Website & Platform Privacy Policy
Effective date: May 1, 2026 · Last updated: May 1, 2026
Baleen Research (“Baleen,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, how we use it, the legal bases on which we rely, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
If you have any questions about this policy or how we handle your data, please contact us at mb at baleenresearch dot com.
1. Scope and audience
This Privacy Policy applies to:
- Visitors to the Baleen website and any subdomains we operate;
- Subscribers who create an account or sign up to receive research content; and
- Institutional readers whose firms or employers have arranged access to Baleen content.
It covers personal data we collect through our website, our authentication and content-delivery systems, and our communications with you in connection with your use of the site.
It does not cover:
- Personal data we collect from clients outside the website — for example, in the course of an engagement, through correspondence, or under a contract. That processing is described in our separate client privacy notice, which is provided at the start of an engagement.
- Websites, services, or products operated by third parties, even where we link to them.
The data controller for the purposes of the GDPR and UK GDPR is Baleen Research, contactable at mb at baleenresearch dot com.
2. Data we collect
We collect the categories of personal data described below. We collect only what we need for the purposes described in Section 3, and we keep it only for as long as necessary (see Section 7).
2a. Data required to deliver the service
To create and maintain your account and deliver our research, we require:
- Email address
- First and last name
If you do not provide this information, we cannot create an account for you or deliver content to you.
2b. Optional information you may provide for a tailored experience
You may choose to provide any of the following to personalize your experience. Providing this information is entirely optional, and you may add, change, or remove it at any time:
- Role (selected from a preset dropdown that includes a “Prefer not to say” option)
- Firm or company
- LinkedIn URL
- City
- Free-text response to “what you’re hoping to get from Baleen”
- Delivery preference (immediate vs. digest)
- Delivery time and time zone
- PDF format preference (link vs. attachment)
- Content preference (previews and reports vs. reports only)
- Conferences you’re interested in
- Whether you wish to be included in event lists
2c. Information automatically collected when you use the site
When you visit or use the Baleen site, we automatically collect:
- A pseudonymized version of your IP address, generated using a keyed HMAC. The raw IP address is not stored.
- The user agent string sent by your browser.
- Sign-in events, including login attempts, successes, failures, and multi-factor authentication (MFA) verifications.
- Report view events, recording which reports you open and when.
- Click events generated when you interact with action buttons in Baleen emails or on report pages — including opening a report, downloading a PDF, listening to audio narration, submitting a rating or survey response, updating your delivery preferences, and unsubscribing. These clicks are routed through a tracked redirect before reaching their destination.
- Questions you ask through the ai-baleen Q&A feature, which are sent to our subprocessors (Anthropic, OpenAI, and Algolia) to generate an answer and to retrieve relevant material. Baleen does not retain the text of these questions in its own systems.
- Search queries you submit through our site search, which are logged by our search provider Algolia under their analytics retention terms.
We do not use third-party advertising trackers, and we do not run third-party web analytics that profile you across other sites.
3. How we use your data
We use personal data for the following purposes:
- To deliver research content, including reports, previews, and audio narration;
- To authenticate you when you sign in and to protect your account against unauthorized access;
- To maintain our distribution lists and ensure each recipient gets the content they requested in the format they prefer;
- To measure engagement with our content (such as opens, clicks, and downloads) so that we can inform editorial decisions about what to publish;
- To respond to inquiries you send us; and
- To comply with our legal and regulatory obligations.
4. Legal basis for processing (GDPR / UK GDPR)
We process personal data on the following legal bases under Article 6 of the GDPR and UK GDPR:
- Performance of a contract (Article 6(1)(b)) — to deliver the research service you have signed up for, including authenticating you and sending you the content you have requested.
- Legitimate interests (Article 6(1)(f)) — to maintain the security of our systems, prevent fraud and abuse, measure aggregate engagement with our research, and improve our editorial decisions. We have assessed that these interests, taking into account the limited scope of the data and reasonable user expectations in a professional research context, are not overridden by your rights and freedoms. You can object to processing based on legitimate interests at any time by contacting us.
- Consent (Article 6(1)(a)) — where we ask for it, for example before sending optional communications or activating non-essential features. You can withdraw consent at any time.
- Legal obligation (Article 6(1)(c)) — where we are required by law to retain or disclose data, for example in response to a lawful request from a competent authority.
5. Automated decision-making (GDPR Article 22)
When you sign up, an automated mechanism (auto_approve_from_email_list) checks whether your email address belongs to a pre-approved firm or institution. If it does, your account is approved automatically so you can begin receiving content without delay. If it does not, your application is queued for manual review.
This automated check produces only a binary outcome (approve now vs. queue for manual review) and does not produce legal effects or similarly significant effects concerning you, since a human reviewer evaluates any application that is not automatically approved.
You may at any time request that your sign-up be reviewed by a human regardless of the automated outcome. To do so, contact us at mb at baleenresearch dot com and we will arrange manual review.
6. Subprocessors and international transfers
We use a limited set of subprocessors to operate the service. Each subprocessor is bound by a written agreement that limits their processing of your data to the purposes we specify, and each maintains its own privacy and security commitments.
Personal data is primarily processed in the United States and, for some subprocessors, in the European Union. Some of our AI subprocessors use globally distributed inference infrastructure, which means that API requests we send for AI features (such as ai-baleen) may be routed to and processed in regions outside the United States and European Union, depending on the provider’s routing decisions. Stored data — including account profiles, content, and authentication records — remains in the United States.
Where personal data is transferred from the European Economic Area or the United Kingdom to a country that has not received an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented where appropriate by additional technical and organizational measures.
| Subprocessor | Purpose | Data processed |
|---|---|---|
| Supabase | Database, authentication, and storage | All stored account and content data, IP hashes, authentication tokens |
| Cloudflare | CDN, Workers, Pages, and bot protection | IP address, page requests, Turnstile tokens |
| Resend | Transactional email delivery | Recipient address, message body |
| Anthropic (Claude) | ai-baleen Q&A feature | Question text you submit |
| OpenAI | Embeddings for similarity search | Report chunk text |
| Algolia | Site search | Report titles and visitor search queries |
| ElevenLabs | Audio narration of reports | Report text |
| Mapbox | Map tiles on the /where-is-marshall page | IP address at the time of the tile request |
Data submitted to our AI subprocessors (Anthropic and OpenAI) through the ai-baleen feature is not used to train their foundation models. We use these providers under their commercial API terms, which exclude customer data from model training.
You may request a current list of subprocessors by contacting us.
7. Retention
We retain personal data only for as long as we need it for the purposes set out in this policy, after which it is deleted or anonymized:
- Authentication events (logins, MFA verifications): 90 days
- View events and link events (report opens, clicks, downloads): 1 year
- Security events (suspicious activity, abuse signals): 2 years
- Verification codes (one-time codes for sign-in or email confirmation): cleaned up after expiry
- ERP bridge request logs: 1 day
- ai-baleen question text: not retained by Baleen (subprocessors that receive the question to generate an answer apply their own retention terms)
- Account profile data (name, email, role, optional profile fields): retained while your account is active and deleted on request or after a period of inactivity
Where a longer retention period is required by law, we will retain the data for that period and no longer.
8. Data sharing beyond subprocessors
We do not sell your personal data, and we do not share it with third parties for their own commercial purposes. We may disclose personal data outside our subprocessor relationships only in the following circumstances:
- Legal and regulatory authorities, where disclosure is required by law, regulation, court order, or other lawful process;
- Affiliates or successors, in connection with a merger, acquisition, reorganization, financing, or sale of all or part of our business, in which case we will require the recipient to honor this Privacy Policy or notify you of any material change.
9. Your rights
Under the GDPR, the UK GDPR, and other applicable laws, you have the following rights regarding your personal data:
- Right of access — to obtain a copy of the personal data we hold about you. A self-service export endpoint is available, and a user-interface version is in development.
- Right to erasure (“right to be forgotten”) — to request deletion of your account and the personal data associated with it. A self-service deletion endpoint is available, and a user-interface version is in development.
- Right to rectification — to correct personal data that is inaccurate or incomplete.
- Right to withdraw consent — where we rely on your consent, to withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.
- Right to object — to object to processing based on our legitimate interests, including processing for engagement measurement.
- Right to restriction of processing — in certain circumstances, to ask us to limit how we process your data.
- Right to data portability — to receive certain personal data you provided to us in a structured, commonly used, machine-readable format.
- Right to lodge a complaint — with the data protection supervisory authority in your country of residence, place of work, or place of the alleged infringement. In the United Kingdom this is the Information Commissioner’s Office (ICO); in the EU, the relevant national data protection authority.
To exercise any of these rights, please contact us at mb at baleenresearch dot com. We may need to verify your identity before acting on your request. We will respond within one month of receiving a verified request, with the possibility of extending by up to two further months for complex or numerous requests, in which case we will inform you of the extension and the reasons.
10. Security
We take a layered approach to protecting your data:
- All traffic between your browser and our services is encrypted in transit using TLS.
- Database tables enforce row-level security so that each request can only access the data the requesting user is entitled to see.
- IP addresses are pseudonymized using a keyed HMAC before storage; raw IPs are not retained.
- Multi-factor authentication is required for all administrative access.
- We carry out periodic security reviews of our systems, dependencies, and access controls.
No system is perfectly secure. If we ever become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you without undue delay.
11. Cookies and tracking
We use only the cookies and similar technologies necessary to operate the site:
- Authentication cookies set by Supabase, used to keep you signed in and to protect your session.
- Cloudflare Turnstile tokens, used to distinguish humans from automated bots without using third-party tracking.
We do not use third-party advertising cookies, and we do not run third-party web analytics that build profiles of you across other sites.
You can configure your browser to refuse cookies, but disabling authentication cookies will prevent you from signing in.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our subprocessors, or the law. When we make material changes, we will update the “Last updated” date at the top of this policy and notify subscribers by email and, where appropriate, with a notice on the site before the changes take effect. Continued use of the service after the effective date of an update constitutes acceptance of the updated policy, except where your fresh consent is required by law.
13. Contact
For all privacy inquiries — including requests to access, correct, export, or delete your data, or to withdraw consent — please contact:
Baleen Research · mb at baleenresearch dot com
We aim to respond to all privacy inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.