Privacy Policy
This Privacy Policy explains how we collect, use, store, and protect personal data when you use our services, including our Personal Data Server (PDS) operating on the AT Protocol network.
1. Introduction
This service is operated by Aureus Z, Inc., operator of bapu.app. We are committed to minimizing data collection, protecting user privacy, and operating our services in a secure and transparent manner.
Contact: contact@bapu.app
2. What Is Personal Data?
Personal Data refers to information that can identify you directly or indirectly, including usernames, email addresses, IP addresses, cryptographic identifiers, and technical metadata.
3. Scope of This Policy
This Policy applies to account registration, authentication, content hosting, federated communication, API access, and system operation. It does not apply to third-party applications, appviews, or external services.
4. Personal Data We Collect
Data You Provide
- Username / handle
- Email address (optional, if enabled)
- Cryptographic identifiers (DID, public keys)
- Identity verification data (when required for handle granting)
System Data
- IP address
- Request metadata
- Security and operational logs
Public Content
Content published on the AT Protocol network is public by design. This includes posts, profiles, follows, likes, and blocks.
5. Data We Do Not Collect
- Payment or financial information
- Advertising profiles
- Behavioral tracking
Note: Government-issued identification and biometric data (liveness checks) are processed directly by our identity verification provider and are not stored on our systems.
6. How We Use Personal Data
- Account authentication and access
- Service operation and reliability
- Security, abuse detection, and fraud prevention
- Legal compliance
We do not sell or commercially exploit personal data.
7. Legal Basis for Processing
We process personal data on the following legal bases:
- Contractual necessity: account creation, authentication, and service delivery
- Legitimate interest: security monitoring, abuse prevention, and service reliability
- Legal obligation: compliance with applicable law, including responses to valid legal requests
- Consent: where we explicitly request it, such as optional communications
Users in the European Economic Area (EEA) may contact us to request clarification of the legal basis applicable to any specific processing activity.
8. Data Sharing
Data may be shared with infrastructure service providers, including our identity verification provider, or when legally required. We use Cloudflare for traffic routing, security, and performance monitoring. Cloudflare may process technical data including IP addresses and browser information as a data processor on our behalf. We do not sell or rent personal data.
9. Identity Verification
For certain handle grants, we use Didit as our identity verification provider. Didit may process identity documents and biometric data (such as liveness checks) directly on our behalf. This data is not transmitted to or stored on Bapu's systems. Didit's processing is governed by their own privacy policy, available at didit.me. We encourage users to review it before completing verification.
10. Data Retention
- Account data: retained while the account is active
- Security logs: 14–90 days
- Legal compliance records: as required by law
- Backups are encrypted and retained on a rolling 30-day cycle, after which they are permanently and securely deleted.
11. Security
We implement industry-standard security controls including encryption, access controls, monitoring, and regular audits. However, no system can be guaranteed completely secure.
12. Your Rights
You may request access to, or correction, deletion, or export of, your personal data at any time by contacting contact@bapu.app. We will respond within 30 days. Users in the EEA have additional rights under GDPR, including the right to object to processing and the right to lodge a complaint with a supervisory authority.
13. Cookies
We use only essential technical cookies required for authentication and system security.
14. Children
This service is not intended for users under 13 years of age or the minimum age required by applicable law.
15. Jurisdiction
This Policy is governed by the laws of the State of Delaware, United States.
16. Policy Updates
This Policy may be updated periodically. Material changes will be announced on our website.