How we protect your brand data, respect your privacy, and handle AI processing transparently.
Last updated: February 2026
Like any AI-powered tool, we send information to AI providers to generate your branding materials. Here is exactly what happens:
Limited brand information: company name, industry, description, target audience, and brand values. This is the minimum needed to generate relevant branding content.
We never send:
Passwords, payment details, personal contact information, internal business documents, or any data beyond what you enter in the branding modules.
We use established AI providers, each serving a specific purpose in the branding process:
| Provider | Purpose | Data Sent |
|---|---|---|
| OpenRouter | AI model gateway ZDR | Brand descriptions, strategy prompts |
| OpenAI | Text & image generation | Brand descriptions, visual prompts |
| Anthropic | Strategic analysis | Brand strategy context |
| Google AI | Analysis & voice generation | Brand descriptions, voice parameters |
| Recraft | Vector graphics | Visual style prompts |
| Replicate | Image processing | Generated images (for processing) |
| Fal.ai | Image processing | Generated images (for processing) |
ZDR = Zero Data Retention — provider deletes input/output immediately after processing.
AI providers process your brand data solely to generate your requested output. Under our data processing agreements, they do not retain, view, or use your brand data for any other purpose — including training their AI models. Responses are returned to us, and the input data is not stored on the provider side.
We understand that agencies handle sensitive client data and need assurances before using any platform for real client work.
Your data is protected by multiple layers of security across our entire infrastructure.
TLS 1.3 for all data in transit. AES-256 encryption for data at rest. All API communications use HTTPS.
Hosted in the EU (Ireland) on Neon, a SOC 2 compliant provider. Automated backups with point-in-time recovery.
EU-hosted on Cloudflare R2. All generated assets (logos, mockups, PDFs) are stored in European data centers.
Powered by Clerk, a SOC 2 compliant authentication provider. Secure session management with JWT tokens.
Processed by Stripe (PCI DSS Level 1). We never store credit card numbers on our platform. Stripe handles all payment data.
Consent-gated analytics via PostHog (EU Frankfurt). No tracking without your explicit consent. No third-party advertising cookies.
It Matters Lda (PT516373978), Rua Vieira Pinto 109, 4430-254 Vila Nova de Gaia, Portugal. We are the data controller under GDPR and Portuguese data protection law.
Some providers (authentication, AI processing) are US-based. All international transfers are protected by:
We maintain data processing agreements with all service providers and comply with EU data protection regulations.
Business customers requiring a formal Data Processing Agreement (GDPR Article 28) can request one by contacting legal@brandingstudio.ai. You may also request copies of the SCCs and DPAs we have with our subprocessors.
For full details, see our Privacy Policy.