Overview
This Privacy Policy explains how Bahama collects, uses, shares, retains, and protects information when you visit our website, create an account, connect an MCP-compatible AI client, use the dashboard, call our APIs, deploy applications, manage resources, communicate with us, or purchase paid services.
Bahama is an agent-native infrastructure control plane. We coordinate account authentication, project metadata, source upload handoff, deployment jobs, managed resource orchestration, usage analytics, billing, and related support. Deployed customer applications run on third-party infrastructure such as Cloudflare, and production traffic to those applications is not intended to route through Bahama's web application.
For account, billing, marketing, support, website, and product administration data, Bahama generally acts as a controller. For application source, project content, runtime metadata, and end-user information that you submit to Bahama or cause Bahama to process for your applications, Bahama generally acts as a service provider or processor on your behalf, subject to your instructions and applicable law.
Scope
This Policy applies to the Bahama website, dashboard, OAuth and account flows, MCP server, API, deployment pipeline, managed-resource tooling, emails, billing flows, and related services. It does not apply to websites, applications, services, or infrastructure that are operated by our customers, even if those applications were deployed with Bahama.
If you are an end user of an application created by a Bahama customer, the customer is responsible for its own privacy notice and data practices. We process that application's data only as needed to provide Bahama services to the customer, unless another lawful basis applies.
Information We Collect
Account and identity information
- Name, email address, profile image, account identifiers, authentication provider identifiers, and sign-in method.
- OAuth client, consent, grant, access token, refresh token, and session metadata needed to authenticate you and authorize MCP or API clients.
- Organization, billing, tax, invoice, plan, account status, and administrative contact details if you provide them.
Project and deployment information
- Project names, slugs, framework selections, resource settings, deployment status, runtime contracts, source-upload metadata, build and deployment job identifiers, generated URLs, and error messages.
- Source archives, static assets, configuration files, lockfiles, Hono or Worker code, and other materials you upload for deployment.
- Database, storage, secret, and runtime-binding metadata, including masked secret suffixes, secret names, resource status, creation timestamps, and last-updated timestamps. Bahama should not display raw Cloudflare API tokens, R2 credentials, deployer shared secrets, database credentials, or user-provided project secret values back to you or to MCP clients.
Usage, diagnostics, and security information
- IP address, device and browser information, referring pages, pages viewed, request paths, timestamps, log events, error traces, performance metrics, and security events.
- MCP and API usage information, including tool names, request metadata, project identifiers, authentication result, scopes, audience, client identifier, and operational results.
- Cloudflare-derived usage and telemetry used for dashboard display, abuse prevention, plan limits, billing, debugging, and operational reliability, including request counts, status classes, response sizes, D1 usage, compute usage, and related account or project attribution.
Payment information
When paid plans are available, Bahama will use Stripe or another payment processor to collect and process payment information. Bahama does not intend to store full payment card numbers. We may receive and store payment-related records from the processor, such as customer identifiers, subscription status, plan, invoice information, payment method type, card brand, last four digits, billing address, tax status, payment status, disputes, and fraud or risk signals.
Communications and support
- Messages you send us, support requests, feedback, survey responses, waitlist submissions, contact information, attachments, and related metadata.
- Information you choose to provide through social channels, demos, calls, forms, email, or other communications.
Cookies and similar technologies
We and our service providers may use cookies, local storage, pixels, analytics scripts, and similar technologies to operate the site, keep you signed in, remember settings, measure usage, improve product performance, detect abuse, and understand conversion events. Some browser settings let you block or delete cookies, but parts of Bahama may not work correctly without essential cookies.
How We Use Information
- Provide, secure, authenticate, operate, maintain, debug, and improve Bahama.
- Create and administer accounts, sessions, OAuth clients, grants, MCP authorization, API authorization, and user consent flows.
- Create projects, provision managed resources, generate runtime contracts, sign upload URLs, run deployment jobs, show deployment status, and coordinate Cloudflare-backed infrastructure.
- Attribute usage to accounts and projects, enforce plan limits, detect abuse, calculate bills, process payments, collect taxes, manage invoices, and administer subscriptions.
- Provide customer support, respond to inquiries, troubleshoot errors, investigate incidents, and communicate service, security, product, billing, and legal notices.
- Analyze product usage, improve reliability, develop new features, perform research, and measure marketing effectiveness.
- Prevent spam, fraud, malware, credential abuse, denial-of-service activity, account takeover, prohibited content, and violations of our Terms of Use.
- Comply with legal obligations, enforce agreements, resolve disputes, protect rights and safety, and support audits or corporate transactions.
AI Clients, MCP, and Customer Content
Bahama is designed to be used by AI agents and MCP-compatible clients that you authorize. When you connect a client, that client may send tool calls, project names, deployment requests, database queries, source-upload metadata, and other instructions to Bahama on your behalf. You are responsible for reviewing the permissions you grant to any client and for configuring that client safely.
We use Customer Content, including source code, uploaded files, project instructions, database queries, logs, and MCP tool inputs and outputs, to provide and secure the services, fulfill your requests, debug problems, prevent abuse, and comply with law. We do not sell Customer Content. We do not use private Customer Content to train public foundation models unless you give us separate, explicit permission or submit the content to a feature that clearly says it will be used that way.
If Bahama offers optional AI-assisted support, analysis, deployment help, or debugging features, we may send the specific content needed for that feature to model providers or infrastructure providers acting on our behalf. We will use reasonable controls designed to limit that processing to the requested feature.
Third-Party Services
Bahama depends on third-party services to operate. These may include Cloudflare for infrastructure and deployment, Stripe for payments, Vercel or similar providers for hosting and analytics, Better Auth-related authentication infrastructure, email providers, database providers, analytics tools, error monitoring tools, and support tools.
Your use of third-party services may be subject to their own terms and privacy policies. For example, payment information processed by Stripe is governed by Stripe's privacy policy and payment terms. Bahama is not responsible for third-party services that you choose to connect to your projects, including AI providers, OAuth providers, payment providers, databases, APIs, or other services whose credentials you store as project secrets.
Your Responsibilities for End-User Data
You are responsible for the applications you build, deploy, and operate with Bahama. If your application collects personal information from end users, you are responsible for providing your own privacy notice, obtaining required consents, honoring user rights, choosing appropriate security controls, and complying with laws that apply to your application.
Unless we separately agree in writing, Bahama is not designed for protected health information, regulated financial account data, payment card data outside Stripe-hosted or processor-hosted flows, children's data requiring verifiable parental consent, export-controlled workloads, or other sensitive regulated data. Do not submit those categories of data to Bahama or deploy workloads that require special legal or compliance commitments from Bahama without a separate written agreement.
Data Retention
We retain information for as long as reasonably necessary to provide the services, maintain your account, fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, enforce agreements, preserve security, prevent fraud, and maintain business records.
Retention periods vary by data type. Account and billing records may be retained for legal, tax, audit, and accounting reasons. Security logs may be retained to protect the service. Source uploads, deployment artifacts, logs, usage rollups, and operational telemetry may be retained for shorter or longer periods depending on product needs, debugging, compliance, abuse prevention, and backup practices. Deleted data may persist for a limited time in backups or provider systems before deletion is completed.
Security
We use reasonable technical, administrative, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, alteration, and disclosure. These safeguards may include authentication, scoped OAuth access, server-side ownership checks, encryption in transit, provider-managed encryption at rest, access controls, logging, secret masking, and operational monitoring.
No internet service is completely secure. You are responsible for using strong account credentials, safeguarding tokens and API keys, controlling access to your MCP clients and projects, reviewing AI agent actions, and avoiding submission of sensitive data that Bahama is not designed to process.
International Transfers
Bahama is operated from the United States and uses providers that may process information in the United States and other countries. Those countries may have data protection laws different from those where you live. Where required, we use appropriate safeguards for international transfers, such as contractual commitments or other lawful transfer mechanisms.
Your Choices and Rights
Depending on where you live, you may have rights to access, correct, delete, restrict, port, or object to certain processing of personal information. You may also have rights to withdraw consent, opt out of certain marketing communications, or appeal a privacy-rights decision. We will respond to valid requests as required by applicable law and may ask you to verify your identity.
You can unsubscribe from marketing emails using the unsubscribe link in those messages. You may still receive transactional, account, security, billing, and legal notices. You may manage some account and project information through the dashboard. To submit a privacy request, contact privacy@bahama.ai.
State and Regional Disclosures
If privacy laws such as the California Consumer Privacy Act, other U.S. state privacy laws, the GDPR, or the UK GDPR apply to your personal information, we will honor the rights and obligations required by those laws. We do not sell personal information in the traditional sense. If our use of analytics or advertising technologies is considered a sale, sharing, or targeted advertising under applicable law, we will provide legally required opt-out mechanisms.
If you are a business customer that needs a data processing addendum for Customer Content, contact privacy@bahama.ai. Additional terms may be required before Bahama can support certain regulated or enterprise use cases.
Children's Privacy
Bahama is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to Bahama, contact privacy@bahama.ai and we will take appropriate steps to delete it.
Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will provide notice by updating the date above, posting a notice in the service, sending an email, or using another reasonable method. Your continued use of Bahama after an updated Policy becomes effective means the updated Policy applies to your use going forward.
Contact
For privacy questions, rights requests, or data protection inquiries, contact privacy@bahama.ai. For legal notices, contact legal@bahama.ai. If you are contacting us about a project or account, include enough information for us to identify the relevant account and request.
