Security, privacy & data handling.

Baton Strategies operates on top of trusted cloud infrastructure. Our hosting and database providers are responsible for the underlying platform security (physical data centers, network, managed database hardening). Baton Strategies is responsible for how the application is built and configured on top of that platform — including authentication, access policies, and the data we choose to collect. Our clients and users are responsible for safeguarding their account credentials and the information they choose to share.

• Sign-in is required for all advisor, buyer, and admin areas. Public marketing pages do not expose private data.
• Roles (admin, broker, advisor, user) are stored server-side and enforced through database row-level security policies, not by the browser.
• Sensitive seller, buyer, and contact records are scoped so that advisors and brokers can only read records they own or are assigned to.
• Confidential deal materials (CIMs, data rooms, NDA PDFs, advisor agreements) live in private storage buckets and are served through short-lived, signed URLs after the appropriate NDA or access grant is in place.

We collect the information you provide directly — for example, valuation inputs, seller and buyer contact details, business financials shared during diligence, and account profile information. We also collect basic operational metadata (timestamps, audit logs of sensitive actions) so we can support clients and investigate issues.

The Baton Strategies website and application are served over HTTPS/TLS. Application data and uploaded files are stored with our managed database and storage providers, which apply encryption at rest as part of their managed service. We do not claim end-to-end encryption.

We rely on a small set of vendors to operate the platform. Categories include:

• Hosting and edge delivery for the website and application.
• Managed database, authentication, and file storage.
• Payments processing for advisor subscriptions and onboarding fees.
• Transactional email delivery for notifications and signed documents.

For a current list of named subprocessors, email contact@batonstrategies.com.

We retain client and transaction records for as long as needed to deliver the service and to meet our business and legal recordkeeping needs. If you would like a copy of your data or want us to delete information associated with your account, contact us at contact@batonstrategies.com and we will respond within a reasonable timeframe.

We use a minimal set of first-party cookies and local storage entries that are required for sign-in sessions and basic site functionality. We do not sell personal information.

To exercise a privacy request (access, correction, or deletion), email contact@batonstrategies.com from the address associated with your account. We may need to verify your identity before fulfilling the request.

If you believe you have found a security vulnerability in our website or application, please email contact@batonstrategies.com with a description of the issue and steps to reproduce it. Please give us a reasonable opportunity to investigate and remediate before any public disclosure.

We do not currently claim SOC 2, ISO 27001, HIPAA, PCI, or GDPR certification. We follow the security practices described on this page and use vendors that operate under their own compliance programs. For specific compliance questions tied to an engagement, contact us directly.