Privacy Policy
1. Who We Are
BrandMe is a personal brand kit generator operated by Angelina Sorokina, sole proprietor, based in Porto, Portugal. We are the data controller for all personal data processed through this service.
Service: BrandMe (https://brandme.one)
Privacy contact: lina.vsorokina@gmail.com
2. What Data We Collect
Account: your email address, collected via magic link login. We do not collect passwords, phone numbers, or social profiles.
Brand interview content: free-text answers you provide during the brand interview. Our AI extracts approximately 35 structured fields — including your professional background, values, mission, target audience, and brand voice traits.
Creative preferences: 3–4 visual direction choices made during brand kit generation.
Technical: a session identifier (run_id), a token usage counter, and a compressed conversation summary stored server-side.
Error diagnostics: Sentry (EU-hosted, Germany) captures error stack traces when something breaks. PII is minimised — IP addresses and user-agent strings are not sent.
Product analytics: PostHog (EU-hosted, Frankfurt) captures anonymous event metadata about how you use the service (e.g. signup, interview start, brand kit generation, regenerate clicks). After login, your user ID and email domain are linked to events so we can analyze the user funnel. We do not capture form contents, free-text answers, generated brand kit content, or any other personally identifiable text.
We do not collect: payment card data, biometrics, physical location, uploaded files, or photos.
Browser storage (not sent to our servers): sessionStorage for in-session interview continuity; localStorage for tracking whether you have seen certain modals. Both are erased when you clear browser data or close the tab.
3. Why We Collect It (Legal Basis)
We process your personal data on the following legal bases under GDPR Article 6:
Performance of contract (Art. 6(1)(b)): your email and interview data are necessary to deliver the brand kit you requested.
Legitimate interest (Art. 6(1)(f)): error monitoring and session identifiers are used for service security, stability, and abuse prevention. We have assessed these interests as proportionate and not overriding your rights.
Consent (Art. 6(1)(a)): when your data is transferred to AI providers in countries without EU adequacy decisions — specifically DeepSeek in China — we rely on your explicit consent. See Section 5 for details.
4. Who We Share Data With
We share data with the following third-party subprocessors:
| Service | Purpose | Location | Data shared |
|---|---|---|---|
| Supabase | Auth + database | EU region | Email, all app data |
| Vercel | Hosting + CDN | US | HTTP request logs |
| DeepSeek | Core AI processing | China | Full brand interview text, AI prompts |
| OpenRouter | AI quality evaluation | US | Synthesised agent outputs |
| Tavily | Web search for AI agents | US | AI-generated search queries derived from your inputs |
| Langfuse | AI observability | EU (Frankfurt) | Full AI message histories, token counts |
| Sentry | Error tracking | EU (Germany) | Error stack traces (PII minimised) |
| PostHog | Product analytics (event tracking) | EU (Frankfurt) | Anonymous event metadata (no PII), user ID + email domain after login |
| Resend | Email delivery | EU (Ireland) | Your email address for magic links |
5. International Transfers
Most of our subprocessors are based in the EU/EEA (Langfuse, Sentry, PostHog, Resend) or in the United States, where Standard Contractual Clauses apply.
DeepSeek processes your brand interview data in China. China is not an EU adequacy country, and we have not yet implemented Standard Contractual Clauses for this transfer. The legal basis is your explicit consent under GDPR Art. 49(1)(a). By using BrandMe, you consent to this transfer. If you do not consent, please do not use the service.
We are actively evaluating EU-hosted AI alternatives.
6. How Long We Keep Your Data
Account data (email, session records): until you request deletion.
Brand interview content and generated brand kit: until you request deletion.
Error logs (Sentry): 30 days, per Sentry's default free-tier retention.
We do not currently auto-delete inactive data. Upon a deletion request, we remove your data within 30 days and request deletion from relevant subprocessors. To request deletion, email lina.vsorokina@gmail.com.
7. Your Rights
Under GDPR, you have the following rights:
- Access — request a copy of all personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your data (right to be forgotten)
- Restriction — ask us to limit how we process your data
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Lodge a complaint with the Portuguese data protection authority (CNPD, cnpd.pt)
California Residents (CCPA)
You additionally have the right to know what personal information we collect and how we use it, the right to delete your personal information, and the right not to be discriminated against for exercising your rights. We do not sell your personal information.
To exercise any right, email lina.vsorokina@gmail.com. We respond within 30 days.
8. AI Processing
Your input data — brand interview answers and creative preferences — is sent to third-party AI providers to generate your brand kit. The AI conducts a multi-turn interview, researches your market, synthesises a brand platform, generates visual identity concepts, and produces communications.
AI training: we do not instruct our providers to use your data for model training. Based on our review of provider Terms of Service, your data is processed solely to generate your output.
Automated quality checks: an automated AI quality evaluation agent scores each output and may trigger regeneration. This does not constitute automated decision-making with legal or similarly significant effects on you under GDPR Art. 22 — it only affects output quality.
Accuracy: AI-generated content may contain errors, inaccuracies, or biases. Always review your brand kit before using it commercially.
9. Cookies
We use only essential cookies, which are exempt from consent requirements under EU law:
Authentication cookies (sb-*): required to keep you signed in, set by Supabase.
Locale cookie: stores your language preference.
We do not use analytics, advertising, or tracking cookies. No cookie consent banner is required for the current service.
PostHog product analytics uses memory-only persistence (no cookies, no localStorage). Anonymous event data does not persist across page reloads while you are logged out. If you log in, your identified ID is reset when you log out. This memory-only configuration is GDPR-compliant without requiring a cookie consent banner.
10. Children, Changes, and Contact
Age: BrandMe is intended for adults (18 and over). We do not knowingly collect personal data from users under 18. If you believe a minor has shared data with us, please contact us for deletion.
Policy updates: we may update this Privacy Policy. If changes are material, we will notify you by email (if you have an account) or post a notice on brandme.one.
Effective date: 2026-05-08
Contact: lina.vsorokina@gmail.com