
Product Privacy Notice (Bayescase App)

Last updated: November 13, 2025

This notice explains personal data processing when you register for and use the Bayescase SaaS. It complements our Terms of Service and DPA.

1. Roles and contacts

  • Controller: Bayescase GmbH, Julius-Hatry-Straße 1, 68163 Mannheim, Germany; privacy@bayescase.com
  • For Customer Personal Data that we process only on your documented instructions within the Service, we act as Processor under the DPA: https://bayescase.com/dpa.

2. Categories of personal data

  • Account and profile: name, business email, organization, role, authentication identifiers.
  • Billing/administration: plan, billing contact details; payment is handled by Stripe (independent controller) and may include your contact and billing data.
  • Usage/telemetry: device/browser metadata, event logs, performance metrics, and interactions with features to maintain security and improve the Service.
  • Customer Data in projects: data you upload/enter (including financial and business case data) and related metadata.
  • Support communications: messages and attachments you send to support channels.

We do not intend to process special categories of data or children's data in the Service.

3. Purposes and legal bases

  • Provide and operate the Service (account creation, authentication, core features): Art. 6(1)(b) GDPR (contract).
  • Security, fraud/abuse prevention, service operation (logging, troubleshooting): Art. 6(1)(f) GDPR (legitimate interests).
  • Billing and account administration: Art. 6(1)(b) and (f) GDPR.
  • Service improvement and analytics (telemetry, Aggregated/Usage Data that do not identify a person): Art. 6(1)(f) GDPR.
  • AI features: processing of inputs and generation of outputs by our AI provider. During beta, certain processing occurs in the United States; see Section 6. Legal bases: Art. 6(1)(b) for provision of AI features and Art. 6(1)(f) for service safety/abuse prevention.
  • Model training/improvement by Bayescase (separate controller activity): Art. 6(1)(f) GDPR (legitimate interests). You may opt out; see Section 5.

4. Recipients and categories of recipients

Processors (Service data)

See: https://bayescase.com/subprocessors

Independent controllers

  • Payments: Stripe Payments Europe, Ltd. (and affiliates) for card payments and invoicing.
  • CRM: HubSpot Ireland Limited for our customer communications and account management.

5. Model training/improvement by Bayescase (opt out)

To improve and develop the Service, we may use your inputs and outputs to train, fine-tune, or otherwise improve models and features. For this limited purpose, Bayescase acts as an independent controller and relies on legitimate interests with safeguards (e.g., de-identification where feasible). You may opt out at any time by emailing privacy@bayescase.com. Opting out will not affect processing necessary to provide the Service.

6. International transfers

We primarily host and process data in the EU/EEA (AWS Frankfurt). During the beta phase and until we complete migration to Azure OpenAI in an EU region, certain AI processing of inputs/outputs may occur in the United States by OpenAI. We use the EU Standard Contractual Clauses (and UK/Swiss addenda where applicable) and supplementary measures. We will notify customers when EU-region AI processing becomes available and provide an option to restrict processing to the EU/EEA.

7. Retention

  • Account data: retained for the life of the account, then deleted or anonymized after closure, subject to legal retention.
  • Customer Data in projects: retained for the Subscription Term and 30 days thereafter for export; then deleted from active systems; encrypted backups roll off within 35 days.
  • Logs/telemetry: retained for a limited period (typically 14–90 days) for security/operations and then deleted or anonymized.
  • Billing records: retained as required by law (generally up to 6 or 10 years under HGB/AO).

8. Your rights

You have rights under GDPR (Arts. 15–21) and may withdraw consent where applicable. If your organization is the Customer (controller) for data within the Service, please direct requests to your admin; we will support them under the DPA. You can also contact privacy@bayescase.com.

9. Security

We implement appropriate technical and organizational measures, including encryption in transit and at rest, access controls, MFA for privileged access, and regular backups. Details are in the DPA.

10. AI transparency and responsibility

AI features may produce non-deterministic outputs that can be inaccurate or incomplete. You should review outputs before use and ensure compliance with law and third-party rights. See our Terms for rate limits and disclaimers.

11. Changes and contact

We may update this notice; the latest version is available in-app and at https://www.bayescase.com. Contact: privacy@bayescase.com.