Privacy Policy
Last updated: March 22, 2026
Effective: March 22, 2026
Bestia Technologies Inc. ("Bestia", "we", "us", "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use WhatsDone and other Bestia products.
Our foundational commitment: Your data belongs to you. We do not sell it, share it with advertisers, mine it for marketing, or use it to train general-purpose AI models. We process your data solely to provide the service you requested.
1. Information We Collect
1.1 Information you provide directly
- Account information: name, email address, and profile photo (obtained via Google OAuth 2.0)
- Organisation information: company name, team structure, member invitations
- Feedback: your approvals, dismissals, edits, and comments on AI-generated suggestions
- Support communications: any messages you send to our support team
1.2 Information we access from Google Workspace
When you connect your Google account, we access the following data through Google's OAuth 2.0 APIs, strictly limited to providing WhatsDone's functionality:
- Gmail (read-only): Email messages, threads, labels, and metadata. Used to extract action items, generate intelligence briefs, and identify patterns.
- Google Calendar (read-only): Calendar events, attendees, and scheduling information. Used for scheduling intelligence and conflict detection.
- Google People/Contacts (read-only): Contact names and email addresses. Used to identify senders and enable team collaboration.
We request the minimum OAuth scopes necessary. We do not request write access to your Gmail. We do not send emails on your behalf. We do not modify your calendar without your explicit action.
1.3 Information collected automatically
- Device information: browser type, operating system, screen resolution
- Usage data: pages visited, features used, time spent (aggregated, not personally identifiable)
- Error logs: technical error information to diagnose and fix issues
We do not use third-party analytics tracking pixels, advertising SDKs, or data collection tools that would expose your data to additional parties.
2. How We Use Your Information
- To provide the service: Processing your emails to extract action items, generate briefs, and surface insights.
- To improve extraction quality: Using your feedback (approvals, dismissals, edits) to improve AI accuracy for your organisation only.
- To communicate with you: Sending transactional emails (invitations, OTP codes, account notifications). We never send marketing emails without your explicit consent.
- To ensure security: Monitoring for abuse, preventing unauthorised access, and maintaining service integrity.
- To comply with law: Responding to valid legal process (subpoenas, court orders) when required.
3. What We Never Do With Your Data
- We never sell your personal data to any third party, under any circumstances, ever.
- We never share your data with advertisers, data brokers, or marketing platforms.
- We never use your email content to train general-purpose AI models. Your data does not improve models for other customers.
- We never display advertisements of any kind within our products.
- We never retain your data after account deletion beyond the legally required minimum.
- We never access your data manually unless required for technical support you explicitly requested, or as required by law.
4. Data Sharing
We share personal data only with the following categories of recipients, and only to the extent necessary to provide our services:
- AI processing providers: Anthropic (Claude API) processes email content to extract actions. Anthropic's commercial API does not retain input data for model training. See our Sub-Processor List for details.
- Infrastructure providers: Railway (hosting), Resend (transactional email). These providers process data under contractual obligations requiring equivalent privacy standards.
- Your organisation: If you are part of a team, your organisation's owner/administrator can see team-wide activity. Individual email content is not shared with other team members unless you explicitly share it.
- Legal requirements: We may disclose data if required by valid legal process. We will notify you before disclosure unless legally prohibited from doing so.
5. Data Retention
- Active accounts: We retain your data for as long as your account is active and as needed to provide the service.
- Account deletion: Upon deletion, all personal data (emails, actions, feedback, organisation knowledge) is permanently deleted within 30 days. Database backups are purged within 90 days. All OAuth tokens are revoked immediately.
- Aggregated data: Anonymised, aggregated statistics (e.g., total actions extracted across all users) may be retained indefinitely, but these contain no personal data and cannot be used to identify individuals.
6. Your Privacy Rights
6.1 All users
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of all your personal data.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to specific processing activities.
6.2 California residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know: You can request the categories and specific pieces of personal information we have collected.
- Right to delete: You can request deletion of your personal information.
- Right to correct: You can request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: We do not sell or share your personal information. There is no need to opt out because we never engage in these practices.
- Right to non-discrimination: We will not discriminate against you for exercising any rights.
To exercise any right, contact privacy@bestia.ai. We will verify your identity and respond within 45 days.
6.3 UK and EEA residents
See our UK & International Data Protection Addendum for your full rights under the UK GDPR, Data Protection Act 2018, and Data (Use and Access) Act 2025.
7. Google API Services Compliance
WhatsDone's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only access Gmail data to provide the WhatsDone service as described in this policy
- We do not use Gmail data for serving advertisements
- We do not allow humans to read your email content unless: (a) we have your affirmative agreement, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) our use is limited to internal operations and the data has been aggregated and anonymized
- We do not transfer Gmail data to third parties except as necessary to provide or improve the service, to comply with applicable laws, or as part of a merger or acquisition with adequate data protection
8. Children's Privacy
Our products are not intended for use by children under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will promptly delete it. Contact privacy@bestia.ai if you believe a child has provided us with personal data.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to the address associated with your account at least 30 days before the changes take effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.
10. Contact
- Privacy enquiries: privacy@bestia.ai
- Data Protection Officer: privacy@bestia.ai
- Postal: Bestia Technologies Inc., Attn: Privacy, 1600 Rosecrans Ave, Bldg 7, Manhattan Beach, CA 90266