Legal

Privacy Policy

1. Controller identity and scope

Webase Global sp. z o.o. of ul. Modrzewiowa 10, 37-450 Stalowa Wola, Podkarpackie, Poland operates AI Smart. You can reach our privacy team at legal@webase.global for any questions or to exercise your rights.

This Privacy Policy applies to all users of the Services globally, including users in the European Union, United Kingdom, United States, and other jurisdictions, unless a dedicated local policy or statutory notice is required.

2. Roles: when we are controller and when we are processor

We act as a data controller for account, platform, security, billing, and business operations data (for example account registration, invoicing, product analytics, and abuse prevention).

We generally act as a data processor for customer content and third-party personal data that you store or process in workspaces (for example leads, clients, social audience data, uploaded files, prompts, automation datasets, and campaign assets), processed on your instructions.

3. Categories of personal data we collect

Depending on your use of the Services, we may collect:

  • Account and identity data: name, email address, account ID, workspace ID, role, profile settings, and login metadata.
  • Authentication and security data: password hash (where password auth is used), session identifiers, MFA/security events, IP logs, device/browser fingerprints, and audit events.
  • Workspace and member data: organization/company name, workspace metadata, invitations, membership status, permission configuration, and workspace preferences.
  • Billing data: plan, subscription status, invoices, tax/VAT details, wallet transactions, usage events, payment processor references, and anti-fraud billing logs.
  • Operational usage data: feature usage, extension usage, integration status, queue/job execution data, run outcomes, system diagnostics, and error telemetry.
  • Support and communication data: support tickets, knowledge-base interactions, notices, and administrative communications.
  • Content data: uploaded files, generated media, prompt text, generated text/media metadata, tags, campaign drafts, scheduled content, and publication logs.
  • Integration data: OAuth tokens/refresh tokens (if issued), provider account IDs, connected pages/channels metadata, scopes, token expiry metadata, and sync/publish responses.
  • Third-party personal data you provide: names, usernames, profile info, and business data from your clients/leads/contacts/sources.

4. Sources of personal data

We receive personal data from:

  • You directly (registration, settings, uploads, prompts, ticket submissions, billing profile updates).
  • Your workspace members and administrators.
  • Connected third-party integrations and APIs you authorize.
  • Payment processors and fraud/risk service providers.
  • System telemetry and service logs generated by your usage of the Services.

5. Purposes of processing

We process personal data to:

  • Provide and operate accounts, workspaces, extensions, integrations, media management, and publishing workflows.
  • Execute AI and automation tasks requested by users/workspaces.
  • Measure usage and apply quotas, billing, wallet transactions, and subscription entitlements.
  • Authenticate users, secure sessions, detect abuse, and investigate incidents.
  • Provide support, troubleshoot issues, and respond to legal/privacy requests.
  • Improve reliability, performance, and product quality through diagnostics and analytics.
  • Comply with legal obligations (for example accounting, tax, audit, legal requests, and fraud prevention).

6. Legal bases (GDPR/UK GDPR)

Where GDPR or UK GDPR applies, our legal bases include:

  • Contract performance: to provide the Services you request.
  • Legitimate interests: to secure, maintain, and improve the Services, prevent abuse, and administer business operations.
  • Legal obligation: to satisfy regulatory, tax, accounting, and lawful disclosure duties.
  • Consent: where required for specific activities (for example optional marketing communications or optional cookie categories where applicable).

7. AI processing and model-provider interactions

AI features process your inputs and related metadata to generate outputs. This may include sending prompts, context snippets, and processing parameters to external model providers configured by the platform.

We use provider responses to deliver features, enforce metering/billing, and store resulting outputs where your workspace configuration allows. AI outputs may include personal data if your prompts include such data.

Unless explicitly stated in a dedicated enterprise agreement, you should not assume your data is excluded from all provider-side processing beyond immediate inference. You are responsible for avoiding unnecessary sensitive data in prompts.

8. Integrations, OAuth credentials, and social channels

When you connect integrations, we process account/page/channel metadata and tokens required to operate those connections. Tokens are used only to execute requested actions (for example syncing data, publishing posts, or reading configured data scopes).

Integration scope and availability depend on external provider rules and your granted permissions. If tokens expire, scopes change, or providers restrict access, integration functions may fail until reauthorized.

9. Payment and financial data

Payment card details are processed by payment processors (for example Stripe) and are not fully stored by us. We store transaction references, invoice metadata, subscription state, wallet balances, top-up events, and billing event records required for financial operations and audits.

10. Cookies and similar technologies

We use essential cookies/session technologies for authentication, security, and platform operation. Where non-essential cookies or similar technologies are used, they are governed by our Cookie Policy and, where required by law, controlled through a consent banner/consent preferences mechanism.

Browser-level controls may affect feature behavior (especially login/session flows). Where legally required, consent choices are respected for non-essential technologies.

11. Data sharing and recipient categories

We may share personal data with:

  • Infrastructure and hosting providers (for application runtime, storage, backups, and networking).
  • Payment processors and financial operations providers.
  • AI/API providers needed for requested features.
  • Security, logging, monitoring, and anti-fraud service providers.
  • Customer-support tooling providers.
  • Professional advisors and authorities where disclosure is legally required.

We do not sell personal data in exchange for money.

12. International transfers

Personal data may be processed in multiple jurisdictions. Where cross-border transfers are regulated, we use lawful safeguards such as adequacy decisions, standard contractual clauses, and/or equivalent legal mechanisms.

13. Data retention schedule

We retain data for as long as required to provide the Services, operate billing, maintain security, and meet legal obligations.

Post-termination retention is typically up to 90 days for operational recovery/export context, unless longer retention is required by law, fraud prevention, dispute handling, or security investigations.

  • Account/workspace data: retained while the account/workspace is active and for a post-termination operations window.
  • Operational logs and diagnostics: retained according to operational security and observability needs.
  • Billing and financial records: retained for statutory accounting/tax requirements.
  • Backups: retained on rolling schedules and then overwritten.

14. Data security measures

We implement commercially reasonable technical and organizational safeguards, which may include encryption in transit (TLS), role-based access controls, audit logging, tenant isolation at application level, monitoring, and incident response procedures.

No method of transmission/storage is fully secure; therefore, we cannot guarantee absolute security.

15. Your privacy rights

Depending on your jurisdiction, you may have rights to access, correction, deletion, restriction, objection, portability, and withdrawal of consent (where consent is used). You may also have rights related to automated decision-making and profiling, where applicable.

You can submit requests via legal@webase.global. We may request verification to protect account security and prevent unauthorized disclosure.

16. Additional U.S. state privacy disclosures

For U.S. state privacy laws (where applicable), we disclose categories of personal data collected, business/commercial purposes, categories of recipients, and rights request methods in this Policy. We do not sell personal data for monetary consideration.

17. Children and minors

The Services are not intended for use by minors under 16 in the EU or under 18 elsewhere unless permitted by applicable law. We do not knowingly target children.

18. Marketing communications

We may send product and operational communications required for service delivery. Marketing messages are sent where a lawful basis exists, and you can opt out of them where applicable.

19. Automated processing and profiling

We use automated systems for fraud detection, abuse prevention, reliability controls, and usage/billing calculations. These controls are primarily technical/operational and not intended as solely automated decisions producing legal or similarly significant effects within the meaning of Article 22 GDPR.

20. Data subject complaints

If you are in the EU/EEA/UK and believe processing violates applicable law, you may lodge a complaint with your local supervisory authority. We encourage contacting us first so we can try to resolve your concern quickly.

21. Account-level controls in product settings

Depending on your role and plan, the product may provide controls for account archive/deletion, export requests, privacy preferences, session/security management, and integration disconnect actions.

Some controls may be restricted for compliance, security, billing reconciliation, or legal hold reasons.

22. Deletion requests and legal holds

When valid deletion requests are received, we delete or anonymize personal data unless retention is required by law, unresolved disputes, fraud/security investigations, or enforceable legal obligations.

23. Business transfers

In case of merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of the transaction, subject to confidentiality and legal safeguards.

24. Policy updates

We may update this Privacy Policy to reflect legal, technical, or operational changes. Material updates are communicated via in-product notices and/or email before becoming effective when required.

25. Contact

Privacy requests, data subject rights requests, and compliance inquiries: legal@webase.global.

[...]