Privacy policy

Last updated: 9 May 2026

The short version

Baarely tracks how AI assistants (ChatGPT, Claude, Gemini, etc.) talk about your brand. To do that we store the brand info you give us, the questions we ask AI on your behalf, and what the AI says back. We don’t sell your data. We don’t share it with anyone except the AI providers we have to query to do the job. You can delete everything in two clicks.

Who runs Baarely

Baarely is operated independently. Contact for any privacy question: hello@baarely.com.

What we store

The categories of data tied to your account:

  • Account identity: email + password hash (managed by Supabase Auth).
  • Brand profile: name, industry, location, website, services, keywords, brand facts you enter.
  • Prompts: the customer-style questions we ask AI engines about your category.
  • Scan results: the AI’s actual responses, parsed for mentions, sentiment, and hallucinations.
  • Action items + verification scans: recommendations we generate and the proof-of-work scans you trigger.
  • Operational metadata: when you logged in last, scan timestamps, plan + trial state.

We don’t collect anything we don’t need. No analytics fingerprinting, no third-party trackers, no advertising cookies.

Why we store it (lawful basis)

  • Performance of contract (GDPR Art. 6(1)(b)): storing brand profiles, running scans, generating actions — without these we can’t deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): preventing fraud, enforcing rate limits, retaining data 30 days after deletion for support / dispute resolution.
  • Consent (Art. 6(1)(a)): only for things you opt into — e.g. transactional emails about your scans. You can opt out at any time.

Who else sees your data (sub-processors)

Baarely uses these third parties to run. Each sees a specific slice — never more.

  • Supabase — database + authentication. Sees everything you store with us. Hosted in EU regions.
  • Vercel — application hosting. Sees request metadata; doesn’t persist your data.
  • Anthropic (Claude), OpenAI (ChatGPT), Google (Gemini) — we send your prompts to these AI engines to do the actual visibility scans. We do NOT include your account email or other personal data in those API calls — only the prompt text + (for hallucination detection) your published brand facts. Each provider has its own privacy policy.
  • Resend — transactional email delivery. Receives recipient address + email body for trial reminders, scan-paused notifications, team invitations, and plan-activation confirmations after a paid upgrade.
  • Stripe — payment processing for paid plans. When you click an Upgrade button you’re sent to Stripe’s hosted checkout page; we never see or store your card details. Stripe receives your email (pre-filled to save typing), the plan you selected, and a Baarely account ID so we can match the payment to your account on our side. Stripe is the controller for any data you enter on their checkout page; their privacy policy applies to that step.
  • PostHog (EU region) — product analytics. Sees anonymous distinct IDs + your account user ID and email (so we know which user did what), plus the events you trigger in the app (signup, scan, action-done). No scan content, no AI responses, no brand facts. Used to understand the product funnel + fix UX bottlenecks. EU data residency.
  • Sentry — error tracking. Sees stack traces, request paths, and your account user ID when something breaks. We strip PII from error reports before they leave the server. Used to fix bugs faster than waiting for you to email us.

We don’t use any of these for advertising profiling. None of them is allowed to sell your data.

Where data lives

Primary storage is Supabase’s EU region (Frankfurt). Some sub-processors (the AI engines, Resend) process data in the United States as part of normal operation. Where required, transfers rely on the EU-US Data Privacy Framework or Standard Contractual Clauses.

Cookies

We use functional + analytics cookies only. No advertising, no cross-site tracking:

  • sb-* — Supabase auth session. Required to stay signed in.
  • baarely_active_brand — remembers which brand you’re viewing across pages. Cleared on sign out.
  • lang — your interface language preference.
  • theme — light or dark mode preference. Stored in localStorage, not actually a cookie.
  • ph_phc_*_posthog — PostHog analytics distinct ID. Lets us see funnel behaviour (signup, scan, action-done) without identifying you to anyone outside Baarely. EU-hosted.

How long we keep it

  • While your account is active: as long as you’re a customer.
  • After you delete a brand: 30 days, then permanently purged by an automated daily job.
  • After you delete your account: account, brands, and login identity (your auth row) all soft-delete and stay in a recovery state for 30 days. The dashboard hides them immediately, so you and your data are effectively offline. After 30 days the daily purge cron hard-deletes everything, including the auth row, which finally frees up the email for re-signup.
  • Backups: rolled forward 30 days, after which they age out.

Email hello@baarely.com within the 30-day window if you change your mind and want the deleted account or brand restored.

Your rights under GDPR

You can do all of these from your account settings, or by emailing us:

  • Access: “Export your data” in Account → Your data downloads everything we have on you as JSON (Article 15).
  • Rectification: edit your brand profile / brand facts / prompts directly in the dashboard (Article 16).
  • Erasure: “Delete account” in Account triggers deletion (Article 17).
  • Portability: the same JSON export is structured + machine-readable (Article 20).
  • Object / restrict: email us and we’ll pause processing while we work it out (Articles 18, 21).
  • Complain: if we’ve let you down, you can complain to your national supervisory authority. In Poland that’s UODO (uodo.gov.pl).

Security

Passwords are hashed via Supabase Auth (bcrypt). Connections are encrypted in transit with TLS. Database access is restricted by Row-Level Security policies — even if our application code had a bug, a logged-in user can’t reach another user’s rows. We use the service-role key (bypasses RLS) only for cron jobs and admin tooling, never to handle a regular user request.
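To show what the paragraph above means in practice, here is an illustrative Postgres/Supabase Row-Level Security setup. This is an added example, not Baarely’s actual schema or code; the table name `brands`, the `user_id` and `deleted_at` columns, and the two sample UUIDs are assumptions, while `auth.uid()`, the `authenticated` role and the service role’s RLS bypass are standard Supabase features.

```sql
-- Assumed table: one row per brand, owned by the signed-in user who created it.
create table if not exists brands (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  name       text not null,
  deleted_at timestamptz          -- set on soft delete; null while the brand is live
);

-- With RLS enabled and no matching policy, an ordinary role sees zero rows.
-- FORCE makes the rule apply to the table owner too, so app code cannot bypass it.
alter table brands enable row level security;
alter table brands force row level security;

-- Owner-only read: auth.uid() is the user id taken from the caller's JWT.
-- Soft-deleted rows are hidden immediately, matching the 30-day recovery state.
create policy brands_owner_select on brands
  for select to authenticated
  using (user_id = auth.uid() and deleted_at is null);

-- Owner-only insert/update/delete; WITH CHECK stops re-parenting a row
-- to another user's id on write.
create policy brands_owner_modify on brands
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Isolation check (run in a transaction): impersonate a user with a constructed id
-- and confirm only that user's rows come back. auth.uid() reads the 'sub' claim.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"11111111-1111-1111-1111-111111111111"}', true);
select count(*) as visible_rows_for_user_1 from brands;   -- only user 1's live brands
select set_config('request.jwt.claims',
                  '{"sub":"22222222-2222-2222-2222-222222222222"}', true);
select count(*) as visible_rows_for_user_2 from brands;   -- never includes user 1's rows
rollback;

-- The daily purge runs under the service role, which carries BYPASSRLS, so it can
-- hard-delete rows that no signed-in user is able to see. Nothing else should use it.
delete from brands
 where deleted_at is not null
   and deleted_at < now() - interval '30 days';
```

The purge statement is the one place the bypassing role is needed; running it as `authenticated` would silently delete nothing, which is a useful sanity check that the policies are doing their job.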

We don’t offer SSO/SAML on standard plans yet — Enterprise customers can request it.

Children

Baarely is for businesses. We don’t knowingly collect data from anyone under 16. If you believe a minor signed up, email us and we’ll delete the account.

Changes

When we change this policy in a way that affects how we use your data, we’ll email everyone with an active account. The “Last updated” date at the top always reflects the current version.