Privacy & Security
How we protect your data and respect your privacy.
Data You Provide
When you use Brand Threader, you may provide:
- Account information: Email address for authentication
- Project content: Briefs, brand names, strategic outputs you create
- Uploaded files: Documents, research, and brand materials
How We Use Your Data
| Data Type | How It's Used | Who Can See It |
|---|---|---|
| Email address | Authentication, support, essential notifications | Brand Threader team only |
| Project content | Stored so you can access your work | Your workspace members only |
| Uploaded files | Processed to improve AI outputs, then stored | Your workspace members only |
| Usage analytics | Improve the product, fix bugs | Brand Threader team only (aggregated) |
AI Processing
Brand Threader uses Claude (by Anthropic) to generate strategic outputs. When you use AI features:
- Your inputs are sent to Anthropic's API for processing
- Anthropic does not use your data to train their models (per their API terms)
- Outputs are returned to Brand Threader and stored in your workspace
Important: Don't enter highly confidential information (passwords, financial data, trade secrets) into any AI tool. While we take precautions, AI processing involves third-party services.
Data Storage
| What | Where | Retention |
|---|---|---|
| Account data | Supabase (EU region) | Until account deletion |
| Project data | Supabase (EU region) | Until you delete it, or 30 days after account closure |
| Uploaded files | Supabase Storage (EU region) | Until you delete the project |
| Local drafts | Your browser (localStorage) | Until you clear browser data |
Security Measures
- Authentication: Cloudflare Access with one-time email codes (no passwords to steal)
- Encryption: All data encrypted in transit (TLS) and at rest
- Access control: Workspace-level isolation; your data is not visible to other workspaces
- Infrastructure: Hosted on Cloudflare and Supabase with enterprise-grade security
GDPR Compliance
Brand Threader is designed with GDPR compliance in mind:
- Lawful basis: We process data based on contract performance (providing the service) and legitimate interest (improving the product)
- Data minimisation: We only collect what's needed to provide the service
- Your rights: You can access, export, correct, or delete your data at any time
- Data location: Primary data storage is in the EU
Your Rights
You can:
- Access your data: Export projects from the app, or request a full data export
- Correct your data: Edit any project content directly in the app
- Delete your data: Delete individual projects, or request full account deletion
- Port your data: Export to Word/PDF formats for use elsewhere
Data Processing Agreement (DPA)
If your organisation requires a DPA for compliance purposes, contact us and we'll provide one.
Sub-processors
We use the following third-party services to provide Brand Threader:
| Service | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, authentication, CDN | Global (EU-compliant) |
| Supabase | Database, file storage | EU |
| Anthropic (Claude) | AI processing | US (no training on API data) |
| Stripe | Payment processing | Global (PCI-compliant) |
Incident Response
In the unlikely event of a data breach affecting your information, we will:
- Notify affected users within 72 hours
- Notify relevant authorities as required by law
- Provide details of what happened and what we're doing about it
Questions?
For privacy or security questions, email support@brandthreader.com with "Privacy" in the subject line.