Privacy Policy
Last updated: 2026-06-01
1. Who we are
Badtool (“we”, “our”) is the data controller for personal data processed through this website and the Badtool platform. You can contact us about privacy at hi@badtool.ai.
2. Data we collect
Account data
When you sign up, we collect your email address, workspace name, and any profile information you choose to add (name, role, photo). Authentication is by magic link — we do not store passwords.
Usage data (the platform)
For workspaces you join, we store the content you and your teammates create: tasks, projects, SOPs, brain entries, files uploaded to Drive, and AI chat history. We also store activity events captured by the Badtool Chrome extension when you have it installed — page visits, time on task, interaction signals (click, scroll, and keystroke counts used to build an activity heatmap), professional-networking activity on LinkedIn (such as messages sent, profile views, and connection requests), and (on Pro/Teams plans) periodic screenshots of your active browser tab during a work session.
Analytics data (this website)
If you accept analytics cookies, we use Microsoft Clarity (session recordings, heatmaps), Google Analytics 4 (aggregate traffic statistics), and the Meta Pixel (to measure the performance of our Facebook and Instagram ads and, where applicable, to show you relevant ads) to understand how visitors use this site. These tools may set cookies and process IP addresses and device identifiers. You can withdraw consent at any time via the Cookie preferences link in the site footer.
Technical data
We log IP address, browser user-agent, and timestamps for security and abuse prevention (rate limits, login history, geo-fencing of office IPs on Teams plans).
3. Why we process your data (legal bases)
- Contract (Art. 6(1)(b) GDPR) — to provide the Badtool platform you or your workspace admin has signed up for.
- Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, keeping the platform reliable, and improving the service. We balance these against your rights and only rely on this basis where appropriate.
- Consent (Art. 6(1)(a)) — analytics cookies on this website. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — accounting, tax, and responses to lawful regulator requests.
4. Who we share data with
We share personal data only with processors we need to run the service:
- Supabase — database and authentication infrastructure.
- Vercel — hosting and edge delivery.
- Mailgun — transactional email (magic links, reports).
- Stripe — billing and subscription management.
- Anthropic, OpenAI — AI providers for chat, SOP grading, and report generation. We send only the content needed to fulfil your request; no training on your data.
- Microsoft Clarity, Google Analytics — website analytics, when you have given consent.
- Meta Platforms (Facebook/Instagram) — the Meta Pixel sends limited event data (e.g. page views, sign-ups) to measure and optimise our ads, only when you have given analytics consent.
We do not sell personal data. The only data shared with an advertising platform is the limited measurement data the Meta Pixel sends to Meta for ad performance — and only when you have consented to analytics cookies.
5. International transfers
Some processors are based in the United States. Where data is transferred outside the EEA, we rely on the EU Commission’s Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. Copies of the safeguards used are available on request.
6. How long we keep data
- Account data — for the lifetime of your workspace. Deleted within 30 days of workspace deletion.
- Activity events (Chrome extension) — 7 days on Free plan; retained for the lifetime of the workspace on Pro and Teams.
- Analytics — Google Analytics retains for up to 14 months; Clarity retains for up to 13 months; the Meta Pixel _fbp cookie lasts up to 90 days, and Meta retains event data per its own data policy.
- Billing records — retained for the period required by tax law (typically 7 years).
7. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data deleted (“right to be forgotten”)
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent for any processing based on consent
- Lodge a complaint with your local supervisory authority — find yours at edpb.europa.eu
To exercise any of these rights, email hi@badtool.ai. We will respond within 30 days.
8. Cookies on this website
We use cookies in two categories:
- Strictly necessary — authentication (auth-token), workspace branding hint (last-tenant-slug), and the cookie-consent record itself (cookie-consent). These do not require consent.
- Analytics (opt-in in the EU) — Microsoft Clarity (_clck, _clsk), Google Analytics (_ga, _ga_*), and the Meta Pixel (_fbp, and _fbc when you arrive from a Meta ad). Only set if you click Accept all or enable analytics in the customize panel.
Visitors outside the EEA, UK, and Switzerland may see analytics cookies set automatically without a banner; you can still withdraw consent at any time via the Cookie preferences link in the site footer.
9. Children
Badtool is not directed at children under 16 and we do not knowingly collect data from them.
10. Changes to this policy
We may update this policy as the platform evolves. Material changes will be announced in-app or by email to workspace admins.