GDPR & DATA PROTECTION
Your data, your rights.
Badex is a controller and processor under EU GDPR. We process personal data lawfully, fairly, and transparently.
Data Residency
EU (West Europe)
Azure data centers in Amsterdam, Netherlands
DPO Designated
Aurelian Badiu
dpo@badex.app
Supervisory Authority
Belgian APD/GBA
www.dataprotectionauthority.be
What we collect
Account Data
Name, email, company name, billing address, VAT number
Authentication Data
Hashed passwords, MFA tokens, OAuth refresh tokens (encrypted)
Email Metadata
Subject lines, recipient addresses, send timestamps (NOT email body content unless required for signature processing)
Telemetry Data
IP addresses (anonymized after 30 days), user agent, page views
Payment Data
NOT stored. Processed by Stripe (PCI-DSS Level 1 compliant)
Your GDPR rights
Right to Access
Request a copy of all personal data we hold about you (Article 15).
Right to Rectification
Correct inaccurate or incomplete personal data (Article 16).
Right to Erasure
Delete your personal data ("right to be forgotten") (Article 17).
Right to Restriction
Limit processing of your personal data (Article 18).
Right to Portability
Receive your data in a machine-readable format (Article 20).
Right to Object
Object to processing based on legitimate interest (Article 21).
Right to Lodge Complaint
File complaints with your local data protection authority.
Data retention
| Category | Retention |
|---|---|
| Account data (active customer) | Duration of contract + 30 days after deletion |
| Billing records (legal obligation) | 7 years (Belgian tax law) |
| Email metadata | 90 days |
| Authentication logs | 90 days |
| Application logs (anonymized) | 30 days |
Exercise your rights
We respond to GDPR requests within 30 days. Verification of identity is required to prevent fraudulent requests.