spybrand
Privacy Policy & GDPR
Last updated: 1 April 2025
Your rights under UK GDPR: You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. To exercise any right, contact us.
1. Who We Are
spybrand is the data controller for personal data collected through this website and the associated Service. Contact us at contact us.
2. What Data We Collect
| Category | Data | Source |
|---|---|---|
| Account data | Full name, email address, company name, password (hashed) | Provided by you at registration |
| Subscription & billing | Subscription tier, billing dates, Stripe customer ID | Generated through use of the Service |
| Report data | Company domain, social media links, competitor names provided for reports | Provided by you when generating reports |
| Social API credentials | API tokens and account identifiers for connected social media platforms (Twitter/X, Facebook, Instagram, LinkedIn, TikTok), stored encrypted and used solely to fetch public metrics on your behalf | Provided by you when connecting Social Analytics |
| Usage data | Report count, login timestamps, activity logs | Automatically collected |
| Technical data | IP address, browser type, device type | Automatically collected |
| Cookies | Session cookies, preference cookies (theme, language) | Set by the Service |
We do not collect special category (sensitive) data and do not sell your data to third parties.
3. Legal Basis for Processing
| Purpose | Legal basis |
|---|---|
| Providing the Service (account management, generating reports) | Contract performance (Art. 6(1)(b) UK GDPR) |
| Processing payments via Stripe | Contract performance & legal obligation |
| Sending transactional emails (confirmations, alerts) | Contract performance |
| Sending marketing digest emails | Legitimate interests (you can opt out at any time) |
| Analytics and service improvement | Legitimate interests |
| Legal compliance, fraud prevention | Legal obligation / legitimate interests |
4. How We Use Your Data
- To create and manage your account and subscription.
- To generate AI-powered marketing analysis reports based on the information you provide.
- To provide the Maya AI Assistant — your conversation history is stored to provide context across sessions and improve response quality. You can delete your chat history at any time from the Maya page. Chat messages are transmitted to Anthropic for processing but are not used to train their models.
- To provide Content AI — topics, keywords and text you submit are transmitted to Anthropic to generate content ideas, SEO analysis and article drafts. We track monthly usage to enforce plan limits.
- To provide SEO Analyzer — domain names and keyword data you add are stored to enable ongoing rank tracking and technical audits.
- To send transactional emails: account confirmation, subscription updates, payment receipts, and report alerts.
- To send monthly digest emails and usage warnings (you can unsubscribe in Settings).
- To process payments securely through Stripe (we do not store card details).
- To detect and prevent fraud or abuse.
- To comply with applicable laws and regulations.
5. Cookies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| mk-theme | Stores your UI theme preference (dark/light) | Persistent (localStorage) |
| mk-lang | Stores your language preference | Persistent (localStorage) |
| mk-token | Authentication session token | Session / 7 days |
| mk-cookie-consent | Records your cookie consent choice | 1 year |
We do not use third-party tracking or advertising cookies. You can manage cookie preferences via the banner on our homepage or by clearing your browser cookies.
6. Third-Party Processors
- Stripe — payment processing. Data processed in the UK/EU under standard contractual clauses. Stripe Privacy Policy.
- Supabase — database and authentication. Data stored in the EU. Supabase Privacy Policy.
- Resend — transactional email delivery. Resend Privacy Policy.
- Anthropic (Claude AI) — AI report generation, Maya AI Assistant chat, and Content AI writing tools. Prompts may include company/competitor names, chat messages, and content topics you provide. Data is not used to train Anthropic's models under API terms. Anthropic Privacy Policy.
- Meta (Facebook / Instagram) — when you connect Facebook Pages or Instagram Business accounts via Social Analytics, SpyBrand uses the Meta Graph API to read public page/account metrics (follower count, engagement rates, post statistics). We request only read-only permissions (pages_read_engagement, instagram_basic). We never post content or modify your accounts. Meta Privacy Policy.
- Twitter / X — when you connect a Twitter/X account via Social Analytics, SpyBrand uses the Twitter API v2 to read public profile metrics (follower count, tweet count). Access is read-only using a Bearer Token you provide. Twitter/X Privacy Policy.
- LinkedIn — when you connect a LinkedIn Company Page via Social Analytics, SpyBrand uses the LinkedIn API to read company follower counts. Access requires an OAuth token with the r_organization_social permission. LinkedIn Privacy Policy.
6a. Social Media API Data — Additional Detail
When you use Social Analytics to connect social media accounts:
- API credentials (tokens, account IDs) you provide are stored in our database (Supabase, EU region) with row-level security, so only your account can read or modify them.
- Credentials are used solely to fetch metrics from the respective platform APIs. SpyBrand never posts, follows, unfollows, or performs any write action on your behalf.
- Fetched metrics (follower counts, engagement rates, etc.) are cached in your account and included in AI-generated reports as ground-truth data.
- You can disconnect any platform and delete all associated stored credentials at any time from Social Analytics. Upon disconnection, all stored tokens for that platform are permanently deleted from our systems.
- TikTok statistics are entered manually by you and are not obtained via any third-party API.
6b. AI Content Generation — Additional Detail
When you use the Content Design feature (Premium plan) to generate social media posts:
- Brand URL scraping: If you enter a brand URL, it is sent to Jina.ai (r.jina.ai) to convert the web page to plain text. Only the URL you submit is processed; no cookies or personal data are sent. Jina.ai's privacy policy applies to this step.
- Report data usage: If you select an existing report as context, the brand name, industry and competitor data from that report are extracted server-side and used as context for generation. No raw report data is sent to external AI providers — only a condensed prompt is used.
- Prompt content: Generation prompts (containing your brand name, industry and tone) are sent to Anthropic's Claude API (US-based). Prompts do not include personal data, account details or payment information. Anthropic processes these under their API data processing agreement.
- Generated posts: Generated post text and image prompts are stored in your account (Supabase, EU region) in the content_queue table. Posts remain accessible until you delete your account.
- Image generation: If enabled, image prompts are sent to the configured image provider (OpenAI DALL-E, Ideogram or a custom endpoint as configured by the platform administrator). Only the image prompt text is transmitted, never personal data. Generated image URLs are stored alongside the post in your account.
- Usage tracking: The number of posts and images generated per month is recorded per account solely for quota enforcement. This counter resets at the start of each billing cycle.
- You can delete all generated posts and queued content by contacting us or from within the application. Deletion is permanent and not reversible.
7. Data Retention
- Account data is retained for the duration of your account plus 2 years.
- Reports are retained indefinitely unless you delete them from your dashboard.
- Activity logs are retained for 12 months.
- You can delete your account and associated data at any time from Settings or by emailing contact us.
8. Your Rights (UK GDPR)
You have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Restriction — request that we limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any right, email contact us. We will respond within 30 days. If you are dissatisfied with our response, you may lodge a complaint with the Information Commissioner's Office (ICO).
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords are stored as bcrypt hashes; we never store plaintext passwords.
- All data in transit is encrypted via TLS/HTTPS.
- Authentication tokens are signed JWTs with expiry.
- Database access is restricted to application services only.
10. International Transfers
Your data is primarily processed within the UK and EU. Where data is transferred outside these regions (e.g. to Anthropic's US-based API), we rely on standard contractual clauses or adequacy decisions to ensure an equivalent level of protection.
11. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us at contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice on our website. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
For any privacy-related queries or to exercise your rights:
Email: contact us
Website: spybrand