BrandCanvasAI
Log inGet started
Legal

Privacy Policy

Last updated: June 2, 2026

Your privacy matters. This policy explains what we collect, why, how long we keep it, who we share it with, and the rights you have. We follow the principles of the EU General Data Protection Regulation (GDPR) and the UK GDPR, and we apply the same standards globally.

1. Who we are (Data Controller)

BrandCanvas AI ("we", "us", "our") is the data controller for personal data processed through brandcanvasai.com and the BrandCanvas AI application. You can reach us at hello@brandcanvas.ai for any privacy question or to exercise your rights.

2. Information we collect

2.1 Information you give us

  • Account data: email address and password (stored only as a salted hash; we never see your plaintext password).
  • Profile data: business name, industry, target audience, preferred visual style.
  • Brand inputs: the briefs, prompts, color preferences, and reference material you submit.
  • Generated brand outputs: logos, palettes, typography pairings, mockups, and guideline documents created from your inputs.
  • Support & communications: the content of emails or messages you send us.

2.2 Information collected automatically

  • Usage data: pages viewed, features used, generation events, timestamps, and approximate location derived from IP.
  • Device data: browser type, operating system, screen size, language.
  • Cookies and similar: see our Cookie Policy.

2.3 Information from third parties

  • Payments: billing metadata (plan, amount, currency, status) from our payment processor. We never receive your full card number.
  • Authentication providers: if you sign in with Google, we receive your name, email, and profile picture from Google.

3. Legal bases for processing (GDPR)

  • Contract: to create your account, deliver credits, and run generations you request.
  • Legitimate interests: to keep the service secure, prevent fraud, debug issues, and improve quality.
  • Consent: for non-essential cookies, marketing emails, and any optional analytics.
  • Legal obligation: to keep accounting records and respond to lawful requests.

4. How we use information

  • To provide, maintain, and improve BrandCanvas AI.
  • To process purchases, deliver credits, issue invoices, and prevent fraud.
  • To respond to support requests and send essential account emails (password resets, billing receipts, security alerts).
  • To run aggregated, non-identifying analytics on usage patterns.
  • To enforce our Terms, investigate abuse, and comply with the law.
  • To send product updates only if you have opted in; you can unsubscribe at any time.

5. AI model usage

Brand generations are produced by our own pipeline orchestrating third-party large language and image models (e.g. via the Lovable AI Gateway). Your prompts and any uploaded reference content are transmitted to these providers solely to fulfill the generation request and are not used by us, or — under our contractual terms — by those providers, to train their public foundation models.

6. Sharing your information

We do not sell personal information. We share data only with the processors needed to run the service:

  • Hosting & infrastructure: Lovable Cloud (database, file storage, edge runtime).
  • Authentication: Supabase Auth (managed via Lovable Cloud).
  • Payments: Stripe or Paddle, depending on your region.
  • Email delivery: our transactional email provider.
  • AI model providers: the providers reachable via the Lovable AI Gateway.
  • Analytics: privacy-friendly product analytics where enabled.
  • Legal: authorities where we are legally required to disclose.

7. International transfers

Some of our processors are located outside the EEA/UK. Where this happens, we rely on Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Addendum, plus supplementary technical and organizational measures.

8. Data retention

  • Account data: kept while your account is active and for up to 12 months after deletion to handle disputes and abuse.
  • Brand outputs: kept until you delete them or close your account.
  • Billing records: kept for the period required by tax law (typically 7 to 10 years depending on jurisdiction).
  • Support emails: kept up to 24 months.
  • Server logs: kept up to 90 days for security and debugging.

9. Security

We use encryption in transit (TLS 1.2+), encryption at rest, row-level security on our database, scoped access tokens, audit logging, and the principle of least privilege for staff access. No system is impenetrable, but we work hard to keep your data safe and to notify you within 72 hours if a personal data breach affecting you occurs, as required by GDPR.

10. Your rights

Depending on your jurisdiction, you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request deletion ("right to be forgotten") of data we no longer need to retain;
  • port your data in a structured, machine-readable format;
  • restrict or object to certain processing;
  • withdraw consent at any time, where processing is based on consent;
  • lodge a complaint with your local supervisory authority.

To exercise any right, email hello@brandcanvas.ai. We respond within 30 days.

11. Children

BrandCanvas AI is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Automated decision-making

We do not make decisions about you that produce legal or similarly significant effects using solely automated processing.

13. Changes to this policy

We may update this policy from time to time. Material changes will be highlighted at the top of this page and, where appropriate, notified by email. The "Last updated" date above always reflects the current version.

14. Contact

Privacy questions or requests: hello@brandcanvas.ai.