Badger Privacy Policy

1. Who we are

For data protection purposes, Bear-Up Ltd is the data controller for the personal data we process through Badger.

• Controller: Bear-Up Ltd (trading as Badger)
• Company number: 15888795
• Contact email: hello@badgerapp.io
• Privacy contact: hello@badgerapp.io

If we are legally required to appoint an EU or EEA representative in future, we will list their details here.

2. Who this policy applies to

This policy applies to:

• people who use the Badger app,
• people who visit our website or landing pages,
• people who contact us for support, feedback, or enquiries,
• people who receive emails or service communications from us.

Badger is not intended for anyone under 16.

3. What we collect

We collect the information we need to run Badger, deliver personalised features, process purchases, keep the service secure, and improve the app.

A) Account and authentication data

Depending on how you sign in, we may collect:

• your email address,
• your password, stored in hashed form and never in plain text,
• login and authentication records, such as sign-in timestamps,
• account identifiers,
• if you use third-party sign-in, a platform identifier and basic account details supplied by that provider, such as Apple or Google.

B) Onboarding and profile data

We may collect:

• questionnaire answers,
• goals,
• barriers or challenges,
• available time, preferences, resources, and constraints,
• comfort-zone or difficulty preferences,
• optional profile details you choose to add.

C) Journaling, mood, and check-in data

If you use these features, we may collect:

• mood, energy, or stress check-ins,
• journal entries,
• reflections,
• task completion or feedback signals, such as “done”, “too hard”, or helpfulness ratings.

D) Subscription, purchase, and billing data

We may collect:

• your subscription tier and subscription status,
• purchase metadata from Apple, Google Play, and/or RevenueCat,
• payment and billing records for direct or business purchases where relevant,
• invoices, receipts, and payment-related support records.

We do not receive or store your full bank card number from Apple or Google in the app-store purchase flow.

E) App usage, diagnostics, and technical data

We may collect:

• app events and feature interactions,
• device type,
• operating system,
• app version,
• crash logs,
• error reports,
• technical diagnostics,
• security and fraud-prevention logs.

F) Support and communications data

If you contact us, we may collect:

• your name,
• email address,
• support request content,
• attachments or screenshots you send us,
• records of communications with you.

G) Website and cookie-related data

If you use our website, we may collect standard technical website data such as:

• IP address,
• browser and device information,
• page views,
• referring source,
• cookie or analytics identifiers,

depending on how the website is configured and what consent choices are presented to you.

4. Special-category and sensitive data

Some data used in Badger may relate to your mental wellbeing, emotional state, or health-related experiences. Under UK GDPR and EU GDPR, this may amount to special-category data, which needs extra protection.

We do not diagnose, prescribe, or provide medical treatment.

Where we process special-category data, we will identify:

• a lawful basis under Article 6 UK GDPR, and
• a separate condition for processing under Article 9 UK GDPR.

For optional sensitive features, especially Journal AI and similar analysis features, our main approach is to rely on your explicit consent, which you can withdraw at any time by switching the feature off or contacting us. Explicit consent is one recognised condition for processing health-related special-category data.

5. How we use your data

We use personal data to:

• create and manage your account,
• sign you in and keep your account secure,
• provide the Badger app and its core features,
• generate tasks tailored to your goals, barriers, preferences, resources, and recent feedback,
• support journaling, mood tracking, and reflections if you use those features,
• process subscriptions, purchases, and billing,
• send transactional messages such as OTPs, password resets, billing updates, and service notices,
• monitor performance, fix bugs, and improve stability,
• protect the app, our users, and our systems from abuse, fraud, and misuse,
• improve Badger through analytics, testing, and service development,
• respond to support requests and legal or regulatory obligations.

6. Our lawful bases

Where UK GDPR or EU GDPR applies, we rely on the following lawful bases depending on the context:

Contract

We process data where it is necessary to provide the service you ask us for, including:

• creating your account,
• authenticating you,
• saving your preferences,
• delivering core app functionality,
• managing subscriptions and purchases,
• handling customer support linked to your account.

Consent

We rely on consent where appropriate, including for:

• optional Journal AI features,
• optional sensitive-data processing where required,
• certain notifications,
• optional analytics or tracking technologies where consent is required,
• any other clearly optional processing we ask you to turn on.

Legitimate interests

We may rely on legitimate interests to:

• keep the service secure,
• prevent abuse and fraud,
• monitor app reliability and performance,
• investigate bugs and incidents,
• improve the service in a proportionate way,
• manage internal administration and service operations,

provided our interests are not overridden by your rights and freedoms.

Legal obligation

We may process data where we must do so to comply with legal obligations, such as:

• tax and accounting requirements,
• responding to lawful requests,
• maintaining required records.

7. AI, journaling, and personalisation

Badger is designed to be privacy-conscious by default, especially around journaling.

A) Task generation

If AI-supported task generation is enabled, we may send minimal, pseudonymous context to an AI provider in order to generate or refine tasks.

This may include:

• questionnaire and preference data,
• recent task metadata,
• non-identifying state or difficulty context,
• recent feedback signals.

We do not intentionally include direct identifiers, such as your email address, in AI prompts.

B) Journal AI is off by default

Journal AI analysis is off by default.

If you choose to turn it on, we aim to provide a just-in-time explanation of:

• what may be analysed,
• why it is being used,
• what provider is involved,
• how to switch it off again.

C) Minimisation before AI processing

Where feasible, if Journal AI is enabled, we aim to:

• remove obvious direct identifiers,
• use summaries, topics, or extracted themes instead of raw text where possible,
• keep any shared content proportionate and limited to what is necessary.

D) No solely automated decisions with legal or similarly significant effects

Badger personalises content and recommendations, but it is not intended to make solely automated decisions that have legal or similarly significant effects on you.

8. Who we share data with

We use trusted service providers and infrastructure partners to run Badger. Depending on the feature or plan you use, these may include:

• cloud hosting and storage providers, for example Microsoft Azure,
• Apple and Google for app-store billing and subscription platforms,
• RevenueCat for subscription management,
• Stripe for direct or business billing where relevant,
• Postmark for transactional emails,
• Sentry for crash and error monitoring,
• OpenAI or other AI service providers for AI-supported features,
• analytics, attribution, or app-store reporting providers where enabled.

These providers generally act as our processors or service providers, meaning they process data on our behalf for defined purposes.

We may also share data:

• if required by law,
• to protect the rights, safety, or security of Badger, our users, or others,
• in connection with a business reorganisation, merger, sale, or investment transaction, subject to appropriate safeguards.

We do not sell your personal data.

9. International transfers

Some of our service providers may process personal data outside the UK or EEA, including in countries such as the United States.

Where personal data is transferred internationally, we aim to use appropriate safeguards, which may include:

• the UK International Data Transfer Agreement (IDTA),
• the UK Addendum to the EU Standard Contractual Clauses,
• other lawful transfer mechanisms where available.

We also aim to reduce transfer risks through measures such as:

• data minimisation,
• pseudonymisation,
• encryption in transit,
• careful vendor selection and review.

10. Security

We use technical and organisational measures designed to protect personal data, including as appropriate:

• HTTPS / TLS encryption in transit,
• restricted access controls,
• environment and credential management,
• logging and monitoring,
• security reviews,
• incident handling procedures,
• backup and recovery measures.

No service can guarantee absolute security, but we aim to use reasonable and proportionate safeguards.

11. How long we keep data

We keep personal data only for as long as we need it for the purposes described in this policy, after which we delete, anonymise, or securely minimise it where possible.

Typical retention periods or approaches may include:

• Account and profile data: while your account is active, and for a limited period afterwards where needed for support, security, or legal reasons.
• Journal entries and check-ins: until you delete them, delete your account, or until they are anonymised, summarised, or otherwise minimised under your settings or our retention practices.
• Crash logs and diagnostics: for a limited period appropriate to debugging and security.
• Support messages: for a limited period after your issue is resolved.
• Payment, subscription, and accounting records: as long as reasonably required for financial reporting, tax, audit, fraud prevention, or legal compliance.

Where you request deletion, we will also take into account backup cycles, legal obligations, and the need to defend legal claims.

12. Your rights and choices

Depending on where you live, you may have rights to:

• access your personal data,
• correct inaccurate data,
• delete your data,
• restrict processing,
• object to certain processing,
• withdraw consent,
• receive a copy of certain data in portable form,
• complain to a regulator.

You can also manage certain privacy choices directly in the app, such as:

• turning Journal AI on or off,
• changing notification settings,
• requesting data export where available,
• deleting content,
• requesting account deletion.

We may need to verify your identity before completing a rights request.

13. UK and EEA rights

If you are in the UK or EEA, you may have rights under UK GDPR or EU GDPR, including the rights to:

• access,
• rectification,
• erasure,
• restriction,
• objection,
• portability,
• withdraw consent,
• lodge a complaint with a supervisory authority.

If you are in the UK, you can complain to the Information Commissioner’s Office (ICO). If you are in the EEA, you can complain to your local data protection authority.

14. Children

Badger is not intended for anyone under 16.

If we believe we have collected personal data from someone under our permitted age threshold in a way that should not have happened, we may suspend the account and take steps to delete the relevant data.

15. Complaints

If you have a privacy concern or complaint, please contact us first at: hello@badgerapp.io

We will try to review and respond as reasonably and promptly as we can.

If you remain unhappy and applicable law gives you the right, you may complain to the ICO or your local data protection regulator.

16. Changes to this policy

We may update this Privacy Policy from time to time.

If we make material changes, we will take reasonable steps to notify you, for example through an in-app notice, website update, or email where appropriate.

The “Last updated” date at the top shows when this version was last revised.