Privacy Policy
Effective date: February 18, 2026
1. Introduction
Bawks (“we,” “us,” or “our”) operates the Bawks platform (the “Service”), a SaaS application that helps organizations build a Body of Knowledge from uploaded documents and provides AI-powered answers with source attribution and confidence scores. This Privacy Policy explains how we collect, use, share, and protect information about you when you use our Service. By accessing or using Bawks, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
Account information (via Clerk):
- Email address and name
- Clerk user ID and organization ID
- User role (admin or member) — determined at runtime, not separately persisted
User-generated content:
- Uploaded documents (inquiries, policy docs, technical specs, etc.) — stored in AWS S3
- Document metadata (filename, file type, file size, description, tags)
- Extracted text chunks and vector embeddings
- Q&A pairs extracted from inquiries
- Queries submitted to your Body of Knowledge
- AI-generated answers and confidence scores
- Answer corrections and feedback (thumbs up/down ratings and written comments)
Technical and operational data:
- IP addresses — recorded per-action in audit logs (this constitutes personal data under GDPR)
- Browser and device information collected via standard HTTP request headers
- Activity events and audit trail records
3. How We Use Your Information
- Provide, operate, and maintain the Service
- Process, index, chunk, and embed uploaded documents into your organization's Body of Knowledge
- Generate AI-powered answers from your Body of Knowledge
- Process payments and manage your subscription
- Maintain audit logs for compliance and security purposes
- Improve service quality, reliability, and performance
- Communicate with you about the Service (transactional communications only)
Our legal bases for processing your personal data include: (a) performance of our contract with you (providing the Service, processing your documents, generating answers); (b) our legitimate interests (maintaining audit logs, improving service quality and security, preventing abuse); and (c) your consent where specifically requested. Where we rely on legitimate interests, we have assessed that these interests are not overridden by your data protection rights.
4. AI and Document Processing
- Documents are processed by two AI providers: OpenAI (text-embedding-3-large model) for generating vector embeddings used in semantic search, and Anthropic (Claude Haiku 4.5) for answer synthesis and document understanding
- Document text content is transmitted to OpenAI for embedding generation and to Anthropic for answer synthesis
- Documents and data are scoped to your organization with multi-tenant isolation enforced via row-level security
- Your customer data is not used to train AI models. Anthropic does not train on API inputs or outputs (see Anthropic Commercial Terms). OpenAI does not use API data to train models (see OpenAI API Data Usage Policy).
- AI-generated answers include confidence scores — these are statistical estimates produced by the AI and are not guarantees of accuracy or completeness
5. Data Sharing and Third Parties
We share data with the following third-party service providers solely to operate the Service:
- Clerk — Authentication, user and organization management, and session management. Receives: email address, name, organization membership, and session data.
- Anthropic — AI text generation and answer synthesis. Receives: document chunk text and query text. Anthropic does not train on API data.
- OpenAI — AI embedding generation for semantic search. Receives: document chunk text and query text. OpenAI does not use API data for training.
- AWS S3 — File storage. Receives: original uploaded documents and data export archives.
- AWS RDS — Database hosting. Stores all application data; encrypted at rest.
- Stripe — Payment processing and billing. Receives: organization metadata. Stripe manages all payment card details directly and we do not store payment card information.
Additionally, we use other AWS infrastructure services (including SQS for message queuing and CloudWatch for logging) as part of our service architecture. These operate within the same AWS environment and data handling policies described above.
We do not sell your personal data to third parties. We may disclose your data if required to do so by applicable law, court order, or other valid legal process.
6. Data Security
- Encryption at rest — S3 objects are encrypted via AWS KMS; RDS storage encryption is enabled
- Encryption in transit — all data is transmitted over HTTPS/TLS
- Row-level security (RLS) enforces multi-tenant data isolation at the database level
- Database and compute resources run in private VPC subnets not accessible from the public internet
- Regular automated backups with a 7-day retention period
7. Data Retention
- Account data is retained while your account remains active
- Documents and associated chunks are retained until explicitly deleted by an authorized user
- Queries, answers, and feedback are retained indefinitely as part of your audit trail
- Audit logs are retained indefinitely for compliance purposes
- Data export archives are accessible via a presigned URL that expires after 1 hour; the underlying ZIP file is deleted after a reasonable retention period
Upon receipt of a verified deletion request, we will delete or anonymize personal data within 30 days, except where retention is required for legal compliance, audit trail integrity, or the exercise or defense of legal claims.
8. International Data Transfers
All Bawks infrastructure is hosted in the United States (AWS us-east-2 / Ohio region). Our primary third-party service providers — Clerk and Stripe — are US-based companies. If you access the Service from outside the United States, your data may be transferred to and processed in the United States. Where required by applicable law (including GDPR), we rely on EU Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms to govern such international transfers. Our Data Processing Agreement (available upon request) incorporates the applicable transfer safeguards.
A Data Processing Agreement (DPA) incorporating applicable transfer safeguards is available upon request for enterprise customers. Contact [email protected].
9. Your Rights
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may request correction of inaccurate or incomplete personal data.
- Deletion: You may request deletion of your personal data, subject to our legal retention obligations.
- Export: Organization admins may export a full data archive in ZIP format via the Service.
- GDPR (EU/EEA users): In addition to the above, you have the right to data portability, restriction of processing, and the right to object to processing based on legitimate interests.
- CCPA (California residents): You have the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information (we do not sell personal data).
To exercise any of these rights, please contact us at [email protected]. We will respond to verified requests within 30 days. If additional time is needed due to the complexity of the request, we will notify you of the extension within the initial 30-day period.
10. Cookies and Tracking
- Clerk authentication cookies (__client, __session, __clerk_db_jwt): Strictly necessary for authentication and session management. These cannot be opted out of while using the Service.
- No analytics or tracking cookies: We do not use Google Analytics, Mixpanel, Hotjar, or any similar third-party tracking or analytics tools.
- localStorage: We use browser localStorage solely to store the onboarding preference flag (bawks-onboarding-complete). No personal data is stored in localStorage.
11. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected personal data from a child under 16, please contact us immediately at [email protected] and we will take prompt steps to delete such information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification before the changes take effect. Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.
13. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: