Privacy Policy.

This Privacy Policy explains what personal data BadRep Emails (“BadRep”, “we”, “us”, “our”) — operated by Larination, LLC (a Delaware limited liability company), 2810 N Church St, PMB 61607, Wilmington, DE 19802, USA — collects from you, why we collect it, how we use and share it, and the rights you have over it.

This policy applies to the BadRep website (badrep.email), the subscription product, and any related communications with us.

1. Short version

We collect the minimum we need to run a paid subscription service: your email, an authentication credential, your Stripe customer ID, and the emails you save inside the app. We use it only to let you log in, take payment, and provide the product. We share it with a small number of processors (Supabase, Stripe, Vercel, Customer.io, Notion, Sentry) whose job is to run the infrastructure. We don’t sell your data. We don’t use it to train machine learning models. You can delete your account at any time from the account page.

The rest of this document is the detailed version.

2. Data we collect

2.1 Account data

When you sign up, we collect your email address, a password, and (optionally) your first name. Passwords are never stored in plaintext — we use Supabase Auth, which hashes passwords with industry-standard algorithms before storage. Your first name (if provided) is used only to personalize the product UI and any transactional or marketing emails you’ve consented to receive.

2.2 Marketing consent

At signup we ask whether you’d like to receive product updates, new-feature announcements, and occasional email-marketing tips by email. This is an explicit opt-in (off by default). If you opt in, we record your consent and the timestamp for our audit records. You can withdraw consent at any time by unsubscribing from any of our marketing emails or emailing support@badrep.email — withdrawing consent does not affect transactional service emails (password resets, billing receipts, account changes), which we continue to send while your account is active.

2.3 Subscription data

When you start a subscription, Stripe collects your payment information (card number, expiry, CVC, billing address). We never see or store your full card number. From Stripe we receive and store:

• Your Stripe customer ID and subscription ID
• Subscription status (active, past_due, canceled, etc.)
• The price ID of your plan
• The end date of your current billing period
• Whether your subscription is set to cancel at period end

2.4 Usage data inside the product

We store the things you do inside the app that need to persist — most notably, the list of emails you’ve saved to your account, and any brand requests or bug/feature feedback you submit through the in-app forms (these are stored in our internal Notion workspace for triage).

2.5 Technical data

Our hosting provider (Vercel) and our database (Supabase) log certain technical information as part of running the service — for example, request timestamps, IP addresses, and error traces. This is standard operational logging and is retained for a limited period.

We use Sentry (Functional Software, Inc.) for error monitoring. When an error occurs in the product, Sentry receives a stack trace and contextual metadata that may include your user ID and the URL you were visiting, but never your password or payment details.

We may also use a small amount of privacy-respecting analytics to understand which features are used and where people drop off. If enabled, this is aggregated and does not identify individual users.

2.6 Cookies and local storage

We use cookies strictly necessary to keep you logged in (authentication session cookies set by Supabase Auth). We also use your browser’s sessionStorage to cache your search state so the app feels fast when you navigate between pages — this data stays on your device and is cleared when you close your browser tab.

We do not use third-party tracking cookies or advertising pixels.

3. Why we collect this data

We process your data for the following purposes:

We do not use your data for profiling or to train machine-learning models, and we do not send marketing email without explicit consent.

4. Who we share data with

We share your data with a small set of service providers who process it on our behalf:

• Supabase (Supabase, Inc.) — database and authentication. Hosts your email, password hash, saved emails, and subscription record.
• Stripe (Stripe, Inc.) — payment processing. Holds your card details and billing information; we only hold the customer and subscription IDs.
• Vercel (Vercel Inc.) — application hosting. Sees requests as they pass through, including URLs you visit and standard HTTP metadata.
• Customer.io (Peaberry Software, Inc.)— sends our transactional emails (signup confirmation, password reset, billing receipts, account change notices) and, where you’ve consented, our marketing emails. Holds your email address and any first-name personalization data.
• Notion (Notion Labs, Inc.) — stores brand requests and product feedback you submit through the in-app forms, along with the email address you used to submit them, so we can triage them internally.
• Sentry (Functional Software, Inc.) — error monitoring. Receives stack traces and contextual metadata when something breaks.

These providers are bound by their own contracts and privacy policies and are only permitted to use your data to provide services to us. We do not sell, rent, or trade your personal data to anyone.

We may disclose data if compelled by valid legal process (subpoena, court order) or to protect our rights, safety, or property, or those of our users or the public. Where legally permitted, we will notify you first.

5. International transfers

We are based in the United States(Delaware). Our processors may store or process data in jurisdictions outside your country of residence, including the United States and the European Union. Where required, these transfers are covered by appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

6. How long we keep data

• Account and subscription data: For as long as your account is active, and for up to 24 months after you close your account, in order to resolve disputes and comply with tax and accounting obligations.
• Billing records: We retain invoice and subscription history for at least 7 years where required by applicable tax law.
• Technical logs: Retained for a limited period by our hosting and database providers (typically 7–90 days) for debugging and security.
• Support correspondence and feedback: Retained for up to 24 months so we can reference prior tickets.

After these periods, data is deleted or irreversibly anonymized.

7. Your rights

Depending on where you live, you may have some or all of the following rights over your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate data.
• Deletion — close your account and have your personal data deleted. You can do this yourself from the account page; it removes your login, saved emails, and subscription record from our systems.
• Objection or restriction — object to, or restrict, certain processing.
• Withdraw consent — where processing is based on consent (e.g., marketing emails), you can withdraw it at any time.
• Complaint — lodge a complaint with your local data protection authority.

Please note: BadRep does notoffer a data export / portability function. The data we hold is limited (your email, saved email IDs, subscription metadata, marketing consent flag), and our product doesn’t produce the kind of user-generated content where export is meaningful. If you’re in a jurisdiction where portability is a statutory right and you’d like a summary of what we hold on you, email support@badrep.email and we will provide a human-readable summary.

To exercise any other right, email support@badrep.email. We’ll respond within 30 days.

If you’re in the European Economic Area or the UK

You have rights under the GDPR (and the UK GDPR) as described above. We are the data controller for your personal data. You have the right to lodge a complaint with your local supervisory authority.

If you’re in California

Under the California Consumer Privacy Act (“CCPA”) you have rights to know, delete, and correct personal information, and to non-discrimination when exercising those rights. In the past 12 months we have not sold personal information and have not shared it for cross-context behavioral advertising.

8. Security

We take reasonable technical and organizational measures to protect your data. These include:

• TLS encryption of data in transit
• Passwords stored as salted, hashed values (via Supabase Auth)
• Row-level security rules in our database so users can only see their own records
• Principle-of-least-privilege access for our team
• Regular patching of dependencies and infrastructure
• Server-side scrubbing of personal identifiers from the marketing emails we ingest, before they reach the public archive

No system is perfectly secure. In the unlikely event of a breach affecting your data, we will notify you and any required authorities in line with applicable law.

9. Children

BadRep is not intended for, and may not be used by, anyone under 18. We do not knowingly collect personal data from children. If you believe a minor has provided us data, email support@badrep.email and we will delete it.

10. Automated decision-making

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we’ll notify you by email at least 15 days before they take effect. The “Last updated” date at the top always reflects the current version. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact us

Questions about this policy, or want to exercise any of your rights?

Email: support@badrep.email
Postal: Larination, LLC, 2810 N Church St, PMB 61607, Wilmington, DE 19802, USA