Privacy Policy
Last updated: 2026-07-11
This Privacy Policy explains how Andre Blunt Kft. ("Brandappl", "we", "us", or "our") collects, uses, shares, and protects personal data when you use brandappl.com and the Brandappl web application (the "Service"). For this personal data, we act as the data controller.
We follow the EU General Data Protection Regulation (GDPR) and Hungarian data protection law. If you have any question about your privacy or want to exercise your rights, contact us at hello@brandappl.com.
1. Who we are and how to contact us
The controller of your personal data is Andre Blunt Kft. (registered as Andre Blunt Korlátolt Felelősségű Társaság), a limited liability company organized under the laws of Hungary, with its registered seat at 1085 Budapest, József körút 69. fsz. 1., Hungary. Its company registration number is 01-09-451918 and its EU VAT number is HU32967656.
You can reach us about privacy matters at hello@brandappl.com.
2. The data we collect
We collect the following categories of personal data:
- Account data: your email address, your name if you provide it, and your password, which is stored in hashed form by our authentication provider. We do not see or store your password in plain text.
- Brand inputs: the answers you give in the guided discovery flow, brand names, and any reference URLs you choose to provide.
- Brand outputs: the brand assets the Service generates for you, such as palettes, typography, wordmarks, guidelines, and applied assets.
- Technical data: server logs and error logs (captured through our error-monitoring provider), which can include your IP address, device and browser information, pages or actions, and timestamps.
- Cookies: a locale-preference cookie (brandappl_locale) and authentication and session cookies. See section 5.
3. How we use your data and our legal bases
We use your personal data for the purposes below, each with a legal basis under the GDPR:
- To create and run your account and provide the Service, including generating your brand assets. Legal basis: performance of our contract with you (Article 6(1)(b)).
- To send your inputs to our AI provider so it can generate your brand assets. Legal basis: performance of our contract with you (Article 6(1)(b)).
- To keep the Service secure, prevent abuse and fraud, debug and fix errors, and maintain and improve the Service. Legal basis: our legitimate interests in operating a secure and reliable product (Article 6(1)(f)).
- To send you service and administrative messages about your account or important changes. Legal basis: performance of our contract and our legitimate interests (Article 6(1)(b) and (f)).
- To handle billing and keep required records once paid plans are enabled. Legal basis: performance of our contract (Article 6(1)(b)) and compliance with our legal obligations, such as tax law (Article 6(1)(c)).
- For any optional feature that specifically asks for your consent, such as future marketing emails. Legal basis: your consent (Article 6(1)(a)), which you can withdraw at any time.
- To comply with legal obligations and to establish, exercise, or defend legal claims. Legal basis: legal obligation and legitimate interests (Article 6(1)(c) and (f)).
4. AI processing of your brand inputs
To generate your brand assets, we send the relevant brand inputs you provide to our AI provider, Anthropic, through its API. Anthropic processes this data on our behalf to produce the output and then returns it to us. Anthropic does not use data submitted through its API to train its models by default.
This processing may take place outside the European Economic Area. Where it does, we rely on appropriate safeguards as described in section 7. Please do not enter sensitive personal data, or personal data about other people that you are not entitled to share, into the discovery questions or other inputs.
5. Cookies and similar technologies
We keep our use of cookies minimal. We currently use only:
- Authentication and session cookies, which are needed to sign you in and keep you signed in.
- A locale-preference cookie (brandappl_locale), which remembers your language or region preference.
6. Who we share your data with
We do not sell your personal data. We share it only with service providers that help us run the Service, and only as needed for them to perform their function. Our main providers are:
- Supabase: database, authentication, and file storage, hosted in the EU region (eu-central-1).
- Vercel: application hosting and content delivery (CDN).
- Anthropic (Claude): AI generation of your brand assets from your inputs, as described in section 4.
- Sentry: error monitoring and diagnostics, which may capture technical data and parts of a request when an error occurs.
- Resend: delivery of account and authentication emails, such as sign-in links, password resets, and confirmations. Resend receives the recipient email address and the content of these messages in order to send them on our behalf.
- Google: if you choose Continue with Google to sign in, Google authenticates you and provides us with basic profile information, such as your name and email address, for that sign-in. This applies only when you use Google sign-in.
- Fonts: the web fonts used in generated brand pages are served through our own domain. We fetch and cache them from Google's public font service on the server side, so your browser does not connect to Google to load fonts and your IP address is not shared with Google for them.
- Stripe: payment processing. This integration is dormant while the Service is free, and it will be used only once billing is enabled.
- We may also disclose personal data where required by law, to enforce our Terms, to protect our rights, users, or the public, or as part of a merger, acquisition, or other business transfer.
7. International transfers
We aim to keep your core account and brand data stored in the EU. Some of our providers, including Anthropic, Vercel, Sentry, and Resend, and, if you use Google sign-in, Google, may process personal data outside the European Economic Area, including in the United States.
Where personal data is transferred outside the EEA, we rely on appropriate safeguards under the GDPR, such as the European Commission's Standard Contractual Clauses and, where it applies, an adequacy decision such as the EU-US Data Privacy Framework. You can ask us for more information about the safeguards that apply by contacting hello@brandappl.com.
8. How long we keep your data
We keep personal data only for as long as we need it for the purposes described in this policy.
In general, we keep your account and brand data for as long as your account is active. If you delete your account, or ask us to erase your data, we delete it within 30 days, unless we are required to keep some of it by law. Server and error logs are kept for up to 90 days for security and debugging. Once billing is enabled, we will keep invoicing and tax records for the period required by Hungarian law, which is currently eight years for accounting records.
9. Your rights
Under the GDPR, and subject to its conditions, you have the following rights over your personal data:
- Access: to know what personal data we hold about you and to get a copy.
- Rectification: to have inaccurate or incomplete data corrected.
- Erasure: to have your data deleted in certain circumstances.
- Restriction: to ask us to limit how we use your data in certain circumstances.
- Portability: to receive certain data in a portable format and, where feasible, have it sent to another provider.
- Objection: to object to processing based on our legitimate interests.
- Withdraw consent: where we rely on your consent, you can withdraw it at any time, without affecting processing that already happened.
- The Service generates creative assets and does not make automated decisions that produce legal or similarly significant effects about you.
- To exercise any of these rights, email us at hello@brandappl.com. You also have the right to lodge a complaint with the Hungarian data protection authority, the Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (NAIH, naih.hu), or with the supervisory authority in your own country.
10. How we protect your data
We use reasonable technical and organizational measures to protect personal data, including encryption in transit, access controls, and reputable infrastructure providers. No product or method of transmission or storage is completely secure, so we cannot guarantee absolute security, and we do not claim any formal security certification.
If a personal data breach occurs that is likely to affect you, we will notify the relevant supervisory authority and, where required, you, in line with our legal obligations.
11. Children
The Service is not directed to children. You must be at least 16 years old to use it, or older if the age of digital consent in your country is higher. We do not knowingly collect personal data from children below that age. If you believe a child has provided us with personal data, contact us at hello@brandappl.com and we will take steps to delete it.
12. Payments
The Service is currently free, and we do not collect or store payment card details at this time. Our payment integration with Stripe is in place but dormant.
When we enable paid plans, payments will be processed by Stripe. Stripe will handle your card and payment data under its own terms and privacy policy, and we will receive only limited billing information needed to manage your subscription and meet our record-keeping obligations. We will update this policy before billing begins.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will post the updated version with a new effective date, and for material changes we will make reasonable efforts to notify you by email or within the Service.
14. Contact and complaints
If you have any question, request, or complaint about how we handle your personal data, please contact us first at hello@brandappl.com so we can try to resolve it.
You also have the right to contact the Hungarian data protection authority, NAIH (naih.hu), or the supervisory authority in your country of residence.