Privacy Policy

Last updated: May 3, 2026

Bai OS, Inc. — Delaware, USA
baios.ai · hey@baios.ai

Executive summary (the essentials in 30 seconds)

This does not replace the full policy, but it does capture its essence:

  • You decide what to tell BAI. What you entrust to it is stored as your personal workspace.
  • Your memory is yours. You can consult, edit, export, and delete it at any time.
  • We never use your data to train AI models, nor for commercial analysis, nor for targeted advertising, nor do we sell it to third parties.
  • Your sensitive data (health, finances, intimacy, religion, etc.) receive the same enhanced protections, without exceptions.
  • When you leave BAI, your data goes with you and is then deleted. Without active payment, it is deleted after 90 days. If you cancel, after 30 days.
  • We work with serious, vetted providers (Anthropic, Google, WhatsApp, Stripe, Google Cloud, Resend) under contracts that strictly limit what they can do with your information.
  • You have rights. Access, rectification, deletion, portability, and objection. Write to us at hey@baios.ai and we will respond.

The full policy that follows develops each of these points with the detail required by law.

1. Who we are

Bai OS, Inc. is a company incorporated in Delaware (United States), with contact address hey@baios.ai. We operate the BAI service ("Service"), a personal management workspace accessible by web and WhatsApp.

For the purposes of this Policy, Bai OS, Inc. acts as Data Controller (in GDPR terms), Controller (CCPA/CPRA), Responsable (Law 1581 Colombia, LFPDPPP Mexico), Controller (LGPD Brazil) and the equivalent figure in each applicable jurisdiction. This means we are the ones who decide how and for what your personal data is processed, within the limits established by law and by this Policy.

For privacy inquiries and to exercise your rights, contact our Data Protection Officer (DPO) at hey@baios.ai.

2. Who this Policy applies to

This Policy applies to:

  • Users of the BAI Service (active accounts, in trial period, or in any state of the contractual relationship).
  • Visitors to the baios.ai website and associated subdomains.
  • People who communicate with us through the published contact channels.

It does not apply to third-party websites, applications, or services linked from BAI, which are governed by their own policies.

3. What data we collect

We collect personal data in three differentiated categories:

3.1 Data you give us directly

This is the data you decide to share with us, whether when registering, when using the Service, or when communicating with us:

  • Registration and account data: name, email address, phone number associated with WhatsApp, preferred language, time zone and, where applicable, billing data (processed by Stripe — see section 6).
  • Content you entrust to BAI: text messages, audios, images, files, links, and other content you send to the Service to be captured, organized, and remembered. This constitutes what we call your memory (section 5).
  • Communications with us: messages you send us at hey@baios.ai or other support channels.
  • Information from integrations you authorize: when you connect BAI with Gmail, Google Calendar, Google Drive, or other tools, you authorize access to the information strictly necessary for the contracted function. You control which integrations you connect and can revoke access at any time from the workspace.

3.2 Data we generate from your use

As part of the normal operation of the Service:

  • Internal technical representations: audio transcriptions, vector embeddings of your content, and generated summaries that enable search and retrieval functions.
  • Notes, tasks, reminders, tags, and projects created by you or automatically derived from your content.
  • Usage metadata: creation and edit dates, channel of origin (web/WhatsApp), internal account identifiers.
  • Technical and security data: IP address, device type, browser, operating system, access and security event logs. This data is used to operate the Service, prevent fraud, and comply with legal obligations.

3.3 Data we receive from third parties

  • From Meta/WhatsApp: when you connect your WhatsApp account by OTP, we receive the verified phone number and the messages you send to BAI through that channel. Use of WhatsApp is additionally governed by the policies of WhatsApp Inc. and Meta Platforms, Inc.
  • From Stripe: payment confirmations, subscription status, and billing metadata. We do not receive or store complete credit card data.
  • From integrations you authorize: the data that connected tools (Gmail, Google Calendar, Google Drive) share by virtue of the scope you authorize when connecting.
  • From web analytics (with your consent): when you accept analytics cookies on baios.ai, Google Analytics gives us aggregated and pseudonymized statistics about site usage. When you accept advertising cookies, Meta Pixel allows us to measure the effectiveness of our campaigns. Detail in section 11.

4. What we use your data for (purposes and legal bases)

We only process your data for specific purposes, with an identified legal basis for each. The following table summarizes the picture (GDPR terminology; local equivalents apply):

| Purpose | Type of data | Legal basis |
|---|---|---|
| Provide the Service (capture, organize, remember, return) | Account data + user content + generated data | Performance of contract (art. 6.1.b GDPR) |
| Process sensitive data the user decides to share | Sensitive data (health, finances, religion, etc.) | Explicit consent (art. 9.2.a GDPR) |
| Process payments and issue invoices | Billing data + Stripe metadata | Performance of contract + legal obligation |
| Comply with tax and accounting obligations | Transaction records | Legal obligation (art. 6.1.c GDPR) |
| Operational communications (onboarding, reminders, Service updates, invoice) | Email + WhatsApp number + name | Performance of contract |
| Promotional email marketing to existing users (launches, discounts) | Email + name + usage | Legitimate interest, with easy right of objection |
| Web analytics for the baios.ai site | Cookies, IP, browser | Consent (cookie banner) |
| Advertising on Meta/Google (Pixel, audiences) | Cookies, site events | Explicit consent (banner) |
| Fraud prevention, abuse, and Service security | Logs, IP, usage patterns | Legitimate interest + legal obligation |
| Handle exercise of rights and legal requests | Identification data | Legal obligation |
| Service improvement (debugging, aggregated metrics) | Logs and pseudonymized data | Legitimate interest |

What we do NOT do with your data, regardless of purpose:

  • We do not use it to train AI models, neither our own nor third parties'. This is expressly prohibited in our contracts with Anthropic and Google.
  • We do not sell it. We do not commercialize personal data under any circumstances.
  • We do not do targeted advertising based on your memory. We do not use the content you entrust to BAI to commercially profile you or to show you personalized ads.
  • We do not process your sensitive data for any purpose other than providing the Service to you.

5. Persistent memory — your workspace

Persistent memory is the heart of BAI. Given its importance, this section develops in detail how we treat it.

5.1 What it is

BAI stores what you decide to entrust to it in order to return it to you when you need it. This includes messages you send us, transcriptions of your audios, derived content (notes, tasks, reminders), and internal technical representations (vector embeddings, summaries) necessary for search and retrieval functions to work.

5.2 Where it lives

Your memory is stored in infrastructure controlled by Bai OS, Inc. on Google Cloud Platform, us-central region (United States), and, if required to ensure continuity of service, in other regions where GCP operates. This implies an international transfer of data when you reside outside the United States — more detail in section 7.

5.3 Who can see it

  • You — always, through the web workspace.
  • The Bai OS, Inc. technical team, only when strictly necessary to resolve technical incidents, prevent abuse, or comply with legal obligations. Internal access is subject to controls, audit logging, and confidentiality obligations.
  • The AI Providers (Anthropic, Google), when they process your messages to generate responses, under contracts (DPA) that prohibit use for training and limit processing to the purpose of providing you the service.
  • No one else.

5.4 How long

As long as your account is active and within the reasonable personal use defined in the Terms of Service, your memory is preserved without a predefined time horizon. The promise of continuity ("remembering across time") is an essential part of the product. Details on time periods in section 8.

5.5 Your control

You can:

  • Consult the entirety of your memory at any time, via the workspace.
  • Edit notes, tasks, reminders, and other objects.
  • Delete specific memories granularly, without having to cancel the entire account.
  • Delete the entirety of your memory by canceling the account.
  • Export your memory in standard, portable format.

5.6 Continuity across technical changes

Your memory is independent of the AI Provider we use at any given time. If in the future we change from Anthropic to another Provider (or vice versa), your content remains intact. What may vary is the style, tone, or characteristics of responses — not what is stored.

6. Sensitive data

6.1 What we consider sensitive

Sensitive data means data that the applicable regulations in your jurisdiction define as such, including, without limitation: data on physical or mental health, sex life or sexual orientation, racial or ethnic origin, religious, philosophical, or moral convictions, political opinions, trade union membership, biometric and genetic data, and financial or credit information.

6.2 Why BAI may receive it

Given the nature of the Service (a personal workspace with memory), it is foreseeable that you will decide to voluntarily share sensitive data with BAI. For example:

  • Medication or medical appointment reminders.
  • Notes on therapy sessions.
  • Religious or community events.
  • Personal financial or investment information.
  • Contacts associated with your intimate life.

This is legitimate use of the Service.

6.3 Your consent

By using BAI, you grant express and informed consent for us to process the sensitive data you decide to share, exclusively for the purpose of providing you the Service: storing it, organizing it, reminding you of it when you need it, and returning it to you when you search for it.

You can revoke this consent at any time, which means you stop sharing such data with BAI or delete it from your memory.

6.4 What we do not do with your sensitive data (enhanced commitment)

Bai OS, Inc. does not use your sensitive data for:

  • Training AI models, our own or third parties'.
  • Commercial analysis, market segmentation, or advertising profiles.
  • Targeted advertising or commercial recommendations.
  • Assignment, sale, or transfer to third parties other than the technical providers strictly necessary for the provision of the Service (section 6 on subprocessors).
  • Any purpose other than providing the Service to you.

6.5 Sensitive data of third parties

If you share sensitive information about other people (for example, you note something about the health of a relative), you declare that you have a legal basis to do so — typically the domestic or personal use exception in article 2(2)(c) GDPR and equivalent provisions. You are responsible to those third parties for the information you share with BAI.

6.6 Compliance with External Circular 002 of 2024 (SIC, Colombia)

The processing of personal data carried out by the Service is governed by the principles of suitability, necessity, reasonableness, and proportionality established by External Circular 002 of 2024 of the Superintendency of Industry and Commerce of Colombia.

7. Who we share your data with (subprocessors)

To operate BAI we depend on a small set of specialized technical providers ("Subprocessors"). Each one processes your data under a data processing agreement (DPA) that strictly limits what they can do with the information, prohibits use for model training without your consent, and requires enhanced security measures.

7.1 List of current subprocessors

| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic, PBC | AI model (message processing to generate responses) | Content of messages you send to the Service | United States |
| Google LLC | AI model (Gemini) and integrations (Gmail, Calendar, Drive when authorized) | Message content + data from integrations you connect | United States / multi-region |
| Google Cloud Platform | Infrastructure (servers, database, storage) | All Service information | us-central (USA) and other GCP regions when applicable |
| WhatsApp Inc. / Meta Platforms, Inc. | Messaging channel | Phone number and messages sent through that channel | United States / multi-region |
| Stripe, Inc. | Payment processing | Billing data, transactions (card never passes through our systems) | United States |
| Resend | Sending transactional emails and operational communications | Email, name, content of the email sent | United States |
| Google Analytics (Google LLC) | Analytics for the baios.ai website | Cookies, truncated IP, browser, site events (only with your consent) | United States / multi-region |
| Meta Pixel (Meta Platforms, Inc.) | Measurement of advertising effectiveness and audiences | Cookies, site events (only with your explicit consent) | United States / multi-region |

7.2 How this list is updated

This list may be updated when we incorporate or replace providers. Material changes will be notified at least thirty (30) days in advance. You can request the most up-to-date version and applicable DPAs by writing to hey@baios.ai.

7.3 What these providers do NOT do with your data

Under current DPAs, none of the Subprocessors may:

  • Use your data to train their own AI models without explicit consent.
  • Use your data for purposes other than those contracted by us.
  • Subcontract to third parties without our prior consent.
  • Retain your data beyond the period necessary for the provision of the contracted service.

7.4 Other recipients

In addition to Subprocessors, we may share personal data in specific circumstances:

  • Professional advisors (lawyers, auditors, accountants) under a duty of confidentiality, when necessary.
  • Competent authorities when legally required (court order, administrative request, regulatory obligation). In such cases, unless legally prohibited, we will inform you.
  • In the event of a corporate transaction (merger, acquisition, restructuring): the provisions of the Terms of Service (section 11.6) apply — notification 90 days in advance, export tools, no automatic transfer without renewed consent.

7.5 Agreement with Stripe (DPA and transfers)

Stripe processes payments under a Data Processing Agreement (DPA) signed with the Company. A copy of the DPA is available to users upon request to hey@baios.ai.

Personal data transfers to Stripe, Inc. (United States) are carried out on the basis of the Standard Contractual Clauses approved by the European Commission, and/or any other international transfer mechanism admitted by applicable law. See §8.2 for the general safeguards framework.

8. International data transfers

8.1 Why there are international transfers

Since Bai OS, Inc. is a Delaware (USA) company and our main infrastructure is on Google Cloud Platform us-central region (USA), most of your data is processed in the United States. This constitutes an international transfer from your jurisdiction of residence (especially if you are in the European Union, United Kingdom, Colombia, Mexico, Brazil, Argentina, Chile, or other countries with specific data protection regulations).

8.2 Safeguards applied

These transfers are carried out under the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), applicable to transfers from the European Economic Area and from jurisdictions that recognize this mechanism.
  • Data Processing Agreements (DPAs) with each Subprocessor, which reproduce European protection standards.
  • Compliance with international transfer requirements established by the applicable regulations in each country (Law 1581 + Decree 1377 Colombia, LFPDPPP Mexico, LGPD Brazil, Law 25,326 Argentina, etc.).
  • Stripe-specific transfers: in addition to the above, transfers to Stripe, Inc. (United States) are governed by the DPA and SCCs detailed in §7.5.

8.3 Usual processing countries and regions

  • United States: main infrastructure (GCP us-central), Anthropic, Stripe, Resend.
  • Google multi-region: Google services that may replicate data in different regions according to their architecture.
  • Other GCP regions: if required for service continuity.

By using BAI, you grant informed consent for these international transfers under the terms described. You can request detailed information about the safeguards applied at hey@baios.ai.

9. How long we keep your data

We apply the principle of storage limitation from article 5.1.e) of the GDPR and equivalent provisions: we only keep your data for the time necessary to fulfill the purposes described in this Policy.

9.1 Periods by type of data

| Type of data | Retention period |
|---|---|
| User memory in active account with up-to-date payment | While the account is active, with no predefined horizon (see Section 4.3 of T&C) |
| User memory in account without active payment (arrears) | Up to 90 days from the start of arrears; notices at 30, 60, and 75 days; deletion on day 91 |
| User memory after voluntary cancellation | Deletion within 30 days from request, except for express request of immediate deletion |
| User memory after termination for breach | Deletion within 15 days, with prior export period |
| Manual deletion of specific memories | Immediate in production; backup copies are purged within up to 90 days |
| Billing data and transaction records | Applicable legal period (typically 5 to 10 years, depending on tax jurisdiction) |
| Security and audit logs | Up to 12 months, except for greater legal requirements |
| Support communications | Up to 24 months after case closure |
| Cookie data (web) | Depending on purpose — detail in section 11 |

The retention of billing data and transaction records prevails over the user's right to erasure pursuant to article 17(3)(b) of the GDPR (compliance with legal obligations) and equivalent provisions of local regulations.

9.2 Secure deletion

When data reaches its retention period, it is deleted through secure procedures that include immediate logical deletion in production and complete rotation of backup copies. The minimum legal retention after deletion is strictly limited to records necessary for tax, accounting, or information security compliance — it does not include the content of your memory.

10. Your rights

You have rights over your personal data. The exact extent depends on your jurisdiction of residence, but the base set we recognize universally for all users includes:

10.1 Universal rights (we recognize them for all users)

  • Access: know what data of yours we have, how we use it, and with whom we share it.
  • Rectification: correct inaccurate or incomplete data.
  • Deletion / "right to be forgotten": request deletion of your data when it is no longer necessary or you withdraw your consent.
  • Portability: receive your data in standard, portable format, or ask us to send it to another provider.
  • Objection: object to processing based on legitimate interest or for direct marketing purposes.
  • Restriction of processing: ask us to freeze the use of your data while a dispute is being resolved.
  • Withdrawal of consent: withdraw consents at any time, without affecting the lawfulness of prior processing.
  • Not be subject to automated decisions with significant legal effects: art. 22 GDPR applies. BAI does not make decisions of this type (see section 3.5 of T&C).
  • File a complaint with the supervisory authority of your country (list in section 13).

10.2 Specific rights by jurisdiction

| Jurisdiction | Regulation | Additional rights or particularities |
|---|---|---|
| European Union / EEA | GDPR (Regulation 2016/679) | Full base set + complaint to national authority |
| United Kingdom | UK GDPR + Data Protection Act 2018 | Equivalent to GDPR; complaint to ICO |
| Colombia | Law 1581/2012, Decree 1377/2013, Circular 002/2024 SIC | Habeas Data, consultation, complaint, revocation; complaint to SIC |
| Mexico | LFPDPPP and Regulations | ARCO rights (access, rectification, cancellation, opposition); complaint to INAI |
| Brazil | LGPD (Lei 13.709/2018) | Full base set; complaint to ANPD |
| Argentina | Law 25.326 | Access, rectification, deletion, confidentiality; complaint to AAIP |
| Chile | Law 19.628 (and Law 21.719 when applicable) | Equivalent; complaint to competent authority |
| California, USA | CCPA / CPRA | Right to know, delete, correct, opt-out of sale/sharing, non-discrimination; complaint to CPPA |

10.3 How to exercise your rights

To exercise any of these rights:

  1. Write to us at hey@baios.ai, indicating:
    • Your specific request (access, rectification, deletion, etc.).
    • Your country of habitual residence.
    • Sufficient data to identify you as the account holder (we will verify your identity to avoid impersonation).
  2. Response time:
    • GDPR/UK GDPR: one month, extendable to three months in complex cases.
    • Colombia (Habeas Data): consultation up to 10 business days, complaint up to 15 business days.
    • Mexico (ARCO): 20 business days, extendable for 20 additional days.
    • Brazil (LGPD): 15 days.
    • Argentina: 10 days for access, 5 days for rectification.
    • CCPA/CPRA: 45 days, extendable to 90.
  3. Cost: exercising your rights is free. Only in cases of manifestly unfounded or excessive (especially repetitive) requests could we charge a reasonable fee or refuse to act — this is exceptional.
  4. Appeal: if you are not satisfied with our response, you can file a complaint with the supervisory authority of your country (list in section 13).

11. Cookies and similar technologies

11.1 What they are

Cookies are small files that a website saves on your device to remember information between visits. Similar technologies include pixels, browser local storage, and SDKs.

11.2 What cookies we use

| Category | Purpose | Providers | Legal basis | Typical duration |
|---|---|---|---|---|
| Strictly necessary | Session, language, authentication, basic security | Bai OS | Performance of contract (do not require consent) | Session / up to 12 months |
| Analytics | Aggregated site usage statistics | Google Analytics | Consent (banner) | Up to 14 months |
| Advertising | Campaign measurement, custom audiences, remarketing | Meta Pixel, Google Ads (when applicable) | Explicit consent (banner) | Up to 13 months |

11.3 How to manage your preferences

When you visit baios.ai for the first time you will see a cookie banner that lets you:

  • Accept all cookies.
  • Reject all non-necessary cookies.
  • Configure preferences by category (analytics / advertising).

Strictly necessary cookies are always active — without them the site does not work. The rest are only loaded if you give your consent.

You can change your preferences at any time from the "Configure cookies" link available in the site footer.

You can also:

12. Security of your data

We apply reasonable technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.2+) and at rest for all data stored on GCP.
  • Internal access controls based on the principle of least privilege: only strictly necessary personnel have access to production, with reinforced authentication.
  • Audit logging of access to systems containing personal data.
  • Account isolation: a user's memory is never accessible by another user.
  • Rigorous selection of Subprocessors: we only work with providers that meet equivalent standards (SOC 2, ISO 27001, or equivalent).
  • Incident response procedure with notification to the supervisory authority within less than 72 hours of becoming aware of a breach affecting your personal data (art. 33 GDPR), and direct notification to affected users when the breach poses a high risk to their rights and freedoms.

No security measure is infallible. If you detect or suspect a security incident related to your account, contact us immediately at hey@baios.ai.

13. Minors' data

The Service is not directed at minors under 18 years of age. We do not knowingly collect personal data of minors. If we discover that a minor has created an account, we will proceed to delete it.

If you are a parent or guardian and believe that a minor in your care has shared data with BAI, contact hey@baios.ai and we will proceed with immediate deletion.

14. Communications we send you

We send you different types of communications, with different regimes:

  • Operational communications (onboarding, functional reminders, invoice, notices about your account, security notifications, material changes to T&C or Privacy): these are part of the Service. You cannot unsubscribe from these while you have an active account, except by canceling the account.
  • Product communications (news, improvements, launches): we send these by virtue of legitimate interest. You can unsubscribe at any time from the link at the end of each email or by writing to hey@baios.ai.
  • Promotional marketing (discounts, campaigns, content): we send these by virtue of legitimate interest in keeping existing users informed, with an easy right of objection. You can unsubscribe at any time from the link at the end of each email or by writing to hey@baios.ai. Unsubscribing from marketing does not affect operational communications.

15. Supervisory authorities and complaints

If you consider that we process your data incorrectly, we encourage you to contact us first at hey@baios.ai — most situations are resolved through direct conversation. If you are not satisfied, you have the right to file a complaint with the supervisory authority of your country:

  • Colombia: Superintendencia de Industria y Comercio (SIC) — sic.gov.co
  • Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — inai.org.mx
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
  • Argentina: Agencia de Acceso a la Información Pública (AAIP) — argentina.gob.ar/aaip
  • Chile: Consejo para la Transparencia (and equivalent authority under Law 21.719 when applicable) — consejotransparencia.cl
  • Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
  • Other EU/EEA countries: respective national authority (list at edpb.europa.eu)
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • California: California Privacy Protection Agency (CPPA) — cppa.ca.gov

16. Changes to this Policy

We may modify this Policy to reflect changes in the Service, in our providers, or in applicable regulations.

  • Non-material changes (style corrections, clarifications): take effect upon publication at baios.ai/privacy.
  • Material changes (new purposes, new subprocessors, changes in your rights): we notify you at least 30 days in advance by email and/or WhatsApp. If you do not agree, you can cancel your account without penalty before the entry into force.

Each version of this Policy indicates its number and date. Previous versions are available upon request to hey@baios.ai.

17. How to contact us

For any matter related to privacy and data protection:

  • Data Protection Officer (DPO): hey@baios.ai
  • General support (not privacy): hey@baios.ai
  • Company: Bai OS, Inc.
  • Jurisdiction of incorporation: Delaware, United States
  • Website: baios.ai

To exercise rights, write to hey@baios.ai indicating your request and country of habitual residence. We respond within the legal periods applicable to your jurisdiction.