Draft pending counsel review. This document is a working draft and has not yet been reviewed by counsel. The final version will be published with an Effective from date once counsel has signed off.
1. Data we collect
Account data
- Email address.
- Name.
- Password (stored as a salted hash; never accessible to us in plaintext).
- Profile information you provide (display name, avatar, time zone, pronouns).
- Authentication metadata: sign-in events, IP addresses, device and browser information.
Brand record data
- Content you upload to the Service: brand assets, text, structured data.
- Metadata about edits: who made each change, when, what changed.
Usage data
- Pages accessed, features used, sessions.
- Error reports and diagnostic information.
Billing data
- Billing name and address.
- Tax identifiers (VAT, GST, TRN) where provided.
- Payment method details (handled by Stripe; we do not store full card numbers).
AI feature data
- For Henry: the API key you provide (stored encrypted; see How your key is stored).
- Conversation content sent to and received from AI providers.
- Metadata about AI interactions.
2. How we use the data
- To provide the Service and operate accounts.
- To bill and process payments.
- To respond to support requests.
- To detect and prevent abuse, fraud, and security incidents.
- To improve the Service in aggregate; we do not use Customer Content for product improvement on an identified basis.
- To meet legal obligations.
We do not sell personal data. We do not share personal data with advertisers.
3. Lawful bases (GDPR / UK GDPR)
We process personal data on the following lawful bases:
- Contract. To provide the Service you subscribed to.
- Legitimate interest. To operate, secure, and improve the Service.
- Legal obligation. To meet tax, accounting, and regulatory requirements.
- Consent. Where consent is required (specific cookies, marketing communications).
4. Data we share
We share data with sub-processors and partners as needed to operate the Service. See Sub-processors for the current list. Categories:
- Infrastructure. Vercel (hosting), Supabase (database and storage).
- Payments. Stripe.
- Email. Our transactional email provider.
- Analytics. PostHog or Plausible (privacy-respecting analytics; no cross-site tracking).
- AI providers. Anthropic (Oswald). For Henry, the customer’s chosen provider (OpenAI or Gemini); the customer maintains the direct relationship with the provider.
- Source control. GitHub (per-tenant repos for Guardian customers using the Git workflow).
We do not share data with third parties for their own marketing or commercial purposes.
5. International transfers
Personal data may be transferred outside the EU/EEA, UK, or your local jurisdiction in the course of providing the Service. Where required, we use:
- EU Standard Contractual Clauses (SCCs).
- UK International Data Transfer Addendum (IDTA).
- Equivalent mechanisms for other jurisdictions.
Cross-border transfer details are in our Data Processing Addendum and the UAE PDPL statement.
6. Retention
- Active account data is retained while the subscription is active.
- Cancelled accounts enter a 30-day grace period; data is deleted afterwards.
- Backups age out per the retention schedule.
- Logs and analytics are retained for the period needed for security, debugging, and reporting (typically 90 days for granular logs; longer for aggregated metrics).
See Data Retention & Deletion.
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to legal retention requirements).
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent (where consent is the basis).
- Lodge a complaint with your local data protection authority.
To exercise these rights, contact legal@brandatlas.pro. We respond within 30 days (or sooner where required by law).
8. Specific jurisdictional notices
9. Security
We implement appropriate technical and organisational measures to protect personal data. See Security Overview for the controls.
10. Children
The Service is not directed at children under 16, and we do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this Policy
We may update this Policy. Material changes are announced 30 days in advance via email and in the Inbox. Continued use after the effective date constitutes acceptance.
What changed
- 27 May 2026: Initial draft published for counsel review.
