Legal

Privacy Policy

Last updated: June 2, 2026

Brandlyre ("we", "us", or "our") operates the website and application at brandlyre.com. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under applicable law including the General Data Protection Regulation (GDPR).

By using Brandlyre you agree to the collection and use of information in accordance with this policy. If you are using Brandlyre on behalf of an organisation, you confirm that you have authority to agree to these terms on its behalf.

1. Who is the data controller?

Brandlyre is a product operated by Andreality S.L. (Tax ID B-10663193), Pasaje Dr. Bartual Moret 8, 46010 Valencia, Spain, which is the data controller for personal data processed through Brandlyre. You can reach us at [email protected].

2. Data we collect

Account and profile data

When you register we collect your name, email address, and a hashed password. If you invite team members we also store their email addresses and role assignments.

Brand profile data

You may provide us with information about your brand including its name, website URL, logo, colour palette, tone-of-voice descriptions, target audiences, and marketing objectives. This information is used solely to power the AI-assisted content planning features.

Social-account OAuth tokens

When you connect a social network (Instagram, Facebook, LinkedIn, TikTok, Threads, X) we store the OAuth access and refresh tokens issued by that platform. These tokens are held encrypted at rest and are used exclusively to publish, schedule or retrieve content on your behalf. We never read your personal inbox or follow/unfollow contacts without your explicit instruction.

Uploaded media

Images and other media files you upload are stored in our cloud object storage (Cloudflare R2) under a per-brand prefix. Files are accessible only to authenticated members of your brand workspace.

Usage and log data

We collect server access logs (IP address, browser user-agent, page visited, timestamp) for security, debugging, and abuse prevention. Log data is retained for 90 days.

Cookies and analytics

We use first-party session cookies essential for authentication. With your consent (via our cookie-consent banner) we may also load Google Analytics (GA4) to understand aggregate usage patterns. GA4 data is anonymised and no cross-site tracking occurs. You can withdraw consent at any time via the cookie settings link in the footer.

Contact form submissions

If you contact us through our website form we store your name, email, subject, message, IP address, and browser user-agent. This data is used only to respond to your enquiry and is deleted after 24 months.

3. AI processing

Brandlyre uses large-language-model (LLM) APIs to generate copy, image descriptions, and content plans. Your brand profile data (name, tone notes, objectives) and post drafts may be sent to these APIs as part of generating suggestions. We currently use:

  • Google Gemini (primary) for text and Google Imagen for image generation — governed by Google's Privacy Policy.
  • OpenAI (fallback) — GPT-4o for text and gpt-image-1 for images — governed by OpenAI's Privacy Policy.

We do not use your data to train external AI models. API requests are made over TLS. If you prefer that a specific piece of brand information is not sent to AI providers, you may omit it from the brand profile.

4. Third-party services and sub-processors

We engage the following sub-processors. Each is GDPR-compliant or operates under appropriate transfer safeguards (e.g. EU Standard Contractual Clauses):

  • Hetzner Online GmbH — application hosting and database (Germany, EU)
  • Cloudflare — object storage (R2), content delivery (CDN), DNS, and bot protection (Turnstile)
  • Google — Gemini and Imagen AI (copy and image generation), Google Business Profile publishing, and optional analytics (GA4)
  • OpenAI — fallback AI copy and image generation
  • Meta (Facebook / Instagram / Threads) — social publishing, OAuth
  • LinkedIn — social publishing, OAuth
  • TikTok — social publishing, OAuth
  • Resend — transactional email delivery
  • Sentry — application error monitoring

We do not sell, rent, or share your personal data with any third party for advertising purposes.

5. Legal bases for processing

  • Contract performance — processing necessary to deliver the service you subscribed to.
  • Legitimate interests — security logging, abuse prevention, and product improvement analytics (aggregated).
  • Consent — optional analytics cookies; you can withdraw at any time.
  • Legal obligation — retaining records where required by applicable law.

6. Data retention

We retain account data for as long as your account is active plus 60 days after deletion to allow recovery. Social OAuth tokens are deleted immediately when you disconnect a social account. Uploaded media is deleted when you explicitly remove it or when the brand workspace is deleted. Log data is purged after 90 days. Contact-form submissions are deleted after 24 months.

7. Data transfers

Brandlyre's application servers and primary database are hosted in the European Union (Hetzner, Germany). Some sub-processors listed above (e.g. Google, OpenAI, Cloudflare, Meta, TikTok) may process data outside the European Economic Area (EEA). Where required, such transfers are governed by Standard Contractual Clauses approved by the European Commission.

8. Your rights (GDPR)

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — at any time where consent is the legal basis.

To exercise any of these rights email [email protected] with the subject line "Data Rights Request". We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

9. Security

We implement appropriate technical and organisational measures to protect your data, including TLS in transit, encryption at rest for sensitive tokens, access controls, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

10. Children

Brandlyre is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you by email or by a prominent notice within the application when we make material changes. The "Last updated" date at the top of this page will always reflect the most recent revision.

12. Contact

Questions about this policy? Email us at [email protected] or write to us at Andreality S.L., Pasaje Dr. Bartual Moret 8, 46010 Valencia, Spain.