Privacy Policy

1. Introduction

BrandBatch ("we", "our", "us") is operated by Commerce Consulting Services, SIA (registration number pending), registered in Latvia. This Privacy Policy explains how we collect, use, and protect your personal data when you use our web application at brandbatch.vercel.app (the "Service").

2. Data We Collect

We collect the following categories of data:

• Account data: email address, display name, company name (provided during registration or via Google OAuth)
• Content data: templates, images, brand assets, article text, and post copy you create or upload
• Social media tokens: OAuth access tokens for connected social media accounts (LinkedIn, Facebook, Instagram), stored encrypted
• Usage data: image generation counts, plan tier, feature usage
• Technical data: browser type, IP address, device information (collected automatically)

3. How We Use Your Data

• To provide the Service: generating images, managing templates, scheduling and publishing social media posts
• To authenticate your identity and manage your account
• To publish content to connected social media platforms on your behalf and at your direction
• To enforce usage quotas based on your subscription plan
• To improve the Service and fix issues

4. Social Media Integration

When you connect a social media account (LinkedIn, Facebook, or Instagram), we request only the permissions necessary to publish content on your behalf. We store OAuth tokens securely and use them solely to post content you have explicitly scheduled or triggered for publishing.

We do not read your social media feeds, contacts, messages, or any data beyond what is necessary for publishing. You can disconnect any social media account at any time from Settings, which immediately revokes our access.

5. Data Storage and Security

Your data is stored on Supabase (hosted on AWS) with PostgreSQL database encryption at rest. Images are stored in Supabase Storage with access controlled by Row Level Security policies. OAuth tokens are stored with encryption. All data transfers use HTTPS/TLS.

6. Data Sharing

We do not sell your personal data. We share data only with:

• Supabase: database and storage hosting
• Vercel: application hosting
• Social media platforms: only the content you explicitly choose to publish

7. Data Retention

We retain your data for as long as your account is active. You can delete your generated content, templates, and scheduled posts at any time. Upon account deletion, all associated data is permanently removed within 30 days.

8. Your Rights (GDPR)

As we are based in the EU (Latvia), you have the following rights under GDPR:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to data portability
• Right to restrict or object to processing
• Right to withdraw consent at any time

To exercise these rights, contact us at privacy@commerce-consulting-services.com.

9. Data Deletion

You can request deletion of your data by contacting us at privacy@commerce-consulting-services.com or by using the data deletion features within the application. For social media platform data deletion requests, we provide a callback endpoint that platforms can use to notify us.

10. Cookies

We use essential cookies only for authentication session management. We do not use tracking cookies, advertising cookies, or analytics cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of significant changes via email. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related inquiries:
Commerce Consulting Services, SIA
Email: privacy@commerce-consulting-services.com