Legal
Privacy Policy
How we collect, use, and protect your information.
Last updated: July 1, 2026
This Privacy Policy explains how Suelo Piotr Osmola ("brnd.now", "we", "us", or "our") collects, uses, stores, and protects personal data when you use brnd.now, including the marketing website, dashboard, website generator, published website runtime, social post tools, media library, billing features, and related services (the "Service").
1. Who We Are
The Service is operated by:
- Legal entity: Suelo Piotr Osmola
- Registered address: Ptaszkowa 920, 33-333 Ptaszkowa, Poland
- Company / registration number: 122557840
- VAT / tax ID: PL7343434569
- Contact: support@brnd.now
For GDPR purposes, Suelo Piotr Osmola is the controller of personal data processed to operate user accounts, subscriptions, support, product analytics, and the brnd.now dashboard. For personal data that our customers publish on generated websites or process through their own website content, the customer may be the controller and brnd.now may act as a processor or service provider.
2. Data We Collect
We collect and process the categories of data below, depending on how you use the Service.
2.1 Information You Provide
- Account data, such as email address, first name, last name, phone number, avatar, account settings, email preferences, and active profile.
- Profile data, such as profession, bio, skills, languages, city, country, profile photo, social links, and contact details you choose to add.
- Generated and edited content, such as websites, website sections, menus, style choices, blog posts, case studies, LinkedIn-ready social posts, captions, prompts, instructions, uploaded files, images, videos, and generated media.
- Billing data, such as billing email, billing contact name, company name, VAT or tax ID, billing address, subscription status, invoice-related details, and Stripe customer/subscription identifiers.
- Support and communications data, such as emails, waitlist/newsletter subscriptions, product feedback, and support requests.
2.2 Automatically Collected Data
- Authentication and security data, such as one-time sign-in code records, trusted device records, login timestamps, anonymized login IP data where available, request metadata, rate-limit signals, and webhook verification metadata.
- Usage and analytics data, such as page views, routes visited, referrers, event timestamps, browser and device type, approximate geolocation, session or device identifiers from analytics providers, and product interactions.
- Technical data, such as logs, deployment status, domain configuration, preview identifiers, cookies, local storage preferences, and error metadata.
2.3 Connected Account Data
If you connect LinkedIn, we process LinkedIn account data needed to provide the integration, such as platform user ID, username, profile URL, OAuth access token, refresh token where provided, token expiry, granted scopes, and publishing results. We use this data only to connect the account, display connection status, publish content you explicitly submit, and maintain or revoke the connection.
2.4 AI-Related Data
When you use AI-powered features, we process prompts, profile data, style choices, uploaded or selected media, draft content, and generated outputs. These may be sent to AI providers so they can generate, transform, or analyze content for the Service.
We do not intentionally collect sensitive personal data. Do not submit sensitive personal data, confidential third-party information, payment card numbers, government identifiers, health data, or other special-category data unless we have explicitly requested it and explained why it is required.
3. How We Use Your Data
We use your data to:
- Provide, operate, maintain, and secure the Service.
- Create and manage your account, profiles, websites, blog posts, case studies, social posts, media library, previews, deployments, domains, and subscriptions.
- Generate, edit, and improve AI-assisted content, styles, cover images, screenshots, and website sections.
- Authenticate users through email one-time codes and Google OAuth, maintain sessions, prevent abuse, and enforce rate limits.
- Connect and publish to LinkedIn when you explicitly authorize and submit content for publishing.
- Process subscriptions, billing details, invoices, taxes, payment status, cancellations, and failed-payment handling through Stripe.
- Send operational emails, one-time login codes, support messages, and, where you opt in, marketing or product update emails.
- Analyze usage, website traffic, referrers, and product performance.
- Debug, monitor, improve, and protect the Service.
- Comply with legal obligations, tax rules, accounting requirements, court orders, and enforceable government requests.
4. Legal Bases for Processing
Where GDPR applies, we rely on the following legal bases:
- Contract: to provide the Service, manage accounts, generate content, publish websites, process subscriptions, provide support, and deliver requested integrations.
- Legitimate interests: to secure the Service, prevent fraud and abuse, improve functionality, analyze aggregate usage, debug errors, and communicate about service-related matters.
- Consent: for optional marketing emails, optional analytics where consent is required, cookies or similar technologies that are not strictly necessary, and optional connected-account permissions.
- Legal obligation: for tax, accounting, billing, compliance, and legally required recordkeeping.
5. AI and Generated Content
The Service uses AI providers to help generate websites, style systems, blog posts, case studies, social posts, captions, images, edited photos, and related assets. Your prompts, instructions, profile data, draft content, selected media, and generated outputs may be processed by AI providers such as OpenAI, Google AI, and Replicate.
AI output may be inaccurate, incomplete, similar to other content, or unsuitable for your intended use. You are responsible for reviewing, editing, and approving generated content before publishing or using it.
6. Cookies and Similar Technologies
We use cookies, local storage, and similar technologies for the following purposes:
- Essential: authentication sessions, OAuth security state, preview identifiers, account security, rate-limit support, dashboard UI state, and cookie consent preferences.
- Analytics: first-party analytics signals used to understand traffic, referrers, routes, anonymous sessions/devices, and aggregate website usage.
- Preferences: local interface settings, onboarding hints, temporary template selections, and similar product preferences.
Essential cookies and local storage are needed to provide the Service and cannot be disabled through our consent banner. Analytics cookies or similar analytics storage are used only where enabled by your consent or where another lawful basis applies under applicable law.
You can change your browser settings to block cookies. Blocking essential cookies may prevent the Service from working correctly.
7. Website Analytics and Published Websites
The Service can publish generated websites through Vercel and display analytics for those websites. Website analytics may include page views, paths, referrers, event timestamps, content type, slugs, anonymous session identifiers, anonymous device identifiers, and the minimal raw analytics payload submitted by the published website.
If you publish a website using brnd.now, you are responsible for the content you publish and for any additional notices, consents, or policies required for your visitors, especially if you add custom content, custom domains, third-party embeds, forms, tracking tools, or collect visitor data outside the default brnd.now functionality.
8. Third-Party Services and Subprocessors
We use third-party providers to operate the Service. Depending on the feature, data may be processed by:
- Vercel, for hosting, deployments, blob storage, databases, analytics, domains, serverless functions, and infrastructure.
- Stripe, for subscriptions, checkout, billing, tax IDs, invoices, and payment portal functionality.
- Brevo / email providers, for login codes, transactional emails, waitlist/newsletter subscriptions, and product communications.
- Google, for Google OAuth, Google AI, and Google Fonts-related functionality where used.
- OpenAI, Google AI, and Replicate, for AI generation and image/photo processing.
- LinkedIn, for OAuth connection and publishing content you submit.
- Mux, for video upload, processing, streaming, thumbnails, and playback URLs.
- Pexels, for stock image/video search and media attribution.
- Redis or similar infrastructure, for rate limiting, caching, and abuse prevention.
We do not sell your personal data.
9. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Policy:
- Account, profile, website, media, blog, case study, social post, and generated content data is retained while your account or related profile is active, unless deleted earlier.
- Billing, tax, invoice, subscription, and transaction records are retained as required for accounting, tax, fraud prevention, and legal compliance.
- OAuth tokens are retained until you disconnect the integration, delete the related profile/account, or the token expires or is revoked.
- Email one-time code records expire quickly and are invalidated after use or replacement; hashed code records may be retained briefly for security and audit purposes.
- Analytics records are retained for operational reporting and trend analysis according to our internal retention criteria and provider settings.
- Logs, security events, and abuse-prevention records may be retained as needed to protect the Service and investigate misuse.
You may request deletion of your account and associated data by contacting support@brnd.now. Some records may remain where required by law or legitimate security, billing, or compliance needs.
10. Data Security
We use reasonable technical and organizational measures to protect personal data, including HTTPS, access controls, provider security controls, hashed one-time sign-in codes, rate limiting, webhook signature verification, restricted environment secrets, and HttpOnly OAuth state cookies where appropriate.
No internet service is completely secure. You are responsible for keeping access to your email, connected accounts, devices, and browser sessions secure.
11. International Transfers
Your data may be processed in countries other than your country of residence, including the United States and countries where our providers operate. Where required, we rely on appropriate safeguards such as data processing agreements, standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms.
12. Your Rights Under GDPR
If you are located in the EU, you have the right to:
- Access your personal data.
- Correct inaccurate or incomplete personal data.
- Request deletion of your personal data.
- Restrict or object to certain processing.
- Receive a portable copy of certain personal data.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data protection authority.
To exercise these rights, contact support@brnd.now. We may need to verify your identity before responding.
13. Marketing Communications
If you subscribe to marketing, waitlist, or product update emails, we may use your email address to send those messages. You can unsubscribe or change your preferences at any time where those controls are available, or contact support@brnd.now.
14. Children
The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact support@brnd.now.
15. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will be available on this page. If changes are material, we may provide additional notice through the Service or by email.
16. Contact
Questions, requests, privacy notices, and DPA requests should be sent to support@brnd.now.