Privacy Policy

Last Updated: October 2025

BackApps.ai ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Backend-as-a-Service platform. We comply with GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and COPPA (Children's Online Privacy Protection Act).

1. Data Controller Information

Data Controller: BackApps.ai

Contact Email: privacy@backapps.ai

Data Protection Officer: dpo@backapps.ai

BackApps.ai acts as both a Data Controller (for your account and billing information) and a Data Processor (for data you store in your applications). When you use BackApps to build applications, you are the Data Controller for your end-users' data, and we process that data on your behalf according to your instructions.

2. Information We Collect

2.1 Account Information

  • Email address (required for authentication)
  • Name (optional)
  • OAuth provider data (Google) if you sign in via OAuth
  • Password hash (if using email/password authentication)

2.2 Application Data

  • Application names, configurations, and metadata
  • API keys and JWT tokens generated for your applications
  • Database schemas, models, and records you create
  • File uploads and asset storage
  • Webhook configurations and logs

2.3 Usage Information

  • API request logs (endpoints accessed, timestamps, response codes)
  • Feature usage analytics (which features you use and how often)
  • Performance metrics (response times, error rates)
  • Billing and usage statistics

2.4 Technical Information

  • IP addresses
  • Browser type and version
  • Device information (operating system, device type)
  • Cookies and similar tracking technologies
  • Referrer URLs

2.5 Payment Information

  • Billing address
  • Payment method details (processed by third-party payment processors; we do not store full card numbers)
  • Transaction history

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contractual Necessity: Processing necessary to provide the service you requested (account creation, API access, application hosting)
  • Legitimate Interest: Security monitoring, fraud prevention, service improvement, and analytics
  • Legal Obligation: Tax compliance, data breach notifications, law enforcement requests
  • Consent: Marketing communications (you can withdraw consent anytime)

4. How We Use Your Information

Service Delivery:

  • Provide, maintain, and improve BackApps services
  • Process API requests and manage database operations
  • Authenticate users and manage access control
  • Store and retrieve application data

Business Operations:

  • Process payments and manage billing
  • Send transactional emails (password resets, service notifications)
  • Provide customer support
  • Enforce our Terms of Service

Security and Compliance:

  • Detect and prevent fraud, abuse, and security threats
  • Monitor for unauthorized access
  • Comply with legal requirements and law enforcement requests

Analytics and Improvement:

  • Analyze usage patterns to improve service performance
  • Develop new features based on user needs
  • Conduct research and development

5. Data Sharing and Disclosure

We do not sell your personal information. We share data only in the following circumstances:

5.1 Service Providers

  • Turso Cloud: Database infrastructure (data stored in US and EU regions)
  • Fly.io: Infrastructure hosting and deployment
  • Payment Processors: Payment processing
  • Email Service Providers: Transactional email delivery

All third-party processors are bound by Data Processing Agreements (DPAs) and contractually obligated to protect your data.

5.2 Legal Requirements

We may disclose information if required by law, such as:

  • Responding to court orders, subpoenas, or legal processes
  • Protecting rights, property, or safety of BackApps, users, or the public
  • Investigating fraud or security issues

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. You will be notified via email and/or prominent notice on our website before any transfer occurs.

6. International Data Transfers

BackApps operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States and European Union.

Safeguards for EU Users:

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission
  • Our service providers comply with applicable data protection requirements

7. Data Retention

We retain personal information for the following periods:

  • Account Data: Retained while your account is active. Deleted 90 days after account deletion request (unless required by law).
  • Application Data: Recoverable for 7 days after deletion request (soft delete), then permanently deleted after 23 additional days (30 days total from deletion request).
  • API Logs: Retained for 90 days for operational purposes
  • Billing Records: Retained for 7 years for tax and accounting compliance
  • Security Logs: Retained for 1 year for security investigations
  • Backup Data: Retained for 30 days in encrypted backups

After the retention period expires, personal data is permanently deleted from our systems and backups.

8. Data Security

We implement industry-standard security measures:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Authentication: Multi-factor authentication (MFA) support, OAuth 2.0
  • Access Control: Role-based access control (RBAC), principle of least privilege
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Monitoring: 24/7 security monitoring, automated threat detection
  • Compliance: Regular security audits, penetration testing, vulnerability scanning

Important: No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your API keys and account credentials.

9. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights:

  • Right to Access: Request a copy of your personal data we hold
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal obligations)
  • Right to Restrict Processing: Limit how we use your data in certain circumstances
  • Right to Data Portability: Receive your data in a machine-readable format (JSON export)
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing or optional processing
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

How to Exercise Rights: Contact privacy@backapps.ai. We will respond within 30 days.

Identity Verification: To protect your privacy and security, we may require identity verification before processing data requests. This may include confirming your email address, account details, or other identifying information.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Categories of Personal Information

In the past 12 months, we have collected the following categories:

  • Identifiers (email, name, IP address)
  • Commercial information (billing records, transaction history)
  • Internet/network activity (API logs, usage data)
  • Geolocation data (derived from IP address)

Your CCPA Rights

  • Right to Know: Request details about personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

How to Exercise Rights: Email privacy@backapps.ai or use the in-app settings. We may require verification of your identity before processing requests.

Disclosure for Business Purposes: We share data with service providers (Turso, Fly.io, payment processors) as described in Section 5. We do not sell personal information for monetary consideration.

11. Children's Privacy (COPPA)

BackApps is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@backapps.ai. We will delete such information within 30 days of verification.

For Users Under 16: If you are between 13 and 16 years old, you must have parental consent to use BackApps. By using our service, you represent that you have obtained such consent.

12. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

Essential Cookies (Required)

  • Session authentication (_backapps_session)
  • CSRF protection
  • Load balancing

Functional Cookies (Optional)

  • User preferences (theme, language)
  • Recently viewed applications

Analytics Cookies (Optional)

  • Usage analytics (anonymized)
  • Performance monitoring

Cookie Control: You can manage cookie preferences through your browser settings. Disabling essential cookies may affect service functionality.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovering the breach (GDPR requirement)
  • Provide details about the nature of the breach, data affected, and mitigation steps
  • Notify authorities as required by applicable law (data protection authorities in EU, state attorneys general in US)
  • Offer assistance such as credit monitoring if sensitive financial data is compromised

We maintain an incident response plan and conduct regular security drills to minimize breach impact.

14. Automated Decision-Making and Profiling

BackApps does not use automated decision-making or profiling that produces legal effects or significantly affects you.

We use limited automation for:

  • Fraud detection (flagging suspicious activity for manual review)
  • Spam filtering (in webhooks and API requests)
  • Rate limiting (to prevent abuse)

All significant decisions (account suspension, billing disputes) involve human review.

15. Third-Party Links and Services

BackApps may contain links to third-party websites or integrate with third-party services (OAuth providers, payment processors). We are not responsible for the privacy practices of these third parties.

Third-Party Privacy Policies:

We recommend reviewing third-party privacy policies before providing information to external services.

16. Do Not Track (DNT) Signals

BackApps respects Do Not Track (DNT) browser signals. If DNT is enabled in your browser:

  • We will not use optional analytics cookies
  • We will not track your behavior across websites
  • Essential cookies for authentication and security will still be used

17. Your Responsibilities as a Data Controller

Important: If you use BackApps to build applications that collect personal data from your end-users, you are the Data Controller for that data. BackApps acts as a Data Processor on your behalf.

Your Obligations:

  • Obtain necessary consents from your end-users before collecting their data
  • Provide your own privacy policy to your end-users
  • Comply with GDPR, CCPA, and other applicable privacy laws
  • Implement appropriate security measures in your application
  • Respond to data subject requests (access, deletion, etc.) from your users
  • Enter into a Data Processing Agreement (DPA) with BackApps if required by law

DPA Request: A Data Processing Agreement for GDPR compliance is available upon request at legal@backapps.ai.

18. Marketing Communications

We may send you marketing emails about new features, product updates, or promotional offers. You can opt out at any time.

How to Opt Out:

  • Click "Unsubscribe" in any marketing email
  • Update preferences in your account settings
  • Email privacy@backapps.ai with "Unsubscribe" in the subject

Note: You cannot opt out of transactional emails (password resets, security alerts, billing notifications) required for service operation.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

Notification of Changes:

  • Minor Changes: Updated "Last Updated" date at the top of this page
  • Material Changes: Email notification to registered users 30 days before the changes take effect
  • Your Rights: If you disagree with material changes, you may delete your account within 30 days

We recommend reviewing this Privacy Policy periodically. Continued use of BackApps after changes constitutes acceptance of the updated policy.

20. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email:

  • General Privacy Inquiries: privacy@backapps.ai
  • Data Protection Officer: dpo@backapps.ai
  • Data Processing Agreements: legal@backapps.ai
  • Security Issues: security@backapps.ai

Response Time:

  • General inquiries: 5 business days
  • GDPR/CCPA requests: 30 days (may extend to 60 days for complex requests)
  • Security issues: 24 hours

Supervisory Authority (EU Users):

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

This Privacy Policy is effective as of October 2025. BackApps.ai is committed to transparency, user privacy, and compliance with global data protection regulations. We continuously review and update our practices to ensure the highest standards of data protection.