Privacy Policy
Effective Date: April 3, 2026
Company Name: Beespoke Services Ltd (trading as Backona)
Website: backona.com, backona.ai and subdomains
Contact Email: [email protected]
Company Address: 4th Floor, 18 St. Cross Street, London, United Kingdom, EC1N 8UN
At Beespoke Services Ltd, trading as Backona ("Backona," "we," "us," or "our"), we are committed to safeguarding the privacy and security of your personal data. This Privacy Policy outlines how we collect, use, and protect the personal data of users who interact with our website and use our products and services—including Backona AI, Backona CMP (Consent Management Platform), Backona CA (Clever Analytics), Backona SST (Server Side Tagging), and our consulting and other services—in compliance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, and relevant international data privacy laws.
1. Data Controller Information
Beespoke Services Ltd is the data controller for the personal data processed through our products, services, and website. For any inquiries regarding data protection, please contact us at [email protected].
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Data Collected via Backona Products and Services
- User Input Data: Information you provide when interacting with our products (e.g. Backona AI queries and commands, configuration in Backona CMP, Backona CA, or Backona SST). This data is processed to deliver the requested functionality and insights.
- Interaction Logs: Data related to your usage of our products and services, such as interaction history, frequency of use, and session duration. This information helps us improve functionality and user experience.
- Technical Data: Information about the device and software you use to access our products and website, including IP address, device type, browser information, and operating system.
- AppSumo Data: If you purchase Backona AI through a third-party marketplace such as AppSumo, we may receive limited personal data (such as your name, email address, and plan tier) for the purpose of activating and managing your access. This data is used strictly to fulfil our contractual obligations and will not be used for unrelated marketing without consent.
- Google API Data: Where a product supports it (e.g. Backona AI), we access and process users' enabled Google API data through authorized OAuth connections, strictly limited to the scopes explicitly consented to by users. This may include data from Google Analytics 4 (website traffic and engagement metrics), Google Search Console (search performance, queries, impressions, click-through data), and Google Ads (campaign performance, keyword data, ad spend, and demographic insights), depending on which integrations you enable.
- Facebook Marketing API Data: Where a product supports it (e.g. Backona AI), if you choose to connect your Facebook account, we access data from the Facebook (Meta) Marketing API through an authorized OAuth connection. This includes advertising account metadata (account name, currency, timezone), campaign data (status, budgets, objectives), performance insights (impressions, clicks, spend, reach, conversions), and pixel tracking data. Access is strictly limited to the scopes you explicitly consent to during the Facebook authorization process (
ads_read,ads_management). We store only your OAuth access token and its expiration date; we do not collect your Facebook profile information (such as name, email, or profile picture).
2.2 Data Collected via the Website
- Identification and Contact Data: Information you provide through forms on our website, such as name, email address, and other contact details, typically during registration, inquiries, or newsletter sign-ups.
- Usage Data: Information about your interaction with our website, including pages visited, time spent on the site, and navigation patterns. This data is collected through cookies and similar technologies.
- Technical Data: Information related to the device you use to access our website, such as IP address, browser type, and operating system.
2.3 Organization and Team Member Data
When you create an organization or invite users to join your workspace in products that support this (e.g. Backona AI), we process the following personal data:
- Name, email address, and role of invited users
- Metadata such as invitation date, inviter's email, and whether the invite was accepted
- Login data if the invitee joins the platform
You confirm that you have appropriate permission to provide personal data of others when inviting team members. The invitee may choose to access Backona using a different email address from the one you provided. This data is used solely for facilitating access to our products and will not be used for marketing without explicit consent.
3. Purpose and Legal Basis for Processing
We process your personal data for the following purposes and under the following legal bases:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Name, Email | Account setup and support | Contractual necessity |
| Technical data (IP, device, browser) | Website functionality and security | Legitimate interest |
| Interaction logs | Product improvement and analytics | Legitimate interest |
| Invitee emails | Team collaboration | Legitimate interest |
| AppSumo data | Account activation and licence management | Contractual necessity |
| Organization / team member data | Team collaboration and access management | Legitimate interest |
| Analytics data | Improve user experience | Legitimate interest |
| Cookies (non-essential) | Analytics and marketing | Consent |
| Marketing preferences | Email campaigns | Consent |
| Google API data (GA4, Search Console, Ads) | Deliver product features (e.g. analytics, insights) | Contractual necessity / Consent |
| Facebook Marketing API data | Deliver advertising analytics features | Contractual necessity / Consent |
3.1 Backona Products and Services
- Performance of a Contract: To provide the Backona products and services you request, including processing your inputs, configurations, and data to deliver tailored insights, consent management, analytics, and other functionality.
- Legitimate Interests: To analyze usage patterns, improve our products' functionality, and develop new features based on user interactions.
- Inviting Team Members and Managing Organizations: Where a product supports teams (e.g. Backona AI), we process the personal data of invited users under our legitimate interests in enabling team collaboration and managing user accounts. It is the inviter's responsibility to ensure they have the invitee's consent or authority to share their information.
3.2 Website
- Performance of a Contract: To manage your account, respond to inquiries, and provide you with information and services.
- Legitimate Interests: To monitor and improve our website, personalize your experience, and conduct marketing activities.
- Consent: For sending marketing communications and storing non-essential cookies on your device. You can withdraw your consent at any time by contacting us at [email protected].
- Transactional Communications on Behalf of Users: Our products (e.g. Backona AI) may send system-generated emails (e.g. team invitations) to users on behalf of another user. These are transactional and necessary to enable product functionality, and not considered marketing communications.
4. Cookies and Similar Technologies
To ensure our website and applications function securely and effectively, Backona utilizes cookies and similar tracking technologies. We categorize these cookies based on the specific services you interact with, such as our informational website and the Backona AI product platform.
4.1. Website and General Service Cookies
For visitors navigating our primary website and related promotional pages, we utilize various cookies to manage performance, analytics, and user preferences. Detailed information regarding these specific cookies—including their providers, purposes, and expiration dates—is dynamically maintained and available within the Cookie Consent Banner presented upon your first visit to the site. You may review and update your consent preferences for these website-specific cookies at any time via the banner settings.
4.2. Backona AI Product Cookies
When you access and use the core Backona AI product, we deploy specific, purpose-driven cookies to facilitate secure authentication, maintain session continuity, and process transactions correctly. Below is an outline of the cookies utilized by the Backona AI product application:
Necessary and Functional Cookies
These cookies are essential for the core operation of the application, including security and transaction processing.
appSelectedPricePlan- Expiration: 1 Week
- Purpose: Temporarily retains the subscription plan ID selected by the user on the pricing page to seamlessly transition to the Stripe checkout process.
- Justification: This cookie is essential for finalizing transactions. Without it, the user would lose their selected plan during checkout. Furthermore, when enforcing localized pricing (e.g., presenting prices in PLN), the absence of this cookie could result in currency or pricing discrepancies, causing user confusion and checkout failure.
appSessionId- Expiration: 1 Week
- Purpose: Acts as the primary identifier for your authenticated user session within the application.
- Justification: Essential for maintaining access to your account and securely cross-referencing your session in our database. It ensures that when you explicitly log out, the session is appropriately cleared from our secure servers.
csrfToken- Expiration: Session (cleared when your browser is closed)
- Purpose: Stores a unique cryptographic token utilized during the authentication process.
- Justification: A critical security requirement designed to protect user accounts and the application infrastructure against Cross-Site Request Forgery (CSRF) attacks.
appLastLoginEmail- Expiration: 6 Months
- Purpose: Stores an encoded reference to your last successfully used email address to present a streamlined "Continue as..." login suggestion upon your return.
- Justification: While not strictly necessary to use the application, this cookie significantly reduces authentication friction. If declined or cleared by the user, the application functions normally, but the user will be required to manually re-enter their email credentials upon their next visit.
5. Data Sharing and Transfers
5.1 Data Processors and Third-Party Services
We do not sell your personal data. We may share your data with trusted third-party service providers who process data on our behalf, including:
- Infrastructure Providers: Such as cloud infrastructure providers for hosting and Docker images repository for code distribution.
- AI Model Integrations: Including OpenAI and Anthropic Claude for AI processing, and LangChain for interaction logging.
- Analytics and Marketing Tools: Such as Google Analytics, Matomo, Microsoft Clarity, Google Ads, Facebook Pixel, and LinkedIn Marketing.
- Email Communication Providers: Such as Sender, for managing newsletters and transactional email communications.
- Google APIs: If you enable Google integrations in a product that supports them, data is exchanged with Google via the Google Analytics API, Google Search Console API, and/or Google Ads API to retrieve your analytics, search performance, and advertising data. This data is transmitted securely and processed solely to deliver the relevant product features.
- Facebook (Meta) APIs: If you connect your Facebook Ads account to a product that supports it (e.g. Backona AI), data is exchanged with Meta via the Facebook Marketing API to retrieve your advertising account information, campaign data, and performance insights. This data is transmitted securely and processed solely to deliver the relevant product features.
- Marketplace Platforms: If you register through AppSumo, we may receive and share minimal personal data with AppSumo to confirm license validity and usage for fraud prevention or technical support purposes.
Your data may be transferred to and processed in countries outside the UK and EEA, including the United States (e.g., by OpenAI, Anthropic, Stripe, and Google). Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the service provider's certification under the EU-U.S. Data Privacy Framework, where applicable.
List of all Third-Party Services Used within Backona Products and Services
| Tool / Infrastructure | Purpose | Frontend / Backend / Other | Integration type with Backona platform | Processing of User Related Data via Cookies | Data for AI Model Training? |
|---|---|---|---|---|---|
| OpenAI | LLM models integration | Backend | Based on application setup | No | No |
| Anthropic Claude | LLM models integration | Backend | Based on application setup | No | No |
| LangChain | LLM models interaction logging and testing | Backend | Permanent | N/A | N/A |
| Google Analytics API | Integration with Customer GA4 API | Backend | Based on user authorization | N/A | N/A |
| Google Search Console API | Integration with Customer Google Search Console for search performance analytics | Backend | Based on user authorization | N/A | N/A |
| Google Ads API | Integration with Customer Google Ads accounts for advertising performance analytics | Backend | Based on user authorization | N/A | N/A |
| Facebook Marketing API | Integration with Customer Facebook Ads accounts for campaign analytics and insights | Backend | Based on user authorization | N/A | N/A |
| Google GCP Services | User app authentication and authorization | Backend | Permanent | Yes | N/A |
| Stripe | Subscription plans and user payment processing | Backend | Permanent | Yes | N/A |
| AppSumo | Subscription plans and user payment processing | Backend | Permanent | Yes | N/A |
| Matomo | Track user purchase path from Landing Page to Tool | Frontend | Permanent | Yes | N/A |
| GA4 Analytics | Monitor user interactions on the website | Frontend | Permanent | Yes | N/A |
| Google Ads | Marketing tool to gather interest | Frontend | Permanent | Yes | N/A |
| Facebook Pixel | Marketing tool to gather interest | Frontend | Permanent | Yes | N/A |
| LinkedIn Marketing | Marketing tool to gather interest | Frontend | Permanent | Yes | N/A |
| Microsoft Clarity | Track user interactions with the tool | Frontend | Permanent | Yes | N/A |
| OVH | Infrastructure for solution hosting | Infrastructure | Permanent | N/A | N/A |
| DockerHub | Application packages distribution | Infrastructure | Permanent | N/A | N/A |
| GitHub | Storing source code | Infrastructure | Permanent | N/A | N/A |
| ClickUp | Internal CRM and management | External Tool | Separate from application | N/A | N/A |
| Sender | Newsletter and email communication with users | External Tool | Separate from application | N/A | N/A |
| Google Workspace | Internal and external communication, Customer support | External Tool | Separate from application | N/A | N/A |
5.2 AI/ML Models Training
We do not retain user data obtained through Google Workspace APIs or other third-party APIs for the purpose of developing, improving, or training generalized AI or machine learning models. We strictly use data in accordance with user permissions and only to deliver the core functionalities of our products. The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements. The use of other APIs data will adhere to the API provider's terms of service and privacy policy.
5.3. Google Workspace API Data Usage
Backona's use and transfer of information received from Google Workspace APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use of user data requirements.
5.4. Facebook (Meta) Marketing API Data Usage
Where a product supports the Facebook Marketing API (e.g. Backona AI), we access it solely to provide advertising analytics and campaign management features. Data retrieved from the Facebook Marketing API (including ad account details, campaign information, performance metrics, and pixel data) is:
- Used exclusively to deliver the core analytics functionalities of that product as requested by the user.
- Not sold, leased, or transferred to any unrelated third party.
- Not used for developing, improving, or training generalized AI or machine learning models.
- Not used for purposes unrelated to the service the user has authorized.
Our use of the Facebook Marketing API complies with Meta's Platform Terms and the Meta Developer Policies. You may revoke Backona's access to your Facebook data at any time by disconnecting your Facebook account in the product's settings or by removing the app from your Facebook Business Integrations settings.
6. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, and reporting obligations. The following retention periods apply:
- Account data (name, email, login credentials): Retained for the duration of the active account, plus 12 months after account closure for legal and audit purposes.
- Interaction logs and usage analytics: Retained for up to 24 months from the date of collection.
- Marketing data (newsletter preferences, consent records): Retained until you withdraw consent or unsubscribe.
- Team invitation metadata: Retained for up to 12 months for audit and security purposes, even if the invitation is not accepted. Users may request deletion of unaccepted invites by contacting us.
- Third-party integration data (Google, Facebook): Deleted upon disconnection of the integration or within 30 days of a deletion request.
- Payment and transaction records: Retained for up to 7 years to comply with tax and financial reporting obligations.
Where data is no longer needed for its original purpose and no legal obligation requires further retention, it will be securely deleted or anonymised.
7. Data Security
We implement robust security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption of data in transit using TLS/SSL protocols.
- Secure storage of authentication tokens and credentials with restricted access.
- Use of CSRF protection and state validation for third-party OAuth flows (e.g., Google, Facebook).
- Regular review of access controls and security practices.
- Infrastructure hosted with reputable providers that maintain industry-standard physical and network security.
While we take reasonable steps to safeguard your data, no method of electronic transmission or storage is completely secure. We encourage users to take their own precautions, such as using strong passwords and keeping login credentials confidential.
8. Children's Data
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that personal data has been collected from a person under 18 without appropriate parental or guardian consent, we will take steps to delete that data promptly. If you believe that we may have inadvertently collected data from a minor, please contact us at [email protected].
9. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you. While our products (e.g. Backona AI) use artificial intelligence to generate insights and analytics, these outputs are intended as informational tools only and do not constitute automated decisions about individuals.
10. Your Rights Under GDPR
You have the following rights concerning your personal data:
- Right to Access: Obtain a copy of your personal data.
- Right to Rectification: Correct any inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data under certain circumstances.
- Right to Restrict Processing: Request limited use of your data under certain conditions.
- Right to Object: Object to the processing of your personal data based on our legitimate interests.
- Right to Data Portability: Request your data in a structured, commonly used format.
- Right to Withdraw Consent: Withdraw any consent given for processing at any time.
- Right to Lodge a Complaint: Lodge a complaint with the UK Information Commissioner’s Office (ICO): www.ico.org.uk / Tel: +44 303 123 1113
To exercise these rights, please contact us at [email protected].
11. Third-Party Purchases and Marketplace Deals
If you access any Backona product (e.g. Backona AI) through a third-party deal platform such as AppSumo, your rights under this policy remain unaffected. However, your interactions with the marketplace itself (e.g. refunds, purchases) are governed by their privacy and data practices.
12. Revoking Third-Party Integrations
You may disconnect or revoke any third-party integration at any time:
- Google: Revoke access from your Google Account permissions or by disconnecting within the relevant Backona product's settings (e.g. Backona AI Settings).
- Facebook (Meta): Revoke access from your Facebook Business Integrations settings or by disconnecting within the relevant Backona product's settings (e.g. Backona AI Settings).
Upon revocation, Backona will no longer be able to access data from the disconnected service. Previously retrieved data may be retained in accordance with Section 6 (Data Retention) unless you request its deletion.
12.1 Facebook Data Deletion
If you wish to have your Facebook-related data deleted from Backona, you may do so in any of the following ways:
- From within the product: In the Backona product that uses Facebook (e.g. Backona AI), navigate to Settings and disconnect your Facebook account. This will immediately remove your stored Facebook OAuth access token and revoke Backona's ability to access your Facebook data.
- From Facebook directly: Go to your Facebook Settings > Business Integrations, find "Backona" in the list, and click Remove. This revokes Backona's access. To also delete the data already stored by Backona, please follow up with a deletion request as described below.
- By contacting us: Send an email to [email protected] with the subject line "Facebook Data Deletion Request". Please include the email address associated with your Backona account. We will process your request and delete all Facebook-related data associated with your account within 30 days, in accordance with applicable data protection laws.
What data is deleted: Upon a deletion request, we remove your Facebook OAuth access token, access token expiration data, Facebook Ads account configuration, and any cached Facebook advertising data (campaign data, insights, and pixel data) associated with your account.
Confirmation: Once the deletion is complete, we will send a confirmation to the email address associated with your Backona account.
13. International Representation and B2B Requests
If you are located in the EU and require local representation under Article 27 of the GDPR, or if you are a business customer requesting a Data Processing Addendum (DPA), please contact us at [email protected].
14. U.S. State Privacy Notice
Backona does not sell or share personal data as defined under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) or other applicable U.S. state privacy laws.
If you are a resident of California or another U.S. state with applicable privacy legislation, you have the right to:
- Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Request disclosure of the categories of sources from which personal information is collected.
- Request disclosure of the business or commercial purpose for collecting your personal information.
- Request disclosure of the categories of third parties with whom we share your personal information.
- Request deletion of your personal information, subject to certain exceptions.
To exercise any of these rights, please contact us at [email protected]. We will respond to verifiable requests within the timeframes required by applicable law.
Contact Information
Beespoke Services Ltd (trading as Backona)
4th Floor, 18 St. Cross Street,
London, United Kingdom, EC1N 8UN
[email protected]