Privacy Policy - BASTUDIO

1. Introduction

Welcome to BASTUDIO ("the App," "Service," "we," "us," or "our"), operated by TouchApp Inc., a Delaware corporation (EIN: 32-0615643, Delaware File No.: 7721589), with its registered address at 16192 Coastal Highway, Lewes, DE 19958, United States (Sussex County).

This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our mobile application (available on iOS and Android) and web application at bastud.io (collectively, the "Platforms"). Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please do not access or use the Service. We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the "Last updated" date of this Privacy Policy.

2. Information We Collect

We collect information that you provide directly to us, information collected automatically when you use the Service, and information from third-party sources.

a) Account Information

When you create an account, we collect:

Email address - used for authentication, account verification, and communication
Password - stored in hashed form using bcryptjs; we never store or have access to your plaintext password
Display name - your chosen name displayed within the App
Practice name - the name of your medical practice (optional)

b) Patient Content

When you use the Service, you may upload:

Patient photographs - before-and-after images captured or uploaded for documentation purposes
Case metadata - procedure types, notes, and other case-related information
Generated videos - before-and-after transformation videos created by the Service using your uploaded images

c) Payment Information

We do not directly collect or store your full payment card details. Payment processing is handled by third-party providers:

RevenueCat - manages in-app purchases and subscriptions on iOS (App Store) and Android (Google Play)
Stripe - processes web-based subscription payments

These providers may collect payment card numbers, billing addresses, and transaction history. Please refer to their respective privacy policies for details.

d) Usage Data

We automatically collect certain information when you interact with the Service, including:

Features accessed and actions performed within the App
Frequency and duration of usage sessions
Number of cases created and videos generated
Basic analytics and usage statistics

e) Device Information

We may collect information about the device you use to access the Service, including:

Device type, model, and operating system version
Unique device identifiers
IP address
Browser type and version (for web access)
Platform (iOS, Android, or Web)

3. How We Use Your Information

We use the information we collect for the following purposes:

Provide and maintain the Service: To operate the App, process your uploads, generate before-and-after videos using FFmpeg, and deliver the core functionality of the Service
Account management: To create and manage your account, authenticate your identity via JWT tokens, and verify your email address
Communication: To send you account verification emails, password reset instructions, service updates, and important notices via our email provider (Resend)
Payment processing: To facilitate subscription management and billing through RevenueCat and Stripe
Cloud storage: To securely store your uploaded images and generated videos in Cloudflare R2 cloud storage, isolated to your user account
Service improvement: To analyze usage patterns, diagnose technical issues, and improve the performance and features of the Service
Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues
Legal compliance: To comply with applicable laws, regulations, legal processes, or governmental requests
Integration API: To provide integration capabilities with bastud.io for authorized users

4. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following circumstances:

a) Service Providers

We share information with third-party service providers who perform services on our behalf:

Cloudflare (R2 Storage): Stores your uploaded patient images and generated videos in secure cloud storage
Stripe: Processes web-based subscription payments and manages billing
RevenueCat: Manages mobile in-app purchases and subscription entitlements on iOS and Android
Resend: Delivers transactional emails including account verification and password reset communications
Replit: Provides cloud infrastructure for hosting the Service

b) Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government agency request).

c) Business Transfers

If TouchApp Inc. is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

d) With Your Consent

We may share your information with third parties when you have given us your explicit consent to do so.

5. Data Storage & Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect your information.

Password security: All passwords are hashed using bcryptjs before storage. We never store or have access to plaintext passwords.
Authentication: User sessions are managed via JSON Web Tokens (JWT) with appropriate expiration times.
Cloud storage: Patient images and generated videos are stored in Cloudflare R2 cloud storage with per-user isolation, ensuring that each user can only access their own content.
Email verification: We require email verification to confirm account ownership and prevent unauthorized access.
Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
Infrastructure: Our application is hosted on Replit's cloud infrastructure with Cloudflare's global network for storage, benefiting from their enterprise-grade security measures.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.

6. Patient Data & Medical Information

IMPORTANT DISCLAIMER: BASTUDIO is NOT a medical device and is NOT HIPAA compliant. The Service is not designed, intended, or certified to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) or any other healthcare data protection regulation.

The Service allows aesthetic surgeons to upload patient before-and-after photographs and generate transformation videos. Regarding patient data:

We do not collect, store, or process Protected Health Information (PHI) as defined by HIPAA.
Patient images uploaded to the Service are treated as user-generated content and are stored in Cloudflare R2 cloud storage isolated to your account.
We do not associate patient images with patient medical records, diagnoses, or treatment plans.
The Service does not include patient identification information such as names, dates of birth, or medical record numbers unless voluntarily added by the user in case notes.

Your Responsibilities:

You are solely responsible for obtaining proper informed consent from each patient before photographing, uploading, or sharing their images through the Service.
You must comply with all applicable laws, regulations, and professional ethical standards governing patient privacy in your jurisdiction.
You acknowledge that the Service is intended for creating marketing and portfolio content and is not a substitute for a compliant electronic health records (EHR) system.
You are responsible for determining whether your use of the Service complies with applicable healthcare regulations, including but not limited to HIPAA, GDPR, and state privacy laws.
You must ensure that any videos generated and shared on social media comply with patient consent agreements.

TouchApp Inc. disclaims all liability for any unauthorized disclosure of patient information resulting from your use of the Service.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

Right to Access: You may request a copy of the personal information we hold about you, including your account data, uploaded content metadata, and usage history.
Right to Correction: You may update or correct inaccurate personal information through your account settings (display name, practice name, email) or by contacting us.
Right to Deletion: You may request the deletion of your account and associated personal information. Upon account deletion, we will remove your account data, uploaded images, and generated videos from our systems within a reasonable timeframe.
Right to Data Portability: You may request a copy of your data in a commonly used, machine-readable format. You can also download your images and videos directly through the App before requesting account deletion.
Right to Restrict Processing: You may request that we limit the processing of your personal information under certain circumstances.
Right to Object: You may object to the processing of your personal information for certain purposes, such as direct marketing.
Right to Withdraw Consent: Where we rely on your consent to process your information, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at support@bastud.io. We will respond to your request within 30 days.

8. Children's Privacy

BASTUDIO is not intended for use by individuals under the age of 18. The Service is designed exclusively for licensed aesthetic surgeons and medical professionals.

We do not knowingly collect personal information from anyone under the age of 18. If we discover that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at support@bastud.io so that we can take appropriate action.

9. International Data Transfers

TouchApp Inc. is based in the United States (Delaware). If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

By using the Service, you consent to the transfer of your information to the United States and other jurisdictions that may have different data protection laws than your country of residence.

Our service providers, including Cloudflare, Stripe, RevenueCat, and Resend, may process and store data in various locations worldwide. We rely on these providers' compliance with applicable data transfer mechanisms, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with our service providers
Compliance with the EU-U.S. Data Privacy Framework where applicable

10. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

Account data: Retained for the duration of your active account. Upon account deletion request, we will delete your account information within 30 days.
Patient images and videos: Stored in Cloudflare R2 for the duration of your active account. Upon account deletion, all associated images and generated videos will be permanently deleted within 30 days.
Usage data: Retained in aggregated, anonymized form for analytics purposes. Individual usage data is deleted with your account.
Payment records: Transaction records may be retained as required by applicable tax and financial regulations, typically for a period of 7 years.
Communication records: Email verification and transactional email records may be retained for up to 1 year for security and compliance purposes.

We may also retain certain information as required by law, to resolve disputes, enforce our agreements, or for other legitimate business purposes.

11. Third-Party Services

The Service integrates with and relies on third-party services. Each of these services has its own privacy policy governing their collection and use of data:

Cloudflare: Cloud storage (R2) for patient images and videos - Cloudflare Privacy Policy
Stripe: Web payment processing - Stripe Privacy Policy
RevenueCat: Mobile subscription management - RevenueCat Privacy Policy
Resend: Transactional email delivery - Resend Privacy Policy
Apple App Store: iOS app distribution and in-app purchases - Apple Privacy Policy
Google Play Store: Android app distribution and in-app purchases - Google Privacy Policy

We encourage you to review the privacy policies of these third-party services to understand how they handle your data. We are not responsible for the privacy practices of these third-party services.

12. Cookies & Tracking Technologies

BASTUDIO uses minimal tracking technologies. Here is what we use:

a) Authentication Tokens (JWT)

We use JSON Web Tokens (JWT) to authenticate your sessions. These tokens are stored locally on your device and are used to verify your identity when making requests to our servers. JWT tokens are not cookies but serve a similar purpose for session management.

b) Local Storage (AsyncStorage)

On mobile devices, we use AsyncStorage (React Native) to store your authentication token and user preferences locally on your device. This data remains on your device and is not transmitted to third parties.

c) Essential Technical Data

Our servers may log basic technical information such as IP addresses, request timestamps, and user agent strings for security monitoring and abuse prevention. This data is used solely for operational purposes and is not used for advertising or tracking.

What We Do NOT Use:

We do not use advertising cookies or tracking pixels
We do not use third-party analytics services that track users across websites
We do not engage in cross-site tracking or behavioral advertising
We do not sell or share your data with advertising networks

13. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

Right to Know: You have the right to request that we disclose what personal information we have collected about you in the preceding 12 months, including the categories of information, the sources, the business purposes for collection, and the categories of third parties with whom we share it.

Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (such as legal obligations or completing transactions you initiated).

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, or provide a different quality of service because you exercised your rights.

Right to Opt-Out of Sale: We do not sell your personal information to third parties. Therefore, there is no need to opt out of the sale of personal information.

Categories of Information Collected:

Identifiers (email address, display name, IP address)
Commercial information (subscription and transaction records)
Internet or network activity (usage data, device information)
Professional information (practice name)
User-generated content (patient images, case data, generated videos)

To exercise your California privacy rights, please contact us at support@bastud.io. We will verify your identity before processing your request and respond within 45 days.

14. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. When we make material changes, we will:

Update the "Last updated" date at the top of this Privacy Policy
Notify you via email or through a prominent notice within the App
Provide a summary of the key changes made

Your continued use of the Service after any modifications to this Privacy Policy constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically for any changes.

If we make changes that materially affect how we handle your previously collected personal information, we will make reasonable efforts to notify you and give you an opportunity to review the changes before they take effect.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: TouchApp Inc.
EIN: 32-0615643
Delaware File No.: 7721589
Address: 16192 Coastal Highway, Lewes, DE 19958, United States (Sussex County)
Email: support@bastud.io
Website: bastud.io

We will do our best to respond to your inquiry within 30 days of receipt.