Privacy Policy
Deploying Baponi in your own infrastructure? Enterprise customers who self-host Baponi retain complete control over all data. Baponi stores nothing: no code, no execution outputs, no credentials, no audit logs, no telemetry. All data remains entirely within your VPC. This Privacy Policy does not apply to self-hosted deployments.
This Privacy Policy explains how Baponi, Inc. (“Baponi”, “we”, “us”) collects, uses, shares, and protects information when you visit our website at baponi.ai, use our sandboxed code execution platform, APIs, and related services (collectively, the “Services”), or otherwise interact with us.
Baponi is a sandboxed code execution platform for AI agents and developers. We process data in two distinct capacities depending on the data type:
- Data Controller: For account information, usage data, and website visitor data, Baponi determines the purposes and means of processing and acts as the data controller under applicable data protection laws.
- Data Processor: For Customer Data submitted to the Services for code execution (including source code, execution outputs, files, and environment variables), Baponi processes data solely on behalf of and under the instructions of our customers. Our processing of Customer Data as a data processor is governed by our Data Processing Addendum in addition to this Privacy Policy.
1. Information We Collect
1.1 Account Information
When you create a Baponi account, we collect:
- Identity data: Name, email address, and organization name
- Authentication data: An external user identifier from your identity provider. We do not store passwords. Authentication is delegated entirely to your identity provider
- Billing data: Payment method information processed and stored by our payment processor (Stripe). We receive and store a billing address and a tokenized payment reference. We never receive, transmit, or store full credit card numbers
- Organization data: Organization name, URL slug, plan tier, region preference, team membership roles, and configuration settings
- Profile data: Optional avatar URL and display name
1.2 Execution Data
When you execute code through the Services, we collect and store:
- Customer Code: The source code submitted for execution (up to 64 KB per execution)
- Execution Output: Standard output (stdout), standard error (stderr), and exit codes produced by your code (each up to 64 KB, truncated with a flag if longer)
- Generated files: Files created during execution that are written to Managed Storage or Volumes
- Execution metadata: Language, sandbox configuration (CPU, memory, network policy), duration, sandbox overhead, timestamps, and resource consumption
- Request context: API Key identifier used (not the key value), source agent name (if provided), delivery mode, timeout settings, and user-provided metadata key-value pairs
- Environment variables: Variables passed at the request level or configured on the sandbox and API Key (stored as JSONB)
- Thread identifiers: Optional conversation or session correlation IDs you provide for grouping related executions
- LLM integration data: Optional LLM trace identifiers and platform names you provide for correlating executions with upstream AI requests
Retention: Execution data (code, stdout, stderr) is retained according to the data retention period configured on each sandbox. Retention options range from one (1) hour to thirty (30) days, or indefinitely until you delete it. You control the retention period per sandbox. Baponi will delete execution data in accordance with the configured retention period.
1.3 Audit Data
We maintain immutable audit logs for security and compliance:
- Administrative audit logs: A record of every significant action performed in your account, including the action type, the actor’s email address, the resource affected, the outcome (success, failure, or denied), the reason for failure, a structured summary of changes made, and the authentication method used (session or API token)
- Network request metadata: For audit log entries, we may record the requester’s IP address and user agent string
- Web tool audit logs: When your code uses built-in web search or web fetch tools, we log the requested URL, query parameters, the web policy applied (allowed or blocked), prompt injection scan results (if enabled), response size, duration, and a copy of the response body (up to 60 KB). These logs are immutable and cannot be modified or deleted by any user, including Baponi personnel
Retention: Audit logs are retained according to your plan tier. Current default retention periods are published on our pricing page. Audit log data is permanently deleted after the retention period using automated database partitioning.
1.4 Configuration Data
We store the configuration you create within the Services:
- Sandboxes: Name, description, resource limits (CPU, memory), network policy, default environment variables, image selection, and data retention settings
- API Keys: Name, description, a public key prefix (first characters shown for identification), and a SHA-256 hash of the full key value. The full API Key is shown exactly once at creation and is never stored
- Storage connections (BYOB): Provider type, bucket name, region, path prefix, authentication method, connection status, and credentials. Credentials are encrypted at rest using AES-256-GCM before storage and are only decrypted at runtime to mount your storage into an Execution Environment
- Resource connectors: Connector type, non-secret connection parameters (host, port, database name), credentials hint (masked value), connection status, and credentials. Credentials are encrypted at rest using AES-256-GCM and are injected into Execution Environments as credential files or environment variables at runtime
- Volumes: Name, slug, and creation metadata. Volume data is stored in cloud object storage within your organization’s namespace
- Web tool policies: Domain allowlists or blocklists, rate limits, HTTPS requirements, and prompt injection detection settings
- Runtime images: Image reference, digest, display name, languages supported, size, import status, and auto-discovered metadata. For private registries, registry credentials are encrypted at rest using AES-256-GCM
1.5 Technical and Website Data
When you visit our website or use the console, we collect:
- Device data: Browser type and version, operating system, screen resolution
- Network data: IP address, approximate geographic location (country and region level only)
- Referral data: The page or source that referred you to our site
- Login activity: Timestamp and count of your logins (we do not log the IP address of individual login events beyond what appears in audit logs)
1.6 Communications
When you contact us through our contact form, we retain:
- Support requests: Your email address, message content, and any attachments you provide
- Sales inquiries: Name, email address, company, and information you provide during conversations
2. Information We Do Not Collect
- BYOB Storage contents: When you mount your own cloud storage (Amazon S3, Google Cloud Storage, or Azure Blob Storage), your data stays in your storage accounts. We do not copy, index, cache, or independently access your BYOB data. The mount is active only during execution sessions that you initiate. Between executions, we have no access to your BYOB data
- Decrypted credential values: Credentials for storage connections, resource connectors, and private registries are encrypted at rest and only decrypted in memory at runtime for the duration of a mount or injection. Decrypted values are never logged, cached to disk, or persisted beyond the active request
- Full API Key values: We store only a SHA-256 hash for authentication verification and a short prefix for display. The full key is shown once at creation and cannot be retrieved afterward
- Sensitive personal categories: We do not collect social security numbers, government-issued identifiers, genetic or biometric data, health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation
- Children’s data: We do not knowingly collect information from anyone under sixteen (16) years of age. See Section 11
3. How We Use Your Information
3.1 Service Delivery
- Providing, operating, and maintaining the Services, including executing your code in sandboxed Execution Environments
- Storing execution data (code and output) to make results available to you through the API and console for the duration of your configured retention period
- Processing transactions and sending billing notifications
- Authenticating users and managing access permissions
- Enforcing plan limits, quotas, and usage-based billing
3.2 Security and Platform Integrity
- Detecting, investigating, and preventing fraud, abuse, and Acceptable Use Policy violations through automated analysis of resource consumption patterns, network traffic, and execution metadata
- Maintaining immutable audit logs to support security investigations and compliance requirements
- Scanning web tool requests for prompt injection attacks when you enable this feature
- Monitoring platform health, performance, and availability
- Responding to security incidents
3.3 Communication
- Responding to your support requests and inquiries submitted through our contact form
- Sending service-related notifications, including maintenance windows, security alerts, and billing updates
- Sending product updates and feature announcements. You can opt out of non-essential communications at any time
3.4 Improvement
- Analyzing aggregated, de-identified usage patterns to improve the Services, such as identifying popular languages, typical resource consumption, and common error patterns
- Generating internal analytics and performance benchmarks
- Developing new features and functionality
We do not use your code, execution outputs, files, environment variables, or connector credentials to train machine learning models, to improve services for other customers, or for any purpose beyond providing the Services to you. This commitment applies to all plan tiers, including the Free Tier. See Section 4.3 of our Terms of Service.
3.5 Legal Compliance
- Complying with applicable laws, regulations, and valid legal processes
- Enforcing our Terms of Service and other agreements
- Protecting our rights, property, and safety, and those of our customers and the public
4. Legal Bases for Processing
For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Service delivery, execution data storage, billing, and authentication | Performance of contract (Art. 6(1)(b) GDPR) |
| Security monitoring, fraud prevention, abuse detection, audit logging | Legitimate interest (Art. 6(1)(f) GDPR) |
| Product improvement using aggregated, de-identified data | Legitimate interest (Art. 6(1)(f) GDPR) |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Tax records and legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
| Responding to legal process and law enforcement requests | Legal obligation (Art. 6(1)(c) GDPR) |
For all processing based on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us through our contact form.
5. How We Share Your Information
5.1 We Do Not Sell Your Data
Baponi does not sell, rent, or trade your personal information to third parties for their marketing or advertising purposes. We do not share personal information with data brokers. We do not engage in cross-context behavioral advertising. For purposes of the California Consumer Privacy Act (CCPA), we do not “sell” or “share” personal information as those terms are defined under CCPA.
5.2 Service Providers (Subprocessors)
We share information with third-party service providers who process data on our behalf to help us deliver the Services. All service providers are contractually required to process data only for the purposes we specify, to maintain appropriate security measures, and to delete or return data upon termination of their engagement.
Categories of subprocessors include: cloud infrastructure and hosting, payment processing, identity and authentication, product analytics, and email delivery. All service providers are located in the United States or the European Union.
The current list of subprocessors, including provider names, is available to customers upon request through our contact form. We will notify customers before engaging a new subprocessor.
5.3 Legal Requirements
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, or valid legal process such as a subpoena, court order, or government request
- Protect the rights, property, or safety of Baponi, our customers, or the public
- Enforce our Terms of Service
When legally permitted, we will notify affected customers before disclosing their information in response to legal process. We evaluate all government requests for data and challenge requests that we determine are overly broad, vague, or lack proper legal authority.
5.4 Business Transfers
In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you via email or prominent notice on our website before your information becomes subject to a materially different privacy policy. You will have the opportunity to delete your account before the transfer takes effect.
5.5 Aggregated and De-Identified Data
We may share aggregated, de-identified data that cannot reasonably be used to identify you or any individual. This includes platform performance statistics, industry benchmarks, and usage trends.
6. International Data Transfers
Baponi is based in the United States and processes SaaS customer data on infrastructure located in the United States. Your organization’s region preference is stored and respected for data residency purposes.
If you are located outside the United States, your information is transferred to the United States for processing. For transfers of personal data from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Addendum
- Supplementary measures including encryption in transit (TLS 1.2+) and at rest (AES-256-GCM for credentials, AES-256 for storage), access controls, and contractual commitments
For self-hosted Enterprise deployments, all data remains entirely within your own infrastructure. No data is transferred to Baponi. See Section 13.
7. Data Retention
We retain your information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data Category | Retention Period |
|---|---|
| Account information (email, name, org) | Duration of active account, plus 90 days after deletion for account recovery |
| Execution data (code, stdout, stderr) | Per-sandbox configurable: 1 hour, 24 hours, 7 days, 30 days, or indefinitely until deleted by Customer |
| Execution metadata (timestamps, resource usage) | Same as execution data retention for the associated sandbox |
| Administrative audit logs | Per plan tier: published on pricing page. Automatically deleted via database partitioning |
| Web tool audit logs | Same retention as administrative audit logs |
| Billing records | 7 years, as required by tax and financial regulations |
| Support correspondence | 3 years after resolution |
| Website analytics | 13 months |
| Marketing consent records | Duration of consent, plus 3 years |
| Configuration data (sandboxes, API keys, connectors) | Duration of active account. Deleted within 60 days of account termination |
| Encrypted credentials (storage, connectors, registries) | Duration of active configuration. Deleted when you remove the connection or close your account |
BYOB Storage data remains under your control in your own cloud storage accounts at all times. We do not retain copies.
Volume data is stored in cloud object storage within your organization’s namespace and is deleted when you delete the volume or close your account.
When you delete your account, we delete all Customer Data in the ordinary course of our data lifecycle operations, except for: (a) billing records we are legally required to retain; (b) anonymized, aggregated data that cannot identify you; and (c) data in automated backup and disaster recovery systems, which is overwritten in the normal course of those systems’ retention cycles.
8. Data Security
We implement administrative, technical, and physical security measures designed to protect your information:
- Encryption in transit: All data transmitted between your systems and the Services is encrypted using TLS 1.2 or higher
- Encryption at rest: All credentials (storage connections, resource connectors, registry passwords, webhook secrets) are encrypted using AES-256-GCM with per-value random nonces before database storage. Database storage is additionally encrypted at the infrastructure level
- Access controls: Role-based access with principle of least privilege. Multi-factor authentication for all internal systems. Employee access to production data is logged, justified, and reviewed
- Execution isolation: Code execution in multi-layer sandboxed environments with process, filesystem, network, and resource isolation between tenants
- Credential isolation: Credentials are decrypted only in memory at runtime, never written to disk in plaintext, never logged, and never cached beyond the active request lifecycle
- Immutable audit trail: Administrative and web tool audit logs are protected by database triggers that prevent all modification and deletion, ensuring tamper-proof records for compliance
- API Key security: Full API Key values are never stored; only a SHA-256 hash for verification and a short prefix for identification. Keys cannot be retrieved after creation
- Incident response: Documented incident response procedures with defined escalation paths and notification timelines
No method of electronic transmission or storage is completely secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. We encourage you to use strong, unique API keys, rotate them periodically, and configure the shortest practical data retention period for your sandboxes.
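Sections 1.4 and 8 describe two storage patterns: an API key that is kept only as a SHA-256 digest plus a short display prefix (the full value shown once and never persisted), and credential values sealed with AES-256-GCM under a fresh random nonce per value. The Go program below is an added illustration written for this page; it is not Baponi's code. The `sk_` key format, the eight-character prefix length, the 32-byte key material, and the use of a connector identifier as GCM associated data are assumptions made here, not details the policy states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// keyPrefixLen is an assumed display-prefix length; the policy only says
// "first characters shown for identification".
const keyPrefixLen = 8

// StoredAPIKey is the persisted record for one API key: a short prefix for
// display and the SHA-256 digest of the full value. The full key is not kept.
type StoredAPIKey struct {
	Prefix string
	Hash   [sha256.Size]byte
}

// NewAPIKey generates a random key and returns the full value (to be shown
// exactly once) together with the record to persist. The "sk_" format is an
// assumption for this example.
func NewAPIKey() (string, StoredAPIKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", StoredAPIKey{}, err
	}
	full := "sk_" + hex.EncodeToString(raw)
	return full, RecordAPIKey(full), nil
}

// RecordAPIKey derives the persisted record from a full key value.
func RecordAPIKey(full string) StoredAPIKey {
	n := keyPrefixLen
	if len(full) < n {
		n = len(full)
	}
	return StoredAPIKey{Prefix: full[:n], Hash: sha256.Sum256([]byte(full))}
}

// VerifyAPIKey re-hashes the presented key and compares digests in constant
// time, so the comparison itself gives no timing signal about the stored hash.
func VerifyAPIKey(presented string, rec StoredAPIKey) bool {
	h := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(h[:], rec.Hash[:]) == 1
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential encrypts one secret with AES-256-GCM under a fresh random
// nonce and returns nonce || ciphertext || tag for storage. The associated
// data (assumed here to be the owning connector's identifier) binds the
// ciphertext to its record, so a value copied between rows fails to open.
func SealCredential(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenCredential reverses SealCredential; any change to the nonce,
// ciphertext, tag or associated data makes gcm.Open return an error.
func OpenCredential(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	full, rec, err := NewAPIKey()
	if err != nil {
		panic(err)
	}
	fmt.Printf("show once: %s\nstored:    prefix=%s sha256=%x\n", full, rec.Prefix, rec.Hash)
	fmt.Println("verify ok:", VerifyAPIKey(full, rec))

	// Constructed master key and secret for the demonstration only.
	masterKey := make([]byte, 32)
	if _, err := rand.Read(masterKey); err != nil {
		panic(err)
	}
	sealed, _ := SealCredential(masterKey, []byte("db-password-example"), []byte("connector:1"))
	_, err = OpenCredential(masterKey, sealed, []byte("connector:2"))
	fmt.Println("open under wrong record id fails:", err != nil)
}
```

The record lookup in a real system would be by the prefix column, followed by the constant-time digest check; the master key used for sealing would come from a key management service rather than being generated at start-up as it is in `main` here.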
9. Your Privacy Rights
9.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data, subject to legal retention requirements and the immutability of audit logs during their retention period
- Restriction: Request that we limit processing of your data in certain circumstances
- Portability: Receive your data in a structured, commonly used, machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal
- Lodge a complaint: File a complaint with your local supervisory authority
We respond to verified GDPR requests within thirty (30) days. If we need additional time due to the complexity or number of requests, we will notify you within the initial thirty-day period, for up to an additional sixty (60) days.
Note on audit logs: Administrative and web tool audit logs are immutable by design for security and compliance purposes. We cannot selectively delete individual audit log entries. Audit log data is automatically and permanently deleted when the retention period for your plan tier expires.
9.2 Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it
- Right to delete: Request deletion of your personal information, subject to certain exceptions including legal retention obligations and immutable audit records
- Right to correct: Request correction of inaccurate personal information
- Right to opt out of sale or sharing: We do not sell your personal information or share it for cross-context behavioral advertising. No opt-out action is required
- Right to limit use of sensitive personal information: We do not collect or use sensitive personal information as defined under CCPA
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
We respond to verified CCPA requests within forty-five (45) days.
9.3 Other Jurisdictions
Residents of other U.S. states or jurisdictions with applicable privacy laws may have similar rights. Contact us through our contact form to exercise your rights regardless of your location.
9.4 How to Exercise Your Rights
To exercise any privacy right:
- Contact form: Submit a request through our contact form
- In-app: Use the account settings within the Baponi console to export or delete your data
We may need to verify your identity before processing your request by confirming your email address and account ownership. We will not require you to create an account solely to submit a privacy request. We do not charge a fee to process or respond to your request unless it is manifestly unfounded or excessive.
10. Cookie Policy
10.1 Essential Cookies
We use a single essential session cookie (_safesandy_session) that is encrypted using AES-256-GCM. This cookie contains your authentication state and is required for the Services to function. It expires after twenty-four (24) hours or at the end of your browser session. This cookie cannot be disabled without breaking core functionality.
10.2 Analytics Cookies
We use PostHog for product analytics to understand how the Services are used and to identify areas for improvement. Analytics data is de-identified and used solely for product improvement. You may opt out of analytics cookies through your browser settings or by using browser extensions that block tracking scripts.
10.3 No Advertising or Tracking Cookies
We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies. We do not participate in advertising networks. We do not serve ads on any Baponi property.
10.4 Cookie Details
| Cookie | Duration | Purpose |
|---|---|---|
| _safesandy_session | 24 hours or session | Encrypted authentication state |
| PostHog analytics | 13 months | De-identified product usage analytics |
10.5 Do Not Track
Because we do not engage in cross-site tracking, we treat all users consistently regardless of Do Not Track browser signals.
11. Children’s Privacy
The Services are not directed at individuals under sixteen (16) years of age. We do not knowingly collect personal information from children under 16. If we discover that we have collected personal information from a child under 16, we will delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us immediately through our contact form.
12. Data Breach Notification
In the event of a confirmed security breach that compromises the confidentiality, integrity, or availability of your personal data, we will:
- Notify affected customers without undue delay, and in any event within seventy-two (72) hours of confirming the breach
- Provide details of the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take to address it
- Notify the relevant supervisory authority as required by applicable law
- Cooperate with affected customers in fulfilling their own breach notification obligations to their data subjects or regulators
13. Self-Hosted Enterprise Deployments
For Enterprise customers who deploy Baponi on their own infrastructure:
- Baponi stores nothing. We do not receive, process, store, or have access to any data processed by the self-hosted deployment, including code, execution outputs, credentials, audit logs, user data, or any other information. All data remains entirely within your Virtual Private Cloud (VPC) and under your exclusive control
- No telemetry by default. The self-hosted Software does not transmit any data to Baponi unless you explicitly enable optional support access. There is no phone-home, no usage reporting, and no analytics collection
- This Privacy Policy does not apply to data processed entirely within your own infrastructure. Your own privacy policies and data handling practices govern
- If you grant support access, any data shared for troubleshooting is treated as Confidential Information under your Enterprise Agreement and deleted after the support engagement concludes
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Notify registered users via email at least thirty (30) days before the changes take effect
- Post the revised policy on our website
Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes. If you disagree with the changes, you should discontinue use of the Services and delete your account prior to the effective date.
15. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please reach out through our contact form.
For data protection inquiries from EU residents, you may also reach our data protection point of contact through the same contact form by selecting the “Privacy” category.
If you are located in the EEA and are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority.