Legal

Privacy Policy

Last updated July 9, 2026.

This is a starting template, not legal advice. Replace the bracketed placeholders and have it reviewed by qualified counsel before relying on it.

1. Overview

This Privacy Policy explains how [Your Company Legal Name] (“Ballast,” “we”) collects, uses, and shares information when you use the Ballast platform, websites, and APIs (the “Service”). For workspace and workflow content processed on behalf of a customer, we act as a processor; that customer is the controller.

2. Information we collect

  • Account data — name, email, hashed password, workspace membership and role, and (if you opt in) a phone number for SMS approvals.
  • Workflow content — the workflows, inputs, run outputs, evaluations, and logs you create or generate.
  • Usage & telemetry — run counts, cost attribution, timestamps, and an immutable audit log of actions.
  • Billing data — plan and subscription status. Card details are handled by Whop; we do not store full card numbers.
  • Technical data — IP address, request metadata, and device/browser information for security and reliability.

3. How we use information

To provide, secure, and improve the Service; to authenticate users and enforce access controls; to meter usage and process billing; to send transactional messages (including approval texts you opt into); to provide support; to detect abuse and comply with law.

4. Legal bases (EEA/UK)

Where GDPR applies, we process on the bases of contract (to deliver the Service), legitimate interests (security, product improvement), consent (e.g., SMS opt-in), and legal obligation.

5. Subprocessors & sharing

We share data with vendors that help us run the Service, under contract and only as needed:

  • Hosting / database[your hosting provider] and managed Postgres.
  • Model providers — Anthropic and/or OpenAI, when you configure them to run agent steps.
  • Payments — Whop.
  • Messaging & email — Twilio (SMS) and [your email provider].

We do not sell personal information. We may disclose information to comply with law or protect rights and safety.

6. Retention

We retain account data while your account is active. Runs and audit logs are retained per your plan’s retention window and then deleted by an automated sweeper. You may request earlier deletion, subject to legal and operational limits.

7. Security

We use industry-standard measures: encryption in transit, hashed passwords (scrypt), scoped API keys, role-based access control, tenant isolation, an SSRF guard on outbound tool calls, and audit logging. No system is perfectly secure; report concerns to security@ballastos.com.

8. International transfers

We may process data in [country/region]. Where required, we use appropriate safeguards such as Standard Contractual Clauses for transfers out of the EEA/UK.

9. Your rights

Depending on your location, you may have rights to access, correct, delete, port, or object to processing of your personal data, and to withdraw consent. To exercise them, contact us at the address below. Customers’ end-user data requests are handled through the customer as controller.

10. Cookies

The Service uses strictly necessary cookies/local storage for authentication and preferences. We default to privacy-preserving choices and do not use non-essential tracking without consent.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal data.

12. Changes & contact

We may update this Policy; material changes will be posted here with a new date. For privacy questions or a Data Processing Addendum, contact legal@ballastos.com · [Company address].