RelevantBase Privacy Policy
Last Modified: May 31st, 2026
This is the Privacy Policy of RelevantBase. "RelevantBase" ("us", "we", or "our") is the business name and service of Esgrape Oy, which operates in Helsinki, Finland and on the internet site www.relevantbase.com (the "Site"). The "Service" or "Subscription Service" refers to our SaaS product RelevantBase, which is an AI-native business intelligence platform intended to be used for data analytics, data management, and agentic task execution purposes.
We at RelevantBase are committed to protecting your privacy. This Privacy Policy applies to both our Website (www.relevantbase.com) and our Service. This Privacy Policy governs our data collection, processing, and usage practices. It also describes your choices regarding use, access, and correction of your personal information. If you do not agree with the data practices described in this Privacy Policy, you should not use the Website or the Subscription Service.
This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of Personal Information we receive from users of the Site and/or the Service. We use your personal information only for providing and improving the Site and/or the Service. By using the Site and Service, you agree to the collection and use of information in accordance with this Privacy Policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible at www.relevantbase.com.
If you have any questions about this Privacy Policy or our treatment of the information you provide us, please write to us by email at privacy@relevantbase.com.
1. Information about Data Collection and Use
While using our Site or the Service, we may ask you to provide us with certain personally identifiable information ("Personal Data") that can be used to contact or identify you or your company. Personally identifiable information may include: your name, email address, postal address, phone number, and company name.
We collect the above-mentioned personal data directly from you when you sign up for the Service. If you do not provide us with the above-mentioned personal details, we may not be able to enter into an agreement with you.
In addition, we may collect technical data such as IP address, operating system, web browser, and browsing history on the relevantbase.com domain and other RelevantBase web properties, prior to entry into the agreement. This data may be combined with your personal data so that we may create optimized and efficient services and provide further analysis to improve sales, delivery, and customer experience of our Services.
1.1 Data Processed by the Service on Your Behalf
RelevantBase connects to third-party data sources — including but not limited to Google Ads (via the Google Ads API), Google Analytics, Matomo, Meta Ads, Shopify, ActiveCampaign, LinkedIn Ads, and others — on your behalf and using credentials you provide. For Google Ads specifically, we access campaign performance data (impressions, clicks, costs, conversions, and related metrics) using the https://www.googleapis.com/auth/adwords OAuth scope on a read-only basis. The data retrieved from these sources ("Customer Business Data") is stored in your dedicated tenant environment within our Service. We process Customer Business Data solely to provide the Service to you. We do not use Customer Business Data for any other purpose, including training AI models.
1.2 AI Processing
RelevantBase uses large language models (LLMs) hosted on our EU Google Cloud infrastructure to power its AI agent capabilities. When you interact with the Service:
- Your chat messages and instructions are processed by LLMs running within our EU cloud environment. Inference does not leave the EU.
- Data submitted through the Service is not used to train the underlying models.
- Agent-generated artifacts, analyses, and responses are stored within your tenant environment on our European infrastructure.
- Your AI interactions may be logged for debugging and service improvement purposes, but are never shared with third parties or used to train AI models.
1.3 Limited Use of Google User Data
RelevantBase's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, data accessed through Google APIs (including Google Ads and Google Analytics) is:
- Used only to provide and improve user-facing features that are prominent in the RelevantBase user interface;
- Not transferred to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;
- Not used for advertising purposes, including personalized, retargeted, or interest-based advertising;
- Not sold to any third party;
- Not used to train AI models or general-purpose AI systems.
Users may revoke RelevantBase's access to their Google data at any time via https://myaccount.google.com/permissions, or by disconnecting the connector from within the RelevantBase application.
2. Your Personal Data Controller
RelevantBase — the business name of Esgrape Oy ("RelevantBase" or "We")
Business ID (Y-tunnus): 2083680-9
Address: Helsinki, Finland
Email: privacy@relevantbase.com
Contact person in case of matters relating to the processing of personal data: Jouni Leskinen, CEO, privacy@relevantbase.com
3. Data Processing Purposes
We may process your personal data for the following purposes:
- Identification and authentication
- Concluding the agreement with you or the legal entity you represent
- Maintaining a contractual relationship with you or the legal entity you represent, including invoicing, providing you with support for the Services under the agreement, and troubleshooting
- Sending you or the legal entity you represent necessary updates regarding the Services under the agreement and changes in our Terms and Conditions or this Privacy Policy
- Statistical and analytical purposes
- Service improvement
- Security monitoring and fraud prevention
We use personal data to generate reports and statistics regarding the use of our Services. Where possible, we use anonymized data or non-personal data in these activities.
To the extent we process personal data with the aim to improve our services, the legitimate interest pursued by us is the development of our business and processes. We strive to limit the use of personal data in this context to the minimum and will process your personal data as necessary towards the mutual benefit of improving and optimizing our Services.
3.1 Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR:
- Performance of a contract (Article 6(1)(b) GDPR): Processing necessary to provide the Service to you
- Legitimate interest (Article 6(1)(f) GDPR): Service improvement, security monitoring, and fraud prevention
- Consent (Article 6(1)(a) GDPR): Marketing communications and optional analytics cookies
- Legal obligation (Article 6(1)(c) GDPR): Compliance with applicable laws and regulations
4. Data Processing and Data Storing
We process personal data and Customer Business Data to provide our AI-native business intelligence platform and related services to our customers. All data is stored on our systems within the European Union. The data stored on our systems is strongly encrypted both in motion and at rest. Any stored data is deleted permanently once the data is unnecessary or when you cease the use of our systems.
RelevantBase is constantly monitoring Service security and pays attention to the absolute privacy of Customer Personal Data and Customer Business Data:
- Our staff is trained regularly for handling data and our systems are monitored constantly.
- Our staff has access on a need-to-know basis only.
- For any data we process, access is strictly restricted.
- We will never sell your Personal Information or Customer Business Data to any third party.
- Customer Business Data is isolated per tenant. Each customer's data is logically separated and cannot be accessed by other customers.
- RelevantBase uses official APIs (Application Programming Interfaces) for accessing third-party data sources whenever possible. Data transfers are done using TLS-encrypted HTTPS connections.
- For authentication with data sources (such as Google Analytics, Meta Ads, Shopify, and others), our platform uses OAuth2. With these services, our platform will only have the rights to access the data you have explicitly authorized and nothing else on your account. You can revoke RelevantBase's access to your data at any point from your account control panel in the respective third-party service.
- Some data sources may require you to provide API keys or tokens. Any tokens, keys, or passwords are stored encrypted using Fernet symmetric encryption in our systems.
- Customer Business Data stored in the lakehouse uses the Apache Iceberg table format on Google Cloud Storage, providing versioned, auditable data management.
4.1 Data Infrastructure
Our data processing and storage takes place exclusively in European data centers:
- Primary infrastructure: Google Cloud Platform in the EU
- Database: Cloud SQL (PostgreSQL) in the EU
- Object storage: Google Cloud Storage in EU multi-region
- AI inference: LLMs hosted on Google Cloud infrastructure in the EU
- Application hosting: Google Cloud Run in the EU
All infrastructure is operated within the European Union. No Customer Business Data leaves the EU.
4.2 Business Transfers
If RelevantBase or its assets are acquired by another company, whether by merger, acquisition, bankruptcy, or otherwise, that company would receive all information gathered by RelevantBase on the Website and the Service. In this event, you will be notified, via email or a notice on our website, of any change in ownership, uses of your Personal Information, and choices you may have regarding your Personal Information.
4.3 Legal Disclosure
We reserve the right to use or disclose your Personal Information if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process.
5. Recipients of Personal Data
When processing your personal data for the purposes described above, we may transfer the personal data to the following third parties:
| Recipient | Purpose | Data Location |
|---|---|---|
| Google Cloud Platform | Servers, infrastructure, storage, database, user authentication, AI inference | EU |
| Stripe | Payment processing | EU/US (PCI DSS compliant) |
| Google Analytics | Website traffic analysis | EU |
| Resend | Transactional email | EU |
We will notify you of material changes to this list of sub-processors via the Service or by email.
We do not share Customer Business Data (data retrieved from your connected data sources) with any third party. Customer Business Data remains exclusively within our European Google Cloud infrastructure.
We may also transfer personal data to the relevant authorities in Finland or abroad where such authorities have a legal right to receive the information.
6. Safeguarding Personal Information
We take data protection seriously. We use various technical measures to prevent unauthorized access to the information you submit to us through our Website or the Service, and also any wrongful use of this information.
Personal Data is collected to databases that are protected by firewalls, authentication, and other technical means. Databases and backups thereof are located in secure premises within the European Union and only certain persons, designated beforehand, may access the data.
6.1 Encryption
- Encryption in transit: All data transmitted between clients and our Service, and between internal services, uses TLS 1.2 or higher. All client-to-service interactions enforce TLS.
- Encryption at rest: All databases, object storage, backups, and connection credentials are encrypted at rest using Google Cloud's default encryption (AES-256). Connection credentials (OAuth tokens, API keys) are additionally encrypted using Fernet symmetric encryption before storage.
- Key management: Encryption keys are managed through Google Cloud Key Management Service (KMS).
6.2 Authentication and Access Control
- User authentication is handled through GCP Identity Platform (Firebase Authentication) using industry-standard OIDC protocols.
- The Service implements role-based access control (RBAC) with four roles: Admin, Analyst, Operator, and Viewer.
- OAuth2 tokens for third-party data sources are encrypted and stored per-connection, accessible only to the authorized tenant.
- All API endpoints are authenticated and rate-limited to prevent abuse.
6.3 Security Monitoring
- All access to the Service is logged with structured audit trails.
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are enforced on all responses.
- Rate limiting is applied per-user, per-tenant, and per-endpoint to prevent abuse.
7. Data Transfers Outside the EU/EEA
Our primary infrastructure is located entirely within the European Union, on Google Cloud Platform. AI inference is performed on EU-hosted Google Cloud infrastructure.
In limited circumstances, your personal data may be transferred outside the European Union or the European Economic Area — for example, if a third-party service provider listed in Section 5 processes data in the United States. In such cases, we ensure that the personal data is transferred in accordance with applicable law, including:
- The EU-US Data Privacy Framework (DPF), where the recipient is certified
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission for the recipient country
Customer Business Data (data from your connected data sources) is never transferred outside the EU/EEA.
8. Your Rights Under GDPR
As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access (Article 15): You can request information about what Personal Data we process about you and obtain a copy.
- Right to rectification (Article 16): You can request correction of inaccurate or incomplete Personal Data.
- Right to erasure (Article 17): You can request deletion of your Personal Data when there is no longer a legitimate reason for us to retain it.
- Right to restriction of processing (Article 18): You can request that we restrict the processing of your Personal Data under certain circumstances.
- Right to data portability (Article 20): You can request to receive your Personal Data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): You can object to the processing of your Personal Data based on legitimate interests.
- Right to withdraw consent: If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
To exercise any of these rights, please contact us at privacy@relevantbase.com. We will respond to your request within 30 days and notify you of the action we have taken.
You also have the right to lodge a complaint with a supervisory authority. In Finland, the competent authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), www.tietosuoja.fi.
9. Retention of Personal Information
We retain Personal Information that you provide to us where we have an ongoing legitimate business need to do so (for example, as long as is required in order to contact you about the Subscription Service or our other services, or as needed to comply with our legal obligations, resolve disputes, and enforce our agreements).
Customer Business Data is retained for the duration of your subscription. Upon termination of your subscription, Customer Business Data is deleted within 30 days unless you request earlier deletion or unless retention is required by law.
When we have no ongoing legitimate business need to process your Personal Information, we securely delete the information or anonymize it or, if this is not possible, then we will securely store your Personal Information and isolate it from any further processing until deletion is possible. We will delete this information from the servers at an earlier date if you so request.
9.1 Disconnecting Data Sources and Deletion
Users may disconnect any connected data source at any time from the Connectors page within their RelevantBase workspace. Disconnecting a Google source (or any other source) immediately revokes RelevantBase's access tokens and ceases all further data retrieval from that source. Customer Business Data already retrieved from that source can be deleted by the workspace Admin via the Data → Delete action within the Service, or by emailing privacy@relevantbase.com. Deletion is completed within 30 days.
10. Cookies
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your computer's hard drive. Like many sites, we use Cookies to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Site or the Service.
We store the following types of cookies on the relevantbase.com website and Services when you use our properties:
- Strictly necessary cookies: Session cookies used by the application to store state between page views (such as your current logged-in information and authentication tokens). These cookies are essential for the Service to function and cannot be disabled.
- Analytics cookies (optional): Google Analytics tracking cookies for tracking page views and understanding how visitors use our website. These are only set with your consent.
- Functional cookies: Cookies that remember your preferences and settings to improve your experience.
- Advertising / conversion measurement cookies: We use the Google Ads tag (gtag.js) on our website to measure conversions from our own marketing campaigns. For visitors in the European Economic Area, the United Kingdom, and Switzerland, these cookies are set only after you accept them via our cookie consent banner; for visitors in other regions, they are enabled by default. We implement Google Consent Mode v2 so that the tag honors your choice. We do not use these cookies for cross-site profiling or audience-list retargeting.
You can change your cookie choice at any time using the Cookie preferences link in the website footer.
11. Security
The security of your Personal Information and Customer Business Data is very important to us. RelevantBase is built on Google Cloud Platform and uses Google's security, privacy, and compliance tools to protect all customer data and meet compliance requirements.
11.1 Infrastructure Security
- All services run on Google Cloud Platform in the EU
- Google Cloud Platform maintains SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and other certifications
- Network traffic is isolated using Virtual Private Cloud (VPC) configurations
- All inter-service communication is encrypted using TLS
11.2 Application Security
- All user inputs are validated and sanitized to prevent injection attacks
- Content Security Policy (CSP) and other security headers are enforced
- SSRF (Server-Side Request Forgery) protection is implemented for all outbound connections
- Rate limiting protects against abuse (per-user, per-tenant, and per-endpoint)
- Credentials and secrets are encrypted at rest and never logged
11.3 AI Security
- AI agent actions are governed by a structured tool policy with four levels of control (platform defaults, tenant defaults, agent defaults, per-role overrides)
- Sensitive operations (such as writing data or executing code) require explicit approval based on the configured tool policy
- AI conversations are isolated per tenant and per user session
- No Customer Business Data is used to train AI models
More detailed information about Google Cloud Platform's security can be found at the Google Cloud Trust Center: https://cloud.google.com/security
12. Links to Other Sites
Our Site may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. RelevantBase has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third-party sites or services.
13. Website Analytics
RelevantBase works with third-party providers to obtain information regarding traffic on RelevantBase websites, including pages viewed and actions taken when visiting relevantbase.com and other RelevantBase web properties, in order to provide us with information regarding the use of our websites and the effectiveness of our communications.
We use analytics services that respect user privacy. Analytics data is collected to understand how visitors use our website and to improve the user experience. We also use the Google Ads tag (gtag.js) for conversion measurement of our own marketing campaigns. We do not use audience-list remarketing or cross-site behavioral advertising.
14. Data Protection of Minors
RelevantBase does not consciously request personal information from users under 18 years old, and RelevantBase's websites and Services are not intended for users below this age. Minors may not make purchases or other purchasing actions via this website without the consent of their parents or legal guardians unless the relevant legislation so permits. If you believe that we have collected information about a child under 18, please contact us at privacy@relevantbase.com so that we may delete the information.
15. Data Processing Agreement (DPA)
For customers who require a Data Processing Agreement in accordance with Article 28 of the GDPR, we offer a standard DPA that covers our processing of Customer Business Data on your behalf. To request a DPA, please contact us at privacy@relevantbase.com.
16. Changes to This Privacy Policy
RelevantBase may update this Privacy Policy from time to time. The Privacy Policy is published on our website at relevantbase.com. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Modified" date. For significant changes, we will provide notice via email or through the Service. You are advised to review this Privacy Policy periodically for any changes.
17. Contact Information and Submitting Requests
If you have any questions, requests, feedback, or concerns about this Privacy Policy, please contact us at privacy@relevantbase.com. We may reject requests that are unreasonably repetitive, excessive, or manifestly unfounded.
You can request information from RelevantBase at any time about which Personal Data we process about you and the correction or deletion of such Personal Data. We aim always to find a solution directly with you in case of possible disagreement. You can also make a complaint to the data protection authority if you consider that your personal data is being processed unlawfully.
Supervisory authority: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Address: Lintulahdenkuja 4, 00530 Helsinki, Finland
Website: www.tietosuoja.fi
Email: tietosuoja@om.fi
