Privacy Policy

• Account information— email, optional name, password hash (or magic-link state), and the organisation(s) you belong to.
• Operator-supplied employee/student data— whatever fields you import (names, IDs, departments, photos, barcodes). You decide what to upload. We don’t require any specific fields beyond a first and last name.
• Templates, themes, and rendered badges— the design files you create and the PDFs we generate when you print.
• Operational telemetry— print job records (which operator printed which template at what time) and an audit log of admin actions. We don’t track behavioural analytics (no Google Analytics, no Mixpanel, no Segment).
• Print Agent pairings— if you install our optional desktop helper, the device’s hostname, the printer names it reports, and a bearer token used to authorise print dispatches to that machine.

BadgeBadger runs entirely in the United States. The components are:

• Database & file storage — Supabase. Postgres for structured records, S3-compatible object storage for photos and rendered PDFs, both encrypted at rest. Row-level security policies guarantee that one organisation can’t read another’s data even if a bug bypassed our application layer.
• Application hosting — Railway. Stateless Next.js server; no persistent operator data lives here.
• Transactional email — Resend for invitation emails, password resets, and weekly report digests. Subject to Resend’s privacy policy.
• Billing — Polar. Payment-method details never touch BadgeBadger; Polar handles the card and PCI compliance.
• DNS & edge — Cloudflare for DNS only. We don’t use Cloudflare’s reverse proxy for production data.
• Optional AI features — the Scan card to template feature sends an image of an existing ID card to Anthropic for layout extraction. Anthropic does not train on this data per their commercial API terms. We only call out to Anthropic when an operator clicks the “Scan card” button.

• We don’t use your data to train AI models — ours or anyone else’s.
• We don’t sell or share data with advertisers, brokers, or anyone outside the processors listed above.
• We don’t track operators across the web. No third-party analytics or advertising scripts run on hq.badgebadger.app.

Account and operator data persists for the life of your subscription. When you delete an employee record we soft-delete and then purge after 30 days. When you cancel your account we purge all records within 60 days unless you ask us to keep them longer for migration.

Audit log entries are kept for one year for security and dispute resolution. Print job records (who printed what, when) are kept for the life of the subscription as part of the audit trail and are deletable on request.

Depending on where you live (GDPR, CCPA, FERPA, COPPA), you may have the right to access, correct, delete, or export the data we hold about you. Email privacy@badgebadger.app with the request and we’ll respond within 30 days.

BadgeBadger acts as a data processor for the employee/student records you upload; the organisation that uploaded them is the data controller. Individual students or employees should make rights requests to their organisation first.

BadgeBadger is designed to be FERPA-friendly: directory information is the only field type we require, photos and IDs are stored under organisation-scoped Supabase RLS, and we sign a Data Processing Addendum with K-12 districts on request. See the DPA template and email k12@badgebadger.app to start the paperwork.

We don’t knowingly create accounts for children under 13 using the platform directly — only their schools or districts do.

We’ll email the account owner at least 30 days before any materially adverse change. Minor clarifications (typos, links, new sub-processors that don’t change the type of data collected) are reflected here without notice; check the “Effective” date above.

Privacy questions: privacy@badgebadger.app.
Security disclosures: security@badgebadger.app.
Everything else: help@badgebadger.app.