Security & Data Protection

How we protect your brand data, respect your privacy, and handle AI processing transparently.

Last updated: February 2026

Your Data Is Yours

You own all generated content — logos, strategies, messaging, visual assets. No restrictions on commercial use. No attribution required. No watermarks.

Never Used for AI Training

Your brand data is never used to train, fine-tune, or improve any AI model. We use API-only access with data processing agreements that prohibit provider-side retention.

Private by Default

Each brand workspace is completely isolated. No other user, client, or competitor can access your data. No cross-client data mixing.

How AI Processing Works

Like any AI-powered tool, we send information to AI providers to generate your branding materials. Here is exactly what happens:

What we send

Limited brand information: company name, industry, description, target audience, and brand values. This is the minimum needed to generate relevant branding content.

We never send:

Passwords, payment details, personal contact information, internal business documents, or any data beyond what you enter in the branding modules.

Which providers process your data

We use established AI providers, each serving a specific purpose in the branding process:

Provider	Purpose	Data Sent
OpenRouter	AI model gateway ZDR	Brand descriptions, strategy prompts
OpenAI	Text & image generation	Brand descriptions, visual prompts
Anthropic	Strategic analysis	Brand strategy context
Google AI	Analysis & voice generation	Brand descriptions, voice parameters
Recraft	Vector graphics	Visual style prompts
Replicate	Image processing	Generated images (for processing)
Fal.ai	Image processing	Generated images (for processing)

ZDR = Zero Data Retention — provider deletes input/output immediately after processing.

What happens after processing

AI providers process your brand data solely to generate your requested output. Under our data processing agreements, they do not retain, view, or use your brand data for any other purpose — including training their AI models. Responses are returned to us, and the input data is not stored on the provider side.

For Agencies & Studios

We understand that agencies handle sensitive client data and need assurances before using any platform for real client work.

Agency-Specific Commitments

Client data isolation — Each brand workspace is completely separate. No cross-client visibility, no data mixing between brands, no way for one client's data to appear in another's outputs.
White-label deliverables — All exports (logos, assets, mockups) contain no BrandingStudio.ai branding or watermarks. Present everything under your agency name.
Data Processing Agreements — Business customers requiring a formal DPA (GDPR Article 28) can request one at legal@brandingstudio.ai.
Secure client sharing — Share brand guidelines with clients through password-protected Brandbook pages. Control what they see without giving platform access.
Complete data removal — When you delete a brand or close your account, all associated data (strategies, assets, generated content) is permanently removed within 30 days.
Commercial use rights — All plans include full commercial use rights. Use generated assets for client work, presentations, and deliverables without restrictions.

Infrastructure Security

Your data is protected by multiple layers of security across our entire infrastructure.

Encryption

TLS 1.3 for all data in transit. AES-256 encryption for data at rest. All API communications use HTTPS.

Database

Hosted in the EU (Ireland) on Neon, a SOC 2 compliant provider. Automated backups with point-in-time recovery.

File Storage

EU-hosted on Cloudflare R2. All generated assets (logos, mockups, PDFs) are stored in European data centers.

Authentication

Payments

Processed by Stripe (PCI DSS Level 1). We never store credit card numbers on our platform. Stripe handles all payment data.

Analytics

Consent-gated analytics via PostHog (EU Frankfurt). No tracking without your explicit consent. No third-party advertising cookies.

GDPR & Data Residency

Data Controller

It Matters Lda (PT516373978), Rua Vieira Pinto 109, 4430-254 Vila Nova de Gaia, Portugal. We are the data controller under GDPR and Portuguese data protection law.

Where your data lives

EU
Database — Neon, Ireland
EU
File storage — Cloudflare R2, European data centers
EU
Analytics — PostHog, Frankfurt (consent-gated)
EU
Invoicing — Moloni, Portugal

International transfers

Some providers (authentication, AI processing) are US-based. All international transfers are protected by:

Standard Contractual Clauses (SCCs) — EU Commission approved
Data Processing Agreements (DPAs) with all providers
EU-US Data Privacy Framework (DPF) certification where applicable
TLS 1.3 encryption for all cross-border data transfers

Your rights

Data export — Download all your data in JSON format from account settings

Account deletion — All data permanently removed within 30 days

Breach notification — 72-hour notification to authorities (GDPR Art. 33)

Data portability — Receive your data in machine-readable format

Compliance & Data Processing

We maintain data processing agreements with all service providers and comply with EU data protection regulations.

Data Processing Agreements

Business customers requiring a formal Data Processing Agreement (GDPR Article 28) can request one by contacting legal@brandingstudio.ai. You may also request copies of the SCCs and DPAs we have with our subprocessors.

Data retention

Active accounts — Data retained while account is active
Account deletion — All data removed within 30 days
Payment records — 7 years (Portuguese tax law requirement)
Backups — Automatically purged after 90 days

For full details, see our Privacy Policy.

Contact & Resources

Security & Privacy Contacts

Privacy

privacy@brandingstudio.ai

GDPR Requests

gdpr@brandingstudio.ai

Legal

legal@brandingstudio.ai

Security & Data Protection

How we protect your brand data, respect your privacy, and handle AI processing transparently.

Last updated: February 2026

Your Data Is Yours

You own all generated content — logos, strategies, messaging, visual assets. No restrictions on commercial use. No attribution required. No watermarks.

Never Used for AI Training

Your brand data is never used to train, fine-tune, or improve any AI model. We use API-only access with data processing agreements that prohibit provider-side retention.

Private by Default

Each brand workspace is completely isolated. No other user, client, or competitor can access your data. No cross-client data mixing.

How AI Processing Works

Like any AI-powered tool, we send information to AI providers to generate your branding materials. Here is exactly what happens:

What we send

Limited brand information: company name, industry, description, target audience, and brand values. This is the minimum needed to generate relevant branding content.

We never send:

Passwords, payment details, personal contact information, internal business documents, or any data beyond what you enter in the branding modules.

Which providers process your data

We use established AI providers, each serving a specific purpose in the branding process:

Provider	Purpose	Data Sent
OpenRouter	AI model gateway ZDR	Brand descriptions, strategy prompts
OpenAI	Text & image generation	Brand descriptions, visual prompts
Anthropic	Strategic analysis	Brand strategy context
Google AI	Analysis & voice generation	Brand descriptions, voice parameters
Recraft	Vector graphics	Visual style prompts
Replicate	Image processing	Generated images (for processing)
Fal.ai	Image processing	Generated images (for processing)

ZDR = Zero Data Retention — provider deletes input/output immediately after processing.

What happens after processing

For Agencies & Studios

We understand that agencies handle sensitive client data and need assurances before using any platform for real client work.

Agency-Specific Commitments

Client data isolation — Each brand workspace is completely separate. No cross-client visibility, no data mixing between brands, no way for one client's data to appear in another's outputs.
White-label deliverables — All exports (logos, assets, mockups) contain no BrandingStudio.ai branding or watermarks. Present everything under your agency name.
Data Processing Agreements — Business customers requiring a formal DPA (GDPR Article 28) can request one at legal@brandingstudio.ai.
Secure client sharing — Share brand guidelines with clients through password-protected Brandbook pages. Control what they see without giving platform access.
Complete data removal — When you delete a brand or close your account, all associated data (strategies, assets, generated content) is permanently removed within 30 days.
Commercial use rights — All plans include full commercial use rights. Use generated assets for client work, presentations, and deliverables without restrictions.

Infrastructure Security

Your data is protected by multiple layers of security across our entire infrastructure.

Encryption

TLS 1.3 for all data in transit. AES-256 encryption for data at rest. All API communications use HTTPS.

Database

Hosted in the EU (Ireland) on Neon, a SOC 2 compliant provider. Automated backups with point-in-time recovery.

File Storage

EU-hosted on Cloudflare R2. All generated assets (logos, mockups, PDFs) are stored in European data centers.

Authentication

Payments

Processed by Stripe (PCI DSS Level 1). We never store credit card numbers on our platform. Stripe handles all payment data.

Analytics

Consent-gated analytics via PostHog (EU Frankfurt). No tracking without your explicit consent. No third-party advertising cookies.

GDPR & Data Residency

Data Controller

It Matters Lda (PT516373978), Rua Vieira Pinto 109, 4430-254 Vila Nova de Gaia, Portugal. We are the data controller under GDPR and Portuguese data protection law.

Where your data lives

EU
Database — Neon, Ireland
EU
File storage — Cloudflare R2, European data centers
EU
Analytics — PostHog, Frankfurt (consent-gated)
EU
Invoicing — Moloni, Portugal

International transfers

Some providers (authentication, AI processing) are US-based. All international transfers are protected by:

Standard Contractual Clauses (SCCs) — EU Commission approved
Data Processing Agreements (DPAs) with all providers
EU-US Data Privacy Framework (DPF) certification where applicable
TLS 1.3 encryption for all cross-border data transfers

Your rights

Data export — Download all your data in JSON format from account settings

Account deletion — All data permanently removed within 30 days

Breach notification — 72-hour notification to authorities (GDPR Art. 33)

Data portability — Receive your data in machine-readable format

Compliance & Data Processing

We maintain data processing agreements with all service providers and comply with EU data protection regulations.

Data Processing Agreements

Data retention

Active accounts — Data retained while account is active
Account deletion — All data removed within 30 days
Payment records — 7 years (Portuguese tax law requirement)
Backups — Automatically purged after 90 days

For full details, see our Privacy Policy.

Contact & Resources

Security & Privacy Contacts

Privacy

privacy@brandingstudio.ai

GDPR Requests

gdpr@brandingstudio.ai

Legal

legal@brandingstudio.ai

Security & Data Protection

Your Data Is Yours

Never Used for AI Training

Private by Default

How AI Processing Works

What we send

Which providers process your data

What happens after processing

For Agencies & Studios

Agency-Specific Commitments

Infrastructure Security

Encryption

Database

File Storage

Authentication

Payments

Analytics

GDPR & Data Residency

Data Controller

Where your data lives

International transfers

Your rights

Compliance & Data Processing

View Full Subprocessor List

Data Processing Agreements

Data retention

Contact & Resources

Security & Privacy Contacts

Security & Data Protection

Your Data Is Yours

Never Used for AI Training

Private by Default

How AI Processing Works

What we send

Which providers process your data

What happens after processing

For Agencies & Studios

Agency-Specific Commitments

Infrastructure Security

Encryption

Database

File Storage

Authentication

Payments

Analytics

GDPR & Data Residency

Data Controller

Where your data lives

International transfers

Your rights

Compliance & Data Processing

View Full Subprocessor List

Data Processing Agreements

Data retention

Contact & Resources

Security & Privacy Contacts