting, database and storage infrastructure — EU-based.
Security infrastructure — DDoS protection, WAF, monitoring.
Email delivery — transactional and notification emails.
Calling and transcription providers — only invoked when you use Action's call features.
Payment processing — only when subscriptions launch; payments handled by approved providers.

A current sub-processor list is available on request to privacy@base-ai.app. We will publish the full list publicly before general availability launch.

International transfers

BASE infrastructure is primarily hosted within the European Union. Where data is transferred to a sub-processor outside the EU/EEA, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission;
Adequacy decisions where applicable;
Additional technical and organizational measures (encryption in transit, minimum-necessary data principle).

Retention & deletion

We retain personal data only as long as necessary for the purposes described above, or as required by law.

Account data: retained while your account is active.
Content you create (documents, receipts, notes): retained while your account is active, or until you delete it.
Technical logs: typically up to 90 days.
Billing records: retained as required by applicable Czech accounting and tax law.

When you delete your account from Profile, your active content is removed promptly. Some backup copies may persist for a limited window (up to 30 days) before being permanently erased.

Your rights (GDPR Articles 12–22)

You have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — delete your account and stored content from Profile, or by contacting support.
Restriction — limit how we process your data in specific circumstances.
Data portability — export your account data in a machine-readable format from Profile.
Object — object to processing based on legitimate interest.
Withdraw consent — at any time, where processing is based on consent.
Complaint — file a complaint with your local data protection authority. In the Czech Republic: Úřad pro ochranu osobních údajů (uoou.gov.cz).

To exercise these rights, use the relevant controls in Profile, or contact privacy@base-ai.app.

Cookies

BASE uses a minimal set of cookies:

Strictly necessary: authentication session, security, language preference. No consent required under EU ePrivacy rules.
Analytics: privacy-respecting usage statistics (no personal identifiers, no cross-site tracking). Opt-in via the cookie banner.

We do not use advertising cookies, social-media tracking pixels, or third-party tracking technologies.

Children

BASE is intended for users 18 years or older. We do not knowingly collect personal data from children under 16 without parental consent. If we become aware that we have inadvertently collected such data, we will delete it promptly.

Changes to this policy

We may update this Privacy Policy from time to time. The version number and "Last updated" date at the top of this page reflect the current version. Material changes will be communicated by email to registered users at least 14 days in advance.

Contact

For privacy-related questions or requests:

Email: privacy@base-ai.app
Postal: see Imprint for our registered address.

For security vulnerabilities or responsible disclosure: Security page.