Privacy Policy
Last Updated: December 17, 2025
Ballast connects to your existing tools and data sources to provide unified search and insights. This policy explains how we handle your information, including data from connected services.
Ballast uses a single-tenant data architecture: every organization runs in its own dedicated database, isolated at the infrastructure level, not just by access controls.
1. What We Collect
Account Information
When you create an account, we collect:
- Contact information (name, email) - To create and manage your account
- Workspace details (organization name, team members) - To provide our services
- Usage data - To improve the product and provide support
Data From Connected Services
When you connect third-party services (such as GitHub, Slack, Google Drive, and Salesforce), we access and sync data based on the permissions you grant. This may include:
- Documents and files - From connected storage and productivity tools
- Messages and communications - From connected messaging and email services
- Code and repositories - From connected development platforms
- Records and data - From connected databases, CRMs, and business tools
- Metadata - Timestamps, authors, tags, and other contextual information
You control what we access. You choose which services to connect and can disconnect them at any time.
2. Third-Party Integrations & OAuth
Ballast connects to external services using industry-standard OAuth or API credentials that you provide.
How Connections Work
- OAuth connections: You authorize Ballast through the third-party service's login flow. We receive access tokens but never see your passwords.
- API key connections: For services that don't support OAuth, you provide API credentials directly.
- Database connections: For direct database access, you provide connection credentials.
Credential Security
All credentials (OAuth tokens, API keys, database passwords) are:
- Encrypted at rest using AES-256-GCM encryption
- Never stored in plain text
- Never shared with third parties
- Deleted when you disconnect a service
What Permissions We Request
We request only the permissions necessary to sync your selected data. For example:
- Read-only access where possible - We typically don't need write access
- Scoped access - Limited to specific resources you select (e.g., specific repositories, channels, or folders)
Each integration shows what permissions it requires before you connect.
3. How We Process Your Data
To enable semantic search and insights, we process synced data as follows:
- Content extraction - We extract text from documents, messages, code, and other content
- AI embeddings - We use AI models to create searchable representations (embeddings) of your content
- Vector storage - Embeddings are stored in a vector database for fast semantic search
- Indexing - Metadata is indexed for filtering and organization
AI Processing
We use third-party AI services (such as OpenAI) to generate embeddings. When processing your content:
- Content is sent to AI providers only for embedding generation
- AI providers do not store or train on your data
- We use enterprise API agreements that prohibit data retention by AI providers
4. How We Use Your Information
Your information is used for:
- Providing services - Syncing data, enabling search, generating insights
- Account management - Authentication, billing, and support
- Product improvement - Aggregated, anonymized usage analytics
- Communication - Service updates, security notices, and support responses
We do not:
- Sell your data to third parties
- Use your content to train AI models
- Share your data for advertising purposes
- Access your data except to provide our services or with your permission
5. Who Sees Your Information
Your Synced Content & Embeddings: Complete Isolation
Each organization gets its own dedicated database. This is not shared hosting with access controls - your synced content, embeddings, and indexed data live in a completely separate database that only your organization can access through our interfaces.
What this means:
- Your own database - Not a shared database with row-level security, but a dedicated database instance for your organization alone
- Access only through Ballast - The only way to reach your data is through MCP or API endpoints authenticated with your credentials. Direct database access is not available (except for Enterprise on-premise deployments)
- No admin backdoor - Ballast staff cannot access, view, query, or export customer content during normal operations. Systems route requests automatically based on subdomain isolation. Access to customer content may occur only to respond to verified security incidents or comply with legal obligations, and any such access is explicitly authorized, time-bound, logged, and audited.
- Complete separation from billing - Your account information (billing, authentication) lives in a separate system. When you contact support or manage your subscription, we never touch your synced content
- Zero cross-tenant access - There is no database query, no API call, and no system pathway that could expose your data to another customer
We architected Ballast this way intentionally. Your synced content is yours. We provide the infrastructure; we don't access what's on it.
Account Information
For account administration (billing, authentication, support), limited information is processed by:
- Infrastructure providers: Cloud hosting for the platform
- Payment processors: For billing (we don't store credit card details)
- Email services: For transactional emails
AI Processing
When generating embeddings, content is sent to AI providers (such as OpenAI) via their enterprise API. These providers:
- Do not store your content after processing
- Do not use your data for training
- Are bound by enterprise data processing agreements
All third-party providers are bound by data processing agreements that prohibit retention or misuse of your information.
6. Disconnecting Services & Data Deletion
When you disconnect a data source:
- OAuth tokens and credentials are immediately deleted
- Synced content and embeddings are deleted within 30 days
- Sync schedules and connection metadata are removed
When you delete your account:
- All synced content, embeddings, and credentials are deleted within 30 days
- Account data is retained for up to 90 days for legal/financial compliance
- Backups are purged according to our retention schedule
7. Data Security
Security isn't an afterthought - it's built into how Ballast works:
- Dedicated databases per organization - Your data can't leak to other customers because it doesn't share infrastructure with them
- Encryption in transit - All connections use TLS 1.3
- Encryption at rest - Data stored with AES-256 encryption
- Credential encryption - OAuth tokens and API keys encrypted with AES-256-GCM before storage
- No shared secrets - Each organization's database has unique credentials, encrypted separately
- Access controls - Authentication required for all API access; team members see only what their permissions allow
No system is 100% secure. If there's a breach affecting your data, we'll notify you promptly.
8. Cookies & Analytics
We use cookies for:
- Essential cookies: Session management, authentication, security
- Analytics: Understanding product usage to improve the service
You can disable non-essential cookies in your browser settings.
9. Your Rights
You have control over your information:
- Access: Request a copy of the information we have about you
- Correction: Update your account information
- Deletion: Delete your account and all associated data
- Disconnect: Remove any connected service at any time
- Opt-out: Unsubscribe from marketing emails
To exercise these rights, email privacy@ballast.sh. We'll respond within 30 days.
10. International Data Transfers
We're based in the United States. If you're outside the US, your information may be transferred here. We comply with applicable data protection laws, including GDPR for EU users and PIPEDA for Canadian users.
11. Changes to This Policy
We may update this policy as our practices evolve. Material changes will be communicated via email to active users. The "Last Updated" date at the top tracks revisions.
12. Contact
For privacy questions or to exercise your rights:
Email: privacy@ballast.sh
Response Time: Within 30 days
The bottom line: Your synced content lives in a dedicated database isolated at the infrastructure level. Ballast staff cannot browse, query, or export your data during normal operations. We don't sell your data, train AI on it, or share it with anyone. You control your connections, and you can disconnect or delete at any time.