# badrap.io Privacy Policy

Badrap Ltd develops and maintains this service. We process your personal data according to the General Data Protection Regulation (GDPR) of the European Union, as well as all other relevant Finnish and EU legislation. In this privacy policy we explain our basis for processing your personal information, and inform you of your rights regarding your personal data.

# Data controller contact details

Badrap Oy
Teknologiantie 18 B
90590 Oulu
Finland
Email: support@badrap.io
Business ID: 2846254-9

Badrap processes the personal information of its registered users in order to provide the service to the users. The legal basis for processing is the explicit consent of the data subject - your own consent. You can create an account in the service yourself and submit your data if you choose to do so. We always ask for explicit consent before any of your personal data is stored under your user account.

For users who use our service without creating a user account, the legal basis for processing personal data is our legitimate interests. We use Google Analytics to collect anonymous visitor statistics. It allows us to know that someone visited our service.

# What personal information do we process?

  • One or more email addresses that you may choose to register into our service
  • One or more IP addresses that you may choose to register into our service
  • Security researchers' warnings regarding your registered IP addresses and email addresses ("assets")

# Data sources

We receive your personal data with your explicit consent when you create an account for the service and when you use the service. You can choose to register your assets (IP addresses or email addresses that you use) under your user account. If you register an asset, it will be associated with your user account. You can add more assets under your user account. Registering a new asset under your account always requires your explicit consent. You can at any time see all of your personal data under your user account page, remove any registered assets from your account, or remove your whole user account completely.

We receive information security warnings from security researchers and research groups who follow malicious Internet traffic. If an asset that you have registered is found in any security researchers' warning lists, we will forward you any information regarding your asset that we have received from security researchers. As a rule, your personal data is not transferred to security researchers or any other third parties - only you yourself have access to your own personal data.

# Your rights as a data subject

You have the following rights according to GDPR regarding the processing of your personal data. You can exercise your rights either directly through our service, or by contacting us by email.

Right of access: You have the right to check at any time what personal information we have stored in our database about you. You can do this yourself by logging in to your user account and checking your personal information on your account page.

Right to object: You have the right to object to our processing of your personal data if you think that our processing is not in accordance with the GDPR, or if you think we have no lawful basis for processing your data. You can exercise this right by removing your user account and refraining from using the service.

Right to erasure: You have the right to remove your personal data from the service at any time. The easiest way to do this is to log in to the service and to remove your user account.

Right to data portability: You have the right to request a machine-readable summary of your personal data from us, so that you can transfer it to another service provider. If you want to exercise this right, please contact us by email.

Right to lodge a complaint: You have the right to complain to the supervisory authority if you think we are in violation of your rights, of the GDPR, or of Finnish law regarding personal data protection. The supervisory authority in this case is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu) in Finland.

Right to object to direct marketing: You have the right to object to the use of your personal data for direct marketing purposes. Please keep in mind that we never use your data for direct marketing, nor do we transfer your data to third parties who could use it for direct marketing.

# Duration of processing

We process your personal information as long as your user account exists or as long as you keep using the service. If you have created a user account, you can at any time delete your account yourself. When you delete your account, all of your personal information is erased from our systems. If you use the service without a user account as an anonymous user, you can at any time just stop using the service and refrain from using it again. This will cease our processing of your personal data.

# Data recipients

Your personal data can be accessed by named employees of Badrap Ltd, who develop and maintain the service. As a rule, we do not transfer your data to third parties or use external service providers as subcontractors.

As part of our data breach monitoring service, we offer an integrated search function against security researcher Troy Hunt's Have I Been Pwned data breach reporting database. This search function allows you to search for your email addresses in the Have I Been Pwned data breach service, and to be automatically notified if any new data breaches are published which contain personal information relating to your email addresses.

The Have I Been Pwned privacy policy states that they do not store or log your email addresses in any way when a query is performed. If you do not trust Badrap or Have I Been Pwned to process your email addresses securely, you can always refrain from enabling and using the Have I Been Pwned search feature in Badrap.

Note that you always have to provide your explicit and unambiguous consent to use Badrap's Have I Been Pwned search feature, and that you can revoke this consent from your account settings at any time.

# Data transfers outside of the EU

Some parts of our technical service implementation use external components: we use Google Analytics for usage statistics, Mailgun and Mailchimp for sending automatic email notifications to registered users, and Google Cloud SQL for storing information. We require that the countries of our foreign service providers have an adequate level of data privacy as required by the GDPR, and that the providers are committed to following the GDPR and other relevant EU regulations.

# Automated individual decision-making

Your personal data is NOT used for automated individual decision-making or profiling.

# Data protection principles and measures

Your personal data is stored and processed according to the best current technical and organizational privacy and security practices that we know of. We use encryption in all data transfer and storage, access control and auditing for all access to data, as well as backups and version control to ensure the integrity and availability of databases and user account data. We constantly ensure that all our employees are aware of the importance of data privacy and that everyone works according to best practices. Our employees are required to uphold a non-disclosure policy for personal data according to the GDPR. If a data breach happens, we are prepared to report the incident to the supervisory authority as well as to the data subjects within the time limits specified by legislation. We are also prepared to present our practices and measures to the supervisory authority, if needed. We constantly strive to develop our practices and measures further in order to improve the security and privacy of our service.

Technically the process goes as follows: The user (you) registers his/her/their email addresses and IP addresses in the service via a TLS-encrypted session. The data provided by the user is stored in a Google Cloud SQL database. The database is secured with strong encryption and it implements SSAE 16, ISO 27001, PCI DSS v3.0 and HIPAA requirements. Only named Badrap employees who maintain the service can access the database. All email transmissions are done over TLS-encrypted connections whenever possible. No physical copies are ever made of users' personal data and no personal data is ever processed manually.