Privacy Policy

Last updated: March 11, 2026

1. Introduction

BitBit ("we", "us", "our") is an agentic AI operations platform operated by All Webbed Up, an Australian business (ABN to be confirmed), based in Australia. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you access or use the BitBit platform at bitbit.chat and app.bitbit.chat (collectively, the "Service").

We are committed to complying with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and — where applicable — the General Data Protection Regulation (EU GDPR). By using the Service, you acknowledge that you have read and understood this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use the Service.

2. Definitions

  • "Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined in the Privacy Act 1988.
  • "Connected Service" means a third-party application or platform you authorise BitBit to access on your behalf (e.g. Gmail, Google Calendar, Slack, Xero).
  • "Agent" means an AI-powered automated process within BitBit that performs tasks on your behalf.
  • "Organisation" means a workspace within BitBit, which may be a personal workspace or a team/business workspace.
  • "Context Baseplate" means the compiled world model BitBit builds from your connected data to provide contextual AI assistance.

3. Information We Collect

3.1 Account Information

When you create a BitBit account, we collect:

  • Email address
  • Name (if provided)
  • Password (stored securely hashed via Supabase Auth — we never store plaintext passwords)
  • Authentication tokens from OAuth sign-in providers (Google, Microsoft)

3.2 Connected Service Data

When you connect third-party services, we access and process data from those services according to the permissions (OAuth scopes) you grant. This includes:

  • Gmail: Email metadata (sender, recipient, subject, date), email snippets, and email content. We request the following scopes: full Gmail access (https://mail.google.com/), read-only access (gmail.readonly), and send access (gmail.send). This enables BitBit to read your emails, draft responses, and send messages on your behalf when instructed.
  • Google Calendar: Calendar event details including title, description, attendees, times, and location. Scopes: read-only calendar access (calendar.readonly) and event management (calendar.events). This enables BitBit to read your schedule and create or modify calendar events on your behalf.
  • Google Analytics: Website analytics data. Scopes: analytics read access (analytics.readonly) and full analytics access (analytics). This enables BitBit to read and analyse your website performance data.
  • Microsoft Outlook: Email metadata and content. Scopes: mail read (Mail.Read) and mail send (Mail.Send).
  • Slack: Messages from configured channels and direct messages. Used to surface actionable information and enable agent-assisted responses.
  • WhatsApp: Inbound and outbound messages via the Meta Cloud API and/or Baileys bridge. Message content, sender phone numbers, and timestamps.
  • Instagram: Direct messages and conversation data from your Instagram Business account via the Meta Graph API.
  • SMS (Telnyx): Inbound and outbound text messages, phone numbers, and timestamps.
  • Xero: Accounting data including invoices, contacts, payments, and financial summaries. Used to enable invoice management and financial reporting agents.
  • Asana: Task and project data to synchronise with BitBit's kanban board.
  • Calendly: Calendar availability and meeting event data.

OAuth access and refresh tokens for Connected Services are encrypted and stored securely in our database. We use PKCE (Proof Key for Code Exchange) where supported for enhanced OAuth security.

3.3 Content You Create in BitBit

We store content you create or that agents create on your behalf within the Service, including:

  • Tasks, goals, and kanban board data
  • Contacts and contact metadata
  • Notes, memories, and knowledge base entries
  • Activity logs and audit trails
  • Agent configurations, policies, and voice profiles
  • Reports and generated documents

3.4 Context Baseplate Data

To provide intelligent, context-aware assistance, BitBit builds a structured knowledge model (the "Context Baseplate") from your connected data. This includes:

  • Entity profiles: Compiled summaries of people, organisations, and projects you interact with, built from cross-referencing your emails, calendar events, tasks, and messages.
  • Relationship graphs: Connections between entities (e.g. which contacts are associated with which projects).
  • Semantic memories: Facts, patterns, and preferences learned from your interactions over time, stored with confidence scores.
  • Timeline events: A chronological record of significant interactions across your connected channels.
  • Cross-references: Links between mentions of the same entity across different channels and data sources.

The Context Baseplate is organisation-scoped and is not shared across organisations. It is used solely to improve the relevance and accuracy of AI agent responses within your workspace.

3.5 Usage and Analytics Data

We collect information about how you use the Service, including:

  • Onboarding funnel events (e.g. workspace creation, connection setup, completion)
  • Feature usage patterns and agent interaction logs
  • AI agent run metadata: model used, token counts, cost estimates, duration, number of tool calls, success/failure status
  • Error reports and performance data (via Sentry — see Section 7)

3.6 Technical Data

When you access the Service, we automatically collect:

  • IP address (used for rate limiting and security)
  • Browser type and version
  • Session cookies and authentication tokens (Supabase session management)
  • Referrer URL

We set a Referrer-Policy header of strict-origin-when-cross-origin to limit the referrer data shared with third parties. We do not use advertising cookies or tracking pixels.

3.7 Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other financial payment instruments on our servers. Stripe provides us with limited information such as the last four digits of your card, billing email address, invoice amounts, and payment status. For more information, see Stripe's Privacy Policy.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To operate BitBit, including running AI agents, managing tasks, syncing channels, sending notifications, and delivering the core functionality you request.
  • AI Processing: Your messages, task context, entity profiles, and relevant Connected Service data are sent to Anthropic's Claude API to generate AI-powered responses, recommendations, and agent actions. See Section 6 for details on AI data processing.
  • Building Context: To construct and maintain the Context Baseplate — entity profiles, relationship graphs, and semantic memories — so that AI agents can provide relevant, contextual assistance.
  • Communications: To send you transactional emails (via Resend), notifications (via email, WhatsApp, or in-dashboard), daily digests, approval requests, and weekly reports. You can configure notification preferences within the Service.
  • Security and Fraud Prevention: To protect the Service using rate limiting, CSRF protection, Content Security Policy headers, HSTS, webhook signature verification, and authentication.
  • Error Monitoring: To identify and fix bugs and performance issues using Sentry error tracking.
  • Improving the Service: To understand usage patterns, improve features, and develop new functionality.
  • Billing: To process payments, track usage metering (agent runs, token consumption), and manage subscriptions via Stripe.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

5. Lawful Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions where the GDPR applies, we process your personal data on the following lawful bases:

  • Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Service you have signed up for, including AI agent execution, data synchronisation, and notification delivery.
  • Consent (Art. 6(1)(a)): Where you explicitly grant OAuth permissions to connect third-party services, you consent to our accessing and processing data from those services. You can revoke consent at any time by disconnecting the service.
  • Legitimate Interests (Art. 6(1)(f)): For security measures (rate limiting, fraud prevention, error monitoring), service improvement, and analytics — balanced against your privacy rights.
  • Legal Obligation (Art. 6(1)(c)): Where processing is necessary to comply with a legal obligation.

6. AI Data Processing

BitBit uses Anthropic's Claude AI models (including Claude Haiku, Claude Sonnet, and Claude Opus) to power its AI agents. When you interact with BitBit or when agents execute tasks on your behalf, the following data may be sent to Anthropic's API:

  • Your messages and instructions to the AI
  • A system prompt containing your current context: active tasks, contacts, calendar events, reminders, channel summaries, organisation policies, and voice profile
  • Entity context from the Context Baseplate (relevant entity profiles and relationship data for entities mentioned in your message)
  • Tool call results from agent actions (e.g. search results, task creation confirmations)

Anthropic's data handling: As of our last review, Anthropic does not use data submitted via its API to train its models. For full details, see Anthropic's Privacy Policy and API Data Usage Policy.

We log AI agent runs (including token counts, cost estimates, duration, and success/failure status) for billing, cost management, and debugging. We do not persistently store the full content of AI model inputs or outputs beyond the immediate session, except where content is saved as part of your organisation data (e.g. agent-generated task descriptions, email drafts).

7. Third-Party Service Providers

We use the following third-party services to operate BitBit. Each processes data on our behalf and is subject to their own privacy policies:

  • Supabase: Database, authentication, and real-time subscriptions. Data processed: all application data, user accounts, session tokens.
  • Anthropic: AI model inference (Claude API). Data processed: messages, context, tool results (see Section 6).
  • Vercel: Application hosting and deployment. Data processed: HTTP requests, server-side rendering.
  • Fly.io: Background worker hosting (Sydney region). Data processed: agent execution, webhook processing.
  • Cloudflare: Edge cron jobs and rate limiting. Data processed: scheduled task triggers.
  • Stripe: Payment processing and billing. Data processed: payment details, invoices, subscription status.
  • Resend: Transactional email delivery. Data processed: recipient email addresses, email content.
  • Telnyx: SMS messaging. Data processed: phone numbers, message content.
  • Meta (WhatsApp/Instagram): WhatsApp and Instagram messaging. Data processed: message content, phone numbers, user IDs.
  • Sentry: Error tracking and performance monitoring. Data processed: error stack traces, user ID, org ID, email (if set), request context.

8. Google API Services — Limited Use Disclosure

BitBit's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

8.1 What Google Data We Access

BitBit requests access to the following Google API scopes, each for a specific purpose:

  • Gmail API (https://mail.google.com/, gmail.readonly, gmail.send): To read your emails, surface actionable messages to AI agents, draft and send emails on your behalf when you instruct BitBit to do so.
  • Google Calendar API (calendar.readonly, calendar.events): To read your schedule, display upcoming events, check availability, and create or modify calendar events when instructed.
  • Google Analytics Data API (analytics.readonly, analytics): To read your website analytics data and provide AI-powered performance insights and reports.

8.2 Limited Use Compliance

In accordance with Google's Limited Use requirements, BitBit:

  • Only uses Google user data to provide and improve the Service's user-facing features. We use Gmail data to show you your emails, enable AI-assisted email management, and build entity context. We use Calendar data to display your schedule and enable scheduling features. We use Analytics data to generate reports.
  • Does not transfer Google user data to third parties except: (a) as necessary to provide and improve user-facing features (e.g. sending relevant context to Anthropic's Claude API for AI processing as described in Section 6); (b) as necessary to comply with applicable law; or (c) as part of a merger, acquisition, or asset sale with notice to users.
  • Does not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
  • Does not allow humans to read Google user data unless: (a) we have your affirmative consent for specific messages or content; (b) it is necessary for security purposes (such as investigating abuse); (c) it is necessary to comply with applicable law; or (d) our use is limited to internal operations and the data has been aggregated and anonymised.

8.3 Revoking Google Access

You can revoke BitBit's access to your Google data at any time by:

  • Disconnecting the Google Connected Service from your BitBit settings; or
  • Revoking BitBit's access via your Google account settings.

Upon revocation, we will stop accessing your Google data. Previously synced data used to build your Context Baseplate (entity profiles, semantic memories) may be retained until you request deletion.

9. Data Storage and Security

9.1 Where Your Data is Stored

Your primary application data is stored in a Supabase-managed PostgreSQL database hosted in the South Asia (Mumbai) region. Background workers run on Fly.io in the Sydney, Australia region. The application is hosted on Vercel's global edge network.

9.2 Security Measures

We implement the following security measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS. We enforce HSTS with a one-year max-age, including subdomains, with preload.
  • Row Level Security (RLS): Database-level access controls ensure that users can only access data belonging to their organisation.
  • Content Security Policy (CSP): Strict CSP headers prevent cross-site scripting attacks and limit resource loading to trusted domains.
  • CSRF Protection: Cross-site request forgery protection on all API routes in production.
  • Rate Limiting: IP-based and tiered rate limiting on authentication endpoints (20/min), webhook endpoints (100/min), and general API endpoints.
  • OAuth Security: PKCE (Proof Key for Code Exchange) for all Google OAuth flows. Cryptographically secure state parameters with constant-time comparison. OAuth state and code verifier stored in HTTP-only cookies.
  • Webhook Verification: HMAC-SHA256 signature verification for Stripe, Telnyx, and Slack webhooks with timestamp tolerance checks.
  • Clickjacking Protection: X-Frame-Options DENY and frame-ancestors 'none' in CSP.
  • Permissions Policy: Camera, microphone, and geolocation access are disabled by default.
  • Circuit Breakers: Automatic circuit breakers on external API calls to prevent cascade failures.
  • Cost Guards: Daily budget limits on AI agent execution to prevent runaway costs.

While we implement commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

9.3 International Data Transfers

Your data may be transferred to and processed in countries outside of Australia, including the United States (where Anthropic, Vercel, Stripe, and Sentry are located) and India (where our Supabase database is hosted). For users in the EEA, these transfers are made pursuant to appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable.

10. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We share your information only in the following circumstances:

  • Service providers: With the third-party providers listed in Section 7, solely to operate and deliver the Service.
  • AI processing: With Anthropic, as described in Section 6, to provide AI-powered features.
  • Connected Services: With the third-party services you explicitly connect (e.g. sending an email via Gmail API, creating a calendar event), solely to perform the actions you or your configured agents request.
  • Legal requirements: When we believe disclosure is necessary to comply with applicable law, regulation, legal process, or governmental request.
  • Safety and rights: To protect the rights, property, or safety of BitBit, our users, or the public.
  • Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, in which case we will notify affected users before personal information is transferred and becomes subject to a different privacy policy.

11. Cookies and Similar Technologies

BitBit uses a minimal set of cookies, all of which are strictly necessary for the operation of the Service:

  • Supabase session cookies: Used to maintain your authenticated session. These are HTTP-only, secure cookies managed by Supabase Auth.
  • OAuth state cookies (oauth_state, oauth_code_verifier): Temporary cookies used during the OAuth flow to prevent CSRF attacks. These are deleted after the OAuth callback completes.

We do not use advertising cookies, social media tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking.

12. Data Retention

We retain your data according to the following principles:

  • Account data: Retained for as long as your account is active and for a reasonable period thereafter to allow for reactivation or to comply with legal obligations.
  • Connected Service data: Synced data from Connected Services is retained for as long as the connection is active. When you disconnect a service, we stop syncing new data. Previously synced data may be retained as part of your Context Baseplate until you request deletion.
  • Agent run logs: AI agent execution metadata (token counts, costs, durations, error messages) is retained for billing, auditing, and debugging purposes.
  • Error tracking data: Sentry error reports are retained according to Sentry's data retention policies.
  • Deleted accounts: When you request account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law or legitimate business needs (e.g. billing records, fraud prevention).

13. Your Rights

13.1 Rights Under the Australian Privacy Act

Under the Australian Privacy Principles, you have the right to:

  • Access your personal information held by us (APP 12)
  • Request correction of inaccurate or incomplete personal information (APP 13)
  • Make a complaint about a breach of the APPs
  • Opt out of receiving direct marketing communications

13.2 Rights Under the GDPR (EEA/UK Users)

If you are located in the EEA or UK, you additionally have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate personal data (Art. 16)
  • Erasure ("right to be forgotten") of your personal data (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time where processing is based on consent (Art. 7(3)), without affecting the lawfulness of processing before withdrawal
  • Lodge a complaint with a supervisory authority

13.3 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@bitbit.chat. We will respond to your request within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

You can also manage many aspects of your data directly within BitBit, including:

  • Disconnecting Connected Services from your settings
  • Deleting tasks, contacts, and other content you have created
  • Configuring notification preferences
  • Revoking OAuth access via your Google, Microsoft, or other provider account settings

14. Children's Privacy

BitBit is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us at privacy@bitbit.chat and we will take steps to delete such information.

15. Automated Decision-Making and Profiling

BitBit's AI agents perform automated processing, including:

  • Classification: Incoming messages are automatically classified by priority and routed to appropriate agents.
  • Confidence-based action routing: AI agents assess a confidence score before taking actions. Actions below your configured confidence threshold are queued for your manual approval rather than executed automatically.
  • Entity profiling: The Context Baseplate automatically builds profiles of people and organisations you interact with, based on data from your Connected Services.
  • Sentiment analysis: Messages may be analysed for sentiment to prioritise urgent or negative communications.

These automated processes are designed to assist you and are subject to your control. You can configure confidence thresholds, review approval queues, and override any automated decision. No solely automated decision is made that produces legal effects or similarly significantly affects you without your explicit input.

16. Notification Channels

BitBit may send you notifications through the following channels:

  • In-dashboard notifications: Displayed within the BitBit application.
  • Email: Sent via Resend from bitbit@bitbit.chat. Includes approval requests, alert escalations, daily digests, and weekly reports.
  • WhatsApp: Approval requests, digests, and urgent notifications sent via the Meta Cloud API.

You can configure your notification preferences within BitBit's settings, including which channels are active and which notification types you receive. Critical security notifications may bypass your preferences to ensure service integrity.

17. Open-Source and Third-Party Components

BitBit is built using open-source software components including Next.js, React, and various npm packages. These components do not independently collect or process your personal information through BitBit.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via email or an in-dashboard notification at least 14 days before the changes take effect
  • Where material changes affect your Google API data usage, we will seek your renewed consent where required

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

19. Complaints

If you believe we have breached the Australian Privacy Principles or the GDPR, you may lodge a complaint with us at privacy@bitbit.chat. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may escalate your complaint to:

  • Australia: The Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
  • EEA/UK: Your local data protection supervisory authority

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

BitBit Privacy

Operated by All Webbed Up

Email: privacy@bitbit.chat

Website: bitbit.chat

Location: Australia