Privacy Policy
⚠ Draft v1 — pending legal review. This document reflects the current data flows of BRBS Media Studio and cites the applicable EU norms, but should be reviewed by a qualified lawyer before go-live.
1. Who we are (Data Controller)
The controller of your personal data (GDPR Art. 4(7)) is BRBS Trade AB, SYSTER JENNYS VÄG 10 A LGH 1001, 231 34 Trelleborg, Sweden (org. no. 559529-4686, VAT registration pending). Contact: [email protected].
2. What data we process
- Account & identity — name, email and authentication identifiers (via Auth0).
- Workspace content — channels, prompts, generated posts, tasks, schedules and media you upload.
- Connected platform credentials — OAuth tokens for the social platforms you link (stored to publish on your behalf).
- Billing data — subscription and invoice data via Stripe. We do not store full card numbers; card data is handled by Stripe.
- Usage, diagnostics & audit logs — technical logs, model-run/cost records and an audit trail of actions, for security and reliability.
3. Why we process it & legal basis (Art. 6)
- To provide the service — performance of a contract, Art. 6(1)(b).
- Security, fraud prevention, diagnostics, product improvement — legitimate interests, Art. 6(1)(f).
- Tax, accounting and legal compliance — legal obligation, Art. 6(1)(c).
- Optional features & communications where applicable — consent, Art. 6(1)(a), which you may withdraw at any time.
4. AI processing & “bring your own key” (BYOK)
To generate content, the prompts and text you submit are sent to large-language-model providers. When you use your own API key (BYOK), that data is sent directly to the provider you chose, under your agreement with them. When you use our managed keys, prompts are processed via the OpenAI and/or Groq APIs (and any other provider you enable). Per those providers’ API terms, your prompts are not used to train their publicly available models. Providers may operate outside the EU/EEA (see §6). You are responsible for reviewing AI-generated output before publishing it (see also our Terms and the EU AI Act transparency duties, Reg. (EU) 2024/1689, Art. 50).
5. Sub-processors
We use vetted third parties to operate the service (identity, payments, AI, social platform APIs, hosting). The current list is published in the Sub-processors document. We impose data-protection terms on each per Art. 28.
6. International transfers (Art. 44–49)
Some sub-processors (e.g. OpenAI, Stripe, Auth0) may process data in the United States. Such transfers are safeguarded by the European Commission’s Standard Contractual Clauses and/or the EU–US Data Privacy Framework where the provider is certified.
7. Retention (Art. 5(1)(e))
We keep data while your workspace is active; backups for up to 30 days; audit logs for up to 12 months; billing records for the period required by tax law. Local app data stored on your device remains until you delete it.
8. Your rights (Art. 15–22)
You have the right to access, rectify, erase (Art. 17), restrict, port (Art. 20) and object to processing, and to withdraw consent. You can export or delete your workspace data from within the app. To exercise other rights, contact [email protected]. You may also lodge a complaint with your supervisory authority — in Sweden, the Swedish Authority for Privacy Protection (IMY / Integritetsskyddsmyndigheten), Art. 77.
Right to be forgotten: if you are in the EEA you may request permanent deletion of your account and connected social-media tokens via the app or at [email protected]. Your stored access tokens and content history will be wiped from our active databases within 30 days.
9. US state privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request access and deletion, and to opt out of any “sale” or “sharing” of personal information (we do not sell your personal information). Similar rights apply under other US state privacy laws. To exercise them, contact [email protected]. We will not discriminate against you for exercising these rights.
10. Security (Art. 32)
We use encryption in transit (TLS) and at rest, access controls, tenant isolation per workspace, and an audit trail. No method is 100% secure; we notify breaches as required by Art. 33–34.
11. Changes
We will update this policy as our processing changes and revise the “last updated” date. Material changes will be notified in-app.