Skip to content
LABS

Privacy Policy

Last updated: 2026-06-25

This policy explains what personal data Basetool Labs collects when you visit basetool.ai, why we process it, how long we keep it, and how to exercise your rights. Basetool Labs is operated by Basetool Labs SRL, a Romanian limited liability company, and the processing described below is subject to the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and Romanian law no. 190/2018.

1. Data controller

The controller of your personal data is Basetool Labs SRL, registered in Romania. For any privacy request (access, correction, deletion, objection, or withdrawal of consent), email office@basetool.ai. We respond within 30 days, as required by Article 12(3) GDPR.

2. What we collect, why, and for how long

We only collect data we genuinely need. Each integration below lists what is collected, the lawful basis, retention, and the processor handling the data on our behalf.

2.1 Calendly (meeting booking)

  • What: your name, email, timezone, the message you leave when booking, and meeting metadata.
  • Why / lawful basis: performance of pre-contractual measures at your request (Article 6(1)(b) GDPR): scheduling the consultation you asked for.
  • Retention: until you ask us to delete, or 3 years after the last interaction, whichever comes first.
  • Processor: Calendly LLC (United States), under a GDPR Data Processing Addendum. Transfers to the US rely on the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

Google Maps

  • We embed a Google Map on our office page so you can find us. It loads only after you click "Load map" (or if you have already accepted marketing cookies); the address and a direct link to Google Maps work without it. Once loaded, Google may set cookies and receive your IP address and your interactions with the map.

2.2 Vercel Analytics & Speed Insights

  • What: aggregated page views, referrer, approximate country, and web vitals. No cookies. Visitors are identified by a short-lived, hashed identifier that does not allow re-identification.
  • Why / lawful basis: our legitimate interest (Article 6(1)(f) GDPR) in understanding traffic and performance. This is privacy-preserving analytics by design; you can still opt-out from the cookie banner under “Analytics”.
  • Retention: aggregated data indefinitely; raw session data less than 24 hours.
  • Processor: Vercel Inc. (United States), under a GDPR Data Processing Addendum and Standard Contractual Clauses.

2.3 Google Ads conversion tag (gtag.js)

  • What: when you grant marketing consent, Google may set cookies (including _gcl_*) to measure conversions from our advertising and link visits across Google services.
  • Why / lawful basis: your explicit consent via the cookie banner (Article 6(1)(a) GDPR). We implement Google Consent Mode v2: until you accept, all advertising and analytics signals are denied and Google receives only cookieless pings. We also set ads_data_redaction=true, so when marketing consent is denied, ad click identifiers are redacted from any outgoing pings.
  • Retention: cookies expire per Google’s schedule (typically 90 days for _gcl_au); conversion events are retained by Google per their policies.
  • Processor: Google Ireland Ltd. (EU) and Google LLC (United States), under Google’s Data Processing Terms, Standard Contractual Clauses, and the EU-US Data Privacy Framework.
  • Withdraw consent: click Cookie preferences in the footer at any time.

2.4 Google Analytics 4 (GA4)

  • What: when you grant analytics consent, GA4 collects page views, screen events, geographic location at the country/city level, device type, browser, language, and aggregated engagement metrics. GA4 does not store full IP addresses. IPs are used transiently to derive geography and then discarded by Google. We do not enable Google Signals or cross-device tracking.
  • Why / lawful basis: your explicit consent via the cookie banner (Article 6(1)(a) GDPR). Same Consent Mode v2 controls as section 2.3 apply: until you accept analytics, GA4 sends only cookieless modeled pings to Google.
  • Cookies: _ga (client identifier, expires after 2 years) and _ga_<container-id> (session state, expires after 2 years). Only set when you accept analytics consent.
  • Retention: event-level data retained in GA4 for 14 months (the shortest setting Google offers), after which it is automatically deleted. Aggregated reports persist longer per Google’s policies.
  • Processor: Google Ireland Ltd. (EU) and Google LLC (United States), under Google’s Data Processing Terms, Standard Contractual Clauses, and the EU-US Data Privacy Framework.
  • Withdraw consent: click Cookie preferences in the footer at any time.

2.5 PostHog (product analytics)

  • What: when you grant analytics consent, PostHog captures page views and on-page interactions (clicks, form submissions, "autocapture"), device, browser, language, and country-level location, and basic error reports (the type and location of JavaScript errors, to help us fix bugs), so we can understand how the site is used and improve it. We run PostHog on its EU cloud, served first-party through our own domain. Session/screen recording is not enabled.
  • Why / lawful basis: your explicit consent via the cookie banner (Article 6(1)(a) GDPR). PostHog does not load, make any request, or set any storage until you accept analytics.
  • Cookies: a first-party ph_* cookie and localStorage entry holding a pseudonymous visitor identifier. Set only after you accept analytics consent.
  • Retention: event data is retained per our PostHog project settings; you can request deletion at any time.
  • Processor: PostHog, Inc., with data stored in the European Union (EU cloud), under a GDPR Data Processing Addendum.
  • Withdraw consent: click Cookie preferences in the footer at any time; we stop capturing and clear the identifier.

2.6 Resend (transactional email)

  • What: your email address and delivery logs for transactional messages we send you (confirmation, replies).
  • Why / lawful basis: contract performance and our legitimate interest in reliable email delivery (Article 6(1)(b) and (f) GDPR).
  • Retention: delivery logs for 30 days; the email address remains until you unsubscribe or request deletion.
  • Processor: Resend, Inc. (United States), under a GDPR Data Processing Addendum and Standard Contractual Clauses.

2.7 Loops (email newsletter)

  • What: your email address and subscription status, collected only if you opt in via the subscribe form.
  • Why / lawful basis: your explicit consent (Article 6(1)(a) GDPR), confirmed by the consent checkbox on the subscribe form.
  • Retention: until you unsubscribe. One-click unsubscribe is included in every email we send.
  • Processor: Loops, Inc. (United States), under a GDPR Data Processing Addendum and Standard Contractual Clauses.

2.8 Meta Pixel & Conversions API

  • What: when you grant marketing consent, the Meta Pixel loads and sets first-party _fbp (and, after you arrive from a Meta ad, _fbc) cookies to measure ad performance. We also send matching conversion events server-side via the Meta Conversions API: your email in irreversibly hashed (SHA-256) form, your IP address, and your user-agent. Browser and server events share one event ID, so Meta deduplicates them into a single conversion.
  • Why / lawful basis: your explicit consent via the cookie banner (Article 6(1)(a) GDPR). Nothing loads, sets a cookie, or is sent to Meta until you accept marketing. When marketing consent is denied, no Pixel loads and no server event (and no hashed data) is sent.
  • Cookies: _fbp (first-party browser identifier) and _fbc (ad-click identifier, set only when you arrive from a Meta ad). Set only with marketing consent; they expire per Meta’s schedule (typically 90 days).
  • Retention: event data is retained by Meta per their policies; hashed identifiers are used only for matching and we do not store them in raw form.
  • Processor: Meta Platforms Ireland Ltd. (EU) and Meta Platforms, Inc. (United States), under Meta’s data processing terms, Standard Contractual Clauses, and the EU-US Data Privacy Framework.
  • Withdraw consent: click Cookie preferences in the footer at any time.

2.9 Ahrefs Web Analytics

  • What: aggregated page views, referrer, approximate country, device type, and browser. No cookies, no fingerprinting, and no cross-site tracking. Ahrefs does not collect personal data or allow re-identification of visitors.
  • Why / lawful basis: our legitimate interest (Article 6(1)(f) GDPR) in measuring traffic and search performance. This is privacy-preserving analytics by design; you can still opt-out from the cookie banner under “Analytics”.
  • Retention: aggregated traffic statistics retained by Ahrefs per their analytics policy; no raw personal data is stored.
  • Processor: Ahrefs Pte. Ltd. (Singapore), under their Data Processing Agreement and Standard Contractual Clauses.

3. Cookies and similar technologies

We use the bare minimum needed to run the site, plus optional analytics and advertising measurement that only activate after you consent.

  • Strictly necessary (always on): a small localStorage entry that records your theme and language preference and your cookie consent choice. This data never leaves your browser.
  • Analytics (optional): Vercel Analytics + Speed Insights. Cookie-less by default; the consent toggle controls whether the script runs at all.
  • GA4 analytics (optional): Google Analytics 4, only with your analytics consent. Sets the _ga and _ga_* cookies described in section 2.4.
  • PostHog analytics (optional): product analytics on PostHog’s EU cloud, only with your analytics consent. Loads only after consent and sets a first-party ph_* identifier; session recording is not enabled. See section 2.5.
  • Marketing (optional): Google Ads conversion tag (gtag.js), only with your marketing consent. Sets the cookies described in section 2.3.
  • Meta Pixel marketing (optional): the Meta Pixel, only with your marketing consent. Sets the first-party _fbp (and _fbc after a Meta-ad click) cookies described in section 2.8, and we mirror conversions to Meta’s Conversions API with hashed identifiers.

You can change or withdraw your consent at any time from the Cookie preferences link in the footer. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

4. International transfers

Some of the processors listed above are based in the United States. Where personal data leaves the European Economic Area, transfers rely on the European Commission’s Standard Contractual Clauses and, where the processor is self-certified, the EU-US Data Privacy Framework. We do not transfer personal data to countries without an adequate level of protection.

5. Your rights under GDPR

You have the right to:

  • Access: request a copy of the personal data we hold about you (Article 15).
  • Rectification: ask us to correct inaccurate data (Article 16).
  • Erasure: ask us to delete your data (Article 17).
  • Restriction: ask us to pause processing (Article 18).
  • Portability: receive your data in a structured, machine-readable format (Article 20).
  • Object: object to processing based on legitimate interest, including direct marketing (Article 21).
  • Withdraw consent: at any time, for any processing we do based on consent (Article 7(3)).
  • Lodge a complaint with a supervisory authority. In Romania this is ANSPDCP. You can also complain in the EU country where you live or work.

To exercise any of these rights, email office@basetool.ai. We respond within 30 days and may ask you to verify your identity before acting on the request.

6. How we keep data secure

All traffic to basetool.ai is served over HTTPS with HSTS. We apply a strict Content Security Policy and standard hardening headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). API keys for processors live in server-side environment variables, never in client code. We do not sell or rent personal data to anyone.

7. Children

Basetool Labs sells services to companies. The site is not directed at children and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us data, email office@basetool.ai and we will delete it.

8. Automated decision-making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

9. Changes to this policy

When we change this policy in a non-trivial way, we update the “Last updated” date at the top and, if you are subscribed to our newsletter, we tell you in the next issue. Continued use of the site after a change means you accept the updated policy.

10. Contact

Privacy questions: office@basetool.ai.
General inquiries: office@basetool.ai.

Pick which categories of cookies you're OK with. You can change this any time from the footer.