Security & data

Your customer data never leaves your account.

Complete documentation of what BHASM reads, how it is stored, what it never does, and your rights as a data principal. Version 1.2 — updated May 2026.

What BHASM reads

Shopify
Orders  ·  sessions  ·  cart events  ·  refunds  ·  customer tags
Read access only via official Shopify API. No write access.
Razorpay / Stripe
Payment status  ·  timestamps  ·  failure codes  ·  subscription status
Payment card details are never accessed. Status fields only.
HubSpot / Zoho
Contact records  ·  deal stage  ·  activity  ·  email engagement
CRM write-back of health scores only when explicitly enabled.
WhatsApp via Interakt
Delivery receipts  ·  read receipts  ·  reply detection
Message content you did not write is never stored.
Google Analytics 4
Session counts  ·  engagement patterns  ·  event data
No PII from GA4. Aggregate behaviour patterns only.
CSV uploads
Any structured customer list  ·  purchase history  ·  contact data
Uploaded files processed and stored in your account only. Never shared.

How your data is stored

Encryption
AES-256 at rest. TLS 1.3 in transit. All data encrypted before writing to disk.
Isolation
Row-level security per account. Your data is structurally invisible to every other BHASM account.
Data residency
India: Mumbai. US and Global: US East. Selectable at account level.
Retention
Retained for the life of your account. Deleted within 72 hours of deletion request.
Backups
Point-in-time recovery. Backups encrypted identically to live data. Retained 30 days.
AI processing
Message enrichment uses Anthropic Claude API. Context sent is anonymised — no raw PII sent.

What BHASM never does

Sell your customer data to any third party.
Share customer records across BHASM accounts. Each account is structurally isolated.
Use your data to train any AI model, including BHASM proprietary models.
Store payment card details, PINs, or account credentials.
Access contacts you have not explicitly imported or connected.
Send any message without your approval on the Seed plan.
Retain data after account deletion beyond the 72-hour processing window.
Access your systems beyond the specific API scopes you have authorised.

What this looks like in practice

The system that knows when to stop.

Pressure signal detected
Customer raised a complaint.
Silence enforced.
All outreach is blocked. No campaign, no brief item, no autonomous send — until BHASM detects resolution signals. The relationship is worth more than the send.
Payment failure detected
Payment failed 3 days ago.
Promo blocked.
Sending a promotional message to a customer with a failed payment creates regulatory exposure and destroys trust. BHASM treats this as an absolute block. No override exists.
These are not configurable. They are architecture.

Compliance

DPDP Act 2023
Digital Personal Data Protection Act. Consent recorded at signup with timestamp. Purpose limitation enforced. Data principal rights honoured including correction and deletion.
GDPR aligned
Lawful basis of processing documented. Data subject rights supported. Data processing agreements available on request.
Right to deletion
Email hello@bhasm.ai. All personal data removed from live systems within 72 hours. Backup removal within 30 days. Confirmation email sent.
Consent management
Granular consent per channel — email, WhatsApp, SMS. Opt-out respected immediately. Consent log available to account holder on request.

Security questions

For security questions, penetration test reports, data processing agreements, or compliance documentation for your procurement team:

hello@bhasm.ai

Version 1.2  ·  Updated May 2026
