Privacy Policy

Contact Information: We may collect professional contact details such as first and last name, email address, phone number, company name, title and department, and other relevant information necessary for us to manage your account and business relationship.

Profile Data: We may collect information such as the username and password that you may set to establish an online account with us, biographical information, and any other information that you add or is associated with your account.

Payment Information: If you subscribe to our Services, we will ask you to provide your payment information, such as your credit card number and billing address, to process your payment. Payment processing is handled by our third-party payment processor, and we do not store complete credit card numbers.

User-Generated Content: Such as photos, images, music, videos, comments, questions, messages, correspondence, and other content or information that you generate, transmit, or otherwise make available on the Service to us or other persons, as well as associated metadata.

Communication Information: When you contact us via a contact form, email, or other means, you may provide us with communication information, such as your name, email address, company, and the content, date, and time of your message.

Support Information: When you request technical support services, we will process your contact information, communication information, as well as information on the reasons for your support request, and any additional information you may provide.

API Keys and Credentials: You may provide API keys for third-party services (such as Glyphic or Granola). These are stored encrypted on your local device and are not accessible to BaseFrame. Authentication tokens used by the Desktop Application are stored in your operating system's secure keychain (macOS Keychain or Windows Credential Manager) and are never transmitted to BaseFrame.

Third-Party Service Data: When you authorize connections to third-party services (such as email, messaging, calendars, file storage, development tools, or other applications), data from those services may be accessed and processed by the Desktop Application to enrich workflow analysis. This data may include: email and calendar metadata; contacts and address books; calendar events and scheduling information; files and documents; usage data from connected applications; and any other data accessible through the APIs of those services.

Note: Third-party service connections are brokered through Composio, an integration infrastructure provider. A per-user entity is created in Composio on your behalf when you connect a service. All Composio operations are proxied through BaseFrame's servers, so your credentials are never exposed to Composio directly.

Microsoft Account: When you connect a Microsoft account, an OAuth access token is stored encrypted in BaseFrame's cloud database to enable persistent access to Microsoft services (Outlook, Teams, OneDrive, etc.). This token is used only to fetch data for workflow analysis on your behalf.

Website Usage Information: When you use our website (baseframe.co), we may automatically collect information about your visit, including via cookies and similar technologies. This may include your IP address, web browser, device type, and the pages you visit. The Desktop Application does not send analytics events or usage telemetry. No product analytics data leaves your device from the Desktop Application.

Device and Log Information: We collect information about the devices you use to access the Services, including: IP address; browser type and version; operating system; device identifiers; and log data including access times and referring URLs. This applies to website and API usage; the Desktop Application does not generate server-side logs beyond what is required to authenticate requests.

Crash Reports: If the Desktop Application crashes, a report is saved locally containing an error stack trace and recent log data. File paths and other identifiable information are anonymized before saving. On the next launch, you will be explicitly asked for consent before any crash report is transmitted to BaseFrame. We use crash reports solely to identify and fix software defects. You may decline to submit them at any time.

Information from Other Sources: We may obtain information, including Personal Information, from third parties and sources other than our Services, such as our business customers and partners. If we combine or associate information from other sources with Personal Information that we collect through our Services, we will treat the combined information as Personal Information in accordance with this Policy.

The BaseFrame desktop app reads on-device data to find the workflows worth automating. The exact sources depend on which operating system you run.

macOS. We read passively from sources Apple already maintains: app-focus events from the Biome stream (Library/Biome), historical app usage from Screen Time (knowledgeC.db), Apple Mail / Calendar / Reminders / Contacts, browser history (Safari, Chrome, Arc, Brave, Edge, Firefox), and per-app SQLite caches (Slack, Notion, Microsoft Office, Linear, etc.). We never read message bodies. macOS Full Disk Access is required for these reads.

Windows.Windows has no equivalent passive app-focus stream, so we run a small background process that records the foreground window’s application name and title once per second. Window titles are scrubbed for emails, phone numbers, file paths, and other PII patterns before they are stored locally. You can disable title capture in Settings. We additionally read browser history (Edge, Chrome, Firefox), Outlook mail headers (subject, sender, recipients) and calendar entries via MAPI, and Microsoft Teams channel activity. We never read message bodies.

All raw local data stays on your device. To generate workflow recommendations, the Desktop Application constructs prompts from scrubbed activity metadata (app names, timestamps, and PII-scrubbed window titles) and sends them to BaseFrame's servers, which forward them to an AI provider for processing. No message bodies, file contents, email text, or unredacted personal data are included in these prompts. Activity data that has already been summarized into a workflow fingerprint is cached locally and is not re-sent.

Providing the Services: We may use your Personal Information to provide and personalize the Services, process payments, provide customer service, maintain or service accounts, verify customer information, operate the Desktop Application, facilitate AI workflow analysis, enable connections to third-party services, and undertake similar services.

Support: We use Personal Information to provide technical support, including diagnosing and resolving any issues you report.

Customer Relationship Management: We may process your Personal Information for customer relationship management purposes.

Communicating with You: We may use your email address and other Personal Information as necessary to contact you for administrative purposes, to manage your account, provide information you request, send service-related notices, updates, security alerts, and respond to your comments and questions.

Understanding Usage and Improving the Services: We use the information that we collect on the Services to understand and analyze usage trends and preferences, improve the Services, and develop new products, services, features, and functionality.

Marketing: We may use your email address and other Personal Information to send marketing communications, including updates on promotions and events relating to our products and services. You have the ability to opt out of receiving promotional communications as described below under Your Rights and Choices.

Crash Diagnostics: We use crash reports you consent to submit to identify, diagnose, and fix software defects in the Desktop Application.

Security and Fraud Prevention: We may use your Personal Information to detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activities.

Administrative and Legal Purposes: We may use your Personal Information to address administrative or legal issues, including but not limited to intellectual property infringements, defamation, or privacy rights, and to comply with applicable laws, regulations, legal processes, and governmental requests.

Aggregation:We may aggregate or otherwise de-identify Personal Information and use the resulting information (“De-identified Information”) for any lawful purpose. We will maintain and use De-identified Information in de-identified form and will not attempt to re-identify the information, except to verify our de-identification processes.

Service Providers: We may engage third-party service providers to assist in providing hosting services or other services necessary for the operation of the Services. These service providers may have access to or process your information as part of providing those services for us. They are contractually obligated to protect your information. Key service providers include:

AI Providers:When you use AI agents, your prompts and instructions may be processed by third-party AI providers (such as Anthropic, OpenAI, or other providers you select) pursuant to your API key and their terms of service. BaseFrame does not control how AI providers process this data, and such processing is governed by the applicable AI provider’s terms and privacy policy.

Connected Services: When you connect third-party services, information is shared with those services as necessary to enable the integration. Such sharing is governed by the terms and privacy policies of those services.

Business Purposes: We may make certain information available to third parties for various purposes, including compliance with reporting obligations or for our business purposes. Any such disclosure will be in accordance with applicable laws and regulations.

Legal Requirements: We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable laws, respond to a court order, judicial or other government subpoena or warrant, or to cooperate with law enforcement or other governmental agencies.

Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, we may transfer your information to the acquiring entity as part of the transaction.

Affiliates: We may share Personal Information with our affiliates, subsidiaries, and branch offices to which it is reasonably necessary or desirable for us to disclose Personal Information for the purposes mentioned above.

With Your Consent: We may share information with your consent or at your direction.

Local Analysis: The Desktop Application reads activity metadata from your device (app usage, browser history, calendar entries, etc.) as described in Section 1. This data is processed locally first to construct anonymized activity summaries.

AI Provider Processing: Activity summaries and workflow discovery prompts are transmitted to BaseFrame's servers and forwarded to a third-party AI provider (currently routed via OpenRouter) for analysis. No raw message bodies or file contents are included. Processing by the AI provider is governed by that provider's terms of service and privacy policy. BaseFrame does not control how AI providers handle data once transmitted, and different providers have different data retention policies.

Connected Service Data: When you connect third-party services (such as Gmail, Slack, or Linear), the Desktop Application may fetch metadata from those services (subject lines, event titles, channel names, record titles) to enrich workflow analysis. This metadata may be included in AI prompts. We do not include message bodies or file contents.

Workflow Sharing: You may choose to publish a workflow snapshot to a public URL. When you do, the workflow name, description, automation suggestion, and app list are stored on BaseFrame's servers and accessible to anyone with the link. Sharing is entirely opt-in.

Your Responsibility: You are responsible for ensuring you have authority to connect third-party services; obtaining any necessary consents from individuals whose data may appear in your activity; and complying with the privacy policies of any AI providers or connected services you use.

Essential Cookies: Necessary for the operation of the Services, including authentication and security.

Analytics Cookies: Help us understand how visitors interact with our website (baseframe.co). We use PostHog to collect and analyze website usage data. The Desktop Application does not use PostHog or any analytics service. No telemetry or usage events are collected from the Desktop Application.

Advertising and Marketing Pixels:On our website (baseframe.co), we use the following third-party advertising and marketing technologies. These are loaded by default and may be opted out of via the “Do Not Sell or Share My Personal Information” link in the footer or by enabling the Global Privacy Control signal in your browser. None of these technologies operate inside the Desktop Application.

You can decline all of the above marketing and analytics technologies by using the “Do Not Sell or Share My Personal Information” link in the footer or by enabling Global Privacy Control in your browser. When you opt out, we stop loading the Meta Pixel, RB2B, Maverick, Delivr AI, Rewardful, and PostHog; we clear the Meta browser cookies (_fbp, _fbc) and any stored marketing attribution from your device.

Preference Cookies: Remember your settings and preferences.

Cookie Choices: You can manage cookie preferences by customizing your browser settings to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable certain cookies, please note that some parts of our Services may not function properly.

Interest-Based Advertising: We may allow third parties to collect Personal Information to provide interest-based advertising. You can opt out of interest-based advertising through the Digital Advertising Alliance (optout.aboutads.info) or Network Advertising Initiative (optout.networkadvertising.org).

Selling Personal Information:While we do not sell Personal Information in exchange for monetary consideration, we do disclose Personal Information for other benefits that could be deemed a “sale” under various data protection laws. You may opt out as described in Section 6.

Access: The right to request access to and obtain a copy of any Personal Information we may have about you.

Deletion: The right to delete your Personal Information that we have collected or obtained, subject to certain exceptions.

Correction: The right to request that we correct any inaccuracies in your Personal Information, subject to certain exceptions.

Opt Out of Certain Processing: The right to opt out of the processing of your Personal Information for purposes of targeted or cross-context behavioral advertising and/or the sale of your Personal Information.

Objection/Restriction of Processing: The right to object to or restrict us from processing your Personal Information in certain circumstances.

Withdraw Consent: The right to withdraw your consent where we are relying on your consent to process your Personal Information.

Portability: The right to receive your Personal Information in a structured, commonly used, and machine-readable format.

Automated Decision-Making and Profiling: We do not, at this time, use Personal Information for automated decision making or for profiling in furtherance of decisions that produce legal or similarly significant effects. Thus, we do not fulfill requests to opt out of these uses.

Lodge a Complaint: The right to lodge a complaint with a supervisory authority or other regulatory agency if you believe we have violated any of the rights afforded to you under applicable data protection laws. We encourage you to first reach out to us so we have an opportunity to address your concerns directly before you do so.

Global Privacy Control (GPC): You may also exercise your opt-out rights by broadcasting an Opt-Out Preference Signal, such as the Global Privacy Control (GPC). We honor Opt-Out Preference Signals, including GPC. If you choose to use an Opt-Out Preference Signal, you will need to turn it on for each supported browser or browser extension you use.

Account Information: Retained for the duration of your account and for a reasonable period thereafter for legal, tax, and audit purposes.

Local Device Data: Activity data cached by the Desktop Application is stored encrypted on your device and is under your control. It can be removed by deleting the application's data directory or uninstalling the Desktop Application.

Cloud Account Data: Account-associated data stored on BaseFrame's servers (such as subscription status, connected service tokens, and shared workflow snapshots) is retained while your account is active. Following account closure, this data may be deleted within thirty (30) days.

Usage and Log Data: Server-side log data is retained for up to 1 month for security and debugging purposes.

Communication Records: Support communications may be retained for quality assurance and legal purposes.

Encryption in Transit: Data transmitted between the Desktop Application (or your browser) and BaseFrame's servers is encrypted using industry-standard TLS/SSL.

Local Data Encryption: Activity data cached by the Desktop Application on your device is encrypted at rest using AES-256-GCM. The encryption key is stored in a user-only file on your device and is never transmitted to BaseFrame.

Cloud Data Encryption: Sensitive data stored on BaseFrame's servers (such as Microsoft OAuth tokens) is encrypted at rest.

Access Controls: We maintain access controls to limit access to information to authorized personnel.

Security Monitoring: We monitor our systems for potential security threats and vulnerabilities.

With your consent: Where you have given us consent to process your Personal Information for specific purposes.

Where necessary to perform a contract: To provide the Services you have requested.

To comply with our legal obligations: Where we are legally required to process your data.

Where doing so is in our legitimate interests: Including the purposes described in this Policy, such as analytics, security, fraud prevention, and improvement of our Services, and such interests are not outweighed by your rights and freedoms.

Right to Know: The right to know what personal information we collect, use, disclose, and sell.

Right to Delete: The right to request deletion of personal information.

Right to Correct: The right to correct inaccurate personal information.

Right to Opt-Out: The right to opt out of the sale or sharing of personal information.

Right to Non-Discrimination: The right not to be discriminated against for exercising your privacy rights.

Data Controller: BaseFrame Inc. is the data controller for Personal Information processed in connection with the Services.

Data Protection Officer: Not applicable.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe we have violated your privacy rights. We encourage you to contact us first so we can address your concerns.