1. Introduction
This Privacy Policy explains how BrandCrux ("we," "our," or "us") collects, uses, stores, and protects your personal information when you use the BrandCrux AI Visibility Tracker platform available at brandcrux.ai (the "Service"). By using the Service, you consent to the practices described in this policy.
We are committed to protecting your privacy and handling your data transparently. If you do not agree with this policy, please do not use the Service.
2. Data We Collect
We collect the following categories of information when you use the Service:
- Account Information: Your email address and password (hashed) when you register for an account
- Business Information: Business name, website URL, location, products and services, and competitor details that you provide to configure your visibility scans
- Scan Results: AI engine responses, mention data, sentiment analysis, rankings, and visibility scores generated by the Service
- Payment Information: Payment details processed securely through Razorpay. We do not store your full credit card or bank account numbers on our servers
- Usage Data: Pages visited, features used, timestamps, browser type, and device information collected automatically when you interact with the Service
3. How We Use Your Data
We use the information we collect for the following purposes:
- Providing the Service: Running visibility scans, generating reports, tracking rankings, and delivering the core functionality you signed up for
- Improving AI Analysis: Enhancing the accuracy and relevance of our query generation, mention detection, and sentiment analysis algorithms
- Sending Notifications: Communicating scan results, account updates, credit balance alerts, and important service announcements via email
- Customer Support: Responding to your inquiries and resolving issues with your account or the Service
- Analytics: Understanding how users interact with the Service to improve performance and user experience
We do not sell your personal data to third parties.
4. Third-Party Services and Data Sharing
We share, transfer, or disclose your information only with the third parties listed below, only for the purposes stated, and only to the extent each service needs in order to function. Each provider is bound by a data processing agreement (or equivalent terms) and operates under its own privacy policy. We do not sell your personal information, and we do not share or disclose it for cross-context behavioural advertising.
- Vercel Inc. (USA): Hosts the BrandCrux web application and serves your requests. Receives standard web traffic data (IP, user agent, request paths) and the contents of API calls necessary to render pages. Purpose: hosting infrastructure. Privacy policy.
- Supabase Inc. (USA): Stores your account, business profile, scan results, billing records, and OAuth tokens used to connect Google Search Console and Google Analytics. Purpose: database storage, user authentication, session management. Access is restricted to BrandCrux engineering on a need-to-know basis. Privacy policy.
- Fly.io (USA): Runs the BrandCrux backend services that process scans. Sees the contents of scan jobs (business profile, prompts, competitor names) and the responses received from AI providers. Purpose: backend hosting. Privacy policy.
- Razorpay Software Pvt. Ltd. (India): Processes credit purchases and subscription billing. Receives the name, email, and payment instrument data you submit at checkout. Stores and handles payment details under its own PCI-DSS compliant environment. We never see or store full card or bank account numbers. Purpose: payment processing. Privacy policy.
- Resend Inc. (USA): Delivers transactional and notification emails (account verification, scan completion alerts, billing receipts). Receives your email address and the email body. Purpose: email delivery. Privacy policy.
- Inngest Inc. (USA): Queues and orchestrates background scan jobs. Receives scan metadata and job payloads. Purpose: job orchestration. Privacy policy.
- AI providers (OpenAI, Anthropic, Google, Perplexity, xAI): Receive scan prompts that include the business name, website, competitor names, and topic context you have configured. Used to generate scan responses and analyse mentions. AI providers do not receive your email address, password, payment information, or Google OAuth tokens. Purpose: AI scan execution. Each provider publishes its own privacy policy and data handling commitments.
- BrightData Ltd. (Israel) and Apify Technologies s.r.o. (Czech Republic): Execute search engine result page (SERP) lookups and public social media scrapes on your behalf. Receive keyword strings and the social handles you ask us to track. Do not receive your email, password, payment information, or any Google OAuth data. Purpose: search and social data collection. BrightData policy, Apify policy.
- Google Analytics for our own marketing site (Measurement ID: G-2LFBLLNR7C): Helps us understand traffic patterns on the public brandcrux.ai pages (landing, pricing, help, blog). Receives anonymised page-view events. Does not have access to any data you enter inside the authenticated application.
We may also disclose information when required by law, to comply with a valid legal process, to enforce our terms, or to protect the rights, property, or safety of BrandCrux, our users, or the public. We will notify you of any such disclosure unless prohibited by law.
We do not transfer your information to any third party for that party's own marketing or independent commercial purposes.
5. Google User Data
BrandCrux integrates with Google services in two distinct ways. This section describes exactly what Google user data we receive in each case, what we do with it, and with whom we share, transfer, or disclose it. BrandCrux's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5.1 Sign in with Google
When you choose to sign up or sign in using your Google account, Google returns your name, email address, profile picture URL, and a unique Google account identifier. We use this data only to create or authenticate your BrandCrux account. The information is stored in our user database (provided by Supabase, listed above), and we do not share, sell, or transfer it to any third party for any purpose unrelated to operating the BrandCrux service.
5.2 Google Search Console and Google Analytics integration
When you connect Google Search Console (GSC) or Google Analytics 4 (GA4) inside BrandCrux, you grant us the following OAuth scopes:
- https://www.googleapis.com/auth/webmasters.readonly (read-only Search Console access): so BrandCrux can list the verified properties on your Google account and read query, page, and ranking metrics for properties you choose to connect.
- https://www.googleapis.com/auth/analytics.readonly (read-only Analytics access): so BrandCrux can list the GA4 properties on your account and read traffic and conversion metrics for properties you choose to connect.
- openid, email, profile: standard sign-in scopes used to identify you.
What we receive. The OAuth access token and refresh token issued by Google for the scopes you approve; the list of verified Search Console sites or GA4 properties on your account; and, for the properties you explicitly connect inside BrandCrux, the search query and analytics metrics returned by Google for your reports.
What we do with it. We use this data solely to render your Search visibility and Analytics dashboards inside the BrandCrux application, to detect ranking and traffic changes, and to power the recommendations you see in your account. We do not use it for advertising, do not use it to train machine learning models, and do not allow humans to read it except (a) at your explicit request to support staff, (b) for security investigations or to comply with applicable law, or (c) where the data has been aggregated and anonymised so individual users cannot be identified.
Where it is stored. OAuth tokens are encrypted at rest in our Supabase-hosted database. Search Console and Analytics metrics are stored alongside the rest of your scan history in the same database, scoped to your user account.
With whom we share, transfer, or disclose Google user data. We share Google user data only with the infrastructure providers listed in Section 4 that are required to operate the BrandCrux service, namely: Supabase (database storage of the encrypted tokens and the metrics you have authorised), Vercel and Fly.io (request processing while you view a Search or Analytics dashboard), and Inngest (queueing of the periodic sync jobs that refresh your metrics). These providers act as our processors under data processing agreements and may not use Google user data for their own purposes. We do not share Google user data with AI providers, with BrightData, with Apify, with Razorpay, with Resend, or with any other third party. We never sell Google user data.
How to revoke. You can revoke BrandCrux's access to your Google account at any time at myaccount.google.com/permissions, or from inside BrandCrux at Settings → Connections. Revoking access stops all future syncs immediately. Existing historical metrics already pulled into your account remain in your scan history until you delete the related business or close your account; deletion requests are handled per Section 7.
6. Cookies
The Service uses the following cookies:
- Supabase Auth Session Cookies: Essential cookies required to maintain your authenticated session. These are strictly necessary for the Service to function and cannot be disabled
- Google Analytics Cookies: Performance cookies used to collect anonymous usage statistics (Measurement ID: G-2LFBLLNR7C). These help us understand how users interact with the Service so we can improve it
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.
7. Data Retention
We retain your data according to the following policies:
- Scan Results: Kept indefinitely to provide historical visibility trends and reporting. You may request deletion at any time
- Account Data: Retained for as long as your account is active. Deleted upon request when you close your account
- Payment Records: Retained as required by applicable tax and financial regulations
- Usage and Analytics Data: Retained in aggregate, anonymized form for service improvement
8. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that we correct any inaccurate or incomplete personal data
- Deletion: Request that we delete your personal data and close your account
- Data Export: Request a machine-readable export of your data, including scan results, business profiles, and account information
- Withdrawal of Consent: Withdraw your consent for data processing at any time, which may result in the termination of your access to the Service
To exercise any of these rights, contact us at legal@brandcrux.ai or support@brandcrux.ai. We respond within 30 days. The fastest path to delete your account is self-serve: open BrandCrux, go to Settings → Danger Zone, and confirm the deletion — your account, businesses, scan data, prompts, citations, reports, API keys, and billing records are removed across our systems.
9. GDPR Compliance
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on your consent (account creation), contractual necessity (providing the Service), and legitimate interests (improving the Service and preventing fraud)
- Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format
- Right to Object: You may object to the processing of your personal data for direct marketing or profiling purposes
- Right to Restrict Processing: You may request that we limit how we use your data while a complaint or request is being resolved
- Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority
International data transfers are conducted using appropriate safeguards, including standard contractual clauses where applicable.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights regarding your personal information:
- Right to Know: Request the categories of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we collected about you, subject to certain exceptions (legal compliance, fraud prevention, etc.).
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale or Sharing: BrandCrux does not sell your personal information and does not share it for cross-context behavioral advertising. There is therefore no opt-out form to surface; if this ever changes we will publish a "Do Not Sell or Share My Personal Information" link here.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond providing the Service.
- Right to Non-Discrimination: We will not deny you services, charge different prices, or provide a different level of quality because you exercised a privacy right.
To submit a verifiable consumer request, email legal@brandcrux.ai. We will verify your identity using your account credentials and respond within 45 days (extendable by an additional 45 days where reasonably necessary, with notice). You may also designate an authorized agent to submit a request on your behalf.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing and authentication via Supabase
- Access controls limiting data access to authorized personnel only
- Regular review of our security practices and third-party service configurations
While we take reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the Service. Your continued use of the Service after such modifications constitutes acceptance of the updated policy.
We encourage you to review this page periodically for the latest information on our privacy practices.
13. Contact
For any questions about this Privacy Policy or to exercise your data rights: