Privacy Policy

Basepop — operated by PMH Digital Consulting
CVR: 43409948
Contact: hello@basepop.app
Last updated: 24 May 2026
Effective date: 24 May 2026

This Privacy Policy explains how PMH Digital Consulting ("Basepop", "we", "us", "our") collects, uses, stores, and shares information about you when you use the Basepop platform at basepop.app and its subdomains (the "Service"). It also explains your rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Danish data protection law.

Please read this policy carefully. If you do not agree with it, you must not use the Service.

1. Who We Are and How to Contact Us

The data controller responsible for your personal data is:

PMH Digital Consulting
CVR: 43409948
Denmark
Email: hello@basepop.app
Website: basepop.app

For all privacy-related questions, requests to exercise your rights, or data protection concerns, please contact us at hello@basepop.app with the subject line "Data Protection Inquiry". We aim to respond within 5 business days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at dt.dk.

2. What Data We Collect and Where It Comes From

2.1 Data You Provide Directly

  • Account data: Your name, email address, job title, and company name when you register for an account.

  • Billing data: Billing address and VAT number. Payment card details are collected and stored directly by our payment processor — we never see or store your full card number.

  • Communications: Messages you send us via email or support channels, including any personal data contained in those messages.

  • User-generated content: Dashboard configurations, custom metrics, goals, agent instructions, and any other content you create within the Service.

2.2 Data We Collect Automatically

  • Usage data: Pages visited, features used, actions taken within the platform, timestamps, and session duration.

  • Technical data: IP address, browser type and version, operating system, device type, and referring URL.

  • Log data: Server-side logs including request paths, response times, and error events. These are structured and scoped to your workspace identifier — they do not contain your business data.

  • Cookies and similar technologies: See Section 7 for full details.

2.3 Data From Third-Party Platform Integrations

When you connect a third-party platform (such as Shopify, Meta Ads, Google Ads, or TikTok Ads) to Basepop, we ingest data from that platform on your behalf using the access permissions you grant us during the OAuth connection flow. This data is used solely to provide the analytics features of the Service.

The types of data ingested depend on the platform and the permissions you grant. Examples include:

  • Shopify: Orders, revenue figures, product catalogue, collections, and store metadata. Customer names and email addresses are not stored individually — they are used only for aggregate analytics (e.g., order counts, revenue totals).

  • Meta Ads: Campaign performance metrics (spend, impressions, clicks, reach, conversions). We do not access or store personal data about the end users who see your ads.

  • Google Ads / Google Search Console: Campaign metrics, keyword performance, click-through rates, and search query data at aggregate level.

  • TikTok Ads: Campaign performance metrics (spend, impressions, clicks, conversions).

You are the data controller for any personal data contained within your connected platforms. Basepop processes that data as your data processor. Our data processing obligations are described in Section 9.

3. Legal Bases for Processing (GDPR Article 6)

We only process your personal data where we have a valid legal basis under GDPR. The table below sets out which legal basis we rely on for each purpose.

3.1 Performance of a Contract (Article 6(1)(b))

We process your account data and third-party platform data because it is necessary to provide the Service you have subscribed to. Without this processing, we cannot operate your account or deliver the analytics features.

3.2 Legitimate Interests (Article 6(1)(f))

We process usage data, technical data, and log data to:

  • Monitor and improve the performance and security of the Service.

  • Detect and prevent fraud, abuse, and unauthorised access.

  • Understand how users interact with the platform to guide product development.

  • Send you product updates and service notifications relevant to your use of Basepop.

We have assessed that our legitimate interests in these activities are not overridden by your rights and interests, given that the processing is limited, proportionate, and expected within a professional B2B context.

3.3 Legal Obligation (Article 6(1)(c))

We retain certain financial and transactional records because we are required to do so under Danish bookkeeping law (Bogføringsloven) and other applicable legislation.

3.4 Consent (Article 6(1)(a))

Where we use non-essential cookies or send you marketing communications, we rely on your consent. You can withdraw consent at any time — see Sections 7 and 10 for details.

4. How We Use Your Data

4.1 To Provide and Operate the Service

  • Creating and managing your account and workspace.

  • Ingesting and processing data from your connected integrations.

  • Rendering dashboards, charts, forecasts, and AI-generated insights.

  • Running anomaly detection and sending alerts.

  • Processing your subscription and handling billing.

4.2 To Communicate With You

  • Sending transactional emails: account confirmation, password reset, billing receipts, and service alerts.

  • Notifying you of material changes to these terms or the Service.

  • Responding to support requests.

  • Sending product update communications relevant to your use of Basepop (you can opt out at any time).

4.3 To Improve the Service

  • Analysing aggregate usage patterns to prioritise features and fix problems.

  • Monitoring system performance and diagnosing technical issues.

  • Conducting internal research and development. This never involves using your business data or third-party platform data in identifiable form.

4.4 To Ensure Security and Prevent Abuse

  • Detecting and investigating suspicious activity, fraud, or unauthorised access.

  • Enforcing our Terms of Service and Acceptable Use Policy.

  • Complying with legal obligations and responding to lawful requests from authorities.

5. Who We Share Your Data With

We do not sell your data. We do not share your data for advertising purposes. We share your data only in the following circumstances:

5.1 Sub-processors

We use a limited number of carefully selected third-party service providers ("sub-processors") to operate the Service. Each sub-processor is bound by a data processing agreement and may only process your data on our documented instructions. Our current sub-processors include:

  • Supabase — Authentication, relational database (OLTP), and metadata storage. Hosted in Frankfurt, EU.

  • ClickHouse Cloud — Analytics data warehouse (OLAP) for storing and querying time-series business data. Hosted in Frankfurt, EU.

  • Vercel — Frontend hosting and serverless functions. Hosted in Frankfurt, EU.

  • Railway — Backend compute for data orchestration (Dagster). Hosted in Frankfurt, EU.

  • Stripe — Payment processing. Stripe is a data controller for payment data under its own privacy policy.

  • Resend — Transactional email delivery.

  • Sentry — Error monitoring and exception tracking. Error reports may contain metadata about the action that caused the error but are never enriched with your business data.

  • PostHog — Product analytics and feature flags. Usage events are pseudonymised.

An up-to-date list of sub-processors is maintained at basepop.app/sub-processors. We will notify you of any new sub-processor additions that handle personal data before they are engaged, giving you the opportunity to object.

5.2 Legal Requirements

We may disclose your data where required by law, regulation, court order, or other legal process. Where permitted, we will notify you before complying with such a request.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all assets of PMH Digital Consulting, your data may be transferred to the acquiring entity. You will be notified in advance, and the acquiring entity will be required to honour this Privacy Policy or provide you with a new policy and the opportunity to delete your account.

5.4 With Your Explicit Consent

We will share your data with any other party only with your explicit prior consent.

6. International Data Transfers

All primary infrastructure used by Basepop is located within the European Union (Frankfurt, Germany), meaning your data does not ordinarily leave the EEA. Where a sub-processor operates outside the EEA (for example, certain components of Stripe's or PostHog's infrastructure), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46.

7. Cookies and Tracking Technologies

7.1 What We Use Cookies For

We use the following categories of cookies:

  • Strictly necessary cookies: Required for the Service to function. These include session cookies that keep you logged in. These cannot be disabled without breaking the Service.

  • Analytics cookies: Used by PostHog to understand how users interact with the platform in aggregate. These are pseudonymised and do not identify you individually. You can opt out via our cookie banner.

  • Preference cookies: Store your UI preferences such as theme or sidebar state. These are functional and improve your experience.

7.2 Managing Cookies

You can control non-essential cookies via the cookie preference banner shown on your first visit to basepop.app. You can change your preferences at any time by clicking "Cookie settings" in the website footer. You can also configure your browser to block or delete cookies, though this may affect how the Service functions.

7.3 No Cross-Site Tracking

We do not use cookies or tracking pixels to follow you across other websites. We do not participate in any third-party advertising networks.

8. Data Retention

8.1 Account and Service Data

We retain your account data and third-party platform data for as long as your account is active. If you close your account, we will delete your data within 30 days of your request, subject to the exceptions below.

8.2 Legal Retention Obligations

Certain financial and transactional records (invoices, payment records) are retained for up to 5 years as required by Danish bookkeeping law (Bogføringsloven § 10).

8.3 Aggregated and Anonymised Data

Anonymised, aggregated data that cannot reasonably be linked to you or your organisation may be retained indefinitely for product improvement and statistical purposes.

8.4 Backups

Data deleted from live systems may persist in encrypted backups for up to 30 additional days before being purged from backup storage.

9. Our Role as Data Processor for Your Business Data

When you connect third-party platforms to Basepop, any personal data within those platforms (for example, customer records in Shopify) is processed by Basepop on your behalf. In this context:

  • You are the data controller — you determine the purpose and means of collecting that data from your customers.

  • Basepop is the data processor — we process it only to provide you with the analytics features you have subscribed to.

Our obligations as your data processor are set out in Section 10 of our Terms of Service, which constitutes our Data Processing Agreement (DPA). Our obligations include processing only on your instructions, maintaining appropriate security measures, assisting with data subject requests, and notifying you of any personal data breach within 72 hours.

You are responsible for ensuring you have a lawful basis for sharing your customers' data with Basepop, and that your own privacy notices accurately describe this processing.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, contact us at hello@basepop.app with the subject line "Data Subject Request". We will respond within 30 days and will not charge a fee unless the request is manifestly unfounded or excessive.

10.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

10.2 Right to Rectification (Article 16)

You have the right to request that we correct inaccurate personal data or complete incomplete data we hold about you.

10.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent (if consent was the legal basis), or where processing is unlawful. This right is subject to our legal retention obligations (see Section 8.2).

10.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while you contest the accuracy of the data or object to our processing.

10.5 Right to Data Portability (Article 20)

Where processing is based on contract or consent and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

10.6 Right to Object (Article 21)

You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is for the establishment, exercise, or defence of legal claims.

10.7 Right to Withdraw Consent

Where we rely on your consent as the legal basis for processing (e.g., analytics cookies or marketing emails), you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at dt.dk, or with the supervisory authority in your country of residence or place of work.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

  • Encryption of all data in transit using TLS 1.2 or higher.

  • Encryption of data at rest using AES-256 or equivalent.

  • Row-level security (RLS) in our database layer, ensuring that each workspace can only access its own data.

  • Access controls and authentication requirements for all internal systems.

  • Structured logging with workspace-scoped identifiers for auditability.

  • Real-time error monitoring via Sentry to detect and respond to anomalies.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at hello@basepop.app.

11.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Danish Data Protection Authority (Datatilsynet) within 72 hours of becoming aware, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

12. Children's Data

The Service is intended exclusively for business users and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us at hello@basepop.app and we will delete it promptly.

13. Links to Third-Party Websites

The Service may contain links to third-party websites or documentation (for example, links to platform API terms). We are not responsible for the privacy practices of those websites and encourage you to read their privacy policies. This Privacy Policy applies only to the Basepop platform.

14. Automated Decision-Making and Profiling

Basepop uses automated processing to generate forecasts, anomaly detection alerts, AI chat responses, and performance scores. These outputs are advisory only — they are decision-support tools presented to you as a human decision-maker, and no legally or similarly significant decisions about you are made solely by automated means. GDPR Article 22 is therefore not engaged.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Notify you by email at least 14 days before the changes take effect.

  • Display a prominent notice within the Service.

  • Update the "Last updated" date at the top of this page.

Your continued use of the Service after the effective date constitutes your acceptance of the updated policy. If you do not agree, you may close your account before the changes take effect.

16. Contact Us

For all privacy-related questions or to exercise your rights:

PMH Digital Consulting
CVR: 43409948
Email: hello@basepop.app
Website: basepop.app

Please use the subject line "Data Protection Inquiry" so we can route your message correctly. We aim to respond within 5 business days and will always respond within the 30-day statutory deadline under GDPR.

If you are not satisfied with our response, you may contact the Danish Data Protection Authority:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
dt.dk

This Privacy Policy was last updated on 24 May 2026 and supersedes all previous versions.