Last updated: April 18, 2026
Privacy Policy
This policy explains what personal data Brandfy collects, why we collect it, and the rights you have under the EU General Data Protection Regulation (GDPR).
1. Data Controller
Liam Villalba (autónomo), Barcelona, Spain.
Contact: hello@brandfy.io
2. What Data We Collect
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email address | Account creation, login, communications | Contract performance |
| Full name | Display in profile and team features | Contract performance |
| Username | Public profile URL | Contract performance |
| Profile bio | Public portfolio | Consent |
| Uploaded files (images, logos, brand assets) | Core service functionality | Contract performance |
| Brand colors and typography selections | Core service functionality | Contract performance |
| Payment information | Subscription billing (processed by Stripe — we never see full card details) | Contract performance |
| Usage data (pages visited, features used) | Service improvement | Legitimate interest |
| IP address and browser info | Security, fraud prevention | Legitimate interest |
| Cookies | See Cookie Policy | Consent / Legitimate interest |
3. How We Use Your Data
- To provide and maintain the Service.
- To process payments.
- To send transactional emails (welcome, team invitations).
- To improve the Service.
We do not sell your data to third parties. We do not use your data for advertising. We do not use your uploaded content to train AI models.
4. Third-Party Services (Sub-processors)
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, login credentials | USA (SOC 2 certified) |
| Stripe | Payment processing | Email, payment details | USA (PCI DSS Level 1) |
| Cloudflare R2 | File storage | Uploaded files | EU (Western Europe) |
| Vercel | Hosting | IP address, usage data | Global (EU processing available) |
| Neon | Database | Account data, project data | EU (Frankfurt) |
| Resend | Transactional email | Email address, name | USA |
5. International Data Transfers
Some sub-processors are based in the USA. Transfers are protected by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.
6. Data Retention
- Account data: retained while your account is active, plus 30 days after deletion.
- Uploaded files: deleted within 30 days of account deletion.
- Payment records: retained for 5 years as required by Spanish tax law.
- Server logs: retained for 90 days.
7. Your Rights (GDPR)
- Access: request a copy of your data.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data (the “right to be forgotten”).
- Portability: receive your data in a machine-readable format.
- Restriction: limit how we process your data.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: at any time, without affecting prior processing.
To exercise any of these rights, email hello@brandfy.io. We will respond within 30 days.
8. Data Security
- HTTPS encryption in transit.
- Files stored in encrypted Cloudflare R2 buckets.
- Authentication handled by Clerk (SOC 2 certified).
- Payments handled by Stripe (PCI DSS Level 1).
- Access to production systems restricted to authorized personnel.
9. Children
Brandfy is not directed at children under 16, and we do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to This Policy
We will notify users of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Supervisory Authority
You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es. If you reside in another EU country, you may contact your local supervisory authority.
12. Contact
hello@brandfy.io
Liam Villalba, Barcelona, Spain.