This notice explains personal data processing when you register for and use the Bayescase SaaS. It complements our Terms of Service and DPA.
1. Roles and contacts
- Controller: Bayescase GmbH, Julius-Hatry-Straße 1, 68163 Mannheim, Germany; privacy@bayescase.com
- For Customer Personal Data that we process only on your documented instructions within the Service, we act as Processor under the DPA: https://bayescase.com/dpa.
2. Categories of personal data
- Account and profile: name, business email, organization, role, authentication identifiers.
- Billing/administration: plan, billing contact details; payment is handled by Stripe (independent controller) and may include your contact and billing data.
- Usage/telemetry: device/browser metadata, login and event logs, feature usage signals, performance metrics, model/version identifiers, token usage, and interactions needed to maintain security, reliability, abuse prevention, and service operation.
- Customer Data in projects: data you upload or enter (including financial and business-case data), related metadata, and any personal data you choose to include.
- AI inputs and outputs: if you use AI features, prompts, contextual materials, and generated outputs may be processed to provide the requested functionality.
- Support communications: messages and attachments you send to support channels.
We do not intend to process special categories of data, biometric data, genetic data, or children's data in the Service.
3. Purposes and legal bases
- Provide and operate the Service (account creation, authentication, core features): Art. 6(1)(b) GDPR.
- Security, fraud/abuse prevention, service operation (logging, troubleshooting, reliability): Art. 6(1)(f) GDPR.
- Billing and account administration: Art. 6(1)(b) and 6(1)(c) GDPR, and where applicable Art. 6(1)(f) GDPR.
- Service improvement and analytics (telemetry, Aggregated/Usage Data that do not identify a person): Art. 6(1)(f) GDPR.
- AI features: processing of prompts, context, uploaded materials, and generation of outputs by our AI provider to provide the requested feature: Art. 6(1)(b) GDPR for provision of the requested functionality and Art. 6(1)(f) GDPR for security, abuse prevention, and service reliability.
4. Recipients and categories of recipients
Processors (Service data)
See: https://bayescase.com/subprocessors
Where you use AI features, prompts, contextual materials, and outputs may be processed by our authorized AI processing provider solely to provide the requested AI functionality. Current subprocessors are listed on our Subprocessors page.
Independent controllers
- Payments: Stripe Payments Europe, Ltd. (and affiliates) for card payments and invoicing.
- CRM: HubSpot Ireland Limited for our customer communications and account management.
5. Model training/improvement by Bayescase (opt out)
To improve and develop the Service, we may use your inputs and outputs to train, fine-tune, or otherwise improve models and features. For this limited purpose, Bayescase acts as an independent controller and relies on legitimate interests with safeguards (e.g., de-identification where feasible). You may opt out at any time by emailing privacy@bayescase.com. Opting out will not affect processing necessary to provide the Service.
5. International transfers
We primarily host and process data in the EU/EEA (AWS Frankfurt). Certain AI-related processing of prompts, context, uploaded materials, and outputs may be carried out outside the EU/EEA, including in the United States, by our AI processing provider where necessary to provide the requested AI functionality. Where required, we use the EU Standard Contractual Clauses (and UK/Swiss transfer addenda where applicable) together with supplementary measures.
6. Retention
- Account data: retained for the life of the account, then deleted or anonymized after closure, subject to legal retention.
- Customer Data in projects: retained for the Subscription Term and 30 days thereafter for export; then deleted from active systems; encrypted backups roll off within 35 days.
- Operational logs and telemetry: retained only for as long as reasonably necessary for security, abuse prevention, troubleshooting, billing support, and service reliability, and then deleted or anonymized.
- AI prompt/output logging: unless content is intentionally saved in the Service, we do not intentionally retain prompt or output content in application logs after request completion, except where temporary retention is strictly necessary for security, abuse prevention, troubleshooting, or legal compliance.
- Billing records: retained as required by law (generally up to 6 or 10 years under HGB/AO).
7. Your rights
You have rights under GDPR (Arts. 15–21) and may withdraw consent where applicable. If your organization is the Customer (controller) for data within the Service, please direct requests to your admin; we will support them under the DPA. You can also contact privacy@bayescase.com.
8. Security
We implement appropriate technical and organizational measures, including encryption in transit and at rest, access controls, MFA for privileged access, and regular backups. Details are in the DPA.
9. AI transparency and responsibility
AI features in Bayescase are assistive tools. They may generate suggestions, summaries, narrative text, and other non-deterministic outputs that can be inaccurate, incomplete, or unsuitable for your intended use. You should review outputs before relying on them. Where applicable, Bayescase may label or mark AI-generated or AI-transformed outputs.