Legal
Privacy Policy
Last updated: 2026-03-15
BASAL is a local-first platform. Your workspace data — documents, knowledge graph, entities, and decisions — lives on your machine, not ours. This policy covers what the cloud service at basal.is collects and how we handle the Google account data you choose to share with us.
Operator
The basal.is cloud service is operated by Agora Innovation Limited, a private company incorporated in the Dubai International Financial Centre (DIFC), registered number 12487. Registered address: DIFC Innovation One, Dubai International Financial Centre, United Arab Emirates.
1. Information we collect
1.1 Account information (Google OAuth)
When you sign in with Google, we receive your name, email address, and profile picture. We use this solely to identify your account and display your profile within the application. We do not access your Google password.
1.2 Google Workspace data (optional, per-feature)
BASAL's Executive Assistant (EA) mode connects to your Google Workspace to import signals that power your local knowledge graph. Each integration is opt-in — we only request access when you enable a specific feature. All imported data is processed locally on your device and is not stored on basal.is servers.
| Integration | Google API scopes | What we access | Why |
|---|---|---|---|
| Gmail | gmail.readonly, gmail.send | Email metadata and content (read-only); ability to send emails on your behalf | Import email signals into your local knowledge graph; send notifications or responses you initiate |
| Google Drive | drive.readonly, drive.file | Read your Drive files; create or modify files in a BASAL-specific folder | Import document signals; export BASAL-generated reports to your Drive |
| Google Calendar | calendar.readonly, calendar.events | Read calendar events; create or modify events | Import scheduling signals; create events you initiate through BASAL |
| Google Sheets | spreadsheets.readonly, spreadsheets | Read and write spreadsheets | Import structured data; export BASAL-generated analyses |
| Google Contacts | contacts.readonly | Read your contacts (read-only) | Resolve person identities in your local knowledge graph |
| Google Admin (Workspace admins only) | admin.directory.user.readonly, admin.directory.domain.readonly, admin.directory.customer.readonly | Read user directory, domains, and customer info (read-only) | Import organizational structure for team-aware features |
Key principle: Google Workspace data flows from Google → your local device. It is processed by BASAL's local runtime and stored in your local knowledge graph. It does not pass through or persist on basal.is servers.
1.3 API key metadata
When you create a BASAL API key (bsk_ prefix), we store the key's name, creation date, last-used timestamp, and a SHA-256 hash of the key. We never store the plaintext key after initial generation.
1.4 LLM proxy usage logs
When you use the BASAL Intelligence proxy (for AI-powered features), we log: timestamp, token count, model tier, API key ID, response latency, and response status. We do not log the content of your prompts or the AI's responses.
1.5 Standard web logs
When you visit basal.is, we collect standard web server logs: IP address, browser user agent, and pages visited. These are used for security monitoring and are not linked to your account.
2. Information we do NOT collect or store
- Workspace content — documents, transcripts, emails, calendar events, or any data imported via EA mode
- Knowledge graph data — entities, facts, relationships, decisions
- LLM prompts or responses — the proxy forwards requests to inference providers without logging content
- Local filesystem data — artifacts, workspace files, configuration
- CLI telemetry — the BASAL CLI does not send usage data to basal.is
- Google passwords — we use OAuth tokens, never your password
3. How we use your information
| Data | Purpose |
|---|---|
| Google profile (name, email, picture) | Account identification and display |
| Google Workspace data | Processed locally on your device to build your knowledge graph — never stored on our servers |
| API key metadata | Key management, abuse prevention |
| Proxy usage logs | Rate limiting, usage monitoring, abuse detection |
| Web logs | Security monitoring, service reliability |
4. How we share your information
We do not sell your data. We share data only as follows:
- LLM inference providers — When you use AI features, your prompts are routed through our proxy to state-of-the-art large language models selected by capability tier (reasoning, embedding, fast inference). Providers include OpenAI, Anthropic, Google, and others. These providers process your prompts under their own privacy policies. We do not log prompt content.
- Infrastructure providers — We use Supabase (authentication, metadata storage) and Cloudflare (proxy hosting, web security). These providers process data as necessary to operate the service under their respective data processing agreements.
- Legal compliance — We may disclose data if required by applicable law or valid legal process.
5. Data retention
| Data | Retention |
|---|---|
| Account data | Retained while your account is active |
| Proxy usage logs | 90 days |
| Web server logs | 30 days |
| Revoked API keys | Hash retained for audit (plaintext never stored) |
| Google OAuth tokens | Stored locally on your device only; revocable via Google Account settings |
6. Data security
- API keys are hashed with SHA-256 before storage — plaintext is shown once at creation and never stored
- All communication with basal.is uses TLS encryption
- Google OAuth tokens are stored in your device's secure storage (OS keychain / Electron safeStorage) and are never transmitted to basal.is servers
- The LLM proxy enforces per-user rate limits and request size caps
7. Your rights and choices
- Revoke Google access — Remove BASAL's access to your Google account at any time via Google Account permissions
- Manage API keys — View, create, and revoke API keys via the BASAL desktop app or CLI
- Delete your account — Request full account deletion by emailing privacy@basal.is. We will delete your account data and all associated API key hashes within 30 days
- Delete local data — You control all local data directly. Delete your workspace directory and ~/.basal/ at any time
- Data export — Your local knowledge graph is stored in standard formats on your device. No export request to us is needed — the data is already yours, locally
8. Google API Services disclosure
BASAL's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request Google API scopes that are necessary for features you have explicitly enabled
- Google Workspace data is processed locally on your device and is not stored on basal.is servers
- We do not use Google Workspace data for advertising or sell it to third parties
- We do not use Google Workspace data to train AI models
9. Children's privacy
BASAL is a business productivity tool and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@basal.is.
10. International data transfers
Account metadata and API key data are stored on infrastructure hosted by Supabase and Cloudflare, which may process data in multiple regions. LLM requests are routed through Cloudflare Workers, which execute at the edge location nearest to you. Google Workspace data is processed locally on your device and does not transit our servers.
11. Changes to this policy
We may update this policy as the service evolves. Material changes will be communicated via the email associated with your account at least 14 days before they take effect. The effective date at the top of this page reflects the most recent revision.
12. Contact
For privacy questions or data requests, contact us at privacy@basal.is.