1. Data We Collect
Badex Signature collects only the data necessary to provide the email signature service:
- User directory data — Names, email addresses, job titles, phone numbers, and department information synced from your Microsoft 365 directory via Graph API, or manually created SMTP accounts for Generic SMTP plans.
- Email metadata — Sender and recipient email addresses for signature injection and analytics. We do not store email body content.
- Usage analytics — Email open and click events for banner campaign tracking.
- Account data — Administrator email addresses and authentication credentials for dashboard access.
2. How We Use Your Data
- To inject personalized email signatures into outbound emails
- To generate and manage DKIM signing keys per domain
- To provide analytics on signature engagement
- To sync user information automatically from Microsoft 365 or manage SMTP accounts
3. Data Storage
All data is stored on servers located in the European Union. We use industry-standard encryption for data at rest and in transit. Email content is never stored — only processed in memory during signature injection.
4. Lawful Basis of Processing
- Contract (Article 6(1)(b) GDPR) — Providing the Badex Signature service, account management, billing
- Legitimate interests (Article 6(1)(f) GDPR) — Security monitoring, fraud prevention, anonymised analytics
- Consent (Article 6(1)(a) GDPR) — AI Inbox email analysis (explicit tenant opt-in)
- Legal obligation (Article 6(1)(c) GDPR) — Compliance with applicable laws
5. Data Sharing with Third Parties
We do not sell or rent your data. We share data with the following service providers only as necessary to deliver our service:
- Microsoft Azure (EU) — Infrastructure, storage, monitoring
- Microsoft Graph API (EU / Global) — M365 email integration
- Stripe Inc. (USA) — Payment processing (PCI DSS compliant, card data not stored by BADEX)
- Groq Cloud (USA, opt-in only) — AI inference for AI Inbox, data not retained
- Google Gemini (USA, opt-in only) — AI fallback inference, data not retained
- Voyage AI (USA, opt-in only) — Email embedding for semantic search, data not retained
- Jina AI (Germany EU, opt-in only) — Fallback embedding provider, data not retained
- Cloudflare (EU / Global) — DNS, WAF, DDoS protection
- Contabo GmbH (Germany EU) — Server hosting
6. AI Features
Badex Signature includes optional AI features (AI Inbox) that are disabled by default. When enabled by the tenant, email subject and body text may be processed by AI providers for reply suggestions and semantic matching. No attachments or sender/recipient addresses are sent to AI providers. AI-generated content is clearly labeled. Tenants can disable AI at any time.
7. Data Retention
- Account and profile data — duration of subscription + 30 days
- Email logs and activity — 90 days
- Security logs — 90 days
- Billing records — 7 years (legal requirement)
- AI-processed content — not retained beyond processing
- Backups — 7 days local, 30 days cloud
8. Your Rights (GDPR)
You have the right to access, rectify, and erase your data, to restrict or object to its processing, to data portability (CSV/JSON), and to exercise rights related to automated decision-making. Contact admin@badex.app. We respond within 30 days.
9. International Data Transfers
Where data is transferred outside the EU/EEA, BADEX ensures safeguards via Standard Contractual Clauses (SCCs). AI providers process data only on explicit tenant opt-in and do not retain data.
10. Security
We implement TLS 1.2/1.3 encryption in transit, AES-256 encryption at rest, Wazuh SIEM monitoring, network segmentation, firewall controls, and VPN with MFA for all administrative access.
11. Supervisory Authority
Belgian Data Protection Authority — www.dataprotectionauthority.be
Rue de la Presse 35, 1000 Brussels — contact@apd-gba.be — +32 2 274 48 00
12. Contact
BADEX (Badex) — BE0743.754.923 — Zoersel, Belgium
Data Protection Contact: admin@badex.app (Aurelian Badiu, CEO)