Privacy Policy
Last updated: April 2026
1. Introduction & Data Controller
This Privacy Policy explains how [Company Name, Inc.] ("we," "us," "our"), the operator of Brelio ("the Service"), collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable Lithuanian data protection law.
Data Controller:
- [Company Name, Inc.]
- [Registered Address, Vilnius, Lithuania]
- Email: [email protected]
By using the Service, you acknowledge that you have read and understood this Privacy Policy. This policy should be read together with our Terms of Service.
2. Data We Collect
2.1 Account Data
When you register, we collect your email address, display name, and a securely hashed version of your password. We never store passwords in plain text.
2.2 Payment Data
Payment processing is handled entirely by Stripe. We do not store, process, or have access to your full credit card number, CVV, or other sensitive payment credentials. We receive from Stripe only: the last four digits of your card, card brand, billing address, and transaction records necessary for invoicing.
2.3 Usage Data
We collect information about how you use the Service, including:
- Image generation history (prompts, parameters, timestamps)
- Chat messages from brainstorming sessions
- Workspace configuration and settings
- Feature usage patterns and session duration
2.4 Generated Content
We store the images you generate through the Service, along with the prompts and parameters used to create them. This data is associated with your account and workspace.
2.5 Brand Data
If you use the brand extraction feature, we collect the URLs you submit and the brand profile data extracted from those URLs (colors, fonts, logo analysis, brand tone). This data is stored within your workspace.
2.6 Technical Data
We automatically collect certain technical information when you access the Service, including:
- IP address
- Browser type and version
- Device type and operating system
- Referring URL
- Pages visited and interaction patterns
- Session cookies (see Section 8)
3. How We Use Your Data
We use the data we collect to:
- Provide the Service: Authenticate your account, generate images, manage your workspace, and deliver brainstorming conversations
- Process Billing: Manage subscriptions, track token usage, process payments through Stripe, and issue invoices
- Improve the Service: Analyze usage patterns, optimize AI model selection, improve generation quality, and develop new features
- Ensure Security: Detect fraud, prevent abuse, enforce our Terms of Service, and protect the integrity of the Service
- Communicate: Send transactional emails (account verification, password resets, billing notifications) and, with your consent, product updates
- Analytics: Generate aggregate, anonymized usage statistics to understand how the Service is used
4. Legal Basis for Processing
Under the GDPR, we process your personal data on the following legal bases:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to — account management, image generation, billing, and workspace functionality.
- Legitimate Interest (Art. 6(1)(f)): Processing for service improvement, security, fraud prevention, and aggregate analytics, where our interests do not override your fundamental rights. You may object to processing based on legitimate interest (see Section 7).
- Consent (Art. 6(1)(a)): Where we rely on your consent (e.g., marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax record-keeping, responding to lawful data requests, or reporting illegal content.
5. Data Sharing
We share your data only with the following categories of third parties, and only to the extent necessary:
5.1 AI Providers
Your prompts and generation parameters are sent to third-party AI providers (currently Google and OpenAI) to generate images. These providers process your prompts under their own privacy policies and data processing agreements. We do not share your account details or personal information with AI providers — only the content of your generation requests.
5.2 Payment Processor
Stripe processes your payment information. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy for details.
5.3 Infrastructure Providers
Your data is stored on servers operated by our hosting provider. These providers act as data processors under written Data Processing Agreements (DPAs) that ensure GDPR compliance.
5.4 No Selling of Personal Data
We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes. We never will.
6. Data Retention
We retain your data for the following periods:
- Account Data: Retained for the duration of your account. Upon account deletion, personal data is permanently erased within 30 days, except where retention is required by law (e.g., tax records).
- Generated Images: Retained until you delete them, or until 30 days after account closure, whichever comes first. You may delete individual images at any time.
- Chat & Brainstorming Data: Retained for the duration of your account. Deleted within 30 days of account closure.
- Payment Records: Retained for the period required by applicable tax law (typically 7-10 years) even after account closure.
- Server Logs: Automatically purged after 90 days.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You can request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): You can request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to Data Portability (Art. 20): You can request your data in a structured, machine-readable format for transfer to another service.
- Right to Restriction (Art. 18): You can request that we limit processing of your data in certain circumstances.
- Right to Object (Art. 21): You can object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
- Right to Lodge a Complaint: You have the right to file a complaint with the Lithuanian State Data Protection Inspectorate (VDAI) or your local EU supervisory authority.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by the GDPR.
9. International Data Transfers
Our servers are located within the European Union. However, some of our third-party service providers may process data outside the EU:
- AI Providers (Google, OpenAI): Prompts sent for image generation may be processed in the United States. These transfers are governed by EU-US Data Privacy Framework adequacy decisions and/or Standard Contractual Clauses (SCCs) as appropriate.
- Stripe: Payment data may be processed in the United States under Stripe's GDPR-compliant data processing agreement and applicable adequacy mechanisms.
We ensure that all international data transfers comply with GDPR Chapter V requirements through adequacy decisions, Standard Contractual Clauses, or other approved transfer mechanisms.
10. Children's Privacy
Brelio is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete such data promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure password hashing using industry-standard algorithms
- Regular security assessments and dependency updates
- Access controls limiting employee access to personal data
- Database isolation ensuring workspace data separation between users
While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email at least 14 days before the changes take effect
- Post a prominent notice within the Service for significant changes
Continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.
13. Contact / Data Protection Officer
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: [email protected]
- Data Protection Officer: [DPO Name]
- Legal Entity: [Company Name, Inc.]
- Address: [Registered Address, Vilnius, Lithuania]
If you are not satisfied with our response, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI) at vdai.lrv.lt or with your local EU data protection authority.