Privacy Policy
Last updated: February 27, 2026
Overview
BrandStudio (“we”, “us”, or “our”) is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information when you use our platform.
Information We Collect
Account Information
When you create an account, we collect your name, email address, and company name. We store a hashed version of your password — we never store passwords in plain text.
Event & Photo Data
Photos uploaded to BrandStudio are stored securely in cloud storage (Cloudflare R2). Event data includes event names, dates, locations, and associated guest information that you provide.
Face Recognition Data
When face recognition is enabled, we process photos to detect faces and generate mathematical representations (embeddings) used for matching. Face embeddings are encrypted at rest using Fernet symmetric encryption. Face data is:
- Only processed when you explicitly enable face recognition for an event
- Never shared with third parties
- Never used for surveillance or identification outside your events
- Deletable at any time through your dashboard or by contacting us
Guest Information
Guest data (names, emails, phone numbers) is provided by you or self-registered by guests. This data is used solely for photo delivery and event management within your account.
How We Use Your Information
- Provide and improve the BrandStudio platform
- Send transactional emails (verification, password reset, team invites)
- Send onboarding emails to help you get started (opt-out available)
- Deliver photo notifications to your event guests on your behalf
- Process payments through Stripe (we never store card numbers)
- Monitor platform health and prevent abuse
Data Storage & Security
Your data is stored on secure infrastructure:
- Application and database hosted on Railway (US data centers)
- Photos stored on Cloudflare R2 (encrypted at rest)
- Face embeddings encrypted with Fernet (AES-128-CBC)
- All API communication over HTTPS with HSTS
- Passwords hashed with bcrypt
- Sensitive credentials encrypted in the database
Data Sharing
We do not sell your data. We share data only with:
- Stripe — for payment processing
- Postmark — for transactional email delivery
- Twilio — for SMS notifications (when configured by you)
- Cloudflare — for photo storage and CDN
Each provider processes data solely to deliver their service and is bound by their own privacy policies.
Your Rights
You have the right to:
- Access all data associated with your account
- Export your data at any time
- Delete your account and all associated data
- Opt out of marketing communications
- Request deletion of face recognition data
To exercise any of these rights, contact us at privacy@brandstudiohq.com.
Cookies
We use essential cookies for authentication (session token). We do not use third-party tracking cookies or analytics cookies on the application. The marketing website may use anonymous analytics in the future, with clear consent.
Contact
Questions about this policy? Contact us at privacy@brandstudiohq.com.