Privacy Policy

Effective date: April 14, 2026 · Last updated: April 14, 2026

1. Introduction

Baseframe ("we," "us," or "our") operates at base-frame.com and builds custom business platforms for wholesale and distribution companies. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our marketing website, use our Platform, or interact with us.

By using our services, you consent to the data practices described in this policy. If you do not agree with the terms of this policy, please do not access or use our services.

2. Information We Collect

2.1 Information You Provide Directly

  • Contact form submissions: Name, email address, company name, and message content when you reach out through our website
  • Account information: Name, email, and organizational role as provided through Microsoft Entra ID during SSO authentication
  • Business data: Customer records, invoices, tickets, inventory data, and other operational information you enter into the Platform
  • Payment information: Billing details for Baseframe services. For your wholesale customers, payment card information is tokenized through Authorize.net and never stored on our servers
  • Communications: Email correspondence and support requests

2.2 Information Collected Automatically

  • Log data: IP address, browser type and version, operating system, referring URLs, pages visited, and access timestamps
  • Device information: Device type, screen resolution, and language preferences
  • Usage data: Features accessed, actions performed within the Platform, and session duration

2.3 Information From Third-Party Services

  • Microsoft Entra ID: User profile information, group memberships, and role claims used for authentication and authorization
  • Shopify: Product data, inventory levels, order history, and customer records synced from your Shopify store
  • Authorize.net: Transaction status, payment profile IDs (tokens only — no raw card data), and transaction history
  • ShipStation: Shipping rates, tracking information, and shipment status

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Platform and its features
  • To process transactions and manage billing for our services
  • To authenticate users and enforce role-based access controls
  • To power AI features including ticket response suggestions, smart search, and customer intelligence
  • To send transactional emails (invoice delivery, ticket notifications, payment confirmations)
  • To respond to your inquiries and provide customer support
  • To maintain the audit trail recording all data mutations
  • To monitor and improve Platform performance, security, and reliability
  • To comply with legal obligations and enforce our Terms of Service

We do not sell your personal information. We do not use your business data to train AI models for other clients. Each Platform's AI features operate exclusively on that client's data.

4. Cookies and Tracking Technologies

We use the following types of cookies:

| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication session management, CSRF protection | Session |
| Functional | User preferences, theme settings | 1 year |
| Security | Cloudflare Turnstile bot protection, rate limiting | Session |

We do not use advertising or marketing tracking cookies. We do not use Google Analytics or similar third-party analytics platforms on the Platform.

5. Third-Party Services

Our Platform integrates with the following third-party services, each with their own privacy practices:

Microsoft Entra ID (Azure Active Directory)

Used for single sign-on authentication for internal Platform users. Microsoft processes authentication tokens and user profile data per the Microsoft Privacy Statement.

Shopify

Used to sync product data, inventory levels, orders, and customer records. Shopify processes data per the Shopify Privacy Policy.

Authorize.net

Used for payment processing and tokenized card storage (CIM). Raw card data is handled exclusively by Authorize.net. Baseframe only stores tokenized payment profile identifiers. See the Visa / Authorize.net Privacy Policy.

Amazon Web Services (AWS SES)

Used for transactional email delivery (invoice emails, ticket notifications, payment confirmations). AWS processes email addresses and message content per the AWS Privacy Notice.

Cloudflare

Used for CDN, DDoS protection, and Turnstile bot verification on public-facing forms. Cloudflare may process IP addresses and request metadata per the Cloudflare Privacy Policy.

ShipStation

Used for shipping rate calculation and shipment tracking. ShipStation may process shipping addresses and order details per the ShipStation Privacy Policy.

6. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes described in this policy:

  • Platform data: Retained for the duration of your service agreement plus ninety (90) days after termination for data export
  • Audit trail: Retained for a minimum of seven (7) years to satisfy regulatory and compliance requirements
  • Contact form submissions: Retained for two (2) years or until the inquiry is resolved, whichever is longer
  • Server logs: Retained for ninety (90) days
  • Backup data: Database backups are retained for thirty (30) days and then securely destroyed

Upon termination of services, we will provide a complete data export in a standard format upon request and delete your data from our systems within ninety (90) days, except where retention is required by law.

7. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit via TLS 1.3
  • Encryption at rest via AES-256
  • OWASP ASVS Level 2 compliance across all Platform builds
  • PCI DSS SAQ A compliance for payment processing
  • Microsoft Entra ID with tenant-locked OIDC for authentication
  • Append-only audit trail with JSONB before/after snapshots for all data mutations
  • Role-based access controls with principle of least privilege
  • Annual penetration testing by a CREST-accredited firm
  • Automated vulnerability scanning and dependency monitoring

While we use commercially reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Portability: Request a machine-readable copy of your data for transfer to another service
  • Restriction: Request that we limit processing of your personal information in certain circumstances
  • Objection: Object to processing of your personal information for specific purposes

California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to request deletion, and the right to non-discrimination for exercising your privacy rights. We do not sell personal information as defined under the CCPA.

To exercise any of these rights, please contact us through our contact form. We will respond to verified requests within thirty (30) days.

9. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

10. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers and third-party service providers are located. If you are accessing our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in a jurisdiction with different data protection laws than your home jurisdiction.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a prominent notice on our website at least thirty (30) days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data rights, please reach out through our contact form.

Baseframe
Irvine, California
base-frame.com