1. Scope and non-goals
In scope
- A complete GDPR-compliant Privacy Policy for publication at brandpilot.ai/privacy before launch
- Coverage of all 14 sections required by BRAA-111
- Sub-processor disclosure with a public list and the purpose of each processor
- All 6 GDPR data-subject rights with practical instructions for how to use them
Out of scope
- A separate Cookie Policy document. Section 13 acts as the current placeholder. If we add a cookie banner, Google Analytics, or any tracking cookies beyond strictly necessary cookies, we will publish a separate update.
- A separate DPA (Data Processing Agreement) for Team / Agency tiers. That is an Enterprise feature and is not required for the MVP.
- Expanded children's privacy clauses beyond the minimum age statement. We do not target users under 16 and do not knowingly process children's data.
- California-specific CCPA / VCDPA clauses. These will be added when US go-to-market requires them.
2. Data inventory
2.1 Account data (identity)
| Field | Source | Purpose | Required |
|---|---|---|---|
| Email address | Signup form | Authentication, transactional emails (billing, security, GDPR notices) | Yes |
| Name | Signup form / OAuth | Personalization in the UI and AI-generated content addressing | Yes |
| Phone number | Optional, Settings | Anti-abuse verification (re-trial prevention). Stored as a hash for the blocklist. | No |
| Authentication identifier (OAuth provider ID) | Google / GitHub / email link | Single sign-on and session management | Yes (one method required) |
| Telegram chat ID | Optional, Telegram bot link | Telegram notifications for briefs | No |
Storage: PostgreSQL users table (Supabase, EU regions for EU users where available).
2.2 Brand content data
| Category | Contents | Storage |
|---|---|---|
| Brands | Brand definitions, goals, positioning, audience descriptions | brands, brand_goals, pillars, strategies, brand_overrides |
| Voice profiles | Tone settings, voice training data, learned style | voice_profiles, past_posts_archive |
| Posts | Generated drafts, edited versions, published content | posts, post_versions, publish_events |
| Topics & sources | Topic ideas, source URLs (RSS, Reddit, etc.), search configurations | topics, sources, search_config |
| CRM | Network contacts you track for engagement | crm_entries |
| Reports | Strategist weekly / monthly summaries | reports |
| Uploaded files | Logos, brand assets, voice training files (audio / text) | uploaded_files table + Supabase Storage buckets |
Visibility: all brand content is protected by strict per-user RLS (Row-Level Security in PostgreSQL). Other users cannot read your brand data.
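Illustrative SQL, added here as an example (it is not BrandPilot's migration code), showing what the per-user RLS guarantee above looks like in practice on two of the tables named in this section. It assumes Supabase Postgres, where auth.uid() returns the UUID from the caller's JWT and API requests run as the authenticated role; the column names user_id and brand_id are assumptions.

```sql
-- Added example, not BrandPilot's schema. Assumes Supabase Postgres:
-- auth.uid() reads the caller's JWT "sub" claim, API calls run as "authenticated".
create table if not exists brands (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null,            -- owner, compared against auth.uid()
  name    text not null
);

create table if not exists posts (
  id       uuid primary key default gen_random_uuid(),
  brand_id uuid not null references brands (id) on delete cascade,
  body     text
);

grant select, insert, update, delete on brands, posts to authenticated;

-- Enable RLS and FORCE it so even the table-owner role is subject to the
-- policies. An RLS-enabled table with no matching policy returns no rows
-- at all (default deny), which is the safe failure mode.
alter table brands enable row level security;
alter table brands force row level security;
alter table posts  enable row level security;
alter table posts  force row level security;

-- brands: owner column compared directly. USING filters SELECT/UPDATE/DELETE;
-- WITH CHECK stops an INSERT or UPDATE from writing a row under another user_id.
create policy brands_owner_only on brands
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- posts: no owner column, so ownership is derived through the parent brand.
-- The subquery runs under the same RLS, so it only ever sees the caller's brands.
create policy posts_via_brand on posts
  for all to authenticated
  using (exists (select 1 from brands b
                 where b.id = posts.brand_id and b.user_id = auth.uid()))
  with check (exists (select 1 from brands b
                      where b.id = posts.brand_id and b.user_id = auth.uid()));

-- Migration self-test: impersonate two users and confirm isolation.
-- Supabase's auth.uid() reads the "sub" claim from the request.jwt.claims
-- setting (assumption about the helper's implementation), so a test
-- session can set it directly. UUIDs below are constructed sample values.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111"}', true);
  insert into brands (user_id, name)
    values ('11111111-1111-1111-1111-111111111111', 'Alice Co');

  select set_config('request.jwt.claims',
                    '{"sub":"22222222-2222-2222-2222-222222222222"}', true);
  -- Expected: count = 0. Bob sees none of Alice's brands.
  select count(*) from brands;
  -- Expected: ERROR "new row violates row-level security policy".
  -- Bob cannot insert a brand attributed to Alice's user_id.
  insert into brands (user_id, name)
    values ('11111111-1111-1111-1111-111111111111', 'spoof');
rollback;
```

Two caveats a reviewer would check alongside such policies: RLS binds only roles without the BYPASSRLS attribute, so the Supabase service-role key and the postgres superuser read every row regardless, and that key must never reach a browser or a per-user code path; and the WITH CHECK half matters as much as USING, because without it a user can insert rows under another user's id that they then cannot see but that the victim can.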
2.3 Usage telemetry
| Category | Contents | Purpose |
|---|---|---|
| prompt_runs | LLM call metadata: model used, agent name, tokens consumed, cost, timestamp, error messages | Cost telemetry, fair-use enforcement, billing reconciliation |
| metering_events | Action-level events: post drafted, post published, export requested, deletion triggered, etc. | Cap engine, trial lifecycle, billing |
| injection_attempts | Detected prompt-injection attempts (security log) | Anti-abuse and security monitoring |
| jobs | Background job execution status and metadata | Operational reliability |
What we do not store in telemetry: plaintext LLM inputs and outputs. prompt_runs.error_message may include short fragments in failure cases. Those records are anonymized on deletion.
2.4 Billing data
| Category | Contents | Source |
|---|---|---|
| customers | Stripe customer ID, default payment-method reference, entity binding | Stripe (sub-processor) |
| subscriptions | Tier, status, current period dates, coupons, grandfather flags | Stripe |
| stripe_webhook_events | Raw Stripe event payloads (audit trail) | Stripe |
| invites | Coupon codes, invite emails | Marketing campaigns |
What we do not collect: we do not store card numbers, CVV, or billing addresses in our own databases. Payments are processed by Stripe (PCI-DSS Level 1). We store only Stripe customer IDs and last-four references if Stripe provides them.
2.5 Cookies and tracking
At MVP launch:
- Strictly necessary cookies: session cookies (auth) and CSRF cookies. There is no opt-out because the product cannot function without them.
- Analytics: if we integrate Google Analytics, Plausible, or similar tooling, we will add a consent banner. At the time of this policy version, analytics is not enabled.
- Marketing cookies: not used.
- Third-party tracking: not used.
See Section 13 for details and future updates.
2.6 GDPR audit log
gdpr_audit_log (append-only, 7-year retention) records GDPR actions such as export requested, export delivered, deletion requested, deletion completed, and anonymization completed. It does not contain your content. It stores user ID, action type, timestamp, and actor (user / system / DPO).
3. Legal basis for processing (Art. 6 GDPR)
Each data category is processed under one of four legal bases.
| Category | Legal basis | Rationale |
|---|---|---|
| Account data | Art. 6(1)(b) - Contract performance | We cannot provide the service without email and authentication |
| Brand content | Art. 6(1)(b) - Contract performance | This is the core product: managing your personal brand |
| Usage telemetry (prompt_runs, metering_events) | Art. 6(1)(b) - Contract performance + Art. 6(1)(f) - Legitimate interest | Needed for billing (contract) and for cost monitoring / cap enforcement (legitimate interest in operating the service sustainably) |
| Billing data | Art. 6(1)(b) - Contract performance + Art. 6(1)(c) - Legal obligation | Needed for payments (contract) and tax / audit retention |
| Anti-abuse phone hash, deleted_users_blocklist | Art. 6(1)(f) - Legitimate interest | Protecting the service from trial abuse; we store hashes, not plaintext |
| Marketing emails (if you opt in) | Art. 6(1)(a) - Consent | Explicit opt-in, withdrawable at any time in Settings |
| Security logs (injection_attempts) | Art. 6(1)(f) - Legitimate interest | Security of users and infrastructure |
Withdrawal of consent: where processing is based on consent (Art. 6(1)(a)), you may withdraw it at any time without explanation (Settings -> Email Preferences). Withdrawal does not affect the lawfulness of earlier processing.
Objection to legitimate interest: where processing is based on legitimate interest (Art. 6(1)(f)), you have the Right to object under Art. 21. See Section 5.5.
4. Sub-processors
We use the following sub-processors to provide the service. Each processor is bound by a DPA and, where applicable, Standard Contractual Clauses (SCCs) for transfers outside the EEA.
| Sub-processor | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Supabase (Supabase Inc., USA) | PostgreSQL hosting, authentication, file storage | EU regions where available, otherwise US | SCCs (EU 2021/914) + Supabase DPA |
| Stripe (Stripe Inc., USA) | Payment processing, billing, customer data | US (primary) | SCCs + Stripe DPA, PCI-DSS Level 1 |
| Anthropic (Anthropic PBC, USA) | LLM inference (Claude API) for content generation | US | SCCs + Anthropic DPA. Prompt content is not retained beyond generation and the limited abuse-monitoring window described below. |
| Resend (Resend Inc., USA) | Transactional email delivery | US (with EU-region options where available) | SCCs + Resend DPA |
| Vercel / Railway | Application hosting and edge compute | US / EU multi-region | SCCs + provider DPA |
Anthropic specifically: we use the Anthropic API under their commercial terms, which state:
- prompts and completions are not used to train Anthropic models,
- prompts may be retained for abuse monitoring for a limited period only,
- access to raw prompts is restricted to authorized security personnel for incident response.
What we do not do: we do not sell your data, use it to train third-party models, or share it with advertisers or data brokers.
Sub-processor changes: if we change or add a sub-processor, we will publish a policy update and send 30 days' notice before the effective date. See Section 13.
5. Your rights under GDPR
You have the following rights. Requests can be submitted through Settings -> Privacy & Data or by emailing support@brandpilot.ai with the subject GDPR Request: [right]. We respond within 30 calendar days and may extend to 90 days for complex requests where the law permits.
5.1 Right of access (Art. 15)
You may request a copy of your data and information about how we process it.
How: Settings -> Export My Data. The export covers all categories listed in Section 2.
5.2 Right to data portability (Art. 20)
You may obtain your data in a machine-readable format for transfer to another service.
Self-serve endpoint: GET /api/account/export (via Settings -> Export Data). Authenticated only. Rate limit: 1 request per hour.
Export format (ZIP with machine-readable structure):
brandpilot-export-{your-id}-{timestamp}.zip
├── account.json - your profile (email, name, preferences)
├── billing.json - subscription and payments (without raw Stripe payloads)
├── brand-{brand_id}/
│ ├── brand.json - brand definition + voice + goals + strategy + pillars
│ ├── topics.csv - all topics
│ ├── posts.csv - all posts + versions
│ ├── publish-events.csv - publication history
│ ├── crm.csv - CRM contacts
│ ├── sources.csv - sources + search configs
│ └── uploads/ - original files (logos, brand assets, voice training)
├── voice-archive/ - past-post archive (if present)
└── README.md - structure description + GDPR notice
Delivery: a signed download URL is sent to your email and remains valid for 7 days.
Additional safeguard: before automatic deletion of an archived account, we generate an export and send the download link even if you did not request one, unless you already used self-serve export recently.
5.3 Right to rectification (Art. 16)
You may correct inaccurate or incomplete data.
How:
- Email, name, preferences -> Settings -> Account
- Brand content (brands, posts, voice, etc.) -> editable directly in the product
- Billing data -> Settings -> Billing -> Stripe Customer Portal
- If you cannot find the right surface -> support@brandpilot.ai
5.4 Right to erasure (Art. 17 - "Right to be forgotten")
You may request deletion of your account and related data.
Self-serve flow:
- Request: Settings -> Delete Account -> confirm with your email
- Grace period: 30 days. During that period, you can cancel deletion by logging in or contacting support@brandpilot.ai.
- Confirmation email: sent immediately after the request, with a "Cancel deletion" link and an auto-export ZIP.
- Day +30: physical deletion begins.
What is permanently deleted (hard delete):
- All brand content: brands, posts, voice profiles, topics, sources, CRM entries, reports, uploaded files
- Storage uploads: voice archive files, logos, brand assets
- Personal identifiers: email, name, auth identifiers, Telegram chat ID
- Pending email-notification queue items for your account
What is anonymized and retained for 7 years:
- Payment and subscription records (without email or payment method, only financial fields needed for tax / audit compliance)
- Usage telemetry (cost data, action counts) without PII in payloads
- GDPR audit log entries documenting the deletion request and completion
- Stripe webhook events retained under Stripe operational requirements
Why we anonymize instead of fully deleting some records:
- Georgia tax law requires long-term retention of financial records
- Stripe chargeback and dispute windows require audit history
- GDPR Art. 6(1)(c) allows retention where there is a legal obligation
What is retained for 12 months after deletion for anti-abuse purposes:
- A hash of your email and phone number (if provided) in deleted_users_blocklist to prevent trial abuse
- These hashes are physically removed after 12 months
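The hash-based blocklist referred to here, in Section 2.1 (phone hash) and in Section 3 (legitimate-interest basis) can be built as follows. This is an added example, not BrandPilot's own code; it assumes the pgcrypto extension, and that the application passes a server-side secret ("pepper") that is never stored in the database. Table and function names beyond deleted_users_blocklist are illustrative.

```sql
-- Added example, not BrandPilot's own code. Assumes pgcrypto and a pepper
-- supplied by the application from its secret store (never persisted in the DB).
create extension if not exists pgcrypto;

create table if not exists deleted_users_blocklist (
  identifier_hash text primary key,            -- hex HMAC-SHA256, never the raw value
  kind            text not null check (kind in ('email', 'phone')),
  created_at      timestamptz not null default now(),
  expires_at      timestamptz not null default now() + interval '12 months'
);

-- Canonicalise before hashing so trivial variants ("Alice@Example.com ",
-- "+49 170 1234567" vs "01701234567" after digit stripping) hit the same entry.
-- Phone canonicalisation here is digits-only; full E.164 normalisation
-- belongs in the application.
create or replace function blocklist_canonical(kind text, value text)
returns text language sql immutable as $$
  select case kind
    when 'email' then lower(btrim(value))
    when 'phone' then regexp_replace(value, '\D', '', 'g')
  end
$$;

-- Keyed hash. A plain sha256(phone) is not anonymous: the space of phone
-- numbers is small enough to enumerate, and email lists are cheap to hash
-- offline. HMAC with a pepper held outside the database defeats both.
-- The kind prefix keeps an email hash from ever colliding with a phone hash.
create or replace function blocklist_hash(kind text, value text, pepper text)
returns text language sql immutable as $$
  select encode(hmac(kind || ':' || blocklist_canonical(kind, value),
                     pepper, 'sha256'), 'hex')
$$;

-- Called by the erasure pipeline. Re-adding an identifier restarts the 12 months.
create or replace function blocklist_add(kind text, value text, pepper text)
returns void language sql as $$
  insert into deleted_users_blocklist (identifier_hash, kind)
  values (blocklist_hash(kind, value, pepper), kind)
  on conflict (identifier_hash) do update
    set expires_at = now() + interval '12 months'
$$;

-- Called at signup / trial start. Expired rows are ignored even before the
-- purge job removes them, so the 12-month limit holds regardless of job lag.
create or replace function blocklist_contains(kind text, value text, pepper text)
returns boolean language sql stable as $$
  select exists (
    select 1 from deleted_users_blocklist
    where identifier_hash = blocklist_hash(kind, value, pepper)
      and expires_at > now()
  )
$$;

-- Scheduled purge (for example a daily pg_cron job): the physical removal
-- promised above.
delete from deleted_users_blocklist where expires_at <= now();

-- Constructed sample usage: after erasing a user with this email ...
select blocklist_add('email', 'Alice@Example.com ', 'pepper-from-secret-store');
-- ... a re-trial with a differently-cased address is caught (returns true)
select blocklist_contains('email', 'alice@example.com', 'pepper-from-secret-store');
-- while an unrelated address is not (returns false).
select blocklist_contains('email', 'bob@example.com', 'pepper-from-secret-store');
```

Two operational notes: rotating the pepper invalidates every stored hash (old entries can no longer match), so rotation must be planned as a 12-month overlap or a re-hash from the identifiers captured at erasure time, which by then no longer exist; and the pepper must not be readable by the authenticated database role, otherwise the keyed hash degrades to the plain hash it was meant to replace.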
Automatic deletion for unfinished trials:
If you do not activate a paid subscription during the 7-day trial:
- Day 7: the account becomes read-only
- Day 37: the account is archived (export remains available through support@brandpilot.ai)
- Day 90: we send an email saying "Your data will be deleted in 7 days" and attach an automatic export link
- Day 97: a 7-day grace period begins. Logging in reactivates the account if allowed by the current plan state.
- Day 104: physical deletion begins under the same policy as self-serve deletion
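The "same policy" applied at Day +30 (self-serve) and Day 104 (expired trial) is the hard-delete / anonymize-and-retain / audit split listed above. The following plpgsql function is an added example of that step as one database transaction; it is not BrandPilot's pipeline. Table and column names not quoted in this policy (notification_queue, customers.default_payment_method, users.erased_at, the pepper argument, the actor values) are assumptions, as is ON DELETE CASCADE from brands to its child tables and identifier_hash being the primary key of deleted_users_blocklist.

```sql
-- Added example, not BrandPilot's pipeline. Assumes pgcrypto (hmac), cascading
-- FKs from brands to its child tables, and a pepper passed in by the job runner.
create or replace function gdpr_erase_user(target uuid, pepper text,
                                           actor text default 'system')
returns void language plpgsql as $$
declare
  v_email      text;
  v_phone_hash text;
begin
  -- 0. Capture identifiers before they are destroyed: the anti-abuse entry is
  --    derived from the email, and users.phone_hash is copied as-is.
  select email, phone_hash into v_email, v_phone_hash
    from users where id = target and email is not null for update;
  if not found then
    raise exception 'user % not found or already erased', target;
  end if;

  insert into gdpr_audit_log (user_id, action, actor)
    values (target, 'deletion_started', actor);

  -- 1. Hard delete. posts, topics, sources, crm_entries, reports,
  --    voice_profiles ... cascade from brands (assumption), so one statement
  --    removes the content tree. Storage objects are deleted by the app.
  delete from brands             where user_id = target;
  delete from uploaded_files     where user_id = target;
  delete from notification_queue where user_id = target;
  delete from injection_attempts where user_id = target;

  -- 2. Anonymize and retain (7-year records): strip PII, keep the financial
  --    and usage fields. The users.id UUID stays as join key; once the users
  --    row is blanked below it identifies nobody on its own.
  update customers   set email = null, default_payment_method = null
   where user_id = target;
  update prompt_runs set error_message = null   -- may hold prompt fragments
   where user_id = target;

  -- 3. Identity record: null every identifier rather than dropping the row,
  --    so the retained billing rows keep a valid foreign key.
  update users
     set email = null, name = null, phone_hash = null,
         oauth_provider_id = null, telegram_chat_id = null,
         erased_at = now()
   where id = target;

  -- 4. 12-month anti-abuse entries: HMAC-SHA256 keyed with a pepper held
  --    outside the database, never the plaintext email.
  insert into deleted_users_blocklist (identifier_hash, kind, expires_at)
    values (encode(hmac('email:' || lower(btrim(v_email)), pepper, 'sha256'), 'hex'),
            'email', now() + interval '12 months')
    on conflict (identifier_hash) do nothing;
  if v_phone_hash is not null then
    insert into deleted_users_blocklist (identifier_hash, kind, expires_at)
      values (v_phone_hash, 'phone', now() + interval '12 months')
      on conflict (identifier_hash) do nothing;
  end if;

  insert into gdpr_audit_log (user_id, action, actor)
    values (target, 'deletion_completed', actor);
end
$$;

-- Constructed sample call from the Day +30 / Day 104 job:
-- select gdpr_erase_user('11111111-1111-1111-1111-111111111111',
--                        'pepper-from-secret-store', 'system');
```

Because the whole function is one transaction, a failure in any step rolls back the 'deletion_started' audit row together with the partial deletes; if the audit trail must record attempts as well as completions, the orchestrating job should write that entry in its own transaction before calling the function. The function should be executable only by the job's database role, never granted to authenticated. Note also that erasure from the live database does not touch backup snapshots, which is why Section 9 counts backup retention as part of the erasure pipeline.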
DPO-routed erasure: if you want the request handled directly as a legal escalation, email dpo@brandpilot.ai.
5.5 Right to restriction (Art. 18) and objection (Art. 21)
Restriction: you may request a temporary freeze on processing (for example, during a dispute) by emailing support@brandpilot.ai. We will switch the account to read-only where possible.
Objection: if the legal basis is legitimate interest (see Section 3), you have the right to object. We will stop that processing unless we have compelling legitimate grounds that override your interests, rights, and freedoms. For example, we may not be able to stop logging prompt-injection attempts while an active security investigation is ongoing.
5.6 Right to lodge a complaint (Art. 77)
If you are unhappy with our response to a GDPR request, you may complain to the supervisory authority in your country (for EU residents, the national or regional DPA, such as CNIL in France or the competent Land data protection authority in Germany). We recommend contacting us first because most issues can be resolved faster without escalation.
6. Right to erasure - full text
Deletion of your data. You may request deletion of your account at any time through Settings -> Delete Account. After your request:
- For 30 days (the grace period), you may cancel it by logging in or emailing support@brandpilot.ai.
- After the grace period, we permanently delete your content (brands, posts, voice, strategies, sources, CRM, uploaded files), personal information (email, name), and authentication identifiers.
- We anonymize, but retain for 7 years where required by tax law or audit obligations, payment records, subscription records, AI-usage records, and audit logs. These records no longer contain your name or email after anonymization.
- Stripe payment events may remain in raw form for 7 years to satisfy financial audit obligations.
Automatic deletion for unfinished trials: if you do not activate a subscription during the 7-day trial, the account becomes read-only for 30 days, then archived for another 60 days. On day 90, we send a final-deletion notice and an automatic export link. On day 97, a 7-day grace period begins. After day 104, the account is deleted under the same policy as self-serve deletion.
Right to portability (GDPR Art. 20): at any time, you can use Settings -> Export Data to download a ZIP containing your data in JSON, CSV, and original-file formats.
7. Data retention summary
| Data category | Active user | After trial expiry (Day 104) | After self-delete (+30d grace) | Legal hold |
|---|---|---|---|---|
| Brand content (Group A) | retained while account is active | physically deleted | physically deleted after 30 days | No |
| Personal identifiers (users.email, users.name) | retained while account is active | anonymized (NULL / deleted identifiers) | anonymized after 30 days | No |
| Billing records (Group B excluding raw Stripe payloads) | retained while account is active | anonymized, retained 7 years | same | 7 years |
| stripe_webhook_events (raw payloads) | retained while account is active | retained 7 years in raw form | same | 7 years |
| Anti-abuse hashes (deleted_users_blocklist) | not applicable | 12 months | 12 months | No |
| GDPR audit log (gdpr_audit_log) | not applicable | 7 years | 7 years | 7 years |
| Security logs (injection_attempts) | while active + 90 days | deleted with brand content | deleted with brand content | No |
After the 7-year retention window: anonymized billing records are physically deleted by a final purge job.
8. International data transfers
Because some of our sub-processors are located in the United States (including Anthropic and Stripe, and in some cases Supabase), we transfer data outside the EEA / UK.
For EU / UK residents, transfers are covered by:
- Standard Contractual Clauses (SCCs) for EU -> US transfers
- UK IDTA where applicable for UK -> US transfers
- Data Processing Agreements with each relevant sub-processor
See Section 4 for the full list of sub-processors and transfer mechanisms.
Adequacy preferences: where available, we prefer EU regions (for example, Supabase EU regions or EU-region email options). Anthropic and Stripe remain core US-based services.
Transfer Impact Assessment: we maintain a transfer-risk assessment for US transfers. Anthropic's no-training posture and provider encryption controls materially reduce risk, but they do not eliminate it.
If you are an EU resident and believe these transfers are unacceptable, contact support@brandpilot.ai. In practice, opting out of these transfers may make the service unusable because core LLM functionality depends on Anthropic.
9. Security
We protect your data with the following measures:
- Row-Level Security (RLS): PostgreSQL policies prevent other users from reading your data through the API
- Encryption at rest: Supabase default encryption for PostgreSQL data and Storage buckets
- Encryption in transit: TLS for all HTTP traffic
- Authentication: OAuth (Google, GitHub) or email magic link. We do not store plaintext passwords.
- Prompt-injection protection: filtering and trust-boundary controls before LLM calls; detected attempts are logged in injection_attempts
- Access control: least-privilege internal access; production-database access is restricted and audited
- Backups: automated encrypted backups with limited retention and deletion coverage in the GDPR erasure pipeline
If a breach occurs: we will notify the competent supervisory authority within 72 hours of becoming aware of it where GDPR requires it (Art. 33), and affected users without undue delay where the breach is likely to result in a high risk to them (Art. 34). User notification may include email, in-app notices, and public disclosure for significant incidents.
10. Children's privacy
Minimum age to use BrandPilot: 16 years old.
We do not target users under 16 and do not knowingly collect children's data. Signup requires an age-related acknowledgment.
If you are a parent or guardian and discover that your child registered without appropriate consent, email support@brandpilot.ai and we will remove the account promptly.
11. Changes to this policy
We may update this policy to reflect changes in:
- sub-processors,
- the data categories we collect for new features,
- legal or regulatory requirements in applicable jurisdictions.
Notification mechanism:
- Material changes such as new data categories, new sub-processors, retention changes, or new transfer mechanisms will trigger 30 days' notice by email and an in-app banner before the effective date.
- Non-material changes such as clarifications, typo fixes, or structural edits without substantive policy change may be published without advance notice, with the version and date updated in the footer.
Version history: the full history is available at /privacy/changelog.
12. Contact information
12.1 Controller
BrandPilot (operating entity: Georgia IE)
Address: [Tbilisi, Georgia legal address to be added after Georgia IE registration]
Email: support@brandpilot.ai
12.2 Data protection contact
We have not appointed a formal DPO for the MVP, but we maintain a dedicated GDPR contact point.
Email: dpo@brandpilot.ai
Subject prefix: GDPR Request: [Access | Erasure | Portability | Rectification | Restriction | Objection]
Response SLA:
- Acknowledgement: 5 business days
- Resolution: 30 calendar days (extendable to 90 days for complex requests where legally permitted)
12.3 EU representative
[To be appointed when required for EU customer operations under Art. 27.]
13. Cookies and tracking
At the time of this policy version:
- only strictly necessary cookies are used (auth session, CSRF),
- there is no analytics tracking,
- there are no marketing cookies,
- there is no third-party tracking.
If we add analytics or marketing cookies:
- we will introduce a consent banner with granular choices,
- we will update this section with a full cookie inventory,
- we will notify existing users 30 days in advance for material changes as described in Section 11.
Browser controls: you can still block cookies in your browser settings, but blocking strictly necessary cookies may log you out or break the product.
14. Dispute resolution
We prefer to resolve issues directly through support@brandpilot.ai. If direct resolution is not possible:
- GDPR-related disputes: your local data protection authority (see Section 5.6)
- General disputes: governing law is Georgia (Georgia IE entity), and jurisdiction is the courts of Tbilisi, Georgia, except where mandatory local consumer-protection law overrides this rule
Appendix A - Glossary
- Anonymization - irreversible removal of identifying fields while preserving aggregated or financial fields where legally required
- Controller - the entity that determines the purposes and means of processing (BrandPilot)
- DPA - Data Processing Agreement
- DPO - Data Protection Officer
- EEA - European Economic Area
- GDPR - General Data Protection Regulation (EU 2016/679)
- PII - Personally Identifiable Information
- Processor - an entity that processes data on behalf of the controller (our sub-processors)
- RLS - Row-Level Security
- SCC - Standard Contractual Clauses
- TIA - Transfer Impact Assessment