Privacy Policy

Last updated: May 19, 2026

1. Introduction

BayesCore (“we”, “our”, or “us”) operates https://bayescore.comand related services (collectively, the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it.

We are committed to transparency and to complying with applicable privacy laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Brazil’s Lei Geral de Proteção de Dados (LGPD).

If you have questions, contact us at [email protected].

2. Data Controller / Business

For the purposes of GDPR, BayesCore is the data controller of personal data processed through the Service. For CCPA purposes, BayesCore is the business that determines the purposes and means of processing personal information.

Contact: [email protected]

3. Data We Collect

3.1 Account Data

When you register for an account we collect your email address and a salted password hash; we do not store your plaintext password.

3.2 Document Content

When you submit a document for evaluation, that document is transmitted to our servers and processed by the kernel. We store the resulting scan record (scores, grade, predicates) and associate it with a randomly generated UUID. If you are signed in, the scan is also associated with your account. We do not store the raw document text after scoring is complete unless you explicitly save it.

If your document contains personal data about third parties, please ensure you have authority to share that data with us.

3.3 Lead / Contact Data

If you provide your email address to receive scan results or updates, we store it as a lead recordtogether with the associated scan ID, score, grade, and the source field (e.g., “scan_result”). We use this solely to send the requested information and, with your separate consent, product updates.

3.4 Usage & Event Data

Our backend logs anonymised usage events (e.g., page viewed, scan started, scan completed). We record a SHA-256 hash of your browser user-agent string — not the raw string itself — so we can identify distinct browser types without storing fingerprintable information.

3.5 Analytics Cookies (Google Analytics 4)

Subject to your consent, we use Google Analytics 4 (GA4, tag G-8QMX6Z7FH4) to collect aggregated data on page views, session duration, referral sources, and feature usage. GA4 sets first-party cookies (_ga, _ga_*) that persist for up to 2 years. We have enabled IP anonymisation. We do not use GA4 for advertising or remarketing.

Analytics cookies are only set after you grant consent in our cookie banner. You may withdraw consent at any time — see Cookie Policy.

3.6 Custom Domain Data

If you connect a custom domain to BayesCore, we store the domain name and associated configuration required to route and score documents submitted under that domain.

3.7 Technical Data

Our servers and infrastructure automatically collect standard web server logs including IP address, HTTP method, URL, response code, and timestamp. These are retained for up to 30 days for security and operational purposes and are then deleted.

4. Legal Bases for Processing (GDPR / LGPD)

Processing activity	Legal basis (GDPR Art. 6)	LGPD basis
Create and manage your account	Art. 6(1)(b) — contract performance	Art. 7(V)
Process document scans	Art. 6(1)(b) — contract performance	Art. 7(V)
Send scan results by email (leads)	Art. 6(1)(f) — legitimate interests	Art. 7(IX)
Google Analytics (optional)	Art. 6(1)(a) — consent	Art. 7(I)
Security logging	Art. 6(1)(f) — legitimate interests	Art. 7(IX)
Legal obligations	Art. 6(1)(c) — legal obligation	Art. 7(II)

5. How We Use Your Data

To create and maintain your account and authenticate you securely.
To run the Bayesian kernel on your submitted input.
To generate and deliver scan reports, including by email when requested.
To analyse aggregate usage patterns so we can improve the Service.
To detect and prevent fraud, abuse, and security threats.
To comply with legal obligations and respond to lawful requests.

We do not sell your personal data to third parties. We do not use your data for targeted advertising.

6. Data Sharing & Third-Party Processors

Processor	Purpose	Location
Amazon Web Services (AWS)	Cloud hosting, storage, compute	US (Ohio, us-east-2)
Google LLC (GA4)	Analytics (consent-gated)	US (Google data centers)
GoDaddy Workspace Email (smtpout.secureserver.net)	Delivering license keys and scan result emails	US (GoDaddy data centers, Arizona)

We also share data when required by law, court order, or to protect the rights and safety of BayesCore, its users, or the public.

7. International Data Transfers

Our primary infrastructure runs on AWS US-East-2 (Ohio, United States). If you are located in the European Economic Area (EEA), the United Kingdom, Canada, Brazil, or another jurisdiction with data-transfer restrictions, your personal data is transferred outside your home jurisdiction when we process it.

We rely on the following transfer mechanisms:

EU–US Data Privacy Framework (DPF) — AWS participates in the EU–US DPF, which was found adequate by the European Commission in July 2023. This covers transfers of EEA personal data to AWS services in the US.
Standard Contractual Clauses (SCCs)— Where DPF does not apply, we rely on the European Commission’s 2021 SCCs incorporated into our data processing agreements with sub-processors.
Google Analytics — Google LLC participates in the EU–US DPF. Analytics data is only transferred after you grant consent.

UK users: transfers are covered by the UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs.

Brazil: transfers are made on the basis of contractual guarantees pursuant to Art. 33 LGPD.

8. Data Retention

Data category	Retention period
Account data (name, email)	Duration of account + 90 days after deletion request
Scan records (scores, grade)	Until you delete them or close your account
Lead / email records	24 months from last interaction, then deleted or anonymised
Session tokens	Up to 7 days; revoked on sign-out or expiry
Server access logs	30 days
Analytics data (GA4)	Up to 14 months (Google default); configurable in GA4 settings
Consent records	3 years from the last consent decision (legal obligation)

9. Your Privacy Rights

9.1 GDPR Rights (EU / EEA residents)

Access — obtain a copy of your personal data.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion (“right to be forgotten”), subject to legal exceptions.
Restriction — ask us to restrict processing in certain circumstances.
Portability — receive your data in a machine-readable format.
Object — object to processing based on legitimate interests or direct marketing.
Withdraw consent — withdraw analytics consent at any time via our Cookie Policy page without affecting prior lawful processing.
Lodge a complaint — with your national supervisory authority (e.g., CNIL in France, ICO in the UK, DPC in Ireland).

9.2 CCPA / CPRA Rights (California residents)

Know — request disclosure of personal information collected and how it is used.
Delete — request deletion of personal information we hold about you.
Correct — request correction of inaccurate personal information.
Opt-out of sale / sharing — we do not sell or share personal information for cross-context behavioural advertising. You may opt out of analytics data sharing by rejecting analytics cookies.
Limit use of sensitive personal information — we do not collect sensitive personal information as defined by CPRA.
Non-discrimination — we will not discriminate against you for exercising your rights.

California residents may submit requests via email to [email protected]. We will verify your identity before processing requests.

9.3 PIPEDA Rights (Canadian residents)

Under PIPEDA you have the right to access personal information we hold about you and to challenge its accuracy. You may withdraw consent for non-essential processing at any time, subject to legal or contractual restrictions. To exercise these rights, contact [email protected].

9.4 LGPD Rights (Brazilian residents)

Under Brazil’s LGPD you have the right to confirm, access, correct, anonymise, delete, and port your personal data; to obtain information about entities with which we have shared your data; to withdraw consent; and to lodge a complaint with the ANPD. Contact us at [email protected].

9.5 How to Submit a Request

Email [email protected] with the subject line “Privacy Request”. We will respond within 30 days (GDPR / LGPD) or 45 days (CCPA/CPRA), with one extension of equal length where necessary.

10. Cookies

We use strictly necessary cookies for the Service to function and, with your consent, analytics cookies. For a full inventory and management instructions, see our Cookie Policy.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS/HTTPS in transit, encrypted storage at rest on AWS, hashed passwords, and access controls. No transmission over the internet is 100% secure; we cannot guarantee absolute security.

12. Children

The Service is not directed at persons under 16 years of age (or 18 where local law requires). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the “Last updated” date above and, where required by law, by notifying you by email or prominent notice on the Service. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related questions, data subject requests, or to withdraw consent:

Email: [email protected]
Website: https://bayescore.com