Revised on 12.02.2026
This Privacy Policy (hereinafter — the Policy) defines the procedures for collecting, processing, storing, and protecting personal data of Basalt PMS platform users (hereinafter — the Platform). The Policy has been developed in accordance with the EU General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable data protection legislation. For users located in the Russian Federation, the Russian-language version of this Policy governed by Federal Law No. 152-FZ applies. By using the Platform, you confirm that you have read this Policy and understand how your personal data is processed.
Data controller: Aleksandr Zhukov, sole proprietor. Registered address: 620000, Yekaterinburg, Russia. Email: support@basaltpms.com. The controller is responsible for ensuring that your personal data is processed in compliance with the GDPR and applicable data protection laws.
Personal data is processed on the following legal grounds under GDPR Art. 6(1): (a) Consent (Art. 6(1)(a)) — where you have given explicit consent, such as during registration on the Platform; (b) Contract performance (Art. 6(1)(b)) — processing necessary for the performance of a contract to which you are a party, including the provision of Platform services; (c) Legitimate interests (Art. 6(1)(f)) — processing necessary for our legitimate interests, such as improving service quality, ensuring security, and preventing fraud, provided these interests are not overridden by your fundamental rights and freedoms.
Personal data is processed for the following purposes: registration and authentication of users on the Platform; identification of users within teams and projects; fulfillment of contractual obligations for service delivery; provision of technical support and communication with users; payment processing and financial record-keeping; ensuring security and preventing fraudulent activity; improving the functionality and quality of Platform services; compliance with applicable legal obligations.
We process the following categories of personal data: Account data — email address, name (display name in the team), profile photo (avatar). Technical data — IP address, browser type and version, operating system, device data, timezone. Usage data — actions on the Platform, session data, theme and language preferences. Cookie data — technical session identifiers and user preference identifiers. Payment data — subscription information and transaction history (bank card details are processed by a third-party payment provider and are not stored on our servers).
Personal data and project metadata are stored in a secure Supabase cloud database. Media files (videos, images, archives) are stored in an isolated enterprise-grade Basalt storage. Personal data is retained for the duration of the account and 12 months after its deletion (to allow for recovery upon request). Technical logs are retained for no more than 90 days. After the specified periods, data is securely erased in accordance with GDPR Art. 17.
In accordance with GDPR Art. 32, we implement appropriate technical and organisational measures to protect your data, including: SSL/TLS encryption for data in transit and AES-256 encryption for data at rest; strict role-based access control (RBAC) within your organisation; two-factor authentication; monitoring for suspicious activity; and regular data backups. We regularly review and update our security practices to ensure ongoing protection.
In accordance with the ePrivacy Directive (2002/58/EC), we only use strictly necessary (essential) cookies required for: maintaining user sessions and authentication; saving the selected theme (Light/Dark/Noir); saving interface language settings. We do not use advertising, analytics, or any third-party tracking cookies. You can manage cookies through your browser settings; however, disabling essential cookies may prevent you from using the Platform.
Due to the use of cloud infrastructure, data may be processed on servers located outside the European Economic Area (EEA), including in the United States. Such transfers are safeguarded by: EU adequacy decisions where applicable (GDPR Art. 45); Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Art. 46(2)(c)); and additional technical measures as necessary. Our infrastructure providers (Supabase, AWS) maintain appropriate data processing agreements and transfer mechanisms in compliance with GDPR Chapter V.
Basalt does not sell, rent, or share personal data with advertising agencies or any third parties for commercial purposes. Data may be shared exclusively with: authorised data processors ensuring Platform operation (hosting, notifications) — under data processing agreements in accordance with GDPR Art. 28, with appropriate safeguards and confidentiality obligations; competent authorities upon a lawful request as required by applicable legislation.
Basalt integrates with external services (Google Drive, Telegram, etc.) for project resource management. We only access files, folders, and data that you explicitly connect. Data processing by external services is governed by their own privacy policies. We encourage you to review the privacy practices of any third-party service you choose to connect.
Under the GDPR, you have the following rights regarding your personal data: Right of access (Art. 15) — obtain confirmation and a copy of your data; Right to rectification (Art. 16) — request correction of inaccurate data; Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten"); Right to restriction (Art. 18) — request limitation of processing; Right to data portability (Art. 20) — receive your data in a structured, machine-readable format; Right to object (Art. 21) — object to processing based on legitimate interests; Right to withdraw consent (Art. 7(3)) — withdraw your consent at any time without affecting the lawfulness of prior processing; Right to lodge a complaint — file a complaint with your local Data Protection Authority (supervisory authority). To exercise your rights, send a request to support@basaltpms.com with your name and the email address linked to your account. We will respond without undue delay and in any event within one month of receipt (GDPR Art. 12(3)).
Personal data is subject to erasure when: the purposes of processing have been achieved; consent is withdrawn by the data subject; the data subject exercises their right to erasure; retention periods have expired. Data erasure is carried out by irreversible deletion of records from databases and file storage within 30 days. Where required, we will inform any recipients to whom the data has been disclosed (GDPR Art. 19).
The controller reserves the right to amend this Policy. The current version is published on this page with the date of the last revision. In case of material changes, we will notify users by email or through a notification on the Platform at least 30 days before the changes take effect. If you do not agree with the updated Policy, you may exercise your right to erasure as described in Section 12.
For all questions related to personal data processing and to exercise your data protection rights, you can contact the data controller: