Last updated · 21 June 2026
Privacy Policy
CampaignPacks is built to be honest, and that includes being honest about your data. This policy explains what we collect, why we collect it, who we share it with, and the control you have over it. We collect as little as we can to run the product, and we do not sell your data or run advertising or third-party tracking.
1. Who we are
CampaignPacks (“CampaignPacks”, “we”, “us”) is a product operated by Baseframe Labs, based in Switzerland. For the purposes of the EU and UK General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP), Baseframe Labs is the data controller for personal data processed through CampaignPacks.
You can reach us about anything in this policy at support@baseframelabs.com.
2. Scope of this policy
This policy covers the CampaignPacks web application at campaignpacks.com and the accounts, projects, and campaign packs you create within it. It does not cover third-party services you choose to connect or supply keys for (such as your AI provider or Canva), which have their own privacy policies. CampaignPacks is currently in private beta, so access is limited to invited email addresses.
3. Data we collect
Account data
When you sign in, we store your email address, an optional display name, and which sign-in method you used (email and password, or Google). If you sign in with Google, we receive basic profile information from Google as part of the sign-in.
Content you create
Inside the product you create projects and campaign packs. This can include:
- Project names, the website URLs you enter, and any competitor URLs you add
- Product descriptions, briefs, and answers you give about your launch goals
- Brand assets you upload, such as logos and images, and brand notes, colours, and fonts
- Text, titles, and headings we extract from the public web pages you ask us to read
- The campaign packs, revisions, and comments generated or written within the workspace
Provider keys and integration tokens
CampaignPacks uses a bring-your-own-key model for AI. If you add an Anthropic or OpenAI API key, we encrypt it (AES-256-GCM) before storing it. Your key is never shown back to you in full and is never sent to your browser; we decrypt it only on our server, only to make the AI calls you ask for. If you connect Canva, we store the resulting access tokens encrypted in the same way.
Technical and session data
To keep you signed in we set a single first-party session cookie (named __session). It is encrypted, HTTP-only, sent only over HTTPS in production, and expires after five days. We do not use analytics, advertising, or third-party tracking cookies, so there is no cookie banner because there is nothing to consent to beyond this strictly necessary cookie. Our hosting provider processes standard server logs (such as IP address and request metadata) to deliver and secure the service.
Local drafts
While you fill in the new-project wizard, your in-progress draft is saved in your browser’s localStorage so you do not lose it on refresh. This stays on your device and is cleared when you sign out.
4. How we use your data
We use your data only to run and improve CampaignPacks. Specifically, to:
- Create and secure your account and keep you signed in
- Generate, store, and let you edit, approve, and export your campaign packs
- Read the web pages and briefs you provide so we can build your strategy and assets
- Provide support and respond to your requests
- Maintain security, prevent abuse, and meet our legal obligations
We do not use your content to train AI models, and we do not sell your personal data or share it for advertising.
5. Legal bases (GDPR)
If you are in the EU, UK, or Switzerland, we rely on the following legal bases to process your personal data:
- Performance of a contract — to provide the account and features you ask for under our Terms of Service.
- Legitimate interests — to secure the service, prevent abuse, and improve the product, balanced against your rights.
- Consent — where you choose to connect an optional integration or supply an AI provider key; you can withdraw it at any time.
- Legal obligation — where we must process data to comply with the law.
7. AI providers and your content
When you generate a pack, the relevant inputs (your brief, the text we read from your URLs, and your instructions) are sent to the AI provider whose key you supplied, so it can produce the output. You choose the provider, and you bring your own key, which means your use is also governed by that provider’s terms and privacy policy.
Under Anthropic’s and OpenAI’s current API terms, content submitted through their APIs is not used to train their models by default. We do not enable any training-on-your-data options, and we never send your content to a provider you have not configured. We encourage you to review your provider’s policies directly, since that relationship is partly yours.
8. International transfers
We operate from Switzerland and serve users worldwide, and some of our providers process data in the United States and other countries. Where data leaves Switzerland, the EU, or the UK, we rely on recognised transfer mechanisms such as adequacy decisions and the European Commission’s Standard Contractual Clauses, together with the safeguards our providers maintain.
9. Retention
We keep your account and content for as long as your account is active. When you ask us to delete your account, we remove your profile, projects, campaign packs, brand assets, stored provider keys, and connected-integration tokens, and we delete your authentication record. Some information may persist briefly in backups or where we must retain it to meet a legal obligation, after which it is deleted. Local drafts in your browser are cleared when you sign out.
10. Your rights
EU, UK, and Switzerland (GDPR / FADP)
You have the right to:
- Access the personal data we hold about you and receive a copy
- Correct data that is inaccurate or incomplete
- Delete your data (the right to erasure)
- Restrict or object to certain processing
- Receive your data in a portable, machine-readable format
- Withdraw consent at any time, where we rely on consent
- Lodge a complaint with your data protection authority
In Switzerland, the supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC / EDÖB). In the EU and UK, you may complain to your local authority.
California (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect and how we use it, to request deletion or correction, and to not be discriminated against for exercising your rights. We do not sell or “share” personal information as those terms are defined under California law.
To exercise any of these rights, email support@baseframelabs.com. We may need to verify your identity before acting, and we will respond within the timeframes the law requires.
11. How we protect your data
We encrypt sensitive secrets such as AI provider keys and integration tokens at rest, keep them off the browser entirely, and gate access to your data behind authenticated, per-user checks. Sessions use encrypted, HTTP-only cookies over HTTPS. You can read more on our Security page. No system is perfectly secure, but we take reasonable, specific measures and design the product to minimise what is exposed.
12. Children
CampaignPacks is a business tool intended for adults and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
13. Changes to this policy
We may update this policy as the product evolves. When we make material changes, we will update the date at the top and, where appropriate, notify you. Your continued use after an update means you accept the revised policy.
14. Contact us
Questions, requests, or concerns about your privacy? Email support@baseframelabs.com and we will help.