Privacy Policy

In this policy, "Service" means the Bao web app, APIs, scanners, and integrations. "Customer" means the entity that signs up for a paid or free Bao account. "User" means an individual authorized to use the Service under a Customer account. "Personal Information" means information that identifies, relates to, or could reasonably be linked to a natural person, as defined under the laws applicable to you.

Bao operates a tiered Service: Free, Founder ($39/mo), Team ($59/active dev/mo), Business ($99/active dev/mo), and Enterprise. Different tiers expose different features (for example, SSO, audit-log export, region pinning, and self-hosting are Business/Enterprise features). Where features differ, this policy notes which tier they apply to.

We collect only what we need to operate Bao. We do not retain your source code, and we do not sell your data. Categories below are the complete list of what we collect and why.

• Account and identity information. Name, work email, organization, role, password hash (when not using SSO), and authentication identifiers from your OAuth provider (GitHub, Google, or Microsoft user id and email). We never see or store the password you use with your OAuth provider.
• OAuth tokens and integration credentials. Access and refresh tokens issued to Bao by the platforms you connect — GitHub, Vercel, Supabase, Stripe, Sentry, Cloudflare, Render, AWS, and any of the 2,000+ apps reachable through Pipedream Connect. Tokens are encrypted at rest with AES-256 and scoped read-only by default. Write scopes, where they exist, only execute via approval-gated actions you confirm.
• Repository, deployment, and infrastructure metadata. Names of repositories, services, environments, and deployments; commit SHAs and authors; CI/CD configuration files; environment variable keys (never values); error rates and incident metadata from Sentry; uptime and routing data from Cloudflare and Vercel. We do not retain repository source code beyond the duration of a scan.
• Scan findings and scores. The output of Bao scans: production-readiness scores, signals, severities, file paths, line numbers, the natural-language description of each finding, and any auto-fix proposals we generate. Findings persist according to the retention rules in Section 6.
• Auto-fix proposals and approval history. When you generate or approve auto-fix proposals, we store the proposal text, the diff we proposed, who approved it, when, and the status of the resulting pull request or write. This is the audit trail we expose to you and is required for traceability.
• Billing and payment information. Subscription tier, seat counts, billing email, billing address, tax ID, and invoice history. Card numbers, bank details, and payment instruments are processed and stored by Stripe, Inc. — Bao stores only the last four digits of the card, the brand, and the Stripe customer/subscription identifiers.
• Communications and support. Emails you send to hello@getbao.app, security@getbao.app, or press@getbao.app; support tickets; sales inquiries submitted through our contact page; and any attachments you send.
• Marketing email subscription. Email address, locale preference, and opt-in/opt-out timestamps for the changelog newsletter and product updates.
• Usage analytics and product telemetry. Aggregated, pseudonymous data about how users interact with Bao: page views, scan invocations, feature usage, performance timings, and error reports. We do not use third-party advertising networks and do not track you across other websites.
• Device, log, and security data. IP address, user-agent, request timestamps, route paths, response codes, and approximate geolocation derived from the IP — used for rate limiting, abuse prevention, audit logs, and incident investigation.
• Cookies and similar technologies. Strictly necessary cookies for authentication and session management, and a small number of first-party cookies for locale (zh-HK or en) and theme. We do not set third-party advertising cookies. See Section 11 for details.

We do not knowingly collect special categories of personal data (health, biometric, religious, political) and we ask Customers not to upload such data into Bao. If you discover that special-category data has been transmitted to Bao, contact us at privacy@getbao.app and we will delete it.

We use personal information for the following purposes, and only these purposes:

• Operate the Service. Authenticate you, run scans across your connected systems, generate readiness scores, render the dashboard, deliver scan results, and execute approval-gated writes you confirm.
• Provide auto-fix proposals. Generate and present remediation suggestions using AI models (described in Section 5). Auto-fix proposals are suggestions only; nothing is applied without your explicit approval.
• Billing and account administration. Process subscriptions through Stripe, send invoices and receipts, manage seat counts, enforce tier limits, and prevent abuse.
• Customer support. Respond to questions, debug issues, and improve the help we provide.
• Security, fraud, and abuse prevention. Detect anomalous behavior, rate-limit abusive traffic, investigate incidents, and notify you and authorities where required by law.
• Product improvement. Aggregate, de-identified usage telemetry to understand which signals matter and where the product needs work. We do not train models on your private code or scan findings without explicit written consent.
• Communications you opt into. Send the changelog newsletter and product updates to addresses that opted in. Every marketing email contains a one-click unsubscribe link that goes to getbao.app/unsubscribe.
• Legal compliance. Comply with applicable laws, respond to lawful government requests, defend our rights, and enforce our Terms of Service.

For users in the European Economic Area, the United Kingdom, and Switzerland, we process personal information under one or more of the following GDPR/UK GDPR legal bases:

• Performance of a contract. To deliver the Service to the Customer that signed our Terms of Service.
• Legitimate interests. To secure the Service, prevent abuse, improve product quality through aggregated telemetry, and operate our business — balanced against your rights and freedoms.
• Consent. For marketing email and any optional analytics; you may withdraw consent at any time.
• Legal obligation. To comply with tax, accounting, security-incident reporting, and other legal duties.

For users in Hong Kong, we comply with the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") and its six Data Protection Principles. We collect personal data lawfully, for purposes directly related to a function of Dragonfly, and use it only for those purposes (or directly related ones) unless you give consent for another use.

We share personal information only as described below. We do not sell personal information, and we do not share it for cross-context behavioral advertising.

Sub-processors. The following sub-processors process personal information on our behalf to deliver the Service. Each is bound by a written data processing agreement, and the list reflects what we actually use today.

• Supabase, Inc. (US). Primary application database, authentication, and storage. Region-pinned to us-east-1 for US Customers and eu-west-1 for EU Customers (Business/Enterprise).
• Vercel Inc. (US). Hosting and edge delivery for getbao.app and the Bao web app.
• Cloudflare, Inc. (US). DNS, edge protection, and TLS termination for our domains.
• Stripe, Inc. (US). Payment processing, subscription management, and tax calculation. Stripe is the controller of the payment instrument data.
• Sentry (Functional Software, Inc.) (US). Error and performance monitoring for the Bao app and our Customers' connected services (when you grant the Sentry integration).
• Pipedream, Inc. (US). OAuth connection broker and workflow runtime that powers the 2,000+ third-party integrations available beyond our eight native integrations. Pipedream stores OAuth credentials for those long-tail integrations.
• Anthropic, PBC (US). Large-language-model inference for auto-fix proposals and explanation generation. Inputs are sent without zero-data-retention by default; Enterprise Customers may request a no-train, no-retention configuration via DPA.
• OpenAI, L.L.C. (US). Secondary model provider for fallback inference. Same retention posture as above.
• Google Cloud Platform (Vertex AI) (US/EU). Tertiary inference and embedding generation for vector search.
• Amazon Web Services, Inc. (US/EU). Object storage for region-pinned scan artifacts and audit-log exports (Business/Enterprise).
• Better Stack (Better Stack, s.r.o., EU). Application logs, uptime monitoring, and on-call paging.
• SendGrid (Twilio Inc.) (US). Transactional email (sign-in links, billing receipts, security notices) and marketing newsletter delivery.
• Doppler, Inc. (US). Internal secrets management for Bao's own infrastructure (does not store Customer data).
• GitHub, Inc. (US). Source-control integration and Bao's own engineering operations. We use GitHub OAuth to authenticate users who choose that sign-in path.
• Linear (Linear Orbit, Inc.) (US). Internal product and engineering tracking; receives no Customer personal data except support-ticket identifiers when escalated.
• Slack Technologies, LLC (US). Internal communications and Customer-facing shared channels for Business/Enterprise; only data Customers actively post is shared.
• Notion Labs, Inc. (US). Internal documentation; receives no Customer personal data.
• Render Services, Inc. (US). Optional integration target — only relevant if a Customer connects Render. We process metadata, never source code.

Other recipients. We may also share personal information with: (a) professional advisors (auditors, lawyers, accountants) under confidentiality; (b) acquirers, in connection with a merger, acquisition, financing, or sale of assets, with notice and continued protection; (c) law enforcement or government authorities, where required by valid legal process and only to the extent legally compelled — we will challenge overbroad requests and notify affected Customers unless legally prohibited.

We will publish material changes to our sub-processor list on this page at least 30 days before they take effect for Business/Enterprise customers, who may object by emailing privacy@getbao.app.

We retain personal information only as long as necessary for the purposes described in this policy. Specific retention periods:

• Source code. Not retained. Source code is fetched at scan time, processed in memory, and discarded.
• Scan findings, scores, and proposals. 90 days by default. Business/Enterprise Customers may configure 30, 60, 90, 180, or 365 days.
• Audit logs. 1 year by default. Business/Enterprise Customers may configure up to 7 years and may export at any time.
• Account information. For the lifetime of your account, plus 30 days after account closure to allow recovery. Then deleted, except where we have a legal duty to retain (e.g., tax records).
• Billing records. 7 years from the date of issuance, as required by tax and accounting regulations in Hong Kong and the United States.
• Marketing email lists. Until you unsubscribe; opt-out is honored within 10 business days. We retain a suppression-list record of unsubscribed addresses indefinitely so we don't accidentally email you again.
• Application logs. 30 days, unless flagged for security investigation.
• Backups. Encrypted backups are retained for up to 35 days and then permanently deleted.

We protect personal information with technical and organizational safeguards designed to prevent unauthorized access, alteration, disclosure, and destruction. Specifics:

• Encryption. AES-256 at rest. TLS 1.3 in transit. OAuth tokens are encrypted with envelope encryption using customer-specific keys.
• Access control. Least-privilege access for Dragonfly personnel. SSO + MFA required for production access. All production access is logged.
• OAuth posture. Read-only scopes by default. Write scopes are only used for approval-gated actions you explicitly confirm.
• Region pinning. Customer data is pinned to us-east-1 (US) or eu-west-1 (EU) on Business/Enterprise.
• Compliance program. SOC 2 Type II is in progress (target FY26). GDPR compliant. HIPAA is out of scope — do not upload PHI to Bao. ISO 27001 is on roadmap. Self-hosted deployment is available on Enterprise.
• Incident response. We maintain a written incident-response plan. We will notify affected Customers without undue delay, and in any event within 72 hours of confirming a personal-data breach where required by GDPR Art. 33 or comparable laws.
• Vulnerability disclosure. Email security@getbao.app. We respond within five business days. There is no paid bounty program today.

No security program is perfect. If you believe your account has been compromised, contact security@getbao.app immediately.

Dragonfly Interactive (HK) Limited is headquartered in Hong Kong SAR. Our infrastructure operates in the United States and the European Union, and we have personnel in Hong Kong and the United States. When personal information is transferred across borders, we use appropriate transfer mechanisms:

• EEA / UK to outside. European Commission Standard Contractual Clauses (Module 2 or 3 as applicable) and the UK International Data Transfer Addendum, supplemented by transfer-impact assessments where required.
• Hong Kong outbound. Compliance with PDPO Section 33 (currently not in force but prudent to comply with): we obtain prescribed consent or rely on a contractual mechanism with the recipient.
• Region pinning. Business and Enterprise Customers may pin data residency to us-east-1 (US) or eu-west-1 (EU). Data does not leave that region except for the LLM inference path, which is a separate sub-processor flow disclosable in the DPA.

Depending on where you live, you have rights under privacy law. We honor these rights for all users globally as a matter of policy, even where the law does not require it.

• Access. Request a copy of the personal information we hold about you.
• Correction / rectification. Ask us to correct inaccurate information.
• Deletion / erasure. Ask us to delete your personal information, subject to legal retention duties (e.g., billing records).
• Portability. Receive a machine-readable copy of the personal information you provided to us.
• Objection / opt-out. Object to processing based on legitimate interests; opt out of marketing email at any time.
• Restriction. Ask us to pause processing in defined circumstances.
• Withdrawal of consent. Where we rely on consent, withdraw it without affecting prior lawful processing.
• No automated decisions with legal effect. Bao does not make decisions that produce legal effects on you using purely automated processing.

CCPA/CPRA (California). California residents have additional rights to know, delete, correct, and limit the use of sensitive personal information, plus a right to opt out of "sale" or "sharing" — Bao does not sell personal information and does not share it for cross-context behavioral advertising. We do not discriminate against you for exercising these rights.

Hong Kong PDPO. Hong Kong residents may make a data-access or data-correction request under Sections 18 and 22 of the PDPO. We will respond within the 40-day statutory period and may charge a reasonable fee where permitted.

How to exercise your rights. Email privacy@getbao.app from the address associated with your account, or contact us at the address in Section 14. We may need to verify your identity before fulfilling a request. We will respond within 30 days for GDPR/UK GDPR requests, 45 days for CCPA requests, and 40 days for PDPO requests.

Bao is not intended for children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information to Bao, contact privacy@getbao.app and we will delete it.

Bao uses a minimal set of first-party cookies and similar technologies. We do not use third-party advertising trackers and we do not load fingerprinting scripts.

• Strictly necessary. Authentication, session, and CSRF protection cookies. These are required to use the Service and cannot be disabled.
• Preference. Locale (en or zh-HK) and theme preferences.
• Analytics. Aggregated, pseudonymous product analytics. Where required by law, we ask for opt-in consent before setting analytics cookies.

You can clear cookies through your browser. If you clear authentication cookies, you will be signed out.

We will update this policy from time to time. When we make material changes, we will notify you by email (to the address on your account) or by a prominent notice on getbao.app at least 14 days before the change takes effect, and we will update the "Effective Date" and "Last Updated" at the top of the policy. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

For privacy questions, requests, or complaints:

• Privacy email. privacy@getbao.app
• Security email. security@getbao.app
• General email. hello@getbao.app
• Postal — Hong Kong. Dragonfly Interactive (HK) Limited, Hong Kong SAR. (Full registered office available on request to privacy@getbao.app.)
• Postal — United States. Dragonfly Interactive (HK) Limited, c/o Florida operations. (Full address available on request to privacy@getbao.app.)

EEA/UK Customers: if you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your country of residence. Hong Kong residents may complain to the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD).