Privacy Policy
Effective May 22, 2026 · Version 1.0
This policy explains what BAAM Review collects, how we use it, who we share it with, how long we keep it, and how you can get a copy or have it deleted. We tried to write it plainly. Where a section uses a legal term, we explain what it actually means.
Who this policy covers
BAAM Review (“we,” “us”) is operated by BAAM Platform Inc., a New York corporation. This policy covers our website at baamreview.com, the application at review.baamplatform.com, and any review-collection page we host at baamreview.com/r/<slug> on behalf of a business.
We use the term business owner to mean the person who signs up for a BAAM Review account, and reviewer (or customer) to mean the end customer the business owner is asking to leave a review.
What we collect
From business owners (the signed-up account)
- Account data: name, email, password hash, account role (owner / admin / staff).
- Business profile data: business name, address, website, social-media handles, brand color, logo image, your Google Business Profile ID (after you authorize the connection).
- Billing data: subscription tier, billing interval, current period end. Credit-card numbers are stored only by Stripe and never touch our servers; we store a Stripe customer ID.
- Usage logs: IP, user agent, the pages you visit inside the admin app, the actions you take (send invitation, reply to a review, etc.). We use these for operations, billing accuracy, and troubleshooting.
From customers (the people the business asks to review)
- Contact info that the business uploads to us: name, email, phone number, optional notes the business added. The business owner is the source — we don’t buy lists.
- Review-flow inputs: when the customer opens the review link, we record which services they tapped, what star rating they picked, the descriptor word, any free-text note they typed, and (if AI assist is used) the prompt text and the draft we generated.
- Outcome: whether the customer went to Google, left private feedback, or left the page. We do not see the customer’s Google account; Google handles posting and shows the review publicly.
- Tracking-link metadata: when the customer opens the email or SMS, clicks the link, opens the share-card page, or shares it onward. We tag this to the original invitation so we can show the business what worked.
From visitors to baamreview.com
- Standard server logs (IP, user agent, requested path, referer). We retain these for 90 days for security and abuse detection.
- A handful of strictly-necessary cookies for the admin app session. We don’t use third-party advertising cookies or run a tracking pixel on the marketing site.
How we use it
- Run the service: send invitations, generate AI drafts, deliver share-cards, attribute referrals, render dashboards.
- Billing: charge subscriptions and produce receipts.
- Operations: monitor for abuse, prevent fraud, troubleshoot bugs.
- Improve the product: aggregated analytics about which features get used. AI draft prompts and completions may be used (in de-identified form) to improve drafting quality for the user’s own account.
- Required communication: account confirmations, billing receipts, service-incident notices. These go to the business owner’s email and are not optional while you have an account. Marketing emails are separate and unsubscribable in one click.
We do not sell customer data. We do not use customer review-flow inputs to train any model outside of the AI-draft generation for that customer’s own session.
Sub-processors (who else touches the data)
BAAM Review is a thin layer over best-in-class infrastructure. The vendors below are the only third parties that receive your data, and only for the narrow purpose listed:
| Vendor | Purpose | Data they see | Where (region) |
|---|---|---|---|
| Supabase | Database & file storage | Everything above except payment cards | US (AWS us-east) |
| Vercel | App hosting | Server logs + request metadata | US (multi-region) |
| Resend | Transactional email | Recipient name, email, message body | US |
| Twilio | Transactional SMS | Recipient name, phone, message body | US |
| Stripe | Billing & payment processing | Business owner contact + payment card | US |
| Anthropic | AI draft generation | The review-flow inputs (de-identified) | US |
| Google (Business Profile API) | Authorized read of your reviews | Tokens scoped to your GBP | US |
We publish updates to this list on the Compliance page, and notify business-owner accounts by email at least 30 days before adding a new sub-processor that touches customer data.
Retention
- Active account data: kept for as long as the account exists.
- Customer recipient data: kept for 18 months from the invitation date, then deleted from operational systems and retained only in encrypted backups for an additional 30 days before final deletion.
- Server logs: 90 days.
- Billing records: 7 years (US tax-record requirement).
On account cancellation, we delete all customer recipient data within 30 days. Account data, business-profile data, and billing records are retained per the schedule above. You can request earlier deletion of any data not subject to a legal retention requirement.
Your rights
Regardless of where you live, you can ask us to:
- Send you a copy of your data in a portable format (JSON or CSV).
- Correct anything that is wrong.
- Delete data we don’t need for a legal/operational reason.
- Stop using your data for any specific purpose we use it for.
Email privacy@baamplatform.com with your account email. We’ll respond within 30 days and almost always within 7.
California residents have the additional CCPA / CPRA rights described on our Compliance page. EU/UK residents: we don’t market into the EU/UK, but if you signed up anyway you have the GDPR / UK GDPR rights described there too.
Customers who want to opt out
If you received an email or SMS from BAAM Review because a business added you to their list:
- Email: click the unsubscribe link at the bottom of any message, or email privacy@baamplatform.com. Unsubscribing removes you from that business’s list and the BAAM Review system. The business cannot re-add you without your consent.
- SMS: reply STOP to any message. Per the US TCPA, this stops messages from that sender within 24 hours.
Children
BAAM Review is not directed to children under 13. We don’t knowingly collect data from children. If you believe a child’s data has been submitted to us, email privacy@baamplatform.com and we will delete it.
Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Our admin app enforces 2-factor authentication for staff with database access. Production database backups are encrypted and stored in a separate region. We use row-level security on all customer-facing tables. We monitor access via audit logs and alert on anomalies.
Despite this, no system is perfectly secure. We’ll notify any affected business owner via email within 72 hours of confirming a breach that involved their data.
International transfers
Our infrastructure is in the United States. If you access BAAM Review from outside the US, your data crosses to the US. For EU/UK customers, we rely on Standard Contractual Clauses; ask us for the executed copy.
Changes to this policy
We’ll post any material change here and email business-owner accounts at least 30 days before it takes effect. Minor wording clarifications get posted without notice. The “Version” line at the top tracks every revision.
How to contact us
BAAM Platform Inc.
90 North St, Middletown, NY 10940
privacy@baamplatform.com