Privacy Policy

1. Information We Collect

1.1 Account Information

• Email address and password — used for authentication and account access. Passwords are securely hashed; we never store plaintext passwords.
• Name — if added to your profile
• Role and permissions — your access level within your brand's account (owner, admin, or member)

1.2 Brand Profile

• Brand name, logo, and primary color — used to identify your brand across the platform
• Support URL and phone number — displayed to consumers who register your products

1.3 Product Data

• Product names, descriptions, and images
• UPCs and other identifiers
• Warranty terms and durations
• Incentive configurations (coupon codes, gift details, warranty extensions)
• QR code batch information

1.4 Team Data

• Email addresses of invited team members
• Invitation status and acceptance dates
• Role assignments and permission levels

1.5 Usage Data

• Dashboard activity (pages visited, features used, reports generated)
• API request logs (endpoints called, timestamps, response codes)
• Webhook delivery logs (events triggered, delivery status)

2. How We Use Your Information

We use the information we collect to:

• Provide the Services — operate the Dashboard, process registrations, and deliver analytics
• Authenticate your identity — verify your credentials and manage sessions
• Manage your team — process invitations and enforce role-based access controls
• Deliver customer data — display registration data, enrichment insights, and analytics
• Process API requests — authenticate and respond to your API calls
• Deliver webhooks — send real-time registration events to your configured endpoints
• Improve our Services — understand usage patterns and improve the platform
• Communicate with you — send transactional emails about your account, team invitations, and service updates
• Enforce our terms — detect abuse and enforce acceptable use policies

3. How We Share Your Information

3.1 With Your Team

Team members with appropriate permissions can view brand settings, products, registrations, and customer data within your brand's account.

3.2 With Consumers

When a consumer scans your product's QR code, they see your brand name, logo, product information, warranty terms, and any incentives you have configured. Support URLs and phone numbers you provide are displayed to consumers who register your products.

3.3 With Service Providers

We use the following third-party service providers to operate our Services:

• Supabase (database, authentication, edge functions) — hosted on AWS in the United States
• Vercel (application hosting, edge network) — United States
• Resend (email delivery) — United States

These providers process data on our behalf and are bound by their own privacy policies. We do not sell your information to any third party.

3.4 As Required by Law

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4. Customer Data Processing

4.1 Bawte as Processor

When consumers register your products through the Bawte platform, Bawte collects and processes their personal information on your behalf. This includes the consumer's email address, phone number, name, purchase details, device type, approximate location, and behavioral data.

4.2 Third-Party Enrichment

We enrich consumer profiles using People Data Labs and Twilio Lookup to provide you with additional context such as employment data, social profiles, and phone intelligence. This enrichment is performed automatically when a consumer registers their first product with your brand.

4.3 Your Responsibilities

You are responsible for your use of customer data accessed through the Dashboard, API, or webhooks. You agree to:

• Use customer data only for product support, warranty administration, and the specific incentives offered through our platform
• Comply with all applicable privacy laws (including CCPA, CAN-SPAM, and TCPA)
• Not sell consumer personal information obtained through Bawte
• Maintain appropriate security measures for any customer data you export or receive via webhooks
• Honor consumer requests to delete their data when forwarded by Bawte

4.4 Data Access

You can access customer registration data through:

• The Dashboard (customer list, registration details, enrichment profiles)
• The REST API (programmatic access with API key authentication)
• Real-time webhooks (push notifications for new registrations and events)

5. Data Security

We take the security of your data seriously. Our measures include:

• Encryption in transit — all connections use TLS (HTTPS). No unencrypted traffic is accepted.
• Encryption at rest — database storage is AES-256 encrypted at the infrastructure level.
• Row-Level Security — enforced on all database tables so that brands can only access their own data.
• Password hashing — passwords are securely hashed using industry-standard algorithms. We never store plaintext passwords.
• API key security — API keys are hashed at rest and displayed only once at creation.
• Rate limiting — applied to authentication, Dashboard, and API endpoints to prevent abuse.
• Input validation — all inputs are validated server-side to prevent injection attacks.
• Audit logging — administrative actions are logged for security review.

6. Data Retention

We retain information as follows:

• Account data — retained as long as your brand account exists
• Product data — retained as long as the product exists in your account
• Customer registration data — retained according to our Consumer Privacy Policy
• API and webhook logs — retained for up to 90 days
• Audit logs — retained for up to 24 months
• Team member data — removed when a team member is removed from your account

If your brand account is terminated, we will retain customer registration data for warranty fulfillment purposes as described in our Consumer Privacy Policy.

7. Your Rights

• Access your data — view all brand, product, and team data in your Dashboard
• Export your data — export customer registrations and analytics via the API
• Update your data — edit brand settings, products, and team members at any time
• Delete products — remove products from your account
• Close your account — contact us at privacy@bawte.com to request account closure

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale. To exercise these rights, email privacy@bawte.com.

8. Cookies and Local Storage

We use essential cookies to maintain your authenticated Dashboard session. These are set and managed by our authentication provider (Supabase) and are necessary for the Services to function. We do not use advertising, marketing, or third-party tracking cookies.

We use your browser's local storage to save your theme preference (light or dark mode).

9. International Data

Our Services are operated in the United States. If you access the Dashboard from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using our Services, you consent to this transfer.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Services after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, contact us at:

• Privacy: privacy@bawte.com
• Security: security@bawte.com