Privacy Policy

Effective Date: 26 February 2026 • Last Updated: 26 February 2026

Controller and Contacts

Bay Tree Capital OÜ, Sepapaja tn 6, 15551, Tallinn, Estonia

Privacy/DSAR: support@betterbuylow.com

DPO: No DPO required; Privacy Contact is support@betterbuylow.com

UK GDPR Representative: Not appointed yet (this Policy will be updated when appointed).

1. What We Collect

  • Account: email, password (Argon2id hashed), name, username, country, timezone, language.
  • Device/usage: IP address, headers, device info, log data, crash reports (where applicable).
  • Analytics/telemetry: events, funnels, heatmaps, A/B assignments (GA4 EEA mode).
  • Transactions: subscription status, invoices, limited card metadata from Stripe (e.g., last4, brand), country/ZIP for tax.
  • AI interactions: prompts/outputs retained for 24 months for quality and safety; users are instructed not to include personal data in prompts, and our systems are designed to keep personal data out of prompts; no personal data is sent to AI vendors.
  • Special categories: not intentionally collected.

Children: The Service is for users 18+ and is not intended for children under 13 (US) or under 16 (EU, where applicable). Accounts found to belong to underage users are deleted.

2. Sources

From you, automatically via device/usage, cookies/SDKs (with consent where required), and third parties (e.g., Stripe, consent tools, analytics/ads vendors).

3. Purposes and Legal Bases (EU/UK)

  • Account provisioning and service delivery: contract.
  • Payments/billing/tax compliance: contract; legal obligation.
  • Support/communications: contract; legitimate interests (operations).
  • Security/fraud/abuse detection: legitimate interests; legal obligation.
  • Analytics/product improvement: legitimate interests (balancing test).
  • Marketing: consent for EU/UK/Canada (double opt‑in for EU/Quebec; consent logs retained); legitimate interests with one‑click opt‑out elsewhere.
  • Advertising: consent and/or legitimate interests, honoring choices and banners.

4. Marketing and Communications

Emails include transactional and marketing communications. Unsubscribe anytime via one‑click link; processed within 10 business days. Physical address in emails: Sepapaja tn 6, 15551, Tallinn, Estonia. Provider: AWS SES.

5. Cookies, Advertising, and Your Privacy Choices

Consent Management Platform: CookieYes. Banner in EU/EEA, UK, Brazil, Québec (and other consent‑required regions as applicable).

Categories: strictly necessary, analytics, functional, advertising. You can withdraw/adjust consent at any time via the banner.

Global Privacy Control (GPC) honored where applicable. “Do Not Sell or Share” link provided for US state privacy compliance where required.

Google Consent Mode v2 implemented for analytics and ads where applicable to respect consent choices and regional requirements.

Universal opt‑out signals: we endeavor to honor recognized browser‑level opt‑out signals as required by applicable law.

US State Law Opt‑Out Controls

You can opt out of sale/sharing and targeted advertising below. We also honor Global Privacy Control (GPC) signals supported by your browser.

Note: These in‑page controls are provided for transparency and will be wired to your consent tools when available. Until then, you may also adjust browser settings or use GPC.

6. Analytics and Advertising

Analytics: Google Analytics 4 (EEA mode). Advertising/measurement: Google Ads and Meta Pixel (and similar). Required disclosures and opt‑outs are provided. Consent Mode v2 is used where applicable.

7. AI Processing

Vendor: OpenAI. We do not send personal data to AI vendors. Prompts/outputs are collected without personal data and retained for 24 months for quality/safety. Use of our data for vendor model training is disabled. We apply minimization and filtering measures to prevent personal data from entering prompts.

8. Sharing and Processors

Processors: Stripe (payments), Supabase (DB/auth/hosting; EU self‑hosted), OpenAI (AI inference), Google (GA4, Ads), Meta (Pixel), AWS SES (email), Cloudflare (CDN/DNS), Sentry (self‑hosted error monitoring), CookieYes (consent management). We do not sell personal data. If certain ad configurations qualify as “sale”/“share,” we provide the required disclosures and opt‑outs.

9. International Transfers

Primary hosting: EU self‑hosted Supabase. For non‑EU vendors, we rely on Standard Contractual Clauses and, where applicable, the EU‑US Data Privacy Framework as described in each vendor's public policies, along with supplementary measures. We make no representations about any vendor's DPF participation; see the vendor's own privacy documentation.

Transfer Impact Assessments (TIAs) and risk‑based supplementary measures are undertaken where required by law to support cross‑border transfers.

10. Retention

  • Accounts: life of account + 24 months after closure (unless legal retention applies).
  • Server logs: 12 months.
  • Analytics: 26 months.
  • Payments/tax: 7–10 years as required by law.
  • Backups: daily, encrypted, retained on a rolling 90‑day basis.
  • AI prompts/outputs: 24 months.
  • Deletion after account closure: within 90 days, subject to legal retention.

11. Security

TLS in transit; encryption at rest; Argon2id password hashing; secret management; least‑privilege access; audit logging. Penetration tests at least annually and after major releases. Incident response and breach notification with an initial 72‑hour target for EU‑reportable breaches. MFA may be added later.

We maintain vendor Data Processing Agreements (DPAs) and conduct periodic vendor risk assessments.

12. Your Rights

EU/UK: access, rectification, erasure, restriction, portability, objection, and withdraw consent; contact or lodge a complaint with a supervisory authority. US state privacy rights (CPRA/CPA/VCDPA/CTDPA/UCPA): access/know, delete, correct (where applicable), opt‑out of sale/sharing/targeted advertising, limit sensitive data use where applicable, and appeal denials; GPC signals honored. Canada (PIPEDA; Québec Law 25), Brazil (LGPD), India (DPDP 2023), UAE (PDPL), South Africa (POPIA), Australia/NZ: local rights and notices apply.

High‑risk processing assessments: we perform Data Protection Impact Assessments (DPIAs) or equivalent assessments where required by applicable law.

Exercise rights via: support@betterbuylow.com • Response within 30 days, extendable by 60 days for complexity.

13. Subprocessors Appendix

We maintain an up‑to‑date list of processors (purpose, data categories, location, transfer mechanism). We will update this Policy on material changes.

14. Changes

We may update this Policy to reflect operational or legal changes. We will provide notice as required by law. Continued use indicates acceptance.

15. Contact

Privacy/DSAR: support@betterbuylow.com

Business/Legal/Abuse: support@betterbuylow.com

Address: Sepapaja tn 6, 15551, Tallinn, Estonia

16. Regional Supplements and Additional Notices

  • United States (state privacy laws): we recognize universal opt‑out signals where required; provide opt‑outs for sale/sharing/targeted advertising; and honor consumer rights described above.
  • Brazil (LGPD): we rely on appropriate transfer mechanisms and security measures; new SCC requirements are monitored and adopted in line with ANPD mandates.
  • India (DPDP 2023): we monitor evolving cross‑border transfer restrictions and consent manager requirements; we will update mechanisms as rules finalize.
  • EU AI Act transparency: where AI features are used, we provide appropriate disclosures and controls, and avoid sending personal data to AI vendors.