Privacy Policy

Last updated: March 2026

Baseboard ("we", "us", or "our"), available at baseboard.cloud, is an e-commerce analytics platform. We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and other applicable EU privacy laws.

This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have as a data subject. If you have any questions, please contact us at contact@baseboard.cloud.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

  • Company: Baseboard – E-commerce Analytics
  • KvK number: 81489757
  • Address: Afrikaring 21, 3823CG Amersfoort
  • Email: contact@baseboard.cloud
  • Website: baseboard.cloud

For any privacy-related requests or questions, contact us using the details above.

2. What Data We Collect

We collect the following categories of data:

Account and Identity Data

  • Name and email address, provided when you sign up or sign in via Google OAuth.
  • Profile picture (if provided by your Google account).
  • Account preferences and settings you configure within the platform.

Business and Integration Data

When you connect third-party platforms (such as Shopify, Google Analytics 4, Google Ads, Klaviyo, Meta Ads, or TikTok Ads), we retrieve and store analytics and performance data from those services on your behalf. This may include:

  • Store metrics: orders, revenue, sessions, conversion rates.
  • Advertising data: campaign spend, impressions, clicks, ROAS.
  • Email marketing data: send counts, open rates, revenue attributed.
  • Aggregated audience data as provided by the connected platforms.

This data is retrieved using read-only access where available and is used solely to power your Baseboard dashboard. We do not collect personal data about your customers directly — only aggregated or anonymised metrics as exposed by third-party APIs.

Usage and Technical Data

  • Log data: IP address, browser type, operating system, pages visited, timestamps.
  • Error and diagnostic data collected via Sentry (see section 4).
  • Aggregated usage analytics collected via Umami (see section 4).

3. How We Use Your Data

We process your personal data for the following purposes and legal bases under GDPR:

  • Providing the service (contract performance): Creating and managing your account, syncing integration data, displaying your dashboard.
  • Billing and subscription management (contract performance): Processing payments, managing subscription status, sending invoices.
  • Service communications (legitimate interest): Sending transactional emails (account confirmations, password resets, billing receipts). We will not send marketing emails without your explicit consent.
  • Security and fraud prevention (legitimate interest): Detecting and preventing unauthorised access, monitoring for abuse, and maintaining service integrity.
  • Service improvement (legitimate interest): Analysing aggregated usage patterns to improve features and performance. We use privacy-preserving tools (Umami) that do not track individuals.
  • Legal compliance (legal obligation): Retaining records as required by applicable law, responding to lawful requests from authorities.

4. Third-Party Services We Use

We rely on the following sub-processors and third-party services to deliver Baseboard. Each is carefully selected and bound to appropriate data processing agreements.

Supabase

We use Supabase for authentication (including Google OAuth sign-in) and as our primary database. Your account information and integration data are stored in Supabase. Supabase is hosted on AWS infrastructure and is GDPR-compliant. Learn more at supabase.com/privacy.

Nango

We use Nango to manage OAuth connections to third-party platforms (such as Google Ads, Klaviyo, and others). Nango securely stores your OAuth tokens on our behalf. These tokens are used only to retrieve data for your dashboard. Learn more at nango.dev/privacy.

Sentry

We use Sentry for error monitoring and application performance tracking. When an error occurs, Sentry may capture technical information such as your browser type, operating system, the page where the error occurred, and a stack trace. We configure Sentry to minimise the collection of personal data and do not send sensitive business data to Sentry. Learn more at sentry.io/privacy.

Umami

We use Umami for website analytics on our marketing pages. Umami is a privacy-focused, cookie-free analytics tool. It does not collect personally identifiable information, does not use cookies, and does not track users across websites. Data is aggregated and anonymised. Learn more at umami.is/privacy.

Google (OAuth and Integrations)

We use Google OAuth for sign-in, which means Google processes your authentication. When you connect Google Analytics, Google Ads, or other Google services, those connections are governed by Google's Privacy Policy. We only access the data scopes you explicitly authorise.

5. Cookies

Baseboard uses a minimal number of cookies necessary to operate the service:

  • Authentication cookies: Set by Supabase to maintain your login session. These are strictly necessary and cannot be opted out of while using the service.
  • Preference cookies: Used to remember settings such as your selected theme (light/dark mode).

Our marketing pages use Umami for analytics, which is cookie-free and does not require consent under GDPR. We do not use advertising cookies, third-party tracking cookies, or any cookies for profiling or remarketing purposes.

6. Data Retention

We retain your data for the following periods:

  • Account data: Retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are legally required to retain it (for example, billing records may be retained for up to 7 years to comply with tax law).
  • Integration and analytics data: Retained for the duration of your subscription and deleted within 30 days of account closure.
  • Technical logs: Retained for up to 90 days for security and debugging purposes, then automatically deleted.

7. Data Transfers

Our primary infrastructure is based within the European Union or European Economic Area. Where data is transferred outside the EEA (for example, through Sentry or Nango), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at contact@baseboard.cloud. We will respond within 30 days.

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten"): You can request that we delete your personal data, subject to legal retention obligations.
  • Right to data portability: You can request your personal data in a structured, machine-readable format.
  • Right to restrict processing: You can ask us to limit how we process your data in certain circumstances.
  • Right to object: You can object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl or the supervisory authority in your EU member state.

9. Data Security

We take reasonable technical and organisational measures to protect your data against unauthorised access, loss, or destruction. These include:

  • Encrypted data transmission using HTTPS/TLS.
  • Encrypted storage of sensitive credentials and OAuth tokens.
  • Access controls limiting which team members can access customer data.
  • Regular monitoring via Sentry to detect and respond to errors and anomalies.

No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please disclose it responsibly by emailing contact@baseboard.cloud.

10. Children's Privacy

Baseboard is not directed at or intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and notify you by email where appropriate. We encourage you to review this page periodically.

12. Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or the way we handle your personal data, please contact us at contact@baseboard.cloud.

We aim to respond to all privacy requests within 30 days. For complaints that cannot be resolved directly with us, you may contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).