Your data. Your rules. In writing.

As a data processor, BrandCurb processes personal data only on your documented instructions and only to the extent necessary to deliver the agreed AI automation services. We do not process your data for our own commercial purposes, do not sell it, and do not use it to train public AI models. Processing activities are limited to: building and testing AI automation tools, integrating with your specified platforms, and providing post-launch support.

BrandCurb implements the following technical and organisational measures for all client data: TLS 1.3 encryption for all data in transit, AES-256 encryption for data at rest, role-based access controls limiting data access to project team members only, encrypted credential storage with regular rotation, and secure deletion of client data within 90 days of project completion.

We may engage the following categories of sub-processors to deliver our services: cloud infrastructure providers (AWS, Google Cloud), AI model API providers (OpenAI, Anthropic, or open-source alternatives), and project management tools. All sub-processors are subject to data processing agreements that require equivalent data protection standards. We will notify you of any material changes to our sub-processor list with reasonable notice.

We will assist you in fulfilling your obligations to respond to data subject rights requests (access, rectification, erasure, portability, restriction) within the timeframes required by applicable law. If we receive a data subject request directly relating to your personal data, we will forward it to you within 5 business days.

Client data is retained for the duration of the service agreement and deleted within 90 days of agreement termination unless you request a different timeline in writing. Backup copies are retained for a maximum of 30 days following the primary deletion. We provide written confirmation of deletion upon request.

In the event of a personal data breach affecting your data, BrandCurb will notify you within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.