Last updated: April 9, 2026
Privacy Policy
1. Who we are
Brandli is a product of dp.vision (dpvision.agency), a company registered in Poland. We act as the data controller for personal data processed through our platform at brandli.io.
Contact: hello@brandli.io
Address: dp.vision, Poland
Supervisory authority: UODO (Urząd Ochrony Danych Osobowych), Warsaw, Poland
2. Data we collect
2.1 Account data
When you sign up, we collect:
- Email address and password (hashed by Supabase Auth)
- Company name
2.2 Brand data
During onboarding, you provide or we extract:
- Your website URL (we scan it to extract brand colors, fonts, messaging)
- Uploaded brand assets (logos, images)
- Brand voice and content strategy preferences
2.3 Social media integration data
When you connect platforms via OAuth (LinkedIn, Meta, Twitter):
- OAuth access tokens and refresh tokens (encrypted at rest using AES-256-GCM)
- Organization/page names and IDs
- Public profile information (name, profile URL)
We never access your private messages, contacts, or non-public data beyond what the requested permissions allow.
2.4 Payment data
Payments are processed by Stripe. We do not store credit card numbers. Stripe processes your name, email, and payment method under their own privacy policy.
2.5 Usage and analytics data
With your consent, we collect:
- Page views, feature usage, session data (via PostHog)
- Conversion events (via Google Analytics)
- Error reports and stack traces (via Sentry — no PII by default)
Analytics tracking only activates after you give consent via our cookie banner.
2.6 AI interaction data
When you use our AI agents, we send to Anthropic (Claude API):
- Your brand configuration (company name, colors, tone, messaging)
- Knowledge base entries you created
- Your chat messages and instructions
- Previous feedback you gave on AI outputs
Important: Anthropic does not use API inputs or outputs to train their models. Data is retained by Anthropic for up to 30 days for trust and safety purposes, then deleted. See Anthropic's Privacy Policy.
3. Legal bases for processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Account creation, service delivery | Contract performance |
| AI content generation | Contract performance |
| OAuth integrations | Contract performance |
| Payment processing | Contract performance |
| Transactional emails | Contract performance |
| Analytics (PostHog, GA) | Consent |
| Error monitoring (Sentry) | Legitimate interest (service reliability) |
| Website scraping (onboarding) | Contract performance |
| Tax/accounting records | Legal obligation |
4. Sub-processors
We share data with these service providers:
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, auth, file storage | EU (Frankfurt) | N/A (EU) |
| Anthropic | AI content generation | US | SCCs + DPF |
| Stripe | Payments | US/EU | DPF certified + SCCs |
| Resend | Transactional email | US | SCCs |
| PostHog | Product analytics | EU/US | SCCs (if US instance) |
| Sentry | Error monitoring | US | DPF certified + SCCs |
| Firecrawl | Website scraping (onboarding) | US | SCCs |
| Inngest | Background job processing | US | SCCs |
| Vercel | Application hosting | US (Edge: global) | DPF certified + SCCs |
5. International data transfers
Some of our sub-processors are located in the United States. We ensure adequate protection through EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF).
6. Data retention
- Account data: Duration of your account + 30 days after deletion
- Brand assets: Duration of your account + 30 days
- OAuth tokens: Until you disconnect or delete your account
- Payment records: 5 years (Polish tax law — Ordynacja podatkowa)
- Analytics data: 26 months
- Error logs: 90 days
- AI interaction logs: 30 days, then deleted
7. Your rights
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Data portability (receive your data in a machine-readable format)
- Object to processing based on legitimate interest
- Withdraw consent at any time (for analytics/marketing)
- Lodge a complaint with UODO or any EU supervisory authority
To exercise your rights, email hello@brandli.io. We respond within 30 days.
8. Security measures
- All data encrypted in transit (TLS 1.3)
- OAuth tokens encrypted at rest (AES-256-GCM)
- Database hosted in EU (Supabase, Frankfurt region)
- Row-Level Security (RLS) enforcing workspace isolation
- CSRF protection on all mutation endpoints
- Passwords hashed by Supabase Auth (bcrypt)
9. AI-generated content
Brandli uses artificial intelligence (Anthropic Claude) to generate marketing content. This content is provided as suggestions — you are responsible for reviewing, editing, and approving content before publishing. AI-generated content may not be eligible for copyright protection in all jurisdictions.
10. Children
Brandli is a B2B service not directed at individuals under 16. We do not knowingly collect data from children.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The "last updated" date at the top reflects the current version.