Skip to content
Book a call

Privacy Policy

Last updated: 2026-05-18

This policy explains what personal data Basetool collects when you visit basetool.ai, why we process it, how long we keep it, and how to exercise your rights. Basetool is operated by SC BASETOOL SRL, a Romanian limited liability company, and the processing described below is subject to the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and Romanian law no. 190/2018.

1. Data controller

The controller of your personal data is SC BASETOOL SRL, registered in Romania. For any privacy request — access, correction, deletion, objection, or withdrawal of consent — email privacy@basetool.ai. We respond within 30 days, as required by Article 12(3) GDPR.

2. What we collect, why, and for how long

We only collect data we genuinely need. Each integration below lists what is collected, the lawful basis, retention, and the processor handling the data on our behalf.

2.1 Calendly (meeting booking)

  • What: your name, email, timezone, the message you leave when booking, and meeting metadata.
  • Why / lawful basis: performance of pre-contractual measures at your request (Article 6(1)(b) GDPR) — scheduling the consultation you asked for.
  • Retention: until you ask us to delete, or 3 years after the last interaction, whichever comes first.
  • Processor: Calendly LLC (United States), under a GDPR Data Processing Addendum. Transfers to the US rely on the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

2.2 Vercel Analytics & Speed Insights

  • What: aggregated page views, referrer, approximate country, and web vitals. No cookies. Visitors are identified by a short-lived, hashed identifier that does not allow re-identification.
  • Why / lawful basis: our legitimate interest (Article 6(1)(f) GDPR) in understanding traffic and performance. This is privacy-preserving analytics by design; you can still opt-out from the cookie banner under “Analytics”.
  • Retention: aggregated data indefinitely; raw session data less than 24 hours.
  • Processor: Vercel Inc. (United States), under a GDPR Data Processing Addendum and Standard Contractual Clauses.

2.3 Google Ads conversion tag (gtag.js)

  • What: when you grant marketing consent, Google may set cookies (including _gcl_*) to measure conversions from our advertising and link visits across Google services.
  • Why / lawful basis: your explicit consent via the cookie banner (Article 6(1)(a) GDPR). We implement Google Consent Mode v2: until you accept, all advertising and analytics signals are denied and Google receives only cookieless pings. We also set ads_data_redaction=true, so when marketing consent is denied, ad click identifiers are redacted from any outgoing pings.
  • Retention: cookies expire per Google’s schedule (typically 90 days for _gcl_au); conversion events are retained by Google per their policies.
  • Processor: Google Ireland Ltd. (EU) and Google LLC (United States), under Google’s Data Processing Terms, Standard Contractual Clauses, and the EU–US Data Privacy Framework.
  • Withdraw consent: click Cookie preferences in the footer at any time.

2.4 Google Analytics 4 (GA4)

  • What: when you grant analytics consent, GA4 collects page views, screen events, geographic location at the country/city level, device type, browser, language, and aggregated engagement metrics. GA4 does not store full IP addresses — IPs are used transiently to derive geography and then discarded by Google. We do not enable Google Signals or cross-device tracking.
  • Why / lawful basis: your explicit consent via the cookie banner (Article 6(1)(a) GDPR). Same Consent Mode v2 controls as section 2.3 apply: until you accept analytics, GA4 sends only cookieless modeled pings to Google.
  • Cookies: _ga (client identifier, expires after 2 years) and _ga_<container-id> (session state, expires after 2 years). Only set when you accept analytics consent.
  • Retention: event-level data retained in GA4 for 14 months (the shortest setting Google offers), after which it is automatically deleted. Aggregated reports persist longer per Google’s policies.
  • Processor: Google Ireland Ltd. (EU) and Google LLC (United States), under Google’s Data Processing Terms, Standard Contractual Clauses, and the EU–US Data Privacy Framework.
  • Withdraw consent: click Cookie preferences in the footer at any time.

2.5 Resend (transactional email)

  • What: your email address and delivery logs for transactional messages we send you (confirmation, replies).
  • Why / lawful basis: contract performance and our legitimate interest in reliable email delivery (Article 6(1)(b) and (f) GDPR).
  • Retention: delivery logs for 30 days; the email address remains until you unsubscribe or request deletion.
  • Processor: Resend, Inc. (United States), under a GDPR Data Processing Addendum and Standard Contractual Clauses.

2.6 Loops (email newsletter)

  • What: your email address and subscription status, collected only if you opt in via the subscribe form.
  • Why / lawful basis: your explicit consent (Article 6(1)(a) GDPR), confirmed by the consent checkbox on the subscribe form.
  • Retention: until you unsubscribe. One-click unsubscribe is included in every email we send.
  • Processor: Loops, Inc. (United States), under a GDPR Data Processing Addendum and Standard Contractual Clauses.

3. Cookies and similar technologies

We use the bare minimum needed to run the site, plus optional analytics and advertising measurement that only activate after you consent.

  • Strictly necessary (always on): a small localStorage entry that records your theme and language preference and your cookie consent choice. This data never leaves your browser.
  • Analytics (optional): Vercel Analytics + Speed Insights. Cookie-less by default; the consent toggle controls whether the script runs at all.
  • Analytics – GA4 (optional): Google Analytics 4, only with your analytics consent. Sets the _ga and _ga_* cookies described in section 2.4.
  • Marketing (optional): Google Ads conversion tag (gtag.js), only with your marketing consent. Sets the cookies described in section 2.3.

You can change or withdraw your consent at any time from the Cookie preferences link in the footer. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

4. International transfers

Some of the processors listed above are based in the United States. Where personal data leaves the European Economic Area, transfers rely on the European Commission’s Standard Contractual Clauses and, where the processor is self-certified, the EU–US Data Privacy Framework. We do not transfer personal data to countries without an adequate level of protection.

5. Your rights under GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you (Article 15).
  • Rectification — ask us to correct inaccurate data (Article 16).
  • Erasure — ask us to delete your data (Article 17).
  • Restriction — ask us to pause processing (Article 18).
  • Portability — receive your data in a structured, machine-readable format (Article 20).
  • Object — object to processing based on legitimate interest, including direct marketing (Article 21).
  • Withdraw consent — at any time, for any processing we do based on consent (Article 7(3)).
  • Lodge a complaint with a supervisory authority. In Romania this is ANSPDCP. You can also complain in the EU country where you live or work.

To exercise any of these rights, email privacy@basetool.ai. We respond within 30 days and may ask you to verify your identity before acting on the request.

6. How we keep data secure

All traffic to basetool.ai is served over HTTPS with HSTS. We apply a strict Content Security Policy and standard hardening headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). API keys for processors live in server-side environment variables, never in client code. We do not sell or rent personal data to anyone.

7. Children

Basetool sells services to companies. The site is not directed at children and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us data, email privacy@basetool.ai and we will delete it.

8. Automated decision-making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

9. Changes to this policy

When we change this policy in a non-trivial way, we update the “Last updated” date at the top and, if you are subscribed to our newsletter, we tell you in the next issue. Continued use of the site after a change means you accept the updated policy.

10. Contact

Privacy questions: privacy@basetool.ai.
General inquiries: hello@basetool.ai.

Cookie preferences

Pick which categories of cookies you're OK with. You can change this any time from the footer.