Privacy Policy

Last updated: April 3, 2026

This Privacy Policy ("Policy") describes how Brand Generator ("we", "us", or "our") collects, uses, stores, shares, and protects personal data when you access or use our platform. By creating an account or using our services, you acknowledge that you have read and understood this Policy.

This Policy complies with: the General Data Protection Regulation (EU) 2016/679 ("GDPR") for users in the European Economic Area; the Brazilian General Data Protection Law — LGPD (Law No. 13,709/2018) for users in Brazil; and the California Consumer Privacy Act ("CCPA") for California residents, as applicable.

1. Data Controller

Brand Generator is the data controller responsible for the processing of your personal data. For any inquiries related to data protection, contact us via our Discord server.

2. Data We Collect

2.1 Visitors (Non-registered Users)

  • Technical data: IP address (anonymized where required by law), browser type and version, operating system, device type, referring URL, pages visited, and time spent on pages
  • Cookies and similar technologies: Functional and analytical cookies as described in Section 6

2.2 Registered Users

  • Account data: Full name and email address (provided via Google OAuth or magic link authentication)
  • Usage data: Brand kit generation history, input preferences, reshuffle and export activity
  • Credit data: Credit balance, transaction history, and consumption records

2.3 Paying Users

  • All data described in Section 2.2
  • Payment data: Processed and stored exclusively by Stripe, Inc. — we never receive, access, or store full credit card numbers, CVV codes, or bank account details on our servers
  • Billing identifiers: Stripe customer ID, purchase timestamps, and transaction amounts

2.4 Data We Do Not Collect

We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation.

3. Legal Basis and Purpose of Processing

We process your personal data only when we have a valid legal basis. The following describes each purpose and its corresponding legal basis:

  • Service provision (generating brand kits, managing credits, processing reshuffles and exports) — Legal basis: contract execution
  • Payment processing for credit purchases — Legal basis: contract execution
  • Transactional communications (generation status, purchase confirmations, account security alerts) — Legal basis: contract execution
  • Aggregated analytics for service improvements and AI cost management — Legal basis: legitimate interest
  • Fraud prevention and security — Legal basis: legitimate interest
  • Tax and accounting compliance — Legal basis: legal obligation

Where processing is based on legitimate interest, we have conducted balancing tests to ensure your rights and freedoms are not overridden. You may request details of these assessments by contacting us.

4. AI Processing and Automated Decision-Making

When you generate a brand kit, the input data you provide (product description, industry, target audience, personality traits, and color preferences) is transmitted to third-party AI providers solely for the purpose of generating your brand assets. This data:

  • Is used exclusively to fulfill your generation request
  • Is not used to train, fine-tune, or improve AI models
  • Is not retained by AI providers beyond the duration of the request

Brand generation involves automated processing of your inputs. However, the outputs are creative assets (not legal, financial, or consequential decisions about you), and you retain full control through reshuffles and the choice to export or discard results.

Generated brand assets (logos, images, and other files) are stored securely and associated with your account until deletion.

5. Data Sharing and Third-Party Processors

We share personal data only with third-party service providers who act as data processors on our behalf, strictly for the purposes of operating the platform:

  • Infrastructure and hosting: Cloud infrastructure, database, and file storage services
  • Payment processing: Stripe, Inc. (PCI DSS Level 1 certified)
  • AI content generation: Third-party AI model providers
  • Analytics: Aggregated usage analytics services
  • Email delivery: Transactional email services

All third-party processors are bound by Data Processing Agreements (DPAs) that require them to process data only as instructed, implement appropriate security measures, and delete data upon termination of services.

Brand Generator does not sell, rent, lease, or trade personal data to any third party for marketing, advertising, or any other purpose.

We may disclose personal data if required by law, court order, or governmental authority, or to protect our rights, safety, or property in the context of legal proceedings.

6. Cookies and Tracking Technologies

  • Strictly necessary cookies: Required for authentication, session management, and security. These cannot be disabled without breaking core functionality.
  • Analytical cookies: Used to collect aggregated, anonymized usage patterns for service improvement. These are loaded only after you provide consent where required by applicable law.

We do not use advertising or third-party tracking cookies. You may configure your browser to refuse cookies at any time, though disabling essential cookies will prevent authentication and core platform usage.

7. Data Retention

  • Account data: Retained while your account is active. Upon account deletion request, we delete your personal data within 30 days, except where retention is required by law.
  • Brand kit assets: Retained while your account is active. Deleted together with your account upon deletion request.
  • Transaction records: Credit purchases, usage, and refund records are retained for up to 5 (five) years after the transaction date to comply with tax, accounting, and anti-fraud obligations, even after account deletion.
  • Payment credentials: Stored and managed entirely by Stripe. We do not retain payment credentials on our systems at any time.
  • Analytics data: Anonymized and aggregated data may be retained indefinitely as it does not constitute personal data.

8. International Data Transfers

Your personal data may be processed on servers located outside your country of residence, including in the United States. When data is transferred across borders, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers from the EEA
  • Data Processing Agreements with adequacy certifications from our service providers
  • Compliance with Chapter V of the LGPD for transfers involving Brazilian user data

You may request a copy of the applicable transfer safeguards by contacting us.

9. Your Rights

Depending on your jurisdiction, you may exercise the following rights regarding your personal data:

  • Access: Obtain confirmation of whether we process your data and request a copy
  • Rectification: Correct incomplete or inaccurate personal data
  • Erasure: Request deletion of your personal data, subject to legal retention obligations
  • Restriction: Request restriction of processing in certain circumstances
  • Portability: Receive your personal data in a structured, commonly used, machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Consent withdrawal: Withdraw consent at any time, without affecting the lawfulness of prior processing

9.1 For EEA Residents (GDPR)

You have the right to lodge a complaint with your local Data Protection Authority if you believe your data has been processed unlawfully.

9.2 For Brazilian Residents (LGPD)

You have the additional rights to anonymization, blocking, or deletion of unnecessary or excessive data, and to information about public and private entities with which your data has been shared. You may also file a complaint with the ANPD (Autoridade Nacional de Proteção de Dados).

9.3 For California Residents (CCPA)

You have the right to know what personal information we collect, disclose, or sell (we do not sell personal information), the right to request deletion, and the right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact us via our Discord server. We will verify your identity before processing any request and respond within 15 business days (or the shorter period required by your applicable law).

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Secure token-based authentication with session management
  • Granular database access controls and principle of least privilege
  • Payment data handled exclusively by a PCI DSS Level 1 compliant processor
  • Periodic security assessments and vulnerability reviews

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR), and notify affected users without undue delay where the breach poses a high risk. For Brazilian users, we will notify the ANPD and affected individuals in accordance with LGPD requirements.

12. Children's Privacy

Brand Generator is not directed to, and does not knowingly collect personal data from, anyone under 18 years of age. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete such data. If you believe a minor has provided us with personal data, please contact us immediately.

13. Policy Updates

We may update this Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email (to the address associated with your account) or by a prominent notice on the platform at least 15 days before the changes take effect. The "Last updated" date at the top of this Policy indicates the most recent revision.

Continued use of the platform after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not agree with any changes, you may delete your account before the effective date.

14. Applicable Law and Jurisdiction

This Policy is governed by the law of your jurisdiction to the extent required. For users in the European Economic Area, the GDPR applies. For users in Brazil, the LGPD (Law 13,709/2018) applies, and disputes shall be resolved in the courts of the user's domicile. For California residents, the CCPA applies. In all other cases, applicable local data protection laws shall govern.

15. Contact

For questions about this Policy, to exercise your data rights, or to report a privacy concern, reach out to us via our Discord server.