1. Information We Collect
We collect information in several ways to provide and improve the Service:
1.1 Information You Provide
- Account information: Name, email address, company name, and password when you register
- Brand assets: Logos, color palettes, fonts, brand guidelines, images, and other creative materials you upload
- Product data: Product names, descriptions, pricing, images, and URLs you submit for AI creative generation
- Prospect and contact data: Names, email addresses, company information, and other data in prospect lists you upload or that AI researches on your behalf
- Payment information: Credit card and billing details (processed and stored by Stripe; we do not store full card numbers)
- Communications: Support requests, feedback, and any messages you send us
1.2 Information Collected Automatically
- Usage data: Pages visited, features used, actions taken, session duration, and interaction patterns
- Device information: Browser type, operating system, screen resolution, and device identifiers
- Log data: IP addresses, access times, referring URLs, and error logs
- Cookies and similar technologies: See Section 11 for details on our cookie usage
1.3 Information from Third Parties
- Authentication providers: If you sign in via a third-party provider (e.g., Replit), we receive your name and email address
- Public sources: Our AI may research publicly available information about prospects, companies, and brands from the web
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process your brand assets through AI to generate creative content
- Power AI prospector features, including prospect research, email generation, and campaign management
- Process payments and manage your subscription
- Send transactional communications (account verification, password resets, billing notifications)
- Respond to your support requests and inquiries
- Analyze usage patterns to improve our AI models and user experience
- Detect, prevent, and address fraud, abuse, and technical issues
- Comply with legal obligations
3. AI Data Processing
Our Service uses AI extensively. Here is how your data interacts with AI systems:
- Brand analysis: When you submit a website URL or brand assets, our AI processes this information to extract brand identity elements (colors, logos, voice, guidelines). This processing may involve sending data to third-party AI providers (Google Gemini, Anthropic Claude).
- Creative generation: Your brand data, product information, and creative briefs are sent to AI providers to generate marketing content. Providers process this data per their own data handling policies but do not use your data to train their models.
- Prospect research: AI may search publicly available web sources to compile information about prospects and companies. This research data is stored in your account.
- Email generation: AI uses your brand knowledge base, prospect research, and conversation history to generate personalized outreach emails.
We do not use your brand assets, creative outputs, or proprietary data to train our own AI models or those of third parties. Your data is used solely to provide the Service to you.
4. Automated Decision-Making
In accordance with GDPR Article 22, we disclose the following automated decision-making processes that may produce significant effects:
- AI prospect scoring: Our AI assigns relevance scores to prospects based on publicly available information and your Ideal Customer Profile (ICP). These scores influence the order in which prospects are contacted but do not make legally binding decisions about individuals.
- Email reply classification: Incoming replies to outreach emails are automatically classified by AI (e.g., interested, not interested, opt-out). Opt-out classifications result in automatic cessation of further outreach to that recipient.
- Content guardrails: AI-generated emails are automatically screened for prohibited content, excessive length, and other policy violations before sending.
You have the right to request human review of any automated decision, obtain an explanation of the logic involved, and contest the decision. Contact us at privacy@brand.design to exercise these rights.
5. Data Sharing and Disclosure
We do not sell your personal data. We share your information only in the following circumstances:
- Service providers: We share data with third-party providers who assist us in operating the Service, including AI processing (Google, Anthropic), payment processing (Stripe), email delivery (Resend), cloud hosting, and analytics
- Team members: If you are part of an organization, your brand data and projects are accessible to other members of your team as configured by account administrators
- Legal requirements: We may disclose information when required by law, legal process, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others
- Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity
- With your consent: We may share your information in other ways if you direct us to or give us your explicit consent
6. Subprocessors
We use the following subprocessors to provide the Service. Each processes data only as necessary for its stated purpose:
| Subprocessor | Purpose | Location |
|---|
| Google LLC (Gemini API) | AI image generation, brand analysis, prospect research | United States |
| Anthropic PBC (Claude API) | AI text generation, creative writing, email composition | United States |
| Stripe, Inc. | Payment processing, subscription billing | United States |
| Resend, Inc. | Transactional and outreach email delivery | United States |
| Replit, Inc. | Cloud hosting, object storage, authentication | United States |
We will update this list when we add or change subprocessors. For the most current list, contact privacy@brand.design.
7. International Data Transfers
Your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those in your country. When we transfer data internationally, we rely on appropriate legal mechanisms, including Standard Contractual Clauses (SCCs), to ensure adequate data protection. By using the Service, you consent to the transfer of your information as described in this Privacy Policy.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to data portability: Request your data in a structured, machine-readable format
- Right to restrict processing: Request that we limit how we use your data
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
- Right regarding automated decisions: Request human review of automated decisions that significantly affect you (see Section 4)
To exercise any of these rights, contact us at privacy@brand.design. We will respond to your request within 30 days. Our lawful bases for processing include: performance of contract (providing the Service), legitimate interests (improving the Service, fraud prevention), and consent (where applicable). You may also lodge a complaint with your local data protection authority.
9. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know: You can request information about the categories and specific pieces of personal information we have collected about you
- Right to delete: You can request deletion of your personal information, subject to certain exceptions
- Right to correct: You can request correction of inaccurate personal information
- Right to opt-out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising purposes. If this ever changes, we will provide a clear "Do Not Sell or Share My Personal Information" mechanism.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
- Right to limit use of sensitive personal information: You can request that we limit our use of sensitive personal information to what is necessary to provide the Service
Do Not Sell or Share: Brand.Design does not sell your personal information, nor do we share it for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
To exercise your CCPA/CPRA rights, contact us at privacy@brand.design. We will verify your identity before processing your request and respond within 45 days.
10. Data Retention
We retain your data according to the following schedule:
- Account data: Retained for as long as your account is active, plus 30 days after deletion to allow for reactivation
- Brand assets and creative content: Retained for as long as your account is active; deleted within 30 days of account termination
- Prospect and outreach data: Retained for as long as your account is active; deleted within 30 days of account termination
- Payment records: Retained for 7 years as required by tax and financial regulations
- Server logs: Retained for up to 90 days for security and debugging purposes
- AI cost and usage logs: Retained for 12 months for billing verification and dispute resolution
- Anonymized analytics: Retained indefinitely in aggregate form that cannot identify individuals
11. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies: Required for the Service to function (authentication, session management, security). These cannot be disabled.
- Functional cookies: Remember your preferences and settings (theme, layout choices).
- Analytics cookies: Help us understand how the Service is used and identify areas for improvement. These collect anonymized usage data and can be disabled through the cookie consent banner.
You can manage your cookie preferences through the cookie consent banner that appears on your first visit, or by selecting "Cookie Preferences" at the bottom of any page. Most browsers also allow you to control cookies through their settings. Note that disabling essential cookies may prevent the Service from functioning properly.
12. Data Security and Breach Notification
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing using industry-standard algorithms
- Regular security audits and vulnerability assessments
- Access controls limiting employee access to user data on a need-to-know basis
- Secure cloud infrastructure with redundancy and backup systems
While we strive to protect your data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from factors outside our reasonable control.
Breach notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users without undue delay and, where required by GDPR, within 72 hours of becoming aware of the breach. We will also notify the relevant supervisory authority as required by applicable law. Notifications will describe the nature of the breach, likely consequences, measures taken, and contact information for further inquiries.
13. Data Processing Agreement
If you are a business customer processing personal data of EU/EEA/UK residents through our Service and require a Data Processing Agreement (DPA) to comply with GDPR Article 28, we offer a pre-signed DPA that covers our obligations as a data processor. To request a copy, contact dpo@brand.design.
14. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at privacy@brand.design.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was last revised.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
- Privacy inquiries: privacy@brand.design
- Data protection officer: dpo@brand.design
- General inquiries: hello@brand.design
- Mailing address: Brand.Design, Inc., 1209 Orange Street, Wilmington, DE 19801, United States