← Back to Home

BaoBrain Privacy Policy

Last updated: December 3, 2025

Overview

BaoBrain ("we," "us," "our") provides privacy-first behavioral analytics for e-commerce stores. This Privacy Policy explains what data we collect, how we use it, and your rights.

Key Point: BaoBrain does NOT collect or store personal information (names, emails, phone numbers, addresses) about your store's customers. We only collect anonymous behavioral data.

Data Controller vs Data Processor

For Merchants Using BaoBrain:

  • YOU (the merchant) are the Data Controller. You own and control all data about your customers and store operations.
  • BaoBrain is the Data Processor. We process anonymous analytics data on your behalf to provide insights.

Your Responsibilities as Data Controller:

  • Maintain your own privacy policy disclosing use of analytics tools
  • Obtain necessary consents from your customers where required by law
  • Comply with GDPR, CCPA, and other applicable privacy laws
  • Inform customers about cookie usage and tracking

What Data We Collect

1. Merchant Account Information

When you create a BaoBrain account:

  • Email address
  • Name (optional)
  • Hashed password (we never store plaintext passwords)
  • Store URL and platform type (Shopify, WooCommerce, etc.)
  • Stripe customer ID for billing (we never see your credit card number)
  • Subscription status and billing events
  • Login attempts and security lockout information (for fraud prevention)

2. Behavioral Analytics Data (Anonymous)

When visitors browse stores that have installed BaoBrain, we collect completely anonymous behavioral data:

  • Session Data: Random session ID (not tied to any person), timestamp
  • Behavioral Events: Page views, clicks (element selectors only), scroll depth, time on page
  • Navigation: URLs visited, referrer (where they came from), UTM parameters
  • Device Information: Browser type, operating system, screen dimensions, viewport size, device type (mobile/desktop)
  • Performance Metrics: Page load time, browser performance data
  • E-commerce Events: Product IDs viewed, cart events, order IDs. Order IDs are numeric identifiers only and contain no associated customer information.
  • Location: Country, region, and city (derived from IP address - see IP section below)
  • Heatmap Data: Click coordinates on page (for visual heatmaps)

3. Store & Platform Data

  • Store URL and domain name
  • Platform type (Shopify, WooCommerce, BigCommerce, custom)
  • Platform access tokens (encrypted and stored securely, required to connect your store)
  • Installation timestamps and configuration settings

4. A/B Testing Data

  • Test configurations you create
  • Variant assignments (which test version a session saw)
  • Goal event tracking (conversions per variant)

5. AI-Generated Insights

We generate AI summaries and insights based on aggregated anonymous behavioral data. These summaries contain no personal information.

6. Google Analytics Integration (Optional)

If you connect Google Analytics:

  • OAuth access and refresh tokens (encrypted)
  • GA4 property IDs and configurations
  • Google Analytics metrics (displayed in BaoBrain dashboard)

What We DO NOT Collect

BaoBrain is built for privacy. We explicitly DO NOT collect:

  • Personal Identifiable Information (PII): Names, email addresses, phone numbers, physical addresses, social security numbers, government IDs
  • Payment Information: Credit card numbers, CVV codes, billing addresses, payment account details
  • Login Credentials: Usernames, passwords, authentication tokens (except our own OAuth tokens for integrations)
  • Biometric Data: Fingerprints, facial recognition, voice prints
  • Form Input Values: Text entered into forms (contact forms, checkout fields, search boxes) — only anonymous events like "form_submitted" are tracked
  • Full IP Addresses: We immediately hash/anonymize IP addresses; we never store raw IP addresses
  • Precise Geolocation: GPS coordinates, street-level addresses — we only derive country/region/city from IP
  • Chat/Messaging Content: Private messages, customer support conversations, chatbot transcripts
  • Social Media Profiles: Facebook profiles, Instagram handles, Twitter usernames
  • Health Information: Medical records, prescriptions, health conditions

Important: If you attempt to send PII through custom events or misconfigured tracking, BaoBrain's systems are designed to detect and strip out personal data.

How We Use Your Data

For Merchant Accounts:

  • Provide and operate the Services
  • Process payments and manage subscriptions
  • Send transactional emails (login alerts, billing receipts, service updates)
  • Provide customer support
  • Improve and optimize our Services
  • Prevent fraud and enforce our Terms of Service

For Analytics Data:

  • Generate behavioral insights, heatmaps, and session replays for merchants
  • Calculate conversion rates and identify drop-off points in funnels
  • Create AI-generated recommendations and insights
  • Improve our analytics algorithms and features (using aggregated, anonymized data)
  • Provide industry benchmarks (anonymized and aggregated across merchants)

We do NOT use data for:

  • Selling to advertisers or data brokers
  • Building cross-site tracking profiles of individual customers
  • Marketing or targeting visitors on other websites
  • Sharing with other merchants or third parties (except as required by law)

IP Addresses & Geolocation

What We Do with IPs:

  • Collection: When a visitor loads a page with BaoBrain tracking, their IP address is temporarily received by our servers (this is unavoidable in web requests).
  • Processing: We immediately use the IP to derive approximate geolocation (country, region, city) using a local IP-to-location database.
  • Hashing: We then hash the IP address using a one-way cryptographic function combined with a rotating secret key. This creates an anonymized identifier that cannot be reversed back to the original IP.
  • Storage: Only the hashed IP and derived location (country/region/city) are stored. The original IP address is immediately discarded and never stored in our database.

Why We Hash IPs:

  • Prevent session duplication (a visitor refreshing the page multiple times is counted as one session)
  • Detect bot traffic and filter out spam/abuse
  • Provide approximate geolocation insights (e.g., "30% of visitors from California")

What We Don't Do:

  • We do NOT store raw IP addresses
  • We do NOT build dossiers or profiles tied to specific IPs
  • We do NOT share IP addresses (raw or hashed) with third parties
  • We do NOT use IPs for tracking across different websites

Under GDPR, hashed IP addresses with rotating keys and immediate discarding are considered pseudonymized data (not personal data) when used solely for analytics purposes.

Data Retention

Merchant Account Data:

  • Retained for as long as your Account is active
  • After Account deletion: Billing records kept for 7 years (tax/legal requirements), other data deleted within 90 days

Analytics Data (Anonymous Behavioral Data):

  • Raw event data: Retained for 13 months
  • Aggregated reports: Retained indefinitely (no PII, fully anonymized)
  • Session replays: Retained for 90 days
  • Heatmaps: Retained for 6 months

Why These Periods?

  • 13 months allows year-over-year comparison (e.g., "December 2024 vs December 2023")
  • Aggregated data helps improve our algorithms and provide benchmarks
  • Shorter retention for replays/heatmaps balances utility with privacy

You can request earlier deletion of your data by contacting privacy@baobrain.com.

Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption: Data in transit uses TLS 1.3+; data at rest encrypted using AES-256
  • Password Security: Passwords hashed using bcrypt with high cost factor; plaintext passwords never stored
  • OAuth Tokens: Encrypted at rest; never logged or exposed in logs/errors
  • IP Hashing: One-way cryptographic hashing with rotating secret keys
  • Access Controls: Role-based access; employee access limited to necessary operations; audit logging
  • Infrastructure: Hosted on secure cloud providers (database with encrypted backups)
  • Monitoring: Automated intrusion detection, rate limiting, DDoS protection
  • Authentication: Rate limiting on login attempts, account lockout after failed attempts, optional 2FA (coming soon)

Despite these measures, no system is 100% secure. If you believe your Account has been compromised, contact security@baobrain.com immediately.

Your Privacy Rights (GDPR & CCPA)

For Merchants (Your Rights):

  • Right to Access: Request a copy of all data we have about your Account
  • Right to Rectification: Correct inaccurate Account information
  • Right to Deletion: Request deletion of your Account and associated data (subject to legal retention requirements)
  • Right to Data Portability: Export your Analytics Data in machine-readable format
  • Right to Object: Object to processing of your data for certain purposes
  • Right to Restrict Processing: Request limitation on how we process your data
  • Right to Withdraw Consent: Cancel your subscription and stop data processing at any time
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise any of these rights, contact privacy@baobrain.com. We will respond within 30 days.

For Your Store's Customers (End Users):

BaoBrain does NOT collect personal data about end users. However, as the Data Controller, YOU (the merchant) are responsible for:

  • Handling GDPR/CCPA data subject requests from your customers
  • Providing opt-out mechanisms for tracking (e.g., honoring "Do Not Track" signals, cookie consent banners)
  • Disclosing in your privacy policy that you use analytics tools like BaoBrain

If you receive a customer request to delete or export analytics data, contact us at privacy@baobrain.com and we will assist. However, since our data is anonymized and not tied to specific individuals, we typically cannot identify which data belongs to a specific customer.

Cookies and Tracking Technologies

BaoBrain uses cookies and similar technologies to provide the Services.

On Your Store (Visitor Tracking):

  • Session Cookie (_bb_session): Stores anonymous session ID, expires after 30 minutes of inactivity
  • Visitor ID Cookie (_bb_visitor): Stores anonymous visitor identifier for returning visitor detection, expires after 2 years
  • A/B Test Cookie (_bb_variant): Remembers which test variant was shown, expires when test ends or after 30 days

On BaoBrain Dashboard (Merchant Login):

  • Authentication Cookie (baobrain_auth): Keeps you logged in, expires after 30 days or when you log out
  • Session Cookie (baobrain_session): Manages your dashboard session state

Third-Party Cookies:

  • Stripe (payment processing) - only when accessing billing pages
  • Google OAuth (if you connect Google Analytics)

You can disable cookies in your browser settings. This may affect functionality for merchants but will prevent analytics tracking for store visitors.

Google OAuth & Analytics Integration

When you connect Google Analytics (optional):

  • We request read-only access to your Google Analytics account
  • Access and refresh tokens are encrypted and stored securely
  • Data is used solely to display your GA4 metrics in BaoBrain's dashboard
  • We never share your Google data with third parties
  • We do NOT use Google Workspace data to train AI/ML models

You can revoke BaoBrain's access at any time through your Google Account permissions or by disconnecting in BaoBrain settings.

BaoBrain's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data Sharing and Disclosure

We share data only in these limited circumstances:

  • Service Providers: Cloud hosting (database storage), Stripe (payment processing), email services (transactional emails only). These providers are contractually obligated to protect your data and use it only for providing services to BaoBrain.
  • Legal Requirements: If required by law, court order, or government request
  • Business Transfers: In the event of a merger, acquisition, or sale of assets (with notification to affected users)
  • Protection of Rights: To protect our rights, safety, or property, or that of our users

We do NOT:

  • Sell your data to advertisers, data brokers, or marketing companies
  • Share analytics data between different merchants
  • Provide customer data to any third party for their own use

Children's Privacy

BaoBrain is not intended for children under 13. We do not knowingly collect personal information from children. If you are under 13, do not use BaoBrain or provide any information to us.

If we learn we have collected information from a child under 13, we will delete it immediately. Parents or guardians who believe we may have information about a child should contact privacy@baobrain.com.

International Data Transfers

BaoBrain is based in the United States. Your data may be transferred to and processed in the U.S. or other countries where our service providers operate.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: We rely on Standard Contractual Clauses approved by the European Commission for international transfers. By using BaoBrain, you consent to the transfer of your information to the U.S. and other jurisdictions.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes:

  • We will update the "Last Updated" date at the top
  • We will post the revised policy on this page
  • For material changes, we will notify you via email or prominent notice in the app

Your continued use of BaoBrain after changes are posted constitutes acceptance of the updated Privacy Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Email:

Mail:

BaoBrain LLC
4539 N 22ND ST
STE R
PHOENIX, AZ, 85016, USA

We will respond to all requests within 30 days.