Privacy Policy

This Privacy Policy describes how brandRNA (“we”, “us”, “our”), a sole trader registered in the United Kingdom, processes personal data when you use our website at brandrna.com, our API at api.brandrna.com, and our dashboard at app.brandrna.com (together, the “Service”).

We are the data controller for the personal data described below. For any privacy-related question or to exercise your rights, email bmanashe@googlemail.com.

Account data. When you sign up we store your email address and a password hash (handled by Firebase Authentication on our behalf). We assign a unique user ID, generate one or more API keys, and record the date and time of account creation.

Usage data. For each API call we record the timestamp, the endpoint, the URL submitted, the size of the response, and counters used for billing and rate-limiting. We retain per-day rollups so that we can show usage charts and bill you correctly.

Billing data. If you upgrade to paid usage we store a Stripe customer ID, subscription ID, payment status, your billing tier, your cap, and invoice metadata. Card details are handled directly by Stripe; we never see or store your card numbers.

Submitted URLs and brand packs. The URLs you submit and the brand packs we return are stored against your account so that you can re-fetch them. Cached brand packs may also be served to other users who submit the same URL, which is how the cached-lookup pricing works; your account is not associated with those cached responses.

Technical data. Server logs record IP address, user-agent, and request metadata for abuse prevention, troubleshooting and security. We retain raw logs for 30 days and summary statistics for longer.

Communications. If you contact us by email or through a form we keep that correspondence to handle your request and for our records.

• Performance of contract — to provide the Service, manage your account, process API calls, and bill paid usage.
• Legitimate interests — to keep the Service secure (rate-limiting, fraud detection, debugging), to improve the product (aggregate analytics, model behaviour), and to communicate operational updates.
• Legal obligation — to keep transaction records, comply with tax law, and respond to lawful requests.
• Consent — for any marketing email we may send; you can withdraw consent at any time using the unsubscribe link in those emails or by emailing us.

We use the following third parties to operate the Service. Each handles personal data on our instructions under a written data processing agreement.

Some of our processors are based in the United States or use US infrastructure. Where we transfer personal data outside the UK or European Economic Area we rely on (a) the EU–US and UK–US Data Privacy Framework where the recipient is certified, or (b) the UK International Data Transfer Agreement and the European Commission Standard Contractual Clauses, with supplementary measures where required.

• Account data: while your account is open, plus up to 12 months after closure for backups and dispute resolution.
• Usage data: 13 months for billing and analytics.
• Billing records: 7 years for tax and accounting (HMRC requirement).
• Cached brand packs: indefinitely, keyed on the public URL, and not associated with your account once cached.
• Server logs: 30 days for raw logs, longer for aggregated metrics.
• Email correspondence: up to 3 years.

We use industry-standard measures including TLS in transit, AES-256 at rest, role-based access on Google Cloud, principle-of-least- privilege service accounts, secret rotation, and audit logging. API keys are hashed in the database; we cannot recover a lost API key, only revoke it and issue a new one.

No service is perfectly secure. If we become aware of a breach that affects your personal data we will notify you and the Information Commissioner's Office (ICO) where required by law.

You have the right to:

• access the personal data we hold about you;
• rectify data that is inaccurate or incomplete;
• have your personal data erased (subject to our legal retention obligations);
• restrict processing in certain circumstances;
• data portability — receive your data in a structured, machine-readable form;
• object to processing based on legitimate interests;
• withdraw consent at any time where processing is based on consent;
• not be subject to a decision based solely on automated processing that has legal effects on you.

To exercise any of these rights, email bmanashe@googlemail.com. You can also delete your account from the dashboard at any time; this triggers our automated GDPR purge job within 24 hours.

If you are unhappy with how we handle your data you can complain to the UK Information Commissioner's Office at ico.org.uk.

See our Cookie Policy for what cookies we set and how to manage them.

The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has signed up, contact us and we will delete the account.

We may update this Privacy Policy from time to time. The “last updated” date at the top of this page reflects the most recent change. Material changes will be communicated by email or a dashboard notice.

For privacy questions or to exercise your rights: bmanashe@googlemail.com.