Privacy Policy

1. What this policy covers

This policy explains what data Bakku ("we", "our", "us") collects, how we use it, and how we protect it. Bakku is an AI-powered chargeback dispute service at bakku.ai.

2. Data we collect

Account data: Your email address and business name when you sign up.

Square data: When you connect your Square account via OAuth, we access your disputes, orders, payment details, and merchant information. We only access data necessary to analyze and respond to chargebacks.

AI analysis data: Win probability scores, AI-generated recommendations, and rebuttal letters created for your disputes.

Usage data: Pages visited, features used, and basic analytics to improve the service.

We do not collect payment card numbers, bank account details, or your customers' personal information beyond what Square provides in dispute records.

3. How we use your data

To detect, analyze, and respond to chargebacks on your behalf. To generate AI-powered rebuttal letters and evidence packages. To display your dispute history, analytics, and recovery metrics. To send you notifications about dispute status changes. To improve our AI analysis and service quality.

We do not sell your data. We do not use your data for advertising. We do not share your business data with other merchants.

4. Third-party services

Bakku uses the following third-party services to operate:

Square — to access your dispute and transaction data via their API.

Anthropic (Claude AI) — to analyze disputes and generate rebuttal content. Dispute data is sent to Anthropic's API for analysis. Anthropic does not retain your data beyond processing the request per their data policy.

Supabase — to securely store your account and dispute data in a PostgreSQL database.

Vercel — to host the Bakku application.

Resend — to send email notifications (when enabled).

5. Data security

We take security seriously: Square access tokens are encrypted at rest using AES-256-GCM encryption. All data is transmitted over HTTPS. Database access is restricted by row-level security policies — you can only access your own data. API routes require authentication. Webhook endpoints verify signatures to prevent unauthorized access.

6. Data retention

We retain your data for as long as your account is active. If you delete your account or disconnect Square, we will delete your dispute data within 30 days. Aggregated, anonymized analytics data may be retained indefinitely.

7. Your rights

You have the right to: Access your data — your dashboard shows all data we hold. Export your data — contact us and we will provide a full export. Delete your data — contact us or disconnect Square from settings. Revoke Square access — disconnect from Bakku settings or directly from your Square Dashboard.

If you are in the EU, UK, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively. Contact us to exercise these rights.

8. Cookies

Bakku uses essential cookies for authentication and session management only. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Children's privacy

Bakku is a business service and is not intended for anyone under 18 years old. We do not knowingly collect data from minors.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes via email. The effective date at the top will be updated accordingly.

11. Contact

If you have questions about your data or this policy, contact us at info@bakku.ai.