Brandlix

Privacy Policy

How we collect, use, protect, and share your personal data in compliance with the UAE Personal Data Protection Law (PDPL), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.

Last updated: February 26, 2026

Section 1

Controller (Data Controller)

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Fresh Wave Trading L.L.C
Office 201-A-13, R118, Al Suq Al Kabeer
12345 Dubai, United Arab Emirates
Email: [email protected]

Section 2

EU Representative (Art. 27 GDPR)

As a company established outside the European Union that processes personal data of individuals within the EU, we are required to designate an EU representative pursuant to Article 27 of the GDPR.

Our EU representative (Art. 27 GDPR) for data protection inquiries from the EU:

Rida Garhoud
Friedrichstraße 68
10117 Berlin, Germany
[email protected]

Section 3

Data We Collect

We collect the following categories of personal data:

  • Account Data: Name, email address, and authentication credentials when you create an account (via Google OAuth, email link, or credentials).
  • Social Media Data: OAuth access tokens, refresh tokens, and profile information from connected social media accounts (Instagram, LinkedIn, TikTok, Facebook, X/Twitter, Pinterest).
  • Content Data: Posts, drafts, media files, brand voice settings, and AI-generated content you create through our platform.
  • Analytics Data: Post performance metrics (reach, engagement, likes, comments) retrieved from connected platforms.
  • Payment Data: Subscription and billing information processed through Stripe. We do not store credit card numbers directly.
  • Usage Data: Page views, feature interactions, and general usage patterns collected via PostHog (anonymous analytics).
  • Communication Data: Inbox messages, comments, and mentions synced from your connected social media platforms.
  • Technical Data: IP address, browser type, device information, and error logs collected via Sentry for debugging purposes.

Section 4

Legal Basis for Processing (Art. 6 GDPR / Art. 4 PDPL)

We process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR / Art. 4 PDPL): Processing your account data, social media tokens, content, and payment data is necessary to provide you with the Brandlix service as agreed in our Terms of Service.
  • Consent (Art. 6(1)(a) GDPR / Art. 4 PDPL): Analytics cookies (PostHog) are only activated when you explicitly consent via our cookie banner. You may withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f) GDPR / Art. 4 PDPL): Error monitoring via Sentry, security measures, and service improvement. Our legitimate interest is ensuring platform stability, security, and continuous improvement while balancing your privacy rights.
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain data for tax, accounting, or legal purposes.

Section 5

How We Use Your Data

  • To provide, maintain, and improve our service
  • To publish and schedule your social media posts across platforms
  • To generate AI-powered content suggestions using your brand voice settings
  • To display analytics, performance reports, and best-time recommendations
  • To sync and display your social media inbox messages
  • To process payments and manage your subscription
  • To send important service notifications (failed posts, weekly reports)
  • To detect and fix errors in our application
  • To understand usage patterns and improve the user experience

Section 6

Sub-Processors and Third-Party Services

We share personal data with the following third-party processors to provide our service:

  • Anthropic (Claude AI): AI content generation and chat assistant; USA
  • Cloudflare (R2): Media file storage (S3-compatible); USA / Global
  • Stripe: Payment processing and subscription management; USA
  • PostHog: Anonymous usage analytics (consent-based); USA / EU
  • Sentry: Error monitoring and application stability; USA
  • Resend: Transactional email delivery; USA
  • Google (OAuth, YouTube): OAuth authentication, YouTube API for video publishing and comment management; USA
  • Meta (Instagram, Facebook, Threads): OAuth authentication, content publishing and comment management via Instagram, Facebook and Threads APIs; USA
  • LinkedIn: OAuth authentication, content publishing via LinkedIn API; USA
  • Pinterest: OAuth authentication, pin creation via Pinterest API; USA
  • Google Gemini: AI image generation (Google Gemini, USA); USA
  • EvoLink API: AI video generation (EvoLink API); API Provider
  • Neon: Database hosting (Neon, Germany/EU); Germany / EU
  • Upstash: Redis and cache hosting (Upstash, Germany/EU); Germany / EU
  • PostForMe: Social media publishing proxy (PostForMe, USA); USA

Section 7

Transfer of Data to Third Countries

Some of our sub-processors are located in the United States and other countries outside the European Economic Area (EEA). When transferring personal data to these countries, we rely on the following safeguards:

  • EU-U.S. Data Privacy Framework: Where applicable, our US-based processors are certified under the EU-U.S. Data Privacy Framework.
  • Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we ensure that appropriate Standard Contractual Clauses approved by the European Commission are in place.
  • UAE PDPL (Art. 22): For transfers from the UAE, we rely on explicit consent and adequacy assessments as required by Art. 22 PDPL.

Section 8

Data Retention

We retain your data for different periods depending on the category:

  • Account Data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Content & Posts: Retained while your account is active. Deleted within 30 days of account deletion (cascade delete).
  • Social Media Tokens: Retained while the account connection is active. Deleted immediately upon disconnection.
  • Analytics Data: Retained for up to 2 years for historical performance analysis, then anonymized or deleted.
  • Payment Data: Transaction records retained for 7 years for tax and legal compliance. Stripe handles payment method storage independently.
  • Error Logs (Sentry): Automatically deleted after 90 days.
  • Usage Analytics (PostHog): Retained for 12 months, then automatically purged.

Section 9

Cookies

We use essential cookies for authentication and language preferences, and optional analytics cookies (PostHog) subject to your consent. You can accept or decline non-essential cookies through our cookie consent banner.

For a detailed list of all cookies used, please see our Cookie Policy.

Section 10

Automated Decision-Making and AI

Brandlix uses artificial intelligence (Anthropic Claude) for content generation, chat assistance, and autopilot features. These AI-powered features assist with content creation but do not make legally binding decisions about you.

AI-generated content is always presented for your review before publishing (unless you explicitly enable auto-publish in the autopilot settings). The AI processes your brand voice settings, topics, and platform preferences to generate suggestions. Content prompts are sent to Anthropic's API for processing. No personal data beyond what you explicitly include in your content prompts is shared with Anthropic.

Section 11

Your Rights (GDPR / PDPL)

Under the General Data Protection Regulation, you have the following rights:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction of Processing (Art. 18): Request restriction of processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent (e.g., analytics cookies). Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond within 20 working days or one month, whichever is shorter, as required by PDPL and GDPR.

Section 12

Right to Lodge a Complaint

If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority. For UAE residents: You may lodge a complaint with the UAE Data Office. For EU residents: You may lodge a complaint with your local supervisory authority in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement.

Section 13

Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Social media access tokens stored encrypted in our database
  • Access tokens and refresh tokens stripped from API responses to the client
  • Redis-backed rate limiting to prevent abuse
  • JWT-based session authentication with secure cookie configuration

Section 14

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through the platform. The "Last updated" date at the top reflects the most recent revision.

Section 15

Contact

For privacy-related questions or to exercise your data protection rights, please contact us at:

Fresh Wave Trading L.L.C
Email: [email protected]