Privacy Policy

Last Updated: February 25, 2026

1. Introduction

Baseshift, Inc. ("Baseshift", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website, use our Platform, or engage with our Services. It should be read alongside our Terms of Service and, where applicable, our Data Processing Addendum ("DPA").

2. Who This Policy Applies To

This Policy applies to visitors to our website, customers and authorized users of the Platform, individuals who contact us, and anyone whose personal data we process in connection with our Services. If you use the Platform as an authorized user on behalf of a customer organization, that organization is also responsible for your use of the Platform under the DPA.

3. Personal Data We Collect

  1. Account and Registration Data - When you register or subscribe, we collect your name, email address, contact details, employment information (job title, company), account credentials. Payments are processed securely by third-party payment providers. Baseshift does not store credit card or payment details.
  2. Platform Usage Data - When you use the Platform, we may collect log data (IP addresses, browser type, timestamps), usage metrics, performance telemetry, and information shared during support interactions. Usage Data does not include SQL query text, database content, or schema information - that is Customer Data governed by the DPA.
  3. Customer Data -Where Baseshift processes Customer Data (database schema metadata, query logs, stack traces, and workload-derived content) on behalf of business customers, it does so as a Data Processor under the DPA. Customers are responsible for applying appropriate masking and protection to sensitive data before transmission to Baseshift systems.
  4. Communications and MarketingWhen you contact us or subscribe to marketing communications, we collect your name, email address, communication preferences, and the content of your messages.
  5. Cookies and TrackingWe use strictly necessary cookies to operate the Platform, and analytics and preference cookies (with your consent) to improve our services. You can manage preferences via our cookie banner or browser settings. 

4. How We Use Your Personal Data

We use personal data to:

  1. Provide, operate, and manage the Platform and Services, including account management and subscription billing
  2. Monitor performance, diagnose issues, detect and prevent fraud, abuse, and security incidents
  3. Improve and develop the Platform, using aggregated or de-identified Usage Data (not Customer Data, unless licensed under the Terms of Service)
  4. Send transactional communications (billing, security alerts, policy updates) and, where permitted, marketing communications
  5. Comply with applicable laws, enforce our agreements, and protect the rights and safety of Baseshift, our customers, and third parties

5. Legal Basis for Processing

We process personal data only where we have a valid legal basis. Depending on the activity, this is: contractual necessity (to perform our agreement with you); legal obligation (to comply with applicable law); legitimate interests (fraud prevention, security, service improvement, marketing to existing customers - balanced against your rights); or consent (marketing communications, non-essential cookies - withdrawable at any time).

6. How We Share Personal Data

We do not sell or rent personal data. We share it only in the following circumstances:

  1. Sub-Processors - We engage vetted third-party sub-processors to help deliver our Services. A current list of our sub-processors is available in our Data Processing Addendum. All sub-processors are bound by contractual obligations to process data only as instructed and to maintain appropriate security. Customers under the DPA receive 30 days' notice before any new sub-processor is engaged.
  2. Affiliates, Advisors, and Legal Requirements We may share personal data with Baseshift corporate affiliates (under equivalent protections); professional advisors (lawyers, accountants, auditors) bound by confidentiality; and law enforcement or regulatory authorities where required by law, court order, or to protect rights and safety.
  3. Business TransfersIn the event of a merger, acquisition, or similar transaction, personal data may be transferred as part of that transaction, subject to appropriate confidentiality arrangements.

7. International Data Transfers

Personal data may be transferred to and processed in countries outside where it was collected, including countries with different data protection standards. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (EU SCCs, UK IDTA, or Swiss SCCs as applicable). EEA transfers are governed by Irish law. For Israeli data subjects, transfers comply with the Israeli Protection of Privacy Law. By using our Services, you acknowledge that your data may be transferred internationally as described.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy, or as required by law. Account data is kept for the duration of your relationship with us plus a reasonable period for legal or audit purposes. Following subscription termination, Customer Data is deleted within a reasonable period subject to backup retention schedules - customers should export their data before termination. When data is no longer needed, we securely delete or anonymize it.

9. Data Security

We implement industry-standard technical and organizational measures to protect personal data, including encryption in transit (TLS) and at rest, access controls, audit logging, and regular security assessments. We hold ISO 27001 and SOC 2 Type II certifications, available on request. In the event of a security incident affecting Customer Data, we will notify affected customers within 48 hours of becoming aware. No transmission over the internet is completely secure, and we cannot guarantee absolute security.

10. Children's Data

The Platform is not intended for individuals under 16. We do not knowingly collect data from children under 16. If you believe we hold such data, please contact us at privacy@baseshift.com and we will promptly investigate and delete it.

11. Your Rights

Subject to applicable law, you have the right to: be informed about how we process your data; access a copy of your personal data; correct inaccurate data; request deletion ("right to be forgotten"); restrict or object to certain processing; receive your data in a portable format; withdraw consent at any time; and request human review of any automated decisions. To exercise these rights, contact us at privacy@baseshift.com - we may ask you to verify your identity and will respond within the timeframe required by law (generally 30 days).

If you are an end user of one of our customers' deployments, please contact your system administrator. You also have the right to lodge a complaint with your relevant supervisory authority: the Irish Data Protection Commission (EEA), the UK ICO (UK), or the Israeli Privacy Protection Authority (Israel).

12. Contact Us and Policy Updates

For any questions, concerns, or to exercise your rights, contact us at privacy@baseshift.com. 

We may update this Privacy Policy from time to time. For material changes, we will post a notice on the Platform and notify you by email. The "Last Updated" date at the top reflects the most recent revision. Continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy.