Skip to content

Legal

Privacy Policy

Last updated: April 24, 2026

This privacy policy is a placeholder pending final legal review before our first paid customer. It represents our current intended practices. For questions, contact [email protected].

Who we are

AlreadyBack LLC (in formation, Wyoming USA) operates the AlreadyBack service and is the controller for the limited personal data we collect about you as a customer. For the backup data you upload from Airtable, we act as a data processor on your behalf — those responsibilities are defined in our Data Processing Agreement.

What data we collect

  • Account data: email, name, organization name.
  • Authentication data: Airtable OAuth tokens (refresh and access), stored encrypted and used only to pull your backups.
  • Backup payload: the data we back up from your Airtable bases, encrypted end-to-end with AES-256-GCM. We do not inspect it.
  • Usage telemetry: page views, feature usage, error logs — aggregated and de-identified where possible.
  • Payment information: processed by Stripe. We never see or store full card numbers.

Why we collect it

Under GDPR Article 6, our legal bases are:

  • Contract (Art. 6(1)(b)): running the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, product improvement.
  • Legal obligation (Art. 6(1)(c)): tax, anti-money-laundering, sanctions compliance.
  • Consent (Art. 6(1)(a)): optional product marketing emails. You can withdraw consent at any time.

Where we store it

You choose your data residency region at signup. Available regions:

  • EU-West (Germany) — live today, default for EU accounts.
  • US-East (United States) — Q2 2026.
  • APAC · Singapore — Q3 2026.

Our sub-processor list is kept current at /sub-processors (published before first paid customer).

Who we share it with

We share your data only with our sub-processors — infrastructure partners that operate under a DPA aligned with ours. We do not sell your data, and we do not share your data for advertising purposes.

Your rights

Under GDPR, you have the right to access, rectify, erase, restrict, object to, and port your personal data, and to withdraw consent.

Under CCPA, California residents additionally have the right to know what we collect, request deletion, opt out of “sale” (we do not sell), limit use of sensitive personal information, and receive non-discrimination for exercising these rights.

How to exercise your rights

Email [email protected] from the address on your account, or use the in-app Export my data and Delete my account actions. Response SLAs:

  • GDPR: 30 days.
  • CCPA: 45 days.

Data retention

  • Backup snapshots:per your plan's retention window — 30 days (Protection), 90 days (Resilience), 395 days (Immunity).
  • Account metadata: up to 3 years after account closure, for legal and tax reasons.
  • Access and security logs: 90 days.
  • Aggregated analytics: indefinitely, with no personally identifiable information.

International transfers

If you are in the EU/EEA and choose a non-EU region, we rely on the EU Standard Contractual Clauses (Module 2, controller-to-processor). We maintain a Transfer Impact Assessment (TIA), available on request. Supplementary measures are detailed in the DPA.

EU / UK representative

Our representative under GDPR Article 27 and UK GDPR will be appointed before we onboard our first EU or UK customer. Contact details will be published here and in the DPA.

Contact

Privacy questions, rights requests, or complaints: [email protected].