Privacy Policy

Effective date: 27 April 2026 Last updated: 27 April 2026

Contents

  1. Who We Are (Data Controller)
  2. What Personal Data We Collect
  3. Lawful Basis
  4. How We Use Your Data
  5. Third-Party Data Processors
  6. International Data Transfers
  7. Data Retention
  8. Your Rights
  9. Cookies & Analytics
  10. Supervisory Authority
  11. Changes to This Policy
  12. Contact

1. Who We Are (Data Controller)

Plain English: BrandVert.io is the company responsible for your personal data. Contact us at legal@brandvert.io for any privacy questions.

Kristjan Hoareau s.p., registered at Ulica Milana Majcna 35, 1000 Ljubljana, Slovenia, VAT ID SI35687665, registration number 8605556000 ("BrandVert.io", "we") is the data controller for personal data processed in connection with the Service. Contact: legal@brandvert.io.

2. What Personal Data We Collect

Plain English: We collect what's needed to run your account, process payments, operate the Service, and โ€” with your consent โ€” send you product updates and measure how the site performs.

2.1 Account data โ€” name, email address, hashed password, account creation date, role within a workspace.

2.2 Team data โ€” email addresses of users you invite, their assigned roles, invitation status.

2.3 Uploaded content โ€” images you upload to the Service and any text extracted from them. This content may incidentally contain personal data about third parties; you are responsible for ensuring you have the right to upload and process such content.

2.4 Billing data โ€” subscription plan, credit purchase history, invoice records. Full payment card details are processed exclusively by Stripe and are not stored by BrandVert.io.

2.5 Usage data โ€” translation job history, credit balance and ledger, feature activity, timestamps.

2.6 Technical data โ€” IP address, browser type and version, device type, operating system, session identifiers, referring URLs.

2.7 Communications โ€” content of emails or support requests you send us.

2.8 Analytics data โ€” page views, session duration, navigation paths, collected via Google Analytics 4 only with your prior consent.

3. Lawful Basis (GDPR Art. 6)

Plain English: We only process your data when we have a legal reason to. The reason depends on what the data is used for.
Data category Lawful basis Article
Account, team, content, usage data Performance of contract Art. 6(1)(b)
Billing records Performance of contract + legal obligation (accounting law) Art. 6(1)(b) + (c)
Analytics data Consent Art. 6(1)(a)
Marketing emails Consent Art. 6(1)(a)
Fraud prevention, security, legal claims Legitimate interests Art. 6(1)(f)

4. How We Use Your Data

Plain English: Your data is used to run the Service, process payments, send you emails you've asked for, keep the platform secure, and comply with the law. Nothing else.

We use your personal data to:

  • create and manage your account and workspace;
  • provide, operate, and improve the Service;
  • process credit purchases and subscription payments;
  • send transactional emails (account invitations, trial notices, billing receipts);
  • send product update and marketing emails, where you have given consent;
  • respond to support and legal enquiries;
  • detect and prevent fraud, abuse, and security incidents;
  • comply with applicable legal obligations;
  • measure Service usage and performance, where you have given consent to analytics.

5. Third-Party Data Processors

Plain English: We share your data with a small number of trusted companies to operate the Service. They can only use it for the specific purpose we've engaged them for.

BrandVert.io engages the following categories of data processors:

Processor Purpose Location
Stripe, Inc. Payment processing United States
Amazon Web Services (AWS) Cloud file storage (uploaded images, translated output) United States
AI processing services Text extraction and image translation Undisclosed
Google LLC (Analytics) Website analytics (consent-gated) United States
Email delivery provider Transactional and marketing email delivery To be confirmed

Each processor is bound by a data processing agreement and may only process personal data on our documented instructions.

6. International Data Transfers

Plain English: Some of our processors are based in the US. We make sure your data is still protected when it leaves the EU using approved legal mechanisms.

Some processors listed in Section 5 are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred to a third country, we rely on one or more of the following safeguards:

  • Adequacy decision โ€” where the European Commission has determined the destination country ensures adequate protection;
  • Standard Contractual Clauses (SCCs) โ€” EU Commission-approved contractual terms that bind the recipient to EU-equivalent data protection standards;
  • Processor's own compliance framework โ€” where the processor participates in a recognised cross-border transfer mechanism.

You may request details of the specific safeguards applicable to any transfer by contacting legal@brandvert.io.

7. Data Retention

Plain English: We keep your data only as long as needed. When you close your account, your content and personal data are deleted immediately โ€” except billing records, which we must keep for 7 years under Slovenian accounting law.
Data category Retention period
Account and team data Deleted immediately on account closure
Uploaded images and translated output Deleted immediately on deletion or account closure
Usage data (job history, credit ledger) Deleted immediately on account closure
Billing and invoice records 7 years from date of transaction (Slovenian accounting legislation)
Analytics data Per Google Analytics 4 retention settings (maximum 14 months)
Marketing consent records Until consent is withdrawn, plus 3 years for compliance evidence
Backup copies Purged within 30 days of the deletion event

8. Your Rights

Plain English: Under GDPR you have strong rights over your data โ€” to see it, correct it, delete it, and more. Email us at legal@brandvert.io and we'll respond within 30 days.

Under the GDPR you have the following rights:

8.1 Right of access (Art. 15) โ€” you may request a copy of the personal data we hold about you.

8.2 Right to rectification (Art. 16) โ€” you may ask us to correct inaccurate or incomplete personal data.

8.3 Right to erasure (Art. 17) โ€” you may ask us to delete your personal data where we have no overriding legal basis to retain it.

8.4 Right to restriction (Art. 18) โ€” you may ask us to restrict processing of your data in certain circumstances, for example while a rectification request is resolved.

8.5 Right to data portability (Art. 20) โ€” where processing is based on contract or consent and carried out by automated means, you may receive your data in a structured, machine-readable format.

8.6 Right to object (Art. 21) โ€” you may object to processing based on legitimate interests. You may also object at any time to processing for direct marketing purposes; we will stop immediately.

8.7 Right to withdraw consent (Art. 7(3)) โ€” where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To withdraw consent for marketing emails, use the unsubscribe link in any email. To withdraw analytics consent, adjust your browser settings or clear your cookies.

To exercise any right, contact legal@brandvert.io. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

9. Cookies & Analytics

Plain English: We use Google Analytics to understand how visitors use our site โ€” but only if you consent. By default, no analytics cookies are set. We do not use advertising or tracking cookies.

The Service uses Google Analytics 4 ("GA4") to collect anonymised information about how visitors use our website. GA4 is loaded with the following consent defaults applied before any tracking occurs:

  • analytics_storage: denied
  • ad_storage: denied
  • ad_user_data: denied
  • ad_personalization: denied

No analytics data is collected unless you explicitly grant consent. We do not use cookies for advertising, behavioural profiling, or cross-site tracking. A full cookie policy will be published when a consent management interface is deployed.

10. Supervisory Authority

Plain English: If you're not happy with how we handle your data and we can't resolve it, you have the right to complain to the Slovenian data protection authority.

You have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for BrandVert.io is:

Informacijski pooblaลกฤenec

(Information Commissioner of the Republic of Slovenia)

Dunajska cesta 22, 1000 Ljubljana, Slovenia

www.ip-rs.si gp.ip@ip-rs.si

If you are resident in another EU member state, you may also lodge a complaint with the supervisory authority in your country of habitual residence.

11. Changes to This Policy

Plain English: We'll give you 30 days' notice by email of any material changes.

We may update this Privacy Policy from time to time. For material changes we will notify you by email at least 30 days before the effective date. The current version is always published at brandvert.io/privacy. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

12. Contact

For all privacy and data protection enquiries: legal@brandvert.io โ€” Kristjan Hoareau s.p., Ulica Milana Majcna 35, 1000 Ljubljana, Slovenia.