Privacy Policy
Last updated: May 5, 2026
Overview
This Privacy Policy explains how Brama ("we", "us", "our") collects, uses, shares, and protects your personal data when you use our brand identity platform at brama.design. We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA / CPRA), India's Digital Personal Data Protection Act (DPDPA), and similar regulations worldwide. If you have questions about this policy, contact us at privacy@brama.design.
Information We Collect
Account data: when you sign in via Google OAuth, we receive your name, email address, and Google profile picture. We do not see or store your Google password.
Brand data: the briefs you submit, the brand identities generated from them, and any uploaded assets.
Usage data: page views, feature usage, error reports, browser type, device information, IP address, and approximate location (country / region only).
Payment data: when you subscribe, our payment provider (Stripe) processes your card details — we never receive or store full card numbers, only the last four digits and brand for receipts.
Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases: (a) Contract — to provide the Brama service you signed up for; (b) Legitimate interest — for security, fraud prevention, product improvement, and direct communication about your account; (c) Consent — for optional analytics cookies and marketing emails (you can withdraw consent at any time); (d) Legal obligation — to comply with tax, accounting, and regulatory requirements.
How We Use Your Information
We use your data to provide and improve the Brama platform, generate brand identities based on your briefs, send transactional emails about your account and product updates, prevent abuse and ensure security, comply with legal obligations, and analyze aggregated usage to improve features. We do not sell your personal data, do not share it with advertisers, and do not use it to train external AI models without your explicit consent.
Subprocessors
We share data with the following service providers, each bound by data processing agreements: Google (OAuth authentication), Supabase (PostgreSQL database), Vercel (hosting and CDN), Cloudflare (DNS and CDN), Stripe (payments), PostHog (product analytics), Sentry (error monitoring), Anthropic (AI inference for brand generation). Each subprocessor is contractually limited to processing data only for the purposes we direct. A current list with regions and links to each provider's privacy policy is available on request at privacy@brama.design.
International Data Transfers
Brama operates globally, and your data may be transferred to and processed in the United States, the European Union, India, and other countries where our subprocessors operate. For transfers from the EU/UK to other countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with adequacy decisions. For transfers from India, we comply with DPDPA cross-border transfer rules. If you would like a copy of the SCCs that apply to your data, contact us at privacy@brama.design.
Data Storage and Security
Your data is stored using Supabase (PostgreSQL) with row-level security policies, encryption at rest, and encrypted backups. Brand assets are stored in Cloudflare R2 with private-by-default access. All data transmission uses TLS 1.2 or higher. We monitor for security incidents and breach attempts continuously. If a breach affects your personal data, we will notify you without undue delay and within 72 hours of becoming aware where required, in accordance with GDPR Art. 33–34 and equivalent laws.
Data Retention
We retain your account and brand data for as long as your account is active. After account deletion, we permanently remove your personal data within 30 days, except where we are legally required to retain it (e.g., billing records for up to 7 years for tax purposes). Aggregated and anonymised usage data may be retained indefinitely for product improvement. Audit logs are retained for 12 months for security purposes.
Your Rights
Regardless of your location, you have the right to: access the personal data we hold about you; correct inaccurate or incomplete data; delete your data (the "right to erasure" / "right to be forgotten"); restrict or object to certain processing; receive your data in a portable, machine-readable format (data portability); withdraw consent for processing based on consent; lodge a complaint with your local data protection authority. To exercise any of these rights, email privacy@brama.design or use the data export and account deletion tools in your account settings. We respond to verifiable requests within 30 days.
California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights: the right to know what personal information we collect, use, and disclose; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the "sale" or "sharing" of personal information (note: we do not sell or share personal information for cross-context behavioural advertising); the right to limit use of sensitive personal information; the right to non-discrimination for exercising any of these rights. To submit a request, email privacy@brama.design with the subject "CCPA Request".
Cookies and Tracking
We use essential cookies to maintain your authentication session — these cannot be disabled without breaking sign-in. We use first-party analytics cookies (PostHog) to understand how the platform is used; you can opt out at any time via your account preferences. We do not use third-party advertising cookies, do not participate in cross-site tracking, and honour the Global Privacy Control (GPC) signal automatically when sent by your browser.
Children's Privacy
Brama is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact privacy@brama.design and we will delete it promptly.
Automated Decision-Making and AI
Brama uses AI (specifically large language models from Anthropic) to generate brand identities from your briefs. These outputs are creative suggestions you can accept, reject, or regenerate — not legally significant decisions about you. We do not use automated decision-making for account approvals, billing decisions, or anything that would have legal or similarly significant effects on you under GDPR Art. 22. We do not use your personal data or your brands to train AI models, and our subprocessor agreements forbid them from doing so without your separate consent.
Changes to This Policy
We may update this privacy policy to reflect changes to the platform or legal requirements. For material changes, we will notify you via email or an in-product banner at least 30 days before the change takes effect. The "last updated" date at the top of this page reflects the most recent revision. Continued use of Brama after the effective date of changes constitutes acceptance of the updated policy.
Contact and Complaints
For privacy questions, data requests, or to lodge a complaint, contact us at privacy@brama.design. EU/UK users may also contact their local Data Protection Authority. California residents may contact the California Attorney General's office. Indian users may contact the Data Protection Board of India once it becomes operational.