Privacy Policy
How we collect, use, and protect your personal data.
1. Introduction & Data Controller
This Privacy Policy explains how BASECAMP LABS ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use the Hawkbase platform ("the Service"), accessible at hawkbase.co.
We are committed to protecting your privacy in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the French Data Protection Act (Loi Informatique et Libertés).
The data controller is:
- Company: BASECAMP LABS, SAS
- Registered office: 18 Rue du Bayle, 34000 Montpellier, France
- SIREN: 101 988 111
- Contact: [email protected]
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Data
When you create an account on Hawkbase, we collect information you provide directly, including your name, email address, password (stored in hashed form), and optional profile details such as a display name and avatar.
2.2 Usage Data
We automatically collect certain technical data when you use the Service, including your IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and the date and time of your visit. This data is collected to ensure the proper functioning of the Service and to improve user experience.
2.3 User-Generated Content
When you submit reviews, comments, or product listings, we collect and store the content you provide. This content is publicly visible on the platform and is associated with your user profile.
2.4 Import Data
If you use our import feature to add product information, we process the data you provide during the import process. This may include product names, descriptions, URLs, and metadata. We process this data solely to populate and update product listings on the Service.
2.5 Cookies
We use cookies and similar technologies as described in our Cookie Policy.
3. Purposes and Legal Bases
We process your personal data for the following purposes, each with its corresponding legal basis under Article 6 of the GDPR:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract |
| Providing and operating the Service | Performance of contract |
| Processing user-generated content (reviews, listings) | Performance of contract |
| Import and enrichment of product data | Performance of contract |
| Service improvement and analytics | Legitimate interest |
| Security, fraud prevention, and abuse detection | Legitimate interest |
| Responding to your inquiries | Legitimate interest |
| Sending marketing communications | Consent |
| Non-essential cookies and tracking | Consent |
4. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained for the duration of your account. Upon account deletion, your personal data is deleted within 30 days, except where legal obligations require longer retention.
- Usage data: Retained for a maximum of 13 months from the date of collection.
- User-generated content: Retained for the duration of your account. Upon deletion, your reviews and comments may be anonymized rather than fully deleted if they contribute to the public interest of the platform.
- Import data: Processed data is retained as part of the product listings. Source files uploaded during import are deleted within 7 days of processing completion.
- Legal obligations: Certain data may be retained for up to 5 years to comply with French commercial and tax law requirements.
5. Data Recipients & Processors
We may share your personal data with the following categories of recipients, acting as data processors on our behalf:
- Appwrite (self-hosted on Contabo): We use Appwrite as our backend-as-a-service solution, self-hosted on servers provided by Contabo GmbH (Aschauer Strasse 32a, 81549 Munich, Germany). Your account data and user-generated content are stored on these servers located in Germany.
- Contabo GmbH: Provides the server infrastructure on which Hawkbase is hosted. Contabo is a German hosting provider subject to EU data protection law.
- OpenRouter: We use OpenRouter as an AI processing intermediary for certain features such as product description enrichment and smart categorization. Data sent to OpenRouter is limited to product-related content and does not include personally identifiable information where possible.
- Trigger.dev: We use Trigger.dev for background job processing, including data import tasks. Trigger.dev processes task metadata and import data on our behalf.
We do not sell, rent, or trade your personal data to third parties. We may disclose your data if required to do so by law or in response to valid requests by public authorities.
6. International Transfers
Your personal data is primarily stored on servers located within the European Union (Germany). Some of our processors (OpenRouter, Trigger.dev) may process data outside the EU/EEA. In such cases, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions by the European Commission, where applicable.
- Any other lawful transfer mechanism under Articles 46-49 of the GDPR.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data and receive a copy.
- Right to rectification (Article 16): You have the right to request the correction of inaccurate personal data and to have incomplete data completed.
- Right to erasure (Article 17): You have the right to request the deletion of your personal data under certain conditions, for example when the data is no longer necessary for its original purpose.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests, including profiling. You also have the right to object to processing for direct marketing purposes at any time.
- Right to restriction of processing (Article 18): You have the right to request the restriction of processing under certain conditions, for example when you contest the accuracy of your data.
- Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
8. How to Exercise Your Rights
To exercise any of the rights listed above, you may contact us by email at [email protected].
Please include sufficient information to identify yourself (your name and the email address associated with your account). We will respond to your request within one month. This period may be extended by two additional months if the request is complex or if we receive a large number of requests, in which case we will inform you of the extension and the reasons for it.
You may also manage certain data directly through your account settings, including updating your profile information and deleting your account.
9. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In France, the competent authority is:
- Commission Nationale de l'Informatique et des Libertés (CNIL)
- 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
- Website: www.cnil.fr
10. Cookies
For detailed information about the cookies we use and how to manage your preferences, please refer to our Cookie Policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date below. We encourage you to review this policy periodically.
If changes materially affect how we process your personal data, we will provide prominent notice (for example, by email or via a notification on the Service) prior to the changes taking effect.
Last updated: April 8, 2026