Privacy Policy
LAST UPDATED · 2026-04-29
Summary
Brand Protector (“we”, “us”) operates a brand-protection SaaS at brandprotector.io. This Privacy Policy explains what we collect, why we collect it, how long we keep it, and the rights you have over it. We process data in two roles: as a controller for our own account and billing data, and as a processor for the brand-context, scanner credentials, and detection records you upload into your tenant workspace.
What we collect
We collect three buckets of data:
- Account data. Your email address (via Google sign-in), display name, the tenants you belong to, your role in each tenant, and audit timestamps for your sign-ins and actions.
- Brand & workspace data. Information you upload to configure scanners — your brand name, keywords, domains, marketplace seller IDs, allowlists, contact emails, and counterfeit-listing context. This is “customer data” and you remain its controller.
- Scanner credentials. Per-platform API tokens and refresh tokens (e.g. Amazon SP-API, eBay, Walmart, Slack webhooks) you provide so our scanners can act on your behalf. These are stored in Google Secret Manager under a tenant-scoped naming convention.
- Operational telemetry. Standard server logs (IP, user-agent, timestamps), error reports via Sentry, and usage metrics for capacity planning and abuse detection. We do not use analytics or marketing cookies, and we do not load third-party tracking scripts on either the marketing site or the application.
We do not intentionally collect special-category personal data (health, biometrics, etc.). Brand Protector is a B2B tool; please don't paste sensitive personal data into it.
Why we collect it
- Run scanners. Detect counterfeit listings on the surfaces you select.
- Send takedowns. Generate, sign, and submit DMCA, Brand Registry, VeRO, and platform-specific takedown notices on your behalf, and track responses.
- Operate your account. Authenticate sign-ins, enforce per-tenant access controls, send transactional email (via Resend), bill subscriptions (via Stripe).
- Support. Respond to your support requests and triage bugs.
- Security & abuse prevention. Rate-limit authentication endpoints, detect anomalous activity, and preserve audit trails.
Our legal bases under GDPR are: (a) contract for delivering the service you signed up for; and (b) legitimate interests for operational telemetry and abuse prevention. We currently set strictly-necessary cookies only (no analytics, no marketing trackers), so consent is not the legal basis for any cookie we use today — see our Cookie Policy for the full inventory. If we ever add analytics or marketing cookies, we will switch to a real consent flow before any new cookie is set.
How long we keep it
- Active subscription. All workspace data is retained for as long as your subscription is active.
- Cancellation. When you cancel, your tenant enters a 30-day soft-delete window during which we can restore on request. After 30 days, tenant data is purged from Firestore and the evidence GCS bucket. (See the multi-tenant design doc, decision #6.)
- Audit logs. Sign-in records and takedown attestations may be retained for up to 7 years for legal defensibility, with all customer-identifying fields purged after the 30-day window where feasible.
- Backups. Encrypted backups roll off on a standard 35-day cycle.
- Billing records. Stripe-controlled records are retained per Stripe's policy and applicable tax law (typically 7 years).
Third parties & sub-processors
We use a small set of vetted sub-processors to deliver the service:
- Google Cloud Platform — hosting (Cloud Run), database (Firestore), object storage (GCS), secrets management (Secret Manager). Region: us-central1 (compute), nam5 multi-region (Firestore).
- Google Identity (OAuth) — sign-in. We receive your email and basic profile.
- Stripe — subscription billing. Card data never touches our servers.
- Resend — transactional email delivery.
- Sentry — error monitoring. We scrub PII from error reports where practical.
- Scanner providers — OpenAI, Anthropic, Perplexity, Google AI, xAI, SerpAPI, and Apify, used to detect counterfeit listings on AI platforms and search engines.
The current list of sub-processors is also referenced in our Data Processing Addendum. We update this list when sub-processors change.
Your rights (GDPR & CCPA)
If you are in the EU/EEA, UK, or California, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Delete your personal data (subject to limitations, e.g. legal hold or pending takedown actions).
- Export your data in a portable, machine-readable format.
- Restrict or object to processing.
- Withdraw consent where consent is the basis.
- Opt out of “sale” or “sharing” of personal information (CCPA). We do not sell your data.
- Lodge a complaint with your supervisory authority.
To exercise any of these rights, email privacy@brandprotector.io. We respond within 30 days.
Security
We follow industry-standard security practices: encryption in transit (TLS) and at rest, least-privilege IAM scoped per tenant, server-side validation of every cross-tenant boundary, audit logging of admin actions, hard-coded server-only Firestore writes, rate-limiting on authentication, and routine dependency auditing. No system is unbreakable; we describe our incident-response process in the DPA.
International transfers
Our infrastructure is hosted in the United States. If you are in the EU/UK, your data is transferred to the US under the Standard Contractual Clauses (SCCs) attached to our DPA. Sub-processors operate under their own SCC commitments where applicable.
Children's data
Brand Protector is not directed at, and we do not knowingly collect personal data from, children under 16.
Changes to this policy
We may update this policy as the service evolves. Material changes will be announced by email to account owners at least 30 days before they take effect, and the “Last updated” date at the top will change.
How to contact us
For privacy questions, data-rights requests, or to report a security issue:
- Email: privacy@brandprotector.io
- Security disclosures: security@brandprotector.io