Privacy Policy

Your privacy matters. This policy explains what personal information we collect, how we use it, who we share it with, and the rights you have - wherever you are in the world.

Effective date: 17 May 2026 · Operated by Ide8 Technologies (Pty) Ltd

1. Who We Are

BrandWeave is operated by Ide8 Technologies (Pty) Ltd (Registration No. 2024/307501/07), a private company registered in the Republic of South Africa. We are the data controller (referred to as a "responsible party" under South Africa's Protection of Personal Information Act, POPIA) for all personal information processed through the Service.

BrandWeave is available globally through the Paddle payment infrastructure. This means we serve users across many jurisdictions, including the European Union, the United Kingdom, the United States, and beyond. We are committed to respecting the privacy rights of all our users regardless of their location.

Information Officer

Registration No. 2024/307501/07

Ground Floor, Park Lane West

194 Bancor Avenue, Waterkloof Glen

Pretoria, 0181, South Africa

Support: support@brandweave.io

2. Information We Collect

2.1 Information You Provide Directly

  • Account data: Your name, email address, and password (or OAuth token from a social login provider such as Google or LinkedIn) when you register.
  • Brand data: Brand names, slogans, colour palettes, logos, source images, and other creative assets you upload or generate within the platform.
  • Team member data: Names, email addresses, and photographs of team members you add to your brand for features such as professional headshot generation. This may constitute biometric or sensitive personal information under applicable law.
  • Payment data: Billing name, address, and payment method details. Full card numbers are processed exclusively by our payment provider (Paddle) and are never stored on BrandWeave servers.
  • Support communications: Messages, attachments, and context you provide when submitting a support request, feedback, or enquiry.
  • Profile information: Any optional information you provide, such as company name, industry, or profile photograph.

2.2 Information Collected Automatically

  • Device & usage data: IP address, browser type and version, operating system, device identifiers, pages visited, links clicked, time spent on pages, and other interaction data.
  • Cookies & similar technologies: Session cookies used for authentication and optional analytics cookies to understand usage trends. See Section 11 for more detail.
  • Log data: Server-side logs recording API requests, response times, error codes, and system events for security and debugging purposes.

2.3 Information from Third Parties

If you sign in using a third-party authentication provider, we receive basic profile information (name, email address, and profile picture) from that provider. We currently support:

We do not receive or store your password from any of these providers.

3. How We Use Your Information

We use your personal information for the following purposes:

  • Service delivery: To create and maintain your account, process your brand assets, deliver AI-generated content, and provide the core functionality of BrandWeave.
  • AI processing: Your uploaded content (images, text prompts, brand data) is transmitted to third-party AI providers to generate, edit, and refine brand assets and marketing materials. See Section 7 for important details.
  • Billing & subscription management: To process payments, manage your subscription, send billing confirmations, and handle refund requests via Paddle.
  • Communications: To send transactional emails (account verification, password resets, subscription confirmations, support responses) and, where you have consented, marketing updates about new features or offers.
  • Product improvement: To analyse aggregated, anonymised usage patterns, fix bugs, prioritise features, and improve the performance and quality of the Service.
  • Security & fraud prevention: To detect, investigate, and prevent unauthorised access, abuse, fraudulent activity, and other potentially harmful or illegal conduct.
  • Legal compliance: To comply with applicable laws, regulations, court orders, and lawful governmental requests.

We do not sell your personal information. We do not trade, rent, or sell your data to third parties for their marketing purposes. Sharing with service providers is limited to what is strictly necessary to operate the Service.

4. Legal Bases for Processing

Depending on your location, we rely on one or more of the following legal bases for processing your personal information:

| Legal Basis | When We Rely on It | Applicable Law |
| --- | --- | --- |
| Contract | Processing necessary to provide the Service you signed up for. | GDPR Art. 6(1)(b) · POPIA §11(1)(a) |
| Legitimate Interests | Improving and securing the Service, analytics, fraud prevention, provided our interests are not overridden by your rights. | GDPR Art. 6(1)(f) · POPIA §11(1)(f) |
| Consent | Where you have explicitly consented (e.g., marketing emails, processing team member photographs for headshot generation). | GDPR Art. 6(1)(a) · POPIA §11(1)(a) |
| Legal Obligation | Where processing is required to comply with applicable law (e.g., retaining billing records for tax purposes). | GDPR Art. 6(1)(c) · POPIA §11(1)(c) |

Under South Africa's Protection of Personal Information Act, 4 of 2013 (POPIA), we process your information in accordance with the conditions for lawful processing set out in Chapter 3, including the requirements for purpose specification, information quality, openness, security safeguards, and data subject participation.

5. Data Sharing & Disclosure

We do not sell your personal information. We share data only with the following categories of recipients, and only to the extent necessary:

  • AI service providers: Your content (images, text prompts, brand data) is transmitted to generative-AI providers such as OpenAI, Anthropic, and Recraft, accessed in part via Vercel AI Gateway, to deliver the core features of the Service. We seek data-processing terms with these providers that restrict the use of your data for training their general-purpose models; however, the specific opt-out rights and model-training policies vary by provider, API tier, and may change over time. We cannot guarantee that your data will never be used in any form by upstream AI providers for model improvement purposes. For the most current position, please refer to the privacy policies of OpenAI, Anthropic, and Recraft respectively.
  • Infrastructure providers: Supabase (database, object storage, authentication), Vercel (hosting and deployment), and related cloud service providers operate the underlying infrastructure of BrandWeave.
  • Payment processor: Paddle processes subscription payments and tax calculations on our behalf. Your payment card data is handled entirely by Paddle and is subject to their privacy policy.
  • Email service providers: Transactional email providers (e.g., for account verification or support responses) may process your email address on our behalf.
  • Legal authorities: We may disclose personal information where required by law, valid court order, or lawful governmental request, or where we believe disclosure is necessary to protect the rights, property, or safety of BrandWeave, our users, or the public.
  • Business transfers: In the event of a merger, acquisition, restructuring, or sale of all or a portion of our assets, your information may be transferred to the successor entity. We will provide notice of any change in data controller.

6. International Data Transfers

BrandWeave is based in South Africa and serves users globally. Your personal information may be transferred to and processed in countries other than your country of residence - including the United States and countries within the European Union - where our infrastructure providers and AI service providers are located.

We ensure appropriate safeguards are in place for cross-border transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA;
  • POPIA Section 72 compliance for transfers outside South Africa - we ensure recipients are subject to equivalent privacy laws or binding agreements;
  • UK IDTA (International Data Transfer Agreement) or equivalent mechanisms for transfers to or from the United Kingdom;
  • Data-processing agreements with all sub-processors requiring equivalent data-protection standards.

7. AI Processing & Your Data

Important — how AI uses your data

BrandWeave relies heavily on artificial intelligence. When you use features such as logo generation, concept editing, headshot creation, or marketing campaign assistance, your inputs - including images, text prompts, and brand data - are transmitted to third-party AI model providers for processing. This AI processing is fundamental to the Service and cannot be opted out of without discontinuing use of AI-powered features.

We have data-processing agreements with our AI providers requiring them to:

  • Process your data only as instructed by us;
  • Not use your data to train or improve their general-purpose models (where such opt-outs are contractually available and enabled);
  • Delete or anonymise your data after processing within the timeframes specified in their agreements;
  • Implement appropriate security measures to protect your data in transit and at rest.

Headshot Generation: When you upload photographs of team members for AI headshot generation, those photographs may constitute biometric information under applicable law. By uploading such images, you confirm that you have obtained the informed consent of the individuals depicted and that they are aware their images will be processed by AI systems. Source images are retained in your account until you choose to delete them. You may request deletion of source images at any time by removing them directly within your account or by submitting a "Personal Information Request" through our support process.

8. Data Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Encryption of sensitive data at rest;
  • Role-based access controls limiting data access to authorised personnel;
  • Row-level security policies on database resources;
  • Regular security reviews and vulnerability assessments;
  • Secure cloud infrastructure with SOC 2-compliant providers.

However, no method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (including the South African Information Regulator and relevant EU data protection authorities) within the timeframes required by applicable law.

9. Data Retention

We retain your personal information for as long as your account is active, as needed to provide the Service, or as required by applicable law. Specifically:

  • Account data: Retained for the lifetime of your account, plus up to 90 days after account deletion to allow for data recovery requests and to complete pending obligations.
  • Brand assets and generated content: Retained as long as your account is active. Deleted within 90 days of account closure.
  • Billing records: Retained for up to 7 years after a transaction as required for tax and accounting compliance.
  • Log data: Retained for up to 90 days for security and debugging purposes, then deleted or anonymised.
  • Support communications: Retained for up to 3 years after closure of a support request, then deleted or anonymised.

When retention periods expire, we delete or anonymise your data in a secure manner. You may request early deletion of your data as described in Section 10.

10. Your Rights

Depending on your location and the applicable law, you may have some or all of the following rights regarding your personal information. To exercise any of these rights, please submit a support request through your account, selecting the "Personal Information Request" request type.

| Right | What It Means | Applicable Law |
| --- | --- | --- |
| Access | Request a copy of the personal information we hold about you. | POPIA · GDPR · CCPA |
| Rectification | Request correction of inaccurate or incomplete personal information. | POPIA · GDPR |
| Erasure | Request deletion of your personal information ('right to be forgotten'), subject to legal retention obligations. | POPIA · GDPR |
| Portability | Receive a copy of your personal data in a structured, machine-readable format. | GDPR |
| Restriction | Request that we limit processing of your data in certain circumstances. | GDPR |
| Object | Object to processing based on legitimate interests or for direct marketing. | POPIA · GDPR |
| Withdraw Consent | Withdraw any consent you have given at any time, without affecting the lawfulness of prior processing. | POPIA · GDPR |
| Non-Discrimination | We will not discriminate against you for exercising your privacy rights. | CCPA |

We will respond to verifiable requests within 30 days (or within the period required by applicable law). We may need to verify your identity before processing your request.

If you are located in the EU or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. South African users may lodge a complaint with the Information Regulator of South Africa.

11. Cookies & Tracking

We use cookies and similar technologies to provide and improve the Service. The types of cookies we use are:

  • Strictly necessary cookies: Required for authentication and session management. These cannot be disabled.
  • Functional cookies: Used to remember your preferences (e.g., theme selection, language).
  • Analytics cookies: Used to understand how users interact with the Service, so we can improve it. These are optional and anonymised where possible.

You can manage or disable non-essential cookies through your browser settings. Disabling cookies may affect the functionality of parts of the Service.

12. Children's Privacy

The Service is not directed to children under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental or guardian consent, we will take steps to delete that information as soon as reasonably practicable.

If you believe we have inadvertently collected information from a child, please contact us at support@brandweave.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you via email or an in-app notification at least 14 days before the changes take effect. The "Effective date" at the top of this page will be updated to reflect when the revised policy comes into force.

We encourage you to review this policy periodically. Continued use of the Service after the effective date of any revised policy constitutes your acceptance of the changes.

14. Contact & Complaints

If you have any questions, concerns, or complaints about this Privacy Policy or our data-handling practices, please contact our Information Officer:

Information Officer — Ide8 Technologies (Pty) Ltd

Registration No. 2024/307501/07

Ground Floor, Park Lane West

194 Bancor Avenue, Waterkloof Glen

Pretoria, 0181, South Africa

Support: support@brandweave.io

General enquiries: info@ide8.co.za

If you are not satisfied with our response, you may escalate your complaint to the relevant supervisory authority:

  • South Africa: Information Regulator — inforegulator.org.za
  • European Union: Your national data protection authority (e.g., CNIL, ICO, BfDI).
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk