1. Introduction
Welcome to BASTUDIO ("the App," "Service," "we," "us," or "our"), operated by TouchApp Inc., a Delaware corporation (EIN: 32-0615643, Delaware File No.: 7721589), with its registered address at 16192 Coastal Highway, Lewes, DE 19958, United States (Sussex County).
This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our mobile application (available on iOS and Android) and web application at bastud.io (collectively, the "Platforms"). Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service. We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the "Last updated" date of this Privacy Policy.
2. Information We Collect
We collect information that you provide directly to us, information collected automatically when you use the Service, and information from third-party sources.
a) Account Information
When you create an account, we collect:
- Email address - used for authentication, account verification, and communication
- Password - stored in hashed form using bcryptjs; we never store or have access to your plaintext password
- Display name - your chosen name displayed within the App
- Business name - the name of your business (optional)
b) Your Content
When you use the Service, you may upload:
- Photographs - before-and-after images captured or uploaded for documentation purposes
- Case metadata - procedure types, notes, and other case-related information
- Generated videos - before-and-after transformation videos created by the Service using your uploaded images
c) Payment Information
We do not directly collect or store your full payment card details. Payment processing is handled by third-party providers:
- RevenueCat - manages in-app purchases and subscriptions on iOS (App Store) and Android (Google Play)
- Stripe - processes web-based subscription payments
These providers may collect payment card numbers, billing addresses, and transaction history. Please refer to their respective privacy policies for details.
d) Usage Data
We automatically collect certain information when you interact with the Service, including:
- Features accessed and actions performed within the App
- Frequency and duration of usage sessions
- Number of cases created and videos generated
- Basic analytics and usage statistics
e) Device Information
We may collect information about the device you use to access the Service, including:
- Device type, model, and operating system version
- Unique device identifiers
- IP address
- Browser type and version (for web access)
- Platform (iOS, Android, or Web)
f) Social Media Account Data
When you choose to connect a social media account (YouTube, Instagram, or TikTok) to BASTUDIO for the purpose of publishing content, we collect and store:
- OAuth access tokens and refresh tokens — encrypted authorization credentials that allow BASTUDIO to publish content on your behalf, stored securely in our database and never shared with third parties
- Channel or account identifiers — unique identifiers for your connected social media account (e.g., YouTube channel ID), used solely to associate published content with your account
- Channel display name and thumbnail — your public channel name and profile image, used only to display your connected account within the BASTUDIO interface
- Scheduled post metadata — title, caption, hashtags, scheduled publication time, and post status for content you schedule through BASTUDIO
- Publication results — URL of successfully published content, error messages if publication fails
We do not collect, access, read, or store your followers, comments, messages, watch history, engagement data, or any other content from your social media accounts beyond what is strictly necessary to publish your scheduled posts.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and maintain the Service: To operate the App, process your uploads, generate before-and-after videos using FFmpeg, and deliver the core functionality of the Service
- Account management: To create and manage your account, authenticate your identity via JWT tokens, and verify your email address
- Communication: To send you account verification emails, password reset instructions, service updates, and important notices via our email provider (Resend)
- Payment processing: To facilitate subscription management and billing through RevenueCat and Stripe
- Cloud storage: To securely store your uploaded images and generated videos in Cloudflare R2 cloud storage, isolated to your user account
- Service improvement: To analyze usage patterns, diagnose technical issues, and improve the performance and features of the Service
- Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues
- Legal compliance: To comply with applicable laws, regulations, legal processes, or governmental requests
- Integration API: To provide integration capabilities with bastud.io for authorized users
- Social media publishing: When you connect a social media account (YouTube, Instagram, TikTok) and schedule a post, we use your stored OAuth tokens exclusively to publish the specific content you have scheduled. We do not use your tokens for any other purpose.
4. How We Share Your Information
We do not sell your personal information to third parties. We may share your information in the following circumstances:
a) Service Providers
We share information with third-party service providers who perform services on our behalf:
- Cloudflare (R2 Storage): Stores your uploaded images and generated videos in secure cloud storage
- Stripe: Processes web-based subscription payments and manages billing
- RevenueCat: Manages mobile in-app purchases and subscription entitlements on iOS and Android
- Resend: Delivers transactional emails including account verification and password reset communications
- Replit: Provides cloud infrastructure for hosting the Service
- Google (YouTube Data API v3): When you connect your YouTube account, your OAuth credentials are transmitted to Google's servers to authenticate and publish videos on your behalf
- Meta (Instagram Graph API): When you connect your Instagram account, your OAuth credentials are transmitted to Meta's servers to publish content on your behalf
- TikTok (TikTok for Developers API): When you connect your TikTok account, your OAuth credentials are transmitted to TikTok's servers to publish content on your behalf
b) Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government agency request).
c) Business Transfers
If TouchApp Inc. is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
d) With Your Consent
We may share your information with third parties when you have given us your explicit consent to do so.
5. Data Storage & Security
We take the security of your data seriously and implement appropriate technical and organizational measures to protect your information.
- Password security: All passwords are hashed using bcryptjs before storage. We never store or have access to plaintext passwords.
- Authentication: User sessions are managed via JSON Web Tokens (JWT) with appropriate expiration times.
- Cloud storage: Images and generated videos are stored in Cloudflare R2 cloud storage with per-user isolation, ensuring that each user can only access their own content.
- Email verification: We require email verification to confirm account ownership and prevent unauthorized access.
- Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
- Infrastructure: Our application is hosted on Replit's cloud infrastructure with Cloudflare's global network for storage, benefiting from their enterprise-grade security measures.
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.
6. Your Data & Medical Information
IMPORTANT DISCLAIMER: BASTUDIO is NOT a regulated device and is NOT HIPAA compliant. The Service is not designed, intended, or certified to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) or any other data protection regulation.
The Service allows professionals to upload before-and-after photographs and generate transformation videos. Regarding your data:
- We do not collect, store, or process Protected Health Information (PHI) as defined by HIPAA.
- Images uploaded to the Service are treated as user-generated content and are stored in Cloudflare R2 cloud storage isolated to your account.
- We do not associate images with records, diagnoses, or treatment plans.
- The Service does not include identification information such as names, dates of birth, or record numbers unless voluntarily added by the user in case notes.
Your Responsibilities:
- You are solely responsible for obtaining proper informed consent from each individual before photographing, uploading, or sharing their images through the Service.
- You must comply with all applicable laws and professional ethical standards governing privacy in your jurisdiction.
- You acknowledge that the Service is intended for creating marketing and portfolio content and is not a substitute for a compliant electronic health records (EHR) system.
- You are responsible for determining whether your use of the Service complies with applicable regulations, including but not limited to HIPAA, GDPR, and state privacy laws.
- You must ensure that any videos generated and shared on social media comply with consent agreements.
TouchApp Inc. disclaims all liability for any unauthorized disclosure of personal information resulting from your use of the Service.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Right to Access: You may request a copy of the personal information we hold about you, including your account data, uploaded content metadata, and usage history.
- Right to Correction: You may update or correct inaccurate personal information through your account settings (display name, practice name, email) or by contacting us.
- Right to Deletion: You may request the deletion of your account and associated personal information. Upon account deletion, we will remove your account data, uploaded images, and generated videos from our systems within a reasonable timeframe.
- Right to Data Portability: You may request a copy of your data in a commonly used, machine-readable format. You can also download your images and videos directly through the App before requesting account deletion.
- Right to Restrict Processing: You may request that we limit the processing of your personal information under certain circumstances.
- Right to Object: You may object to the processing of your personal information for certain purposes, such as direct marketing.
- Right to Withdraw Consent: Where we rely on your consent to process your information, you may withdraw that consent at any time.
To exercise any of these rights, please contact us at support@bastud.io. We will respond to your request within 30 days.
8. Children's Privacy
BASTUDIO is not intended for use by individuals under the age of 18. The Service is designed exclusively for licensed professionals.
We do not knowingly collect personal information from anyone under the age of 18. If we discover that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at support@bastud.io so that we can take appropriate action.
9. International Data Transfers
TouchApp Inc. is based in the United States (Delaware). If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
By using the Service, you consent to the transfer of your information to the United States and other jurisdictions that may have different data protection laws than your country of residence.
Our service providers, including Cloudflare, Stripe, RevenueCat, and Resend, may process and store data in various locations worldwide. We rely on these providers' compliance with applicable data transfer mechanisms, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with our service providers
- Compliance with the EU-U.S. Data Privacy Framework where applicable
10. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:
- Account data: Retained for the duration of your active account. Upon account deletion request, we will delete your account information within 30 days.
- Images and videos: Stored in Cloudflare R2 for the duration of your active account. Upon account deletion, all associated images and generated videos will be permanently deleted within 30 days.
- Usage data: Retained in aggregated, anonymized form for analytics purposes. Individual usage data is deleted with your account.
- Payment records: Transaction records may be retained as required by applicable tax and financial regulations, typically for a period of 7 years.
- Communication records: Email verification and transactional email records may be retained for up to 1 year for security and compliance purposes.
We may also retain certain information as required by law, to resolve disputes, enforce our agreements, or for other legitimate business purposes.
11. Third-Party Services
The Service integrates with and relies on third-party services. Each of these services has its own privacy policy governing its collection and use of data:
We encourage you to review the privacy policies of these third-party services to understand how they handle your data. We are not responsible for the privacy practices of these third-party services.
12. Google API Services & YouTube Data API
Google API Services User Data Policy Compliance: BASTUDIO's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
What YouTube data BASTUDIO accesses:
- YouTube channel information (channel ID, name, thumbnail) — used solely to display your connected account within the BASTUDIO interface
- YouTube video upload capability — used only to publish videos that you explicitly schedule through BASTUDIO
What YouTube data BASTUDIO does NOT access:
- Your subscribers, comments, messages, or private information
- Your watch history, playlists, or liked videos
- Your YouTube analytics or revenue data
- Any content not explicitly uploaded by you through BASTUDIO
How we store and protect Google user data:
- OAuth access tokens and refresh tokens are stored in encrypted form in our PostgreSQL database hosted on Replit infrastructure
- Tokens are never logged, displayed, transmitted to third parties, or used for any purpose other than publishing your scheduled content
- We request only the minimum scopes necessary: youtube.upload and youtube.readonly
How to revoke access:
You can disconnect your YouTube account at any time from within the BASTUDIO app (Social Media section) or directly from your Google Account at myaccount.google.com/permissions. Upon disconnection, we immediately delete your stored OAuth tokens from our database.
Applicable platform terms:
13. Cookies & Tracking Technologies
BASTUDIO uses minimal tracking technologies. Here is what we use:
a) Authentication Tokens (JWT)
We use JSON Web Tokens (JWT) to authenticate your sessions. These tokens are stored locally on your device and are used to verify your identity when making requests to our servers. JWT tokens are not cookies but serve a similar purpose for session management.
b) Local Storage (AsyncStorage)
On mobile devices, we use AsyncStorage (React Native) to store your authentication token and user preferences locally on your device. This data remains on your device and is not transmitted to third parties.
c) Essential Technical Data
Our servers may log basic technical information such as IP addresses, request timestamps, and user agent strings for security monitoring and abuse prevention. This data is used solely for operational purposes and is not used for advertising or tracking.
What We Do NOT Use:
- We do not use advertising cookies or tracking pixels
- We do not use third-party analytics services that track users across websites
- We do not engage in cross-site tracking or behavioral advertising
- We do not sell or share your data with advertising networks
14. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
Right to Know: You have the right to request that we disclose what personal information we have collected about you in the preceding 12 months, including the categories of information, the sources, the business purposes for collection, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (such as legal obligations or completing transactions you initiated).
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, or provide a different quality of service because you exercised your rights.
Right to Opt-Out of Sale: We do not sell your personal information to third parties. Therefore, there is no need to opt out of the sale of personal information.
Categories of Information Collected:
- Identifiers (email address, display name, IP address)
- Commercial information (subscription and transaction records)
- Internet or network activity (usage data, device information)
- Professional information (practice name)
- User-generated content (images, case data, generated videos)
To exercise your California privacy rights, please contact us at support@bastud.io. We will verify your identity before processing your request and respond within 45 days.
15. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time. When we make material changes, we will:
- Update the "Last updated" date at the top of this Privacy Policy
- Notify you via email or through a prominent notice within the App
- Provide a summary of the key changes made
Your continued use of the Service after any modifications to this Privacy Policy constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically for any changes.
If we make changes that materially affect how we handle your previously collected personal information, we will make reasonable efforts to notify you and give you an opportunity to review the changes before they take effect.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Company: TouchApp Inc.
- Tax ID: 32-0615643
- Delaware File No.: 7721589
- Address: 16192 Coastal Highway, Lewes, DE 19958, County of Sussex, United States
- Phone: +1 (360) 322-4986
- Email: support@bastud.io
- Website: bastud.io
We will do our best to respond to your inquiry within 30 days of receipt.