This policy has been drafted to cover UK GDPR, the Data Protection Act 2018, and PECR requirements. It should be reviewed by a qualified solicitor before publication to ensure it accurately reflects your specific data processing activities.
Privacy Policy
Last updated: 8 April 2026
1. Who we are
The Brand Protocol ("we", "us", "our") is a trading name of RightsTech Ltd, a company registered in England and Wales (Company No. 16602847).
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller — meaning we decide how and why your personal data is processed.
Data protection contact: hello@thebrandprotocol.ai
If you have any questions about this privacy policy or how we handle your data, contact us using the details above.
2. What data we collect
2.1 Data you provide directly
| Data type | When collected | Purpose |
|---|---|---|
| Email address | Waitlist signup, account creation | Service delivery, product updates |
| Name | Contact form, account creation | Communication, support |
| Brand inputs (business name, audience description, positioning preferences, visual preferences) | During the brand protocol | Generating your brand identity outputs |
| Payment information | Purchase (processed by Stripe) | Payment processing — we do not store card details |
| Contact form messages | Contact page submission | Responding to your enquiry |
2.2 Data collected automatically
| Data type | How collected | Purpose |
|---|---|---|
| Page views, scroll depth, button clicks, section views | Our analytics system (first-party) | Understanding how visitors use the site to improve the product |
| Session identifier (random UUID, not linked to identity) | Generated per browser session | Grouping page views into sessions for analytics |
| Referrer URL | Browser standard | Understanding traffic sources |
| UTM parameters (source, medium, campaign) | URL parameters | Measuring marketing campaign effectiveness |
| Viewport dimensions, browser type | Browser standard | Ensuring the site works across devices |
| IP address | Server logs, rate limiting | Security (rate limiting on waitlist API), fraud prevention |
2.3 Data we do NOT collect
We do not collect or process: special category data (race, health, religion, sexual orientation, political opinions), data from children under 16, financial data beyond what Stripe processes on our behalf, or social media profile data.
3. How we use your data
| Processing activity | Legal basis (UK GDPR Art. 6) |
|---|---|
| Providing the brand protocol service | Contract — necessary to deliver the service you purchased |
| Processing payments via Stripe | Contract — necessary to fulfil your purchase |
| Sending waitlist updates and product launch emails | Consent — you opted in by joining the waitlist |
| Responding to contact form enquiries | Legitimate interests — responding to your request |
| Website analytics (page views, scrolling, clicks) | Legitimate interests — improving the product and user experience |
| Rate limiting and security | Legitimate interests — protecting the service from abuse |
| AI-powered brand generation | Contract — this is the core service you purchase |
Where we rely on legitimate interests, we have conducted a balancing assessment to ensure our interests do not override your rights. You may object to processing based on legitimate interests at any time (see Section 8).
4. AI processing
The Brand Protocol uses artificial intelligence to generate brand identity outputs (strategy documents, logo concepts, colour systems, typography, guidelines, and assets) based on the information you provide during the protocol.
How it works: Your brand inputs (business name, audience description, positioning preferences) are sent to AI language model APIs to generate your brand outputs. These inputs are processed in real-time and are not used to train AI models.
Human involvement: For the Self-Serve tier, outputs are generated automatically. For the Refined tier, a human strategist reviews and refines the AI-generated outputs before delivery.
Automated decision-making: The AI generation constitutes automated processing under UK GDPR Article 22. However, as it is necessary for the performance of a contract (delivering the service you purchased), and you explicitly requested the service, this processing is lawful under Article 22(2)(a). You may request human review of any AI-generated output by contacting us.
5. Third-party processors
We share your data with the following third parties, each acting as a data processor on our behalf:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting (waitlist, analytics) | Email, session data, analytics events | EU (Frankfurt) / US — covered by DPA |
| Vercel Inc. | Website hosting and deployment | Server logs, IP addresses | Global edge — covered by DPA |
| Stripe Inc. | Payment processing | Payment card details, email, name | US — covered by DPA + SCCs |
| Formspree Inc. | Contact form processing | Name, email, message content | US — covered by DPA |
| Anthropic PBC / OpenAI Inc. | AI brand generation | Brand inputs (no personal data unless you include it) | US — covered by DPA |
We require all processors to maintain appropriate security measures and to process data only on our documented instructions. Where data is transferred outside the UK, we ensure appropriate safeguards are in place (Standard Contractual Clauses or UK adequacy decisions).
6. International transfers
Some of our third-party processors are based in the United States. For each transfer, we rely on one or more of the following safeguards:
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- The provider's compliance with a UK adequacy decision (where applicable)
- The provider's binding corporate rules or equivalent safeguards
You may request details of the specific safeguards in place for any transfer by contacting us.
7. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Waitlist email | Until product launch + 12 months, or until you unsubscribe | Communication about launch |
| Brand protocol inputs and outputs | Duration of your account + 30 days after deletion | Service delivery and support |
| Payment records | 7 years from transaction | UK tax and accounting obligations (HMRC) |
| Contact form submissions | 12 months from submission | Responding to and resolving enquiries |
| Analytics events | 90 days | Product improvement (auto-deleted after 90 days) |
| Server logs (IP addresses) | 30 days | Security and debugging |
After the retention period expires, data is securely deleted or anonymised.
8. Your rights
Under UK GDPR, you have the following rights. To exercise any of them, contact us at hello@thebrandprotocol.ai. We will respond within one month.
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data |
| Erasure (Art. 17) | Ask us to delete your data (subject to legal retention obligations) |
| Restrict processing (Art. 18) | Ask us to limit how we use your data |
| Data portability (Art. 20) | Receive your data in a machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interests |
| Withdraw consent | Where processing is based on consent (e.g., marketing emails), withdraw at any time |
| Human review of automated decisions (Art. 22) | Request human review of any AI-generated output |
Exercising your rights is free. We may ask for proof of identity before processing your request. If we cannot fulfil a request (e.g., due to legal obligations), we will explain why.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest (database encryption via Supabase)
- Row-level security on all database tables
- API rate limiting to prevent abuse
- Environment variable management for secrets (never committed to code)
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- Regular dependency updates and vulnerability monitoring
No system is 100% secure. If we become aware of a data breach that poses a risk to your rights, we will notify the ICO within 72 hours and notify you without undue delay as required by UK GDPR Articles 33 and 34.
10. Cookies
We use a small number of cookies and similar technologies. For full details, see our Cookie Policy.
11. Marketing
We will only send you marketing communications if you have explicitly opted in (e.g., by joining the waitlist). You can unsubscribe at any time by clicking the unsubscribe link in any email or by contacting us. We do not sell or rent your email address to third parties.
12. Children
The Brand Protocol is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.
13. Complaints
If you are unhappy with how we handle your data, please contact us first at hello@thebrandprotocol.ai so we can try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14. Changes to this policy
We may update this privacy policy from time to time. If we make significant changes, we will notify you by email (if we have your email address) or by posting a notice on the website. The "last updated" date at the top of this page indicates when the policy was last revised.
15. Contact
RightsTech Ltd (trading as The Brand Protocol)
Company No. 16602847
Email: hello@thebrandprotocol.ai