Log inGet started free
Home/Legal/Privacy Policy
PrivacyLast updated · May 14, 2026Effective · May 14, 2026

Privacy Policy

This policy explains what data PrimeBase collects, why we collect it, who it's shared with, and the controls you have over it. We've written it in plain language — no dark patterns, no buried clauses.

You own your data.
Your customer records, documents, and accounting data belong to you — exportable on request and deletable at any time.
We don't sell it.
Ever. Not to ad networks, not to data brokers, not to model trainers. Period.
Encrypted, isolated, US-hosted.
TLS in transit, AES-256 at rest, every record isolated by workspace at the database layer.
§01

Who we are and how to read this policy

PrimeBase is operated by VividSphere LLP, based in Bangalore, India (“PrimeBase”, “we”, “us”). When we talk about “the Service” or “PrimeBase” in this policy, we mean the web application, mobile apps, customer and vendor portals, marketing site, and APIs published at primebase.io.

This policy applies to two groups of people, and they have different rights:

  • Customers — businesses and the team members who sign in to PrimeBase to run their operations. Here, PrimeBase is the data controller for account and product-usage data.
  • Customer end users — your customers and vendors who log into a portal you operate on PrimeBase. Here, PrimeBase is the data processor, acting on your instructions. Their privacy questions should go to you first; ours is a backstop.
In plain English
If you signed up for a PrimeBase account, this whole document is for you. If you're logging into someone else's portal that happens to run on PrimeBase, sections 2, 7, and 13 are the ones to read.
§02

Information we collect

We collect only what we need to deliver the Service, bill you, keep accounts secure, and improve the product. We've grouped it into four buckets.

2.1 Information you give us directly

  • Account information — your name, work email, password (stored as a one-way hash), company name, and time zone.
  • Billing information — billing address and tax identifiers if you provide them. Payment card details, when collected, are processed by our payment provider; full card numbers never reach our systems.
  • Customer content — anything you put into PrimeBase: customer records, projects, documents, invoices, accounting entries, files, comments, custom fields.
  • Support correspondence — messages you send us via email or attachments shared with us.

2.2 Information collected automatically

  • Device and connection data — IP address, browser, OS, and the time of each request.
  • Product usage — pages viewed, features used, errors encountered, and aggregate performance metrics. We use this to fix bugs and prioritise what to build next.
  • Cookies & similar tech — only what's required to keep you signed in, remember preferences, and measure aggregate product usage.

2.3 Information from third parties

  • Integrations you connect — when you authorise an integration (for example, connecting a Google or Outlook calendar), we receive only the data the scopes you granted allow. You can revoke at any time from your integration settings.

2.4 What we don't collect

We don't track you across the web with advertising pixels. We don't fingerprint your device. We don't read or store the contents of files you upload for purposes other than delivering them to your team and clients. And we don't train AI models on your customer content — see §4.
§03

How we use your information

Each piece of data we hold is tied to one of six lawful purposes. Here's the full map:

PurposeWhat we useLegal basis
Provide the ServiceAccount, customer content, usageContract
Bill and collect paymentBilling infoContract
Keep your account secureConnection, device, request metadataLegitimate interest
Provide customer supportAccount info, correspondenceContract
Improve the productAggregated, de-identified usageLegitimate interest
Send transactional emailsEmail, account eventsContract
Send product news (opt-in)Email, marketing prefsConsent
Comply with legal obligationsWhatever a valid order requiresLegal obligation

3.1 Automated decisions

We don't make any decision about you that has a legal or significant effect using only automated processing. Abuse-prevention checks (such as CAPTCHA and rate limits) flag activity for human review; they don't take final action on accounts.

§04

AI features and your customer content

PrimeBase ships several AI-assisted features (for example, OCR extraction from uploaded documents). We've designed them with the same standard we'd want as customers ourselves:

  • Your customer content is never used to train PrimeBase models, third-party foundation models, or anyone else's models.
  • Prompts and outputs are encrypted in transit and at rest, and retained only as long as needed to deliver the feature and monitor for abuse.
  • We use AI providers in pass-through mode and select providers whose terms forbid training on customer prompts.
§05

Google API services and user data

If you connect a Google account to PrimeBase, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.1 Google Calendar

When you connect Google Calendar, PrimeBase creates a dedicated calendar in your Google account and syncs PrimeBase appointments to it. We may access event titles, start/end times, descriptions, attendees, and technical identifiers for events we create. Our access is limited to calendars and events created by the PrimeBase app.

5.2 Gmail (send-only)

When you connect Gmail, PrimeBase requests the gmail.send scope only — used to send emails on your behalf from inside the product. We do not read your inbox, do not access existing messages, and do not retain message content. Your Gmail address is recorded for the purpose of associating sent emails with your account.

5.3 Permitted uses

Data received from Google APIs is used only to deliver user-facing calendar sync and email-send features in PrimeBase. We do not use Google user data for:

  • advertising or marketing personalisation,
  • resale or transfer to data brokers,
  • creditworthiness or lending decisions,
  • building standalone profiles of you outside PrimeBase, or
  • training generalised AI/ML models.

5.4 Sharing and disclosure

We do not sell Google user data. We share it only with the sub-processors strictly necessary to deliver the integration (e.g. our cloud hosting provider), under contractual confidentiality and data-protection obligations.

5.5 Security

OAuth access and refresh tokens are encrypted at the application layer with AES-256-GCM before they hit the database. Token access is restricted to the integration code paths that need it; the rest of the application sees the integration as opaque.

5.6 Retention and deletion

Tokens and integration metadata are retained while your account is active and the integration is enabled. Disconnecting the integration from PrimeBase stops further API access and removes the tokens from our database. You can also revoke PrimeBase's access at any time from your Google Account security settings.

§06

How we share information

We share data in only four narrow circumstances. Here they are, in full:

6.1 With sub-processors who run our infrastructure

We use a small set of vetted vendors for cloud hosting, email delivery, and analytics. Each is bound by their contractual security and data-protection terms. Our primary infrastructure runs on Google Cloud Platform. The current sub-processor list is available on request at support@primebase.io.

6.2 With integrations you explicitly connect

When you connect an integration (for example, a Google or Outlook calendar), we share only the data the scopes you granted allow, and only while the integration is active. Disconnecting it from your integration settings stops further sharing immediately. Google integrations are covered separately in §5.

6.3 With buyers, in the event of a sale

If we're acquired or merged, your data may transfer to the successor — under the same commitments in this policy or stricter. We'll notify you by email at least 30 days before the transfer takes effect, and you can export and delete your account before then.

6.4 When the law requires it

We comply with valid legal process. Before disclosing customer content in response to a subpoena, court order, or government request, we'll notify you so you can challenge it — unless we're legally prohibited from doing so or there's an imminent risk to life.

What we never do
We don't sell your personal information. We don't share it with advertisers. We don't share customer content with model trainers, data brokers, or “marketing partners”. If we ever change this, we'll notify account admins by email and give you the right to export and delete first — see §12.
§07

How long we keep data

We keep different categories of data for different durations, based on what's necessary and what regulators require:

CategoryActive retentionAfter deletion
Customer content (records, documents, files)For the life of your accountHard-deleted within 30 days
Account & billing recordsFor the life of your accountRetained as required by tax law
Product analytics eventsAggregated and de-identifiedNo link to you
Database backupsRolling encrypted backupsOverwritten on rotation
Support correspondenceFor the life of your accountHard-deleted on request

You can trigger deletion of your workspace at any time from Settings → Account → Close workspace, or by emailing support@primebase.io. Hard deletion completes within 30 days; we'll send you written confirmation when it's done.

§08

Your rights and how to exercise them

Depending on where you live, you have some or all of the following rights over the personal information we hold about you:

  • Access — request a copy of what we hold.
  • Rectification — correct anything inaccurate.
  • Erasure — ask us to delete it (“the right to be forgotten”).
  • Portability — receive your data in a structured format. Admins can self-serve CSV exports for customers and inventory batches; for other data, email us.
  • Object or restrict — opt out of processing based on legitimate interest, or pause it temporarily.
  • Withdraw consent — for anything we do based on consent (mainly product news), instantly.
  • Lodge a complaint — with your local supervisory authority in the EU/EEA, the UK ICO, or — for California residents — the California Attorney General.

How to exercise them

Email support@primebase.io from the address on file. We'll respond within 30 days (and usually within one business day). We don't charge for these requests, and we won't ask you why — though if a request is clearly unfounded or repetitive we may decline it.

If you're a portal end user
Your rights live primarily with the business whose portal you logged into — they're the data controller. Reach out to them first. If they don't respond, write to us and we'll help mediate or, if necessary, act on the request directly.
§09

How we protect your data

The short version: encryption everywhere, strict workspace isolation, role-based access, careful defaults.

  • TLS in transit. AES-256 at rest on Google Cloud Platform with envelope encryption managed by the cloud provider.
  • Sensitive identifiers and authentication tokens are additionally encrypted at the application layer before they hit the database.
  • Every record carries a workspace ID. Postgres row-level security policies block cross-tenant reads and writes at the database layer.
  • Every API endpoint declares the permission it requires. Custom roles and access rules on Business+ let admins restrict who can see and do what in your workspace.
  • Application secrets stored in Google Cloud Secret Manager with IAM-scoped access. Production access limited to a small number of engineers.
  • Public-facing forms are protected by a CAPTCHA challenge and a honeypot trap. Access codes on shared links are stored as one-way hashes with brute-force lockout.

For a fuller picture, see our security overview.

If something goes wrong
If we discover a security incident that affects your data, we'll notify your workspace admins directly by email — what happened, what to check on your side, and what we're doing to fix it.
§10

International data transfers

PrimeBase is hosted on Google Cloud Platform in the United States. If you sign up from the EU/EEA, UK, or another jurisdiction outside the US, your data will be transferred to and processed in the United States.

For these transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, supplemented by the technical safeguards described in §8 (encryption in transit, encryption at rest, application-layer encryption for sensitive identifiers, workspace isolation by row-level security).

§11

Children's privacy

PrimeBase is a tool for businesses. The Service is not intended for use by individuals under 18, and we don't knowingly collect personal information from anyone under 18. If you're a parent or guardian and believe your child has provided us with personal information, write to us at support@primebase.io and we'll delete it.

§12

Changes to this policy

We'll update this policy as PrimeBase evolves. When we do, we'll change the “Last updated” date at the top, and — if the change is material — we'll notify account admins by email before it takes effect, with enough time for you to export and delete first if you'd prefer to leave.

§13

Contact us

The fastest way to reach the team responsible for this policy is by email. A real human reads it and we aim to respond within one business day.

  • Email us anything · support@primebase.io
Questions?

Talk to a real human about your data.

Privacy questions go to a real engineer, not a queue. We aim to respond within one business day.

Email us anything
support@primebase.io
Related documents
Legal
Terms of Service
Updated May 2026
Trust
Security overview
How we protect your data