This Privacy Policy explains how Bastios ("Bastios," "we," "us," or "our") handles personal information in connection with the Bastios product and related websites and services. Bastios is a Texas limited liability company, owned 50/50 by two holding companies — Nathan's Better Business Inc. (BBI) and RGL Fortress Holdings LLC.
Registered legal name: Bastios AI LLC
Governing law / venue: State of Texas
This policy covers the limited personal information Bastios collects as a company — for example, visitors to our marketing websites (bastios.ai, bastios.net), people who contact us for sales or support, the contacts on a client's license and billing records, and the health/telemetry metadata our update agent reports about a deployed Box (see Section 4).
This policy does not govern the data that lives on a client's own Box. That on-box data (your books, records, transactions, documents, emails, and linked-account content) is controlled by the Client, stays on the Client's hardware, and is governed by the Client's own privacy practices. It also does not govern the independent terms and privacy policies of the third-party services a Client chooses to link (see Sections 6 and 11).
Bastios is a local, on-box, default-deny AI assistant delivered as a service and installed on a client-owned Mac mini. It is not a cloud SaaS that ingests your data. Stated plainly:
An honest note on what "on-box" does and does not mean: When you connect a cloud AI model (see Section 9), the assistant works by sending relevant business context to that model — that is its intended function. The promise here is that your data is not retained on Bastios servers and stays single-tenant on your Box; it is not a claim that nothing ever leaves the Box. The privacy modes in Section 9 control how names and secrets are handled before any cloud call.
For the limited off-box data we collect (marketing, support, license/subscription/billing, and update-agent health metadata), Bastios acts as an independent data controller and is responsible for that data under this policy.
For all data on the Box, the Client is the controller. The Client decides what data lives on its Box, what accounts to link, and how that data is used. Bastios does not control on-box data.
Bastios does not process the Client's books on any third party's behalf. Where a Client links QuickBooks Online, for example, Intuit and Bastios act as independent data controllers (not joint controllers); each is responsible for its own privacy compliance. Bastios does not process Intuit user data on Intuit's behalf.
Because the Client controls on-box data, requests from individuals about data residing on a Box (for example, a Client's customer or employee) are directed to the Client as controller. Bastios will reasonably assist the Client where required.
The following is the limited personal information Bastios collects as a company. Categories, sources, and purposes are presented in the notice format used under the California CPRA, the Colorado Privacy Act, and the Texas Data Privacy and Security Act.
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Website visitor data | IP address, device/browser type, pages viewed, referring URL, essential cookie/analytics identifiers | Directly from your browser when you visit bastios.ai / bastios.net | Operate and secure the site; understand interest; respond to inquiries |
| Prospect & contact data | Name, business name, email, phone, role, message content | Directly from you (forms, email, calls) | Respond to sales and informational requests |
| Support communications | Support tickets, emails, the contents of your requests | Directly from you (the Client / AI Coordinator) | Provide and document support |
| License, subscription & billing records | Client legal/business name, billing contact, plan/tier, subscription status, invoices, payment status (card data handled by our payment processor, not stored by Bastios) | Directly from the Client; from our payment processor | Provision and bill the service; manage the subscription |
| Update-agent health / telemetry metadata | Box online/offline status, software version, update success/failure, health-check and crash signals, non-content diagnostic metadata | From the deployed Box's update agent (subscription clients) | Keep the Box reliable: monitoring, patching, post-update health checks, auto-rollback |
| Website voice-assistant conversations | The content of what you say to the voice assistant on our website — your questions and any business details you choose to share | Directly from you, through the voice assistant on bastios.ai | Respond to your inquiry; sales and business development; improve our products and services |
The update agent does not send your books, records, documents, or linked-account content to Bastios. Updates are pull-based: the Box phones home and applies updates only if the subscription is active; no Client data is ever pushed to or pulled from clients. Telemetry is operational metadata, not content.
Website voice assistant. If you use the voice assistant on the Bastios website (bastios.ai), we collect the information you choose to share during that conversation. We use it to respond to you, for our sales and business-development purposes, and to improve our products and services. This applies only to what you explicitly say to the voice assistant, which is part of our marketing website and is separate from the on-box product.
This section applies only to the Bastios marketing websites (bastios.ai, bastios.net), which are hosted on Cloudflare. The on-box product itself uses no third-party tracking, advertising, or analytics cookies — it runs locally on the Client's Box and does not load third-party trackers.
On our marketing site we use a limited set of cookies and similar technologies:
Consent. Where required by law, non-essential analytics cookies are set only after you consent through our cookie banner, and you may decline or withdraw consent at any time using the same banner or the controls described below. We honor browser-level signals (such as Global Privacy Control) where applicable.
How to manage cookies. You can manage or delete cookies through our cookie-preference control on bastios.ai and through your browser settings. Disabling non-essential cookies does not affect the Bastios appliance, which uses no such cookies. Further detail about any analytics provider we use and applicable retention periods is published in the cookie notice on bastios.ai.
The following remains on the Client's Box and does not flow to Bastios servers:
Bastios neither receives nor retains this data. We have no copy of your books on our servers.
The Client may link its own third-party accounts to the Box. Everything the assistant can do is governed by a default-deny permission broker on the Box:
Each linked third party is the Client's own account, white-glove provisioned in the Client's name. Bastios is not a money transmitter and takes no custody of funds. "Money" actions are approval-gated and run on the Client's own connected accounts.
We use the limited off-box information from Section 4 to:
We do not use this information to build advertising profiles or to make decisions producing legal or similarly significant effects about individuals.
Where the EU or UK GDPR applies to off-box personal data we collect, we rely on:
What the model does. Bastios is model-agnostic: the assistant operates with whatever AI model or large language model the Client connects, on the Client's own AI provider account. Bastios does not select or control the AI provider or govern what that provider does with data sent to it — the Client's use of any AI model is governed by the separate agreement between the Client and that provider. Within the assistant, the AI model is used for narration, classification, and routing only; deterministic code does the bookkeeping judgment — a guided procedure, not an unguided agent, decides how items are coded.
No training on your data by Bastios. Bastios does not use your data to train any model. Because the assistant runs on your own AI provider account, whether the AI provider retains or uses data sent to it — including for any training — is governed by your agreement with that provider. What Bastios controls is what leaves the Box: credentials are designed not to enter a prompt, and the default privacy mode pseudonymizes names and redacts secrets before any outbound call.
Credentials are designed not to enter a prompt. Stored credentials and API keys live in the macOS Keychain (or a 0600-permission file fallback) and travel only in HTTP headers; the system is designed so that they do not enter a model's system prompt, messages, or tool definitions. This was examined in an internal multi-agent credential-isolation review (dated 2026-06-29, spanning the Box and the managed Portal) that found no leak path in the paths examined.
Default pseudonymization before any cloud call. Every cloud call passes through one boundary that writes a metadata-only audit event (provider, model, counts, tags — never raw content) and applies a user-selectable privacy mode. The default mode, Pseudonymized, tokenizes known customer/vendor names (Customer A / Vendor B) and redacts secret formats before sending, then restores them in the reply; a re-scan fails closed if a secret would survive. Other modes are No-redaction (an explicit user choice) and Keep finance/PII local. An unknown or mistyped policy value resolves to Pseudonymized (fail-closed). With no key connected, a keyless mock is used and nothing is sent to a cloud model.
NIST alignment. Our AI handling is aligned to the NIST AI Risk Management Framework and mapped against the OWASP Agentic AI Top 10 (2026) in our internal security posture.
We do not sell your personal information for money.
Advertising cookies, only with your consent. We use Google's advertising tag (see Section 4A) to measure the performance of our own advertising. These advertising cookies are non-essential and are set only after you opt in through our cookie banner. To the extent this use is a "sale" or "share" for cross-context behavioral advertising, or "targeted advertising," as those terms are defined under the California CPRA, the Texas Data Privacy and Security Act, or similar state laws, it occurs only with your consent and you may opt out at any time. If you do not consent, we do not set these cookies and no such sharing occurs.
Honoring opt-out signals. We honor browser-level universal opt-out preference signals, such as Global Privacy Control ("do not sell / do not share"). When your browser sends such a signal, we treat advertising and analytics cookies as declined and do not set them, regardless of the banner. You can also change or withdraw your choice at any time using the "Cookie preferences" control on bastios.ai.
We do not use personal information for profiling that produces legal or similarly significant effects about individuals.
Bastios uses a limited number of trusted third-party service providers to support its company-side operations, including website hosting, payment processing, user authentication, email communications, and error or telemetry handling for the update agent. These providers process only the limited off-box data described in Section 4 and do so under contractual obligations designed to protect that information. When the optional Bastios Portal (portal.bastios.ai) managed-billing feature is used, the Portal securely retrieves the customer's vendor API key from an encrypted vault and injects it as an upstream request header; the Portal relies on Stripe for payment processing, Clerk for user authentication and identity management, and Cloudflare for secure application hosting and infrastructure.
A Client may connect its own third-party accounts to the Box — for example, accounting, email and calendar, bank-transaction data, payments, electronic signature, messaging, and AI-model providers. Each linked service is the Client's own account, white-glove provisioned in the Client's name, and data shared with it is governed by that party's own terms and privacy policy, not by Bastios. Connectors read only what a task needs through sanctioned APIs — no bulk extraction, warehousing, scraping, or cross-client aggregation. You can request a current list of the third-party connections Bastios supports by emailing hello@bastios.ai.
On-box data is Client-controlled and Client-deletable. Because Bastios does not hold your books and records, Bastios sets no retention period for them. The Client controls how long on-box data is kept and can delete it. The on-box audit log is append-only and stays on the Box.
Securely delete on consent revocation. Where a Client revokes a connector's consent, the Box securely deletes the affected connector-sourced data consistent with the relevant provider's requirements (including Intuit's secure-deletion requirement on revocation).
Off-box retention. Bastios retains the limited off-box data described in Section 4 only for as long as necessary to fulfill the purposes for which it was collected, including providing and supporting the Services, administering customer accounts and subscriptions, complying with legal and regulatory obligations, resolving disputes, protecting the security and integrity of the Services, and enforcing our contractual rights. As general guidance: license, subscription, and billing records are retained for the life of the account and for seven (7) years thereafter to meet tax and accounting requirements; support communications for up to three (3) years; website analytics for up to twenty-six (26) months; and update-agent health/telemetry metadata for up to twenty-four (24) months. When retention is no longer necessary, Bastios securely deletes or irreversibly de-identifies the information in accordance with its data retention and disposal procedures. Certain records may be retained for longer periods where required by applicable law, to resolve disputes, respond to legal requests, or establish, exercise, or defend legal claims.
Bastios maintains administrative, technical, and organizational safeguards designed to protect the limited off-box information it holds and to secure the software it delivers. Our program follows a default-deny, human-in-the-loop model: sensitive actions require human approval, credentials and secrets are kept in protected storage, network exposure is restricted, and access is controlled and logged. Where the software performs automated tasks on the Box, it does so within controlled, default-deny boundaries designed to keep Financial Data, PII, and credentials protected. Each release is reviewed for security issues before delivery, and we review and update these measures over time. No security program eliminates all risk.
Honest statement on certifications. Bastios does not currently hold SOC 2, ISO 27001, PCI DSS, HIPAA, or any other security certification or attestation, and has not undergone an accredited external audit or formal third-party penetration test. We describe our security posture honestly and do not overstate it.
Depending on where you live, you may have some or all of the following rights regarding the off-box personal information Bastios controls:
Requests about on-box data (data residing on a Client's Box) are directed to the Client as the controller of that data; Bastios will reasonably assist the Client as required.
Submission methods. You may submit a request by emailing privacy@bastios.ai or by using our online Privacy Request Form at bastios.ai/privacy-request. At least two methods are provided where California law requires.
Identity verification. We will take reasonable steps to verify your identity before acting, which may require matching information we already hold.
Authorized agents. An authorized agent may submit a request on your behalf with proof of authorization; we may still verify your identity directly.
Timelines. We respond within the timeframes required by applicable law (generally within 45 days under US state laws, extendable as permitted; within one month under the GDPR/UK GDPR).
Right to appeal. If we deny your request, you may appeal by emailing privacy@bastios.ai with "Appeal" in the subject line. We will respond to appeals within the period required by Colorado, Texas, and Virginia law and, where applicable, tell you how to contact your state attorney general.
The Bastios product and websites are intended for businesses and are not directed to children. We do not knowingly collect personal information from anyone under 13 (or under 16 where applicable law sets that threshold). If we learn that we have collected such information, we will delete it. If you believe a child has provided us information, contact privacy@bastios.ai.
International transfers. Bastios is headquartered in the United States, and the limited off-box data described in this Policy is processed in the United States. Where Bastios transfers personal data subject to the laws of the European Economic Area or the United Kingdom, we use appropriate safeguards recognized under applicable law, including the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum (IDTA) or other lawful transfer mechanisms.
On-box data does not transfer. A Client's on-box data physically remains on the Client's premises, on the Client-owned Box. Bastios does not move that data to its own infrastructure.
Off-box data. If a security incident affects the off-box personal data Bastios controls, we will notify affected individuals and authorities as required by law — including, where applicable, notifying the relevant EU/UK supervisory authority within 72 hours under the GDPR, and notifying Texas residents without unreasonable delay and no later than 60 days, and the Texas Attorney General within 30 days where a breach affects at least 250 Texans, alongside other applicable state and federal requirements.
Intuit 24-hour passthrough. A security incident affecting Intuit-sourced data is reported to Intuit within 24 hours of discovery, consistent with Intuit's developer terms.
On-box incidents. Because the Client controls the Box, the Client is the controller for any incident affecting on-box data and leads notification to its own affected individuals; Bastios will reasonably assist and will report any connector-specific obligations (such as the Intuit 24-hour notice) that apply.
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. If we make material changes, we will provide notice as required by applicable law, which may include notice by email, through the Bastios website, or through the Bastios Portal. Your continued use of the Services after an updated Privacy Policy becomes effective constitutes acceptance of the updated policy, to the extent permitted by law.
General: hello@bastios.ai
Privacy requests: privacy@bastios.ai
Legal: legal@bastios.ai
Privacy Officer: Bastios Privacy Team (privacy@bastios.ai)
EU / UK representative: Not applicable — Bastios does not offer goods or services to, or monitor the behavior of, individuals in the EEA or UK. If that changes, Bastios will appoint an Article 27 representative and update this Policy.
Websites: bastios.ai, bastios.net