This Privacy Policy explains how BrandPurl ("we", "us", "our") collects, uses, and protects information when you use our website, application, and APIs (collectively, the "Service"). By using the Service you agree to this policy.
1. Information we collect
- Account data. When you sign up we receive your email address (and, for SMS login, your phone number) from our identity provider (Supabase).
- Brand data. Anything you create inside BrandPurl — brand profiles, product URLs, generated posts, uploaded images.
- Connected accounts. When you connect a third-party platform (e.g. Buffer) we receive an OAuth access token from that platform, plus the list of channels associated with your Buffer account (Twitter, Facebook, LinkedIn, etc.). We never receive your platform passwords.
- Usage data. Standard request logs (IP, user-agent, timestamps) used for security and abuse prevention; retained no longer than 90 days.
- Payment data. If/when you purchase credits, payment information is processed by Stripe. We never see or store your full card number.
2. How we use information
- To generate and store the social-media content you ask us to produce.
- To publish or schedule posts to platforms you have explicitly connected.
- To operate, secure, and improve the Service — including debugging and abuse detection.
- To send you transactional emails (sign-in confirmations, billing receipts, security alerts).
We do not sell or rent your data. We do not use your private brand content to train public generative-AI models.
3. Third-party processors
- Supabase — authentication and primary database.
- Cloudflare R2 — image and media storage.
- Upstash — rate limiting / queues.
- MiniMax — generative AI inference.
- Stripe — payments and billing.
- Buffer — when you connect Buffer, your tokens authorize BrandPurl to publish on your behalf. You can revoke access at any time from within BrandPurl or from Buffer’s own settings.
4. How we protect OAuth tokens
Access tokens issued by connected platforms (e.g. Buffer) are encrypted at rest with AES-256-GCM using a dedicated server-side key. Tokens are never sent to the browser, never logged in plaintext, and are decrypted only inside the server process at the moment a publish API call is made.
5. Your rights
- Access & export — request a copy of your data.
- Deletion — delete your account at any time. We remove personal data within 30 days, except where retention is required by law (e.g. tax records).
- Disconnect — revoke any third-party connection from your dashboard. This deletes the stored token immediately.
6. Data retention
Account and content data are retained as long as your account is active. Backups are purged within 30 days of permanent deletion. Request logs are retained for up to 90 days.
7. Children
The Service is not directed at children under 16, and we do not knowingly collect data from them.
8. Changes to this policy
We may update this policy from time to time. Significant changes will be announced via email and via a notice inside the app at least 14 days before they take effect.
9. Contact
Questions or requests: privacy@brandpurl.com.