Privacy Policy
Effective Date: June 1, 2026
Barista, Inc. (“Barista,” “we,” “us”) provides an AI-powered PR intelligence platform. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit getbarista.ai, sign up, or use the Barista application and services (the “Service”).
1. Two Roles: Controller and Processor
We handle personal information in two distinct capacities, and different rules apply to each.
As a controller, we decide how and why we process information about: visitors to our website; people who sign up, join the waitlist, or contact us; and the authorized users of customer accounts. This policy governs that processing.
As a processor, we process personal information that our customers upload to or generate within their workspaces — for example, details about journalists, podcasters, and other media contacts (“Customer Workspace Data”). Here, our customer is the controller and decides how that data is used. Our handling of Customer Workspace Data is governed by our agreement with the customer and the Data Processing Addendum at getbarista.ai/dpa, not primarily by this policy. If you are a media contact or other individual whose data appears in a customer's workspace, please direct privacy requests to that customer; we will assist them as required by law.
2. Information We Collect
Information you provide:
- Account and contact details: name, email, company, role, and password credentials.
- Billing information: processed by our payment processor; we receive limited records such as plan, transaction status, and the last four digits of a card. We do not store full payment card numbers.
- Communications: messages you send us and information you provide in support requests.
Customer Workspace Data you submit to the Service: contacts, outlets, companies, news clips, prompts, and documents you create or upload. This may include personal information about third parties (handled as processor — see Section 1).
Information collected automatically:
- Usage and device data: pages and features used, actions taken, browser and device type, IP address, and timestamps.
- Cookies and similar technologies — see Section 8.
3. How We Use Information
As a controller, we use personal information to:
- create and administer accounts and provide the Service;
- process payments and manage subscriptions and credits;
- communicate with you about the Service, including service notices and, with appropriate consent where required, marketing;
- monitor, secure, debug, and improve the Service, including in aggregated and de-identified form;
- comply with legal obligations and enforce our terms.
AI processing. Providing the Service involves sending prompts and relevant Customer Data to third-party AI model providers to generate output. We do not use Customer Data to train our own models, and our AI providers are contractually prohibited from training their models on data submitted through the Service. See Section 5 for the providers involved.
4. How We Share Information
We share personal information only as follows:
- Service providers / subprocessors who help us operate the Service, under contracts limiting their use of the data (Section 5).
- Payment processing for billing.
- Legal and safety: to comply with law, respond to lawful requests, or protect rights, safety, and the integrity of the Service.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.
5. Subprocessors and Service Providers
We use the following service providers to operate the Service:
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Authentication and primary database | Account data, Customer Workspace Data |
| Vercel | Application hosting and delivery | Usage data, data in transit |
| AI model providers via Vercel AI Gateway (currently OpenAI and Anthropic) | Generative AI processing for agent and content features | Prompts and relevant Customer Data; no model training |
| Stripe | Payment and subscription processing | Billing and limited payment data |
| Resend | Transactional and product email delivery | Name, email, message content |
| Braintrust | AI observability and quality evaluation | AI interaction logs (may include prompt/response content) |
| Attio | Customer relationship management for our own sales and accounts | Prospect and account contact details |
We may update this list as our providers change and will reflect changes here. Where required by the DPA, we will notify customers of new subprocessors before they begin processing Customer Workspace Data.
6. International Data Transfers
We are based in the United States, and our providers may process data in the U.S. and elsewhere. If we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, incorporated through our DPA. You may request more information using the contact details below.
7. Data Retention
We retain personal information for as long as needed to provide the Service, maintain your account, comply with legal obligations, resolve disputes, and enforce our agreements. Customer Workspace Data is retained per our agreement with the customer and the DPA; on account termination we make it available for export for a limited period and then delete it in the ordinary course.
8. Cookies
We use cookies and similar technologies for essential functionality, security, and analytics. Where required, we request consent for non-essential cookies and honor recognized opt-out signals (such as Global Privacy Control). You can control cookies through your browser settings.
9. Your Privacy Rights
Depending on where you live, you may have rights to access, correct, delete, or obtain a copy of your personal information, to opt out of certain processing, and to not be discriminated against for exercising these rights.
- U.S. state laws (including California's CCPA/CPRA and the Oregon Consumer Privacy Act): you may request access, deletion, correction, and portability, and confirm that we do not sell or share your personal information for cross-context behavioral advertising. You may use an authorized agent and may appeal a denied request.
- EEA / UK / Switzerland (GDPR/UK GDPR): you may also object to or restrict processing, withdraw consent, and lodge a complaint with your supervisory authority. Our legal bases include performance of a contract, legitimate interests, consent, and legal obligation.
To exercise rights as a customer or website user, email tech@getbarista.ai. We will verify your request as required by law. If your data appears in a customer's workspace, contact that customer (see Section 1).
10. Security
We use technical and organizational measures designed to protect personal information, including encryption in transit, access controls, and use of reputable infrastructure providers. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We will notify affected parties and customers of security incidents as required by law and the DPA.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal information. If you believe a child has provided us personal information, contact us and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. We will post the updated version with a new effective date and, for material changes, provide additional notice where required.
13. Contact
Barista, Inc.
550 NW Franklin Ave STE 218, Bend OR 97703
tech@getbarista.ai