Legal Documents

Privacy Policy

Effective Date: May 25, 2026

At BaseLock, we take your privacy seriously. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. BaseLock provides endpoint security and device management services for individuals and small businesses.

Information We Collect

We collect only what is needed to provide the service and bill for it. Specifically:

  • Account information: your name, email address, and mobile phone number, provided during registration.
  • Authentication data: one-time SMS verification codes and session tokens issued by Amazon Cognito.
  • Payment information: billing details are collected and stored by Stripe. BaseLock receives only a Stripe customer reference, the subscription plan, and the last four digits of the payment method for display.
  • Device telemetry: device identifiers, operating system and version, hostname, agent versions, and health indicators reported by the endpoint agents installed on your devices.
  • Threat detections: security events surfaced by the endpoint agent, including event type, severity, file path, file hash, process name, and timestamp. We do not receive file contents under normal operation.
  • Product usage: sign-in timestamps, in-product actions, and notification preferences, used to operate the dashboard and improve the product.
  • Support communications: emails and forms you submit to BaseLock support.
  • Cookies and local storage: we store session tokens and a small number of preferences in your browser's local and session storage. We do not use third-party advertising cookies.

How We Use Your Information

BaseLock uses your information to:

  • Provide and operate the service, including endpoint monitoring, threat detection, and incident response.
  • Authenticate you and protect your account through SMS one-time codes and session management.
  • Send transactional messages such as login codes, security alerts, billing receipts, and service updates.
  • Bill your subscription and process refunds.
  • Maintain audit logs of administrative actions for security and compliance.
  • Investigate and respond to suspected threats, abuse, or policy violations.
  • Improve product quality, reliability, and detection accuracy.

We do not sell your personal information. We do not use your data to train models that are shared with third parties outside the security workflows described below.

Data Access and Monitoring

We do not collect, access, or monitor personal content stored on your devices, including:

  • Files (documents, photos, videos)
  • Emails
  • Messages
  • Passwords
  • Browser history
  • Application data

Our management tools (including device management and endpoint detection technologies) are configured to monitor only device health indicators, security compliance, and threat detections.

Metadata Collection by Third-Party Tools

Our authorized security tools may collect limited metadata such as:

  • Filenames and file hashes
  • Process names and command lines
  • Device identifiers
  • Software version information
  • Threat signatures

These metadata collections are standard for security purposes and are not used to access, view, or copy the contents of your files.

Security Incident Response

In the event of a confirmed security incident (such as a malware infection or targeted attack), BaseLock may collect and review limited forensic metadata necessary to investigate and respond to the threat. This may include:

  • Process activity
  • Application crash reports
  • Threat detection logs
  • File attributes (such as name, size, hash, or type)
  • Where strictly required for analysis, a copy of the malicious artifact that triggered the detection

All incident response activities are limited to the scope of the threat. We do not perform blanket scans of customer personal content.

Automated Decision-Making

We use automated systems, including a security-focused machine learning model hosted on Amazon Bedrock, to triage detections and generate plain-language summaries of alerts. Only metadata about the detection (event type, file name, process, severity) is sent for triage. No file contents, personal communications, or browsing data are sent. The model output is advisory and does not by itself block legitimate activity on your device.

Remote Access

BaseLock employees cannot remotely access customer devices without:

  • A customer-initiated support request, and
  • The customer's explicit active consent.

Service Providers and Subprocessors

We share limited data with service providers that help us operate BaseLock. These providers are contractually bound to use your data only for the purposes we direct.

  • Amazon Web Services (AWS): hosting, storage, authentication (Cognito), email (SES), SMS (SNS), and AI inference (Bedrock). Primary region: US East (N. Virginia).
  • CrowdStrike: endpoint detection and response agent installed on your devices.
  • JumpCloud: device management and remote command execution.
  • Stripe: payment processing.
  • Cloudflare: DNS, web application firewall, and content delivery.
  • Vercel: hosting of the BaseLock website and dashboard.
  • Sentry: application error monitoring.

Data Ownership

All customer data remains the sole property of the customer. BaseLock claims no ownership rights over customer files, communications, or any personal content.

Data Security

All data BaseLock holds about you and your devices is encrypted in transit (TLS 1.2 or higher) and at rest using AWS-managed encryption. Access to production data is restricted to authorized personnel following least-privilege principles, audited, and gated by multi-factor authentication. Public BaseLock domains sit behind Cloudflare's web application firewall and rate limiting.

Data Retention

We retain account and device records for as long as your account is active and for a limited period afterward for billing, audit, and abuse-prevention purposes. Threat detection records and audit logs are retained for up to twelve (12) months. When you delete your account, we remove your personal data within thirty (30) days, except for a minimal tombstone record that allows us to honor your deletion request and meet legal obligations.

Your Rights

You have the following rights regarding your data, exercisable directly from the dashboard or by emailing privacy@getbaselock.com:

  • Access: request a copy of the personal data we hold about you using the "Download My Data" action in the dashboard.
  • Deletion: request deletion of your account and associated personal data using the "Delete My Data" action in the dashboard.
  • Correction: update inaccurate account information from your account settings.
  • Objection / restriction: ask us to limit how we use your data for specified purposes.

Depending on your location, you may have additional rights under laws such as the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), or the UK Data Protection Act. We honor verified requests under those laws.

Children's Privacy

BaseLock is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child without verifiable parental consent, we will delete it promptly.

International Data Transfers

BaseLock is operated from the United States. If you access BaseLock from outside the United States, your information may be transferred to, stored, and processed in the United States. Where required by law, we use appropriate safeguards (such as Standard Contractual Clauses) for these transfers.

SMS Communications

By providing your phone number, you consent to receive SMS messages from BaseLock for authentication, security alerts, and service updates. Standard message and data rates from your carrier may apply. See Section 15 of our Terms of Service for full details on SMS, including frequency, opt-out, and phone number changes.

Changes to This Policy

We will update this Privacy Policy when our practices change. Material changes will be communicated through the dashboard or by email at least thirty (30) days in advance, except where a shorter notice period is required by law or to address a security issue.

Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Email: privacy@getbaselock.com