Privacy Policy
Last updated: July 9, 2026 · Operated by Bad Decision (Lagos, Nigeria) · support@baddecision.app
This Privacy Policy explains how Bad Decision ("Bad Decision", "we", "us", or "our") collects, uses, discloses, and safeguards your information when you visit our website at baddecision.app, access our dashboard at dashboard.baddecision.app, or use our software services (collectively, the "Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Nigeria Data Protection Act (NDPA) 2023.
1. Information We Collect
1.1 Information You Provide Directly
When you create an account, subscribe to a paid plan, or contact us, we collect:
- Account information: Your name, email address, password (hashed), and company name.
- Profile information: Your job title, role, timezone, and outreach preferences (sender name, copywriting style, target audience).
- Payment information: When you subscribe to a paid plan, our payment processor (Dodo Payments) collects and processes your card details. We never see or store your full card number — only the last 4 digits, card brand, and expiration date for display purposes.
- Communication: Emails you send to our support team, and any information you voluntarily provide when filling out forms on our website.
1.2 Information We Collect Automatically
When you access the Service, we automatically collect certain technical and usage information:
- Device and browser information: IP address, browser type and version, device type, operating system, and screen resolution.
- Usage information: Pages visited, time spent on pages, clicks, feature usage, search queries you run, and error logs.
- Cookies and similar technologies: See our Cookie Policy for details.
1.3 Lead Data You Process Through the Service
When you use our lead generation, email verification, or cold outreach features, you may process data about third-party individuals (your leads). This may include:
- Business contact information (name, email address, phone number, job title)
- Company information (name, website, industry, location, tech stack)
- Social media profile links (LinkedIn, Twitter, Instagram)
- Email engagement data (opens, clicks, replies, bounces)
You are the data controller for this lead data. You are responsible for ensuring you have a lawful basis (consent, legitimate interest, etc.) to process this data under GDPR, CCPA, NDPA, and any other applicable law. We are your data processor — we process lead data only on your instructions and only to provide the Service to you.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide the Service: Create and manage your account, process payments, deliver lead generation results, run email campaigns on your behalf, and provide customer support.
- To communicate with you: Send you service-related emails (welcome emails, payment receipts, security alerts, product updates), respond to your support inquiries, and send marketing emails (only if you opt in).
- To improve the Service: Analyze usage patterns, identify bugs, measure feature adoption, and prioritize new features.
- To detect and prevent fraud, abuse, and security incidents: Monitor for suspicious activity (mass account creation, payment fraud, spam campaigns, ToS violations), and block bad actors.
- To comply with legal obligations: Respond to lawful requests from law enforcement, regulators, or courts; enforce our Terms of Service; and protect our legal rights.
3. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Performance of a contract (Article 6(1)(b)): To deliver the Service you subscribed to, process your payments, and fulfill our obligations under the Terms of Service.
- Legitimate interests (Article 6(1)(f)): To detect and prevent fraud, improve our Service, communicate with you about updates, and enforce our rights. We balance our legitimate interests against your privacy rights and only process where necessary.
- Legal obligation (Article 6(1)(c)): To comply with applicable laws (tax records, financial regulations, law enforcement requests).
- Consent (Article 6(1)(a)): For marketing emails, optional analytics, and any other processing where we ask for your explicit consent. You can withdraw consent at any time.
4. How We Share Your Information
We do not sell your personal data. We share information only in these limited cases:
4.1 Service Providers
We use third-party service providers to operate the Service. Each is contractually bound to protect your data:
- WorkOS: Authentication and user identity management. Processes your email, name, and login credentials. (United States)
- Supabase: Database hosting. Stores your account data, lead data, and campaign data. (United States / EU regions available)
- Dodo Payments: Payment processing. Processes your card details and billing information. (United States / global)
- Amazon Web Services (AWS): Cloud infrastructure. Hosts our backend API, scraping workers, and email-sending workers. (Multiple regions)
- Vercel: Frontend hosting. Serves the marketing site and dashboard. (Global edge network)
- Resend: Transactional email delivery. Sends welcome emails, payment receipts, and password resets. (United States)
- Cloudflare: CDN, DDoS protection, DNS. (Global edge network)
- DeepSeek: AI copywriting for outreach message generation. Processes lead names, company names, and outreach context. (China — see Section 4.3 for transfer safeguards)
- MyEmailVerifier / BillionVerify / Reoon / MailboxValidator: Email verification. Processes email addresses only. (Various jurisdictions)
- Sentry: Error tracking. Processes anonymized error data and (optionally) user IDs. (United States)
4.2 Business Transfers
If Bad Decision is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you by email and via a prominent notice on our website 30 days before any such transfer.
4.3 International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, Nigeria, and China. We use Standard Contractual Clauses (SCCs) approved by the European Commission to protect transfers from the EEA/UK to third countries. For transfers to the United States, we rely on the EU-U.S. Data Privacy Framework where applicable.
Note on DeepSeek: We use DeepSeek (a Chinese AI provider) for outreach message drafting. DeepSeek only receives the lead's name, company name, and your chosen copywriting style — never email addresses, never phone numbers, never full lead profiles. If you do not want any data sent to DeepSeek, you can disable AI drafting in your settings or supply your own DeepSeek API key (community members only).
4.4 Legal Disclosures
We may disclose your information if required by law, court order, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Data Retention
We retain your personal data for as long as necessary to provide the Service:
- Active accounts: All data is retained while your account is active. You can delete your account at any time from Settings → Account → Delete Account.
- Closed accounts: We retain account data for 30 days after deletion (in case you change your mind), then permanently delete it. Lead data and campaign data are deleted immediately.
- Lead data: Retained as long as your workspace is active. Deleted when your workspace is deleted.
- Email engagement data (opens, clicks, replies): Retained for 24 months for analytics, then aggregated and anonymized.
- Billing records: Retained for 7 years to comply with tax and financial regulations.
- Security logs: Retained for 12 months for fraud and abuse detection.
6. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data (the "right to be forgotten").
- Restriction: Request that we limit processing of your data in certain circumstances.
- Portability: Request your data in a structured, machine-readable format (CSV or JSON).
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: Withdraw consent at any time where we rely on consent for processing.
To exercise any of these rights, email us at support@baddecision.app with the subject "Privacy request" and your account email. We will respond within 30 days (or as required by applicable law).
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the EEA, this is your country's supervisory authority. In Nigeria, this is the Nigeria Data Protection Commission (NDPC). In California, this is the California Attorney General.
7. Data Security
We take reasonable technical and organizational measures to protect your data, including:
- Encryption in transit: All data is transmitted over HTTPS/TLS 1.2+.
- Encryption at rest: Database and object storage are encrypted with AES-256.
- Secrets management: API keys, SMTP passwords, and other secrets are encrypted with AES-256-GCM at the application layer and stored separately from the data they protect.
- Access controls: Role-based access control (RBAC) with the principle of least privilege. Production database access is restricted to two named engineers.
- Auditing: All access to production systems is logged and reviewed monthly.
- Vulnerability management: We run automated dependency scans on every code change and conduct quarterly security reviews.
- Incident response: In the event of a data breach, we will notify affected users and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.
Despite these measures, no system is 100% secure. We cannot guarantee absolute security of your data.
8. Children's Privacy
The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at support@baddecision.app and we will delete it.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Service. See our Cookie Policy for details on what we use, why, and how to opt out.
10. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services (e.g. Apollo, Hunter, MyEmailVerifier when you supply your own API keys). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
11. Your Responsibilities (Lead Data)
Because you control the lead data you process through Bad Decision, you are responsible for:
- Obtaining any necessary consent or having a legitimate interest to process lead data under applicable law.
- Honoring opt-out / unsubscribe requests within 10 business days (CAN-SPAM) or immediately (GDPR).
- Including your physical mailing address and a one-click unsubscribe link in every cold email you send through the Service (we provide these by default; do not remove them).
- Not using the Service to send unsolicited spam, phishing, or illegal content. See our Terms of Service for the full Acceptable Use Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a prominent notice on our website at least 30 days before the change takes effect. We encourage you to review this page periodically.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us:
- Email: support@baddecision.app
- Attn: Privacy Team, Bad Decision, Lagos, Nigeria
14. Data Processing Addendum (DPA)
For enterprise customers who require a signed Data Processing Addendum under GDPR Article 28, please see our DPA page or email us at support@baddecision.app with subject "DPA request".
Email us at support@baddecision.app and we'll get back to you within 24 hours.