Privacy Policy
How we collect, process, and protect data — for our customers, for site visitors, and for the brands and individuals named in AI engine outputs we monitor.
Last updated: May 5, 2026 · This policy is provided as a starting template and should be reviewed by qualified counsel before relying on it for compliance purposes.
1. Who we are
BrandMirror ("BrandMirror", "we", "us") is operated by an independent founder. For privacy-related questions you can reach us at hello@brandmirror.dev.
2. Data we collect
From customers and prospects
- Account data: name, email, company, role.
- Billing data: invoicing details, processed via our billing partner.
- Product data: brand names, competitors, prompt libraries, alert preferences.
- Communication data: emails, demo notes, support requests.
From AI engine outputs
To produce reports, BrandMirror queries third-party AI engines (ChatGPT, Claude, Perplexity, Google AI Overviews) with structured prompts. The responses returned by these engines may include references to brands, organizations, products, and — incidentally — names of individuals (founders, executives, public figures). We:
- Process this data on the legal basis of legitimate interest (Art. 6(1)(f) GDPR), having documented a balancing test against data subjects' rights.
- Do not enrich, profile, or sell personal data extracted from outputs.
- Honor requests from data subjects to object, access, or have references removed (Art. 15–22 GDPR). Contact hello@brandmirror.dev.
From site visitors
We collect server logs (IP address, user-agent, timestamp) for security and analytics. No third-party cookies are set without consent. We use privacy-preserving analytics and no advertising trackers.
3. How we use it
- To operate the platform, deliver weekly reports, and provide alerts.
- To improve product quality (aggregated, never customer-identifiable).
- To comply with legal obligations.
4. Where data lives
Customer data is hosted in the European Union (Frankfurt) by default. US residency is available on request for Enterprise plans. We use the following sub-processors:
- OpenAI (API, no-training Enterprise endpoint where contractually available)
- Anthropic (API via AWS Bedrock, no-training)
- Perplexity (API)
- Web search providers for Google AI Overviews snapshots, where permitted
- Hosting and CDN providers
5. Retention
Customer data: for the duration of the contract and up to 12 months after termination, then deleted unless retention is legally required. Server logs: 90 days.
6. Your rights (GDPR / CCPA)
- Access, rectify, erase, or port your data.
- Object to processing, including for individuals named in AI outputs.
- Lodge a complaint with your local data protection authority (CNIL in France).
Email hello@brandmirror.dev — we respond within 30 days.
7. Security
Encryption in transit (TLS 1.2+) and at rest (AES-256). SOC 2 Type I audit scheduled — report not yet issued. SSO/SAML, audit logs, and DPA on Enterprise plans.
8. Children
BrandMirror is a B2B product. We do not knowingly collect data from individuals under 16.
9. Changes to this policy
We update this page as the product evolves. Material changes will be communicated to active customers by email.
Questions? hello@brandmirror.dev