Privacy Policy

Last updated: May 11, 2026

Baadio ("we", "our", or "us") operates baadio.com and related mobile applications. This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding that information. By using Baadio, you agree to the practices described here.

1. What We Collect

Account information: When you register, we collect your email address and a display name you provide. We do not collect your full name, phone number, or payment details unless you voluntarily provide them.

Virtual number & OTP data: We store incoming SMS messages received on your assigned virtual number, including the sender, message body, and timestamp. OTP codes extracted from these messages are stored and automatically expire after 15 minutes.

Gmail data: If you connect your Gmail account, we store an OAuth refresh token (encrypted at rest) and read only emails that match OTP patterns. We do not read, store, or share any other email content.

Device & session data: We record device name, operating system, browser, IP address, and last-seen timestamp for each active session. This is used exclusively for session management and security.

Push notification tokens: If you enable push notifications, we store your browser or device push token to deliver real-time OTP alerts.

Trusted contacts: Contact names and email addresses you manually add for account recovery purposes.

Usage analytics: We collect anonymised product usage events (e.g., page views, feature interactions) to improve the service.

2. How We Use It

We use your data solely to provide and improve the Baadio service:

  • Authenticating you and securing your account
  • Delivering OTP codes to your inbox in real time
  • Sending push notifications when a new code arrives
  • Enabling account recovery via trusted contacts
  • Diagnosing errors and improving reliability
  • Analysing aggregated, anonymised usage patterns to prioritise features

We never sell your personal data. We do not use your OTP messages for advertising or marketing purposes.

3. Third-Party Services

We use the following sub-processors. Each has its own privacy policy.

Supabase

Database, authentication, and file storage. Data hosted in the EU (Frankfurt) region.

Twilio

Virtual phone numbers and SMS reception. Twilio processes incoming messages on our behalf.

Vercel

Web hosting and serverless functions. Requests are processed at edge locations globally.

PostHog

Product analytics. We use anonymised session data with IP addresses masked.

Sentry

Error tracking and crash reporting. Stack traces may contain request metadata.

Google Analytics

Website analytics via GA4. Data is anonymised and subject to Google's data retention settings.

4. Data Retention

We retain your data for as long as your account is active. Specific retention windows:

  • OTP codes: auto-expired after 15 minutes; full message records retained for 30 days, then deleted
  • Device sessions: retained until you revoke them or delete your account
  • Gmail OAuth tokens: retained until you disconnect Gmail or delete your account
  • Account data: retained until you delete your account, after which all associated records are permanently removed within 30 days

5. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erase your account and all associated data — available directly from Settings → Danger Zone
  • Port your data in a machine-readable format
  • Object to certain processing activities

To exercise any right not available through the app, email us at lightcold22@gmail.com. We will respond within 30 days.

6. Security

We protect your data using industry-standard measures: TLS in transit, AES-256 encryption at rest for sensitive fields (OAuth tokens), row-level security on all database tables, and short-lived JWT sessions with automatic rotation. No security measure is perfect, but we work to minimise risk.

7. Children

Baadio is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it promptly.

8. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will update the "last updated" date at the top of this page. Continued use of Baadio after changes constitutes your acceptance of the updated policy.

9. Contact

Questions or concerns about this Privacy Policy? Contact us at:

lightcold22@gmail.com