Privacy Policy

Effective date: June 27, 2026

Bastion AI (“Bastion AI,” “we,” “us,” or “our”) provides an AI-driven, read-only Microsoft 365 / Entra security assessment and monitoring service. This Privacy Policy describes the information we collect, how we use and share it, and the choices you have. It applies to the Bastion AI website and services.

Information we collect

  • Information you provide. Your name, work email, company, and message when you contact us or request a service, and the email address you use to sign in to your account.
  • Payment information. Payments are processed by our payment provider, Stripe. We do not store full card numbers; we receive limited billing details and your subscription status.
  • Service data. To deliver our security services we process technical information about the systems you authorize us to assess. Under our bring-your-own-key (BYOK) model you control your AI provider accounts and keys; we use them only as needed to perform the services you engage us for and do not retain them beyond that purpose.
  • Usage and device data. Basic technical data such as IP address, browser type, and pages viewed, plus an essential authentication cookie.

How we use your information

  • Provide, operate, secure, and improve our services.
  • Respond to your inquiries and deliver the services you request.
  • Process payments and manage subscriptions.
  • Send service and account communications, such as sign-in links.
  • Comply with legal obligations and enforce our terms.

Cookies

We use a single essential, first-party cookie to keep you signed in to your account. We do not use third-party advertising or cross-site tracking cookies.

How we share information

We share information with service providers who process it on our behalf: Stripe (payments), Vercel (hosting), and Resend (email delivery). Each processes data under its own terms. We may also disclose information to comply with the law or protect our rights. We do not sell your personal information.

Data retention

We keep personal information only as long as needed for the purposes described here, to provide our services, and to meet legal, accounting, or reporting requirements, after which we delete or anonymize it.

Security

We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the information we handle. No method of transmission or storage is completely secure, but protecting your data is core to what we do.

Your rights and choices

Depending on where you live, including under the GDPR and CCPA/CPRA, you may have the right to access, correct, delete, or port your personal information, to opt out of certain processing, and to withdraw consent. To exercise these rights, contact us at info@bastionsecurity.dev. We will not discriminate against you for exercising them.

International transfers

We are based in the United States and may process information there. Where required, we use appropriate safeguards for cross-border transfers.

Children's privacy

Our services are intended for businesses and are not directed to children under 16, and we do not knowingly collect their information.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the effective date above and, where appropriate, by additional notice.

Contact us

Bastion AI, 2150 N First St, San Jose, CA 95131. Email info@bastionsecurity.dev · (408) 785-0763.