Legal

Privacy Policy

This policy explains what personal data BrandPulse collects, why we collect it, and your rights under UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Please read it carefully.

1. Who we are

BrandPulse ("we", "us", "our") is the data controller for personal data processed through usebrandpulse.uk. We are registered in England and Wales. For data protection enquiries contact us at [email protected].

You can lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.

2. Data we collect

We collect the following categories of personal data:

Account data: Name, email address, and account preferences you provide when signing up or updating your profile.

Brand and competitive data: Brand names, domains, competitor names, and the AI-generated responses we retrieve on your behalf. This data belongs to you.

Payment data: Billing details are handled directly by Stripe. We store only a Stripe customer ID and subscription status — never raw card details.

Usage and technical data: IP address, browser type, and log data collected automatically when you use the service. We use this for security and service reliability.

Communications: Any correspondence you send us (support emails, feedback).

3. Legal basis for processing

Contract (Article 6(1)(b)): Providing the BrandPulse service, managing your account, and processing payments.

Legitimate interests (Article 6(1)(f)): Security monitoring, fraud prevention, improving the service, and sending product update emails to existing customers. Our interests are balanced against your rights — you can object at any time.

Legal obligation (Article 6(1)(c)): Retaining financial records as required by HMRC.

Consent (Article 6(1)(a)): Where we rely on consent (e.g. marketing to non-customers), you can withdraw it at any time by emailing us or clicking "unsubscribe".

4. Cookies and similar technologies

We use only strictly necessary cookies. These are required for the service to function and do not require your prior consent under PECR.

Cookie	Purpose	Duration
sb-* (Supabase auth)	Keeps you signed in across page loads.	Session / 1 week
csrf	Protects against cross-site request forgery attacks.	24 hours
cookie_consent	Remembers that you have seen this cookie notice.	1 year

We do not use advertising cookies, third-party analytics cookies, or tracking pixels.

5. Sub-processors and third-party recipients

We share data with the following sub-processors to operate the service. Each is bound by data processing agreements and, where applicable, Standard Contractual Clauses or UK International Data Transfer Agreements (IDTAs) for transfers outside the UK.

Sub-processor	Purpose	Location
Supabase Inc.	Authentication, database (PostgreSQL), file storage.	USA (IDTA)
Stripe Inc.	Payment processing and billing.	USA (IDTA)
OpenAI, L.L.C.	AI-generated brand visibility queries.	USA (IDTA)
Inngest Inc.	Background job orchestration.	USA (IDTA)
Cloudflare Inc.	CDN, DDoS protection, Turnstile CAPTCHA.	USA (IDTA)
Sentry (Functional Software, Inc.)	Error monitoring and diagnostics.	USA (IDTA)

We will notify you of any material changes to this list at least 14 days in advance by email.

6. Data retention

Account and brand data — retained for the life of your account, then deleted within 30 days of account closure.

Payment records — retained for 7 years as required by UK tax law.

Server logs — retained for 90 days.

Support correspondence — retained for 2 years.

7. Your rights under UK GDPR

You have the following rights. To exercise any of them contact [email protected]. We will respond within one calendar month.

Access: Request a copy of the personal data we hold about you. You can also export your data directly from your account settings.

Rectification: Correct inaccurate data.

Erasure ("right to be forgotten"): Delete your account and all associated data from your account settings, or email us.

Portability: Receive your data in a structured, machine-readable format (JSON). Use the "Download my data" option in account settings.

Restriction: Ask us to pause processing while a dispute is resolved.

Objection: Object to processing based on legitimate interests at any time.

Automated decision-making: We do not make solely automated decisions that have a legal or similarly significant effect on you.

8. Security

We implement appropriate technical and organisational measures including TLS encryption in transit, row-level security in our database, CSRF protection, and rate limiting. See our Security Policy for details on vulnerability disclosure.

9. Changes to this policy

We may update this policy. If we make material changes we will notify you by email at least 14 days before the changes take effect. The current version is always available at usebrandpulse.uk/privacy.