Privacy policy

1. Some key terms

In our Privacy Policy, when we refer to “Customers”, we mean parties who contract with us for the use of our Services.  Our Customers may authorize or instruct individuals to register for an account on and use our Services.  These individuals are referred to herein as “Users”.  Users may use the Services to collect and share data related to third parties.  These third parties are referred to herein as “Subjects” and the data related to such Subjects are referred to as “Subject Data”. Any other capitalized terms not defined in this Privacy Policy have the meanings in our User Agreement, Customer Agreement, and Acceptable Use Covenants (all four of which are collectively referred to as BAO Systems’ “Terms”).

When we refer to “BAO Systems,” “we,” or “us” in this policy, we mean BAO Systems, LLC, which controls the collected information. We own and operate a number of websites and offer related services, like support. We refer to all of these products, together with our other services and websites as “Services” in this policy.

2. How does this Privacy Policy apply?

This Privacy Policy describes what we do with personal information that we collect and use for our own purposes (i.e., where we are a controller), such as a Customer’s account information and information about how such Customer and its Users use and interact with our Services, including information submitted to our customer support as well as certain information relating to such Customer’s Users. If you do not agree with this policy, do not access or use our Services or interact with any other aspect of our business.

In providing the Services, we host and process Subject Data and User information on behalf of our Customers.  Each Customer determines what it does with its Subject Data and User information.  The Customer controls such Subject Data and User information and, under the European General Data Protection Regulation (“GDPR”), is deemed the controller of such Subject Data and User information.  This Privacy Policy does not describe what we do with Subject Data and User information on our Customers’ instructions (i.e., as their processor under the GDPR). If you are a User or Subject and want to know how a Customer handles your information, you should check its privacy policy.

If you want to know about what we do with information we collect for our own purposes, read on.

If you are a Customer or User in the European Economic Area, United Kingdom or Switzerland (the “EEA”) or if the GDPR is otherwise applicable to your personal data or the data you collect, please see our Data Processing Agreement to learn more about how we process such data.

At BAO Systems we respect your privacy. When it comes to your personal information, we believe in transparency, not surprises. That’s why we’ve set out here what personal information we collect, what we do with it and your choices and rights.

By using the Services, you confirm you have agreed to our Terms and read and understood this Privacy Policy.

3. Personal information we collect

We collect various personal information regarding you or your device. This can include the following:

– Information you provide to create an Account, specifically email address, first name and last name. If you sign up for paid Services, we may receive a portion of your payment information from our payment processor (such as the last four digits, the country of issuance and the expiration date of the payment card).

– Your marketing preferences.

– The emails and other communications that you send us or otherwise contribute, such as customer support inquiries.

– Information you share with us in connection with surveys, events or promotions.

– Information from your use of the Services. This includes: preferences, web pages you visited prior to coming to our website, information about your browser, network or device (such as browser type and version, operating system, internet service provider, and other regional settings), and information about how you interact with the Services (such as problems you may encounter, for example loading errors). We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We may use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services.

– Information we get from our partners to support our marketing initiatives, improve our Services and better monitor, manage and measure our marketing campaigns.

– Other information you submit to us directly or through third-party services if you use a third-party service to create an account (based on your privacy settings with such third-party service).

4. How we collect personal information

We obtain personal information from various sources. We do this in three main ways:

– You provide some of it directly (such as by registering for an account on our Services).

– We record some of it automatically when you use our Services (including with technologies like cookies).

– We receive some of it from third parties (like when you make payments to us using our payment processor).

We’ve described this in more detail below.

a. Personal information you provide

When you use our Services, we collect information from you in a number of ways.  For instance, we ask you to provide your name and email address to register and manage your account. We also maintain your marketing preferences and the emails and other communications that you send us or otherwise contribute, such as customer support inquiries or posts to our social media accounts. You might also provide us with information in other ways, including by responding to surveys, submitting a form or participating in BAO Systems events.

Sometimes we require you to provide us with information for contractual or legal reasons. We’ll normally let you know when information is required, and the consequences of failing to provide it. If you do not provide personal information when requested, you may not be able to use our Services if that information is necessary to provide Services to you or if we are legally required to collect it.

b. Personal information obtained from your use of our Services

When you use our Services, we collect information about your activity on and interaction with the Services, such as your device and browser type, the web page you visited before coming to our sites, what pages on our sites you visit and for how long and identifiers associated with your devices. If you’ve given us permission through your device settings, we may collect your location information in our mobile apps.

If you are a User, we also get information about your interactions with the Customer’s account, including their projects, though we use this in anonymous, aggregated or pseudonymized form which does not focus on you individually. We use this data to evaluate, provide, protect or improve our Services (including by developing new products and services).

c. Personal information obtained from other sources

Customers of our Services may provide information about you when they submit content through the Services. For example, we may receive your email address from another User when they provide it in order to invite you to the Services.

We may also receive information about you when you or your account administrator link a third-party service with our Services. For example, you may authorize our Services to access and display files from a third-party document-sharing service within the Services interface. Or you may authorize our Services to sync a contact list or address book so that you can easily connect with those contacts within the Services or invite them to collaborate with you on our Services. The information we receive when you link or integrate our Services with a third-party service depends on the settings, permissions and privacy policy controlled by that third-party service. You should always check the privacy settings and notices in these third-party services to understand what data may be disclosed to us or shared with our Services.

If you sign up for Paid Services, we obtain limited information about your payment card from our payment processor. Currently, our payment processor is Stripe. Stripe uses and processes your complete payment information in accordance with Stripe’s privacy policy.

5. How we use your personal information

How we use the information we collect depends in part on which Services you use, how you use them, and any preferences you have communicated to us. We may use the personal information we obtain about you to:

Provision of the Services. Create and manage your account, provide and tailor our Services, process payments and respond to your inquiries.

Communicating with you. Communicate with you, including by sending you emails about your transactions and Service-related announcements.

Surveys. Administer surveys.

Promotion. Promote our Services and send you tailored marketing communications about products, services, offers, programs and promotions of BAO Systems and measure the success of those campaigns. For example, we may send different marketing communications to you based on your subscription plan or what we think may interest you based on other information we hold about you.

Advertising. Analyze your interactions with our Services and third parties’ online services so we can tailor our advertising to what we think will interest you. For example, we may decide not to advertise our Services to you on a social media site if you already signed up for Paid Services or we may choose to serve you a particular advertisement based on your subscription plan or what we think may interest you based on other information we hold about you.

Improving our Services. We are always looking for ways to make our Services smarter, faster, more secure, integrated and useful to you. We use collective learnings about how people use our Services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and areas for integration and improvement of the Services. In some cases, we apply these learnings across BAO Systems to improve and develop similar features or to better integrate the Services you and others use. We also test and analyze certain new features with some Customers before rolling out the feature to all Customers. We usually do this based on anonymous, pseudonymized or aggregated information which does not focus on you individually. For example, if we learn that most Customers of subscription services use a particular integration or feature, we might wish to expand on that integration or feature.

Security. Ensure the security and integrity of our Services.

Third-party relationships. Manage our vendor and partner relationships.

Enforcement. Enforce our Terms and other legal terms and policies.

Protection. Protect our and others’ interests, rights and property (e.g., to protect our Customers and their Users from abuse).

Complying with law. Comply with applicable legal requirements, such as tax and other government regulations and industry standards, contracts and law enforcement requests.

We process your personal information for the above purposes when:

Consent. You have consented to the use of your personal information in a particular way. When you consent, you can change your mind at any time.  We use information about you where you have given us consent to do so for a specific purpose not listed above. For example, we may publish testimonials or featured customer stories to promote the Services, with your permission.

Performance of a contract. We need your personal information to provide you with the Services or to respond to your inquiries. In other words, so we can perform our contract with you or take steps at your request before entering into one. For example, we need your email address so you can sign into your BAO Systems account.

Legal obligation. We have a legal obligation to use your personal information, such as to comply with applicable tax and other government regulations or to comply with a court order or binding law enforcement request.

Legitimate interests. We have a legitimate interest in using your personal information. In particular, we have a legitimate interest in the following cases:

– To operate the BAO Systems business and provide you with tailored communications to develop and promote our software-as-a-service.

– To analyze and improve the safety and security of our Services – we do this as it is necessary to pursue our legitimate interests in ensuring BAO Systems products and services are secure, such as by implementing and enhancing security measures and protections and protecting against abuse.

– To provide and improve the Services, including any personalized services – we do this as it is necessary to pursue our legitimate interests of providing an innovative and tailored offering to our Customers on a sustained basis.

– To share your personal information with other BAO Systems affiliated entities that help us provide and improve the Services.

– To anonymize and subsequently use anonymized information.

Legal bases for processing: If you are an individual in the EEA, we collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your personal information only where:

– We need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;

– It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;

– You give us consent to do so for a specific purpose; or

– We need to process your data to comply with a legal obligation.

6. How we share your personal information

We share personal information in the following ways:

Customers. We share with our Customers data regarding usage by their Users. For example, we provide our Customers with information about how their Users interacted with our software, including project data entry components and related functionalities associated with the Customer’s account. This is so Customers can analyze the usage of their accounts.

Service providers. We share personal information with our vendors, consultants, and other service providers who perform services on our behalf. For example, we may use third parties to help us provide customer support, send marketing and other communications on our behalf, or assist with data storage.

Following the law or protecting rights and interests. We disclose your personal information if we determine that such disclosure is reasonably necessary to comply with the law or to protect our or others’ rights, property or interests (such as enforcing our Terms or preventing abuse of BAO Systems or our Customers or Users). In particular, we may disclose your personal information in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements.

Business transfers. If we’re involved in a reorganization, merger, acquisition or sale of some or all of our assets, your personal information may be transferred as part of that deal.

7. Your rights and choices

Where applicable law requires (and subject to any relevant exceptions under law), you may have the right to access, update, change or delete personal information. In such cases, you can access, update, change or delete certain personal information (or that of your Users) either directly in your account or by contacting us at security@baosystems.com to request the required changes. You can exercise your other rights (including deleting your account) by contacting us at the same email address.

You can also elect not to receive marketing communications by following the unsubscribe instruction in such communications.

Please note that, for technical reasons, there is likely to be a delay in deleting your personal information from our systems when you ask us to delete it. We also will retain personal information in order to comply with the law, protect our and others’ rights, resolve disputes or enforce our legal terms or policies, to the extent permitted under applicable law.

You may have the right to restrict or object to the processing of your personal information or to exercise a right to data portability under applicable law. You also may have the right to lodge a complaint with a competent supervisory authority, subject to applicable law. If you are subject to the GDPR, we suggest you lodge any such complaints with your local data protection authority within the EEA.

Additionally, if we rely on consent for the processing of your personal information, you have the right to withdraw it at any time and free of charge. When you do so, this will not affect the lawfulness of the processing before your consent withdrawal.

If you are a User or Subject of one of our Customer’s accounts, you should contact them to exercise your rights with respect to any information they hold about you.

8. How we protect your personal information

We use data hosting service providers in the EEA to host the information we process, and we use technical measures to secure your data. While no service is completely secure, we have a security team dedicated to keeping personal information safe. We maintain administrative, technical and physical safeguards that are intended to appropriately protect against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse and any other unlawful form of processing of the personal information in our possession.

9. How we retain your personal information

We retain personal information regarding you or your use of the Services for so long as your Account is active or for as long as needed to provide you or your Users with the Services. We also retain personal information for as long as necessary to achieve the purposes described in this Privacy Policy, for example, to comply with our legal obligations, to protect us in the event of disputes, to enforce our agreements and to protect our and others’ interests.

The precise periods for which we keep your personal information vary depending on the nature of the information and why we need it. Factors we consider in determining these periods include the minimum required retention period prescribed by law or recommended as best practice, the period during which a claim can be made with respect to an agreement or other matter, whether the personal information has been aggregated or pseudonymized, and other relevant criteria. For example, the period we keep your email address is connected to how long your account is active, while the period for which we keep a support message is based on how much time has passed since the last submission in the thread.

As Customers may have seasonal projects or come back to us after an account becomes inactive, we don’t immediately delete your personal information when your trial expires, or you cancel all paid or subscription Services. Instead, we keep your personal information for a reasonable period of time, so it will be there for you if you come back.

You may delete your account by contacting us at security@baosystems.com and BAO Systems will delete the personal information it holds about you (unless we need to retain it for the purposes set out in this Privacy Policy).

Please note that in the course of providing the Services, we collect and maintain aggregated, anonymized or de-personalized information which we may retain indefinitely.

10. Data Privacy Framework

BAO Systems complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. BAO Systems has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. BAO Systems has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

Data Privacy Framework questions should be directed to BAO Systems at security@baosystems.com.

BAO Systems has further committed to refer unresolved Data Privacy Framework complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, BAO Systems commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

In the context of an onward transfer to third parties, BAO Systems has responsibility for the processing of your information it receives. BAO Systems shall remain liable under the EU-U.S. DPF, the UK-U.S. DPF, and the Swiss-U.S. DPF if a third party processes your information in a manner inconsistent with the EU-U.S. DPF, the UK-U.S. DPF, and the Swiss-U.S. DPF, unless proven that BAO Systems is not responsible for any processing inconsistent with the EU-U.S. DPF, the UK-U.S. DPF, and the Swiss-U.S. DPF. BAO Systems’ liability extends only to trusted third parties and analytics partners that BAO Systems relies on to deliver our Services. BAO Systems shall not be liable for third parties that you independently select or use in conjunction with BAO Systems Services.

The EU-U.S. DPF, the UK-U.S. DPF and the Swiss-U.S. DPF also provide the option for EU, UK and Swiss individuals to invoke binding arbitration to determine whether BAO Systems has violated its obligations under the EU-U.S. DPF Principles and whether any such violation remains fully or partially unremedied (“residual claims”). As a self-certified organization in the EU-U.S. DPF, the UK-U.S. DPF and the Swiss-U.S. DPF, BAO Systems is required to arbitrate claims pursuant to the Recourse, Enforcement and Liability Principle of the EU-U.S. DPF, the UK-U.S. DPF and the Swiss-U.S. DPF.

BAO Systems is subject to oversight by the U.S. Federal Trade Commission.

11. Users’ personal information

Our Customers who have created an account on BAO Systems are responsible for what they and their Users do with the User information and Subject Data they collect.  This section is directed to such Customers.

a. Your relationship with Users

If you’re one of our Customers, you will collect personal information about your Users. For example, name and email address so that you can add them to teams and projects.

You’re solely responsible for complying with any laws and regulations that apply to your collection and use of your Users’ information, including personal information you collect about them.

We’re not liable for your relationship with your Users or how you collect and use personal information about them and we won’t provide you with any legal advice regarding such matters.

b. Your relationship with Subjects

Where the Services are made available through a Customer, that Customer is responsible for the Users and Subjects over which it has control. All Subject Data at an individual level is controlled by the Customer. We are not responsible for the privacy or security practices of a Customer, which may be different from this policy.

12. Our policy towards children

The Services are not directed to individuals under 13 years of age. We do not knowingly collect personal information from children under 13. We will direct potential users under 13 years of age not to use the Services. If we learn that personal information of persons less than 13 years of age has been collected without verifiable parental consent, then we will take the appropriate steps to delete this information. To make such a request, or if there are any questions or concerns about the Privacy Policy for the Service or its implementation, please contact us at security@baosystems.com.

13. Updates to this Privacy Policy

We’ll update this Privacy Policy from time to time to reflect changes in technology, law, our business operations or for any other reason we determine is necessary or appropriate. When we make changes, we’ll update the “Effective Date” at the top of the Privacy Policy and post it on our sites. If we make material changes to it or the ways we process personal information, we’ll notify you (by, for example, prominently posting a notice of the changes on our sites or directly sending you a notification).

We encourage you to check back periodically to review this Privacy Policy for any changes since your last visit.  This will help ensure you better understand your relationship with us, including the ways we process your personal information.

14. How to contact us

Your information is processed by BAO Systems, LLC. If you have questions or concerns about how your information is handled, please direct your inquiry to BAO Systems, LLC, as set forth below or, if you are a resident of the EEA, please contact our EU Representative.

BAO Systems, LLC

2900 K St. NW
Suite 506
Washington, DC 20007, USA

Email: security@baosystems.com

EU Representative:

BAO Systems LLC – Sucursal em Portugal

R. Gregório Lopes
Lote 1639, Loja
1400-414 Lisboa
Portugal

Email: security@baosystems.com