Closed beta

Privacy Policy

Effective May 9, 2026 — Version 2026-05-09-v1

Who we are

Baseline ("we," "us," "our") is a closed beta service operated personally by two individuals before incorporation, based in Canada. This Privacy Policy explains what data we collect about you, how we use it, who we share it with, and the rights you have over it.

If you have any questions, please contact us via the contact page.

What we collect

Account information. Your email address and a hashed password (we never store your password in plaintext).
Self-reported daily check-ins. Mood, sleep hours, stress level, decision fatigue, and optional notes you submit through the dashboard.
Google Calendar metadata (only if you connect Google). When events are scheduled, how long they are, free/busy patterns. We do not read event titles, descriptions, or attendees beyond what is required to compute workload signals.
Gmail metadata (only if you connect Google). Timing and headers of emails — when they were sent, by whom, to whom. We do not read the body of any email. The OAuth scope we request is gmail.metadata, which technically prevents us from reading email content.
Operational logs. Server-side request logs (timestamps, IPs, paths) retained for up to 30 days for security and debugging.

What we do not collect

We do not collect biometric data from wearables in this version.
We do not read the bodies of your emails. Ever.
We do not collect your location, your phone number, your demographics, or your contacts.
We do not use third-party analytics, advertising trackers, or marketing pixels.
We do not sell your data, and we do not share it with advertisers.

How we use your data

To compute your dashboard. Your check-ins and connected metadata feed into the trend chart, stress score, sleep summary, and workload index that you see when you log in.
For aggregated investor reports. If your organization has a client/investor admin, we display aggregated metrics across the cohort — never your individual data — and only when at least 5 founders are contributing data in the lookback window. This threshold is enforced server-side as a privacy firewall.
To send transactional email. Account-related emails (password resets, sign-up confirmations) only. We do not send marketing email.
To improve the service. We may review aggregated, de-identified usage patterns to debug and improve the product.

How long we keep your data

Account data: retained until you delete your account.
Check-ins and metadata: retained until you delete your account, or until the underlying integration is disconnected (in which case the tokens are revoked but historical signal records remain visible to you).
Soft delete: when you delete your account, we mark it deleted within 1 day.
Hard delete: all related rows, including from backups, are permanently removed within 30 days.
Operational logs: retained no more than 30 days.

Your rights

Access. Download a complete export of your data at any time.
Correction. Edit or correct any data we hold about you.
Deletion. Delete your account and all associated data. Soft-deleted within 1 day, hard-deleted within 30 days, including from backups.
Withdraw consent. Disconnect any integration (Google) or stop participating at any time, with no consequence.
Portability. Receive your data in a structured, commonly used format on request.
Complain. If you believe we have mishandled your data, you can contact us directly or file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

To exercise any of these rights, email us via the contact page. We will respond within 30 days.

Security

Passwords are hashed with bcrypt before storage.
All communication between your browser and our servers uses HTTPS.
OAuth tokens for Google are stored server-side and used only to fetch the metadata you authorized.
Database access is restricted to the application's service role; no human routinely reads check-ins or email metadata.

No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you within 72 hours of confirming it.

Cookies and local storage

We use browser localStorage to remember your login session (your authentication token) so you don't have to log in on every page. We do not set tracking cookies, and we do not use third-party cookies.

Children

Baseline is intended for adult founders. We do not knowingly collect data from anyone under 18. If you believe a child has signed up, contact us and we will delete the account.

Changes to this policy

We may update this Privacy Policy as the product evolves. When we do, we will increment the version number at the top of this page and, for material changes, notify active users by email. Continued use of Baseline after a change constitutes acceptance of the updated policy.

Honest acknowledgment Baseline is a closed beta operated personally by two individuals. Our processes are reasonable but not enterprise-grade. We recommend you only participate if you're comfortable with the operators having custody of your data during the beta. If anything in this policy concerns you, please don't sign up — and feel free to tell us why so we can do better.