Privacy Policy

Data Controller

AgentBrush is operated by Favvy Corp, registered at 16 Rue du Chêne Jaunais, 44300 Nantes, France (the "Data Controller").

For any questions regarding data protection, please contact our Data Protection Officer at [email protected].

Categories of Data Collected

We collect and process the following categories of personal data in connection with your use of AgentBrush:

Legal Bases for Processing

We process your personal data based on the following legal grounds:

- Contract performance (Art. 6(1)(b)): Account management, service delivery, billing, and subscription management.

- Legitimate interest (Art. 6(1)(f)): Service improvement, security monitoring, abuse prevention, and error tracking.

- Consent (Art. 6(1)(a)): Analytics cookies and optional marketing communications. You may withdraw consent at any time.

- Legal obligation (Art. 6(1)(c)): Tax and financial record-keeping requirements.

Data Retention

We retain your personal data only as long as necessary for the purposes for which it was collected:

- Account data: Retained for the duration of your account, plus 30 days after deletion to allow recovery.

- Payment and billing data: Retained for 7 years to comply with tax and accounting obligations.

- Usage data: Aggregated and anonymized after 90 days. Raw usage logs are deleted after 90 days.

- Generated images: Subject to the three-layer cleanup policy (hot cache: 24 hours, warm storage: 30 days, cold archive: per plan).

- Error monitoring data: Retained in Sentry for 90 days.

- Security event logs: Retained for 90 days.

Third-Party Recipients

We share your data with the following third-party service providers, each acting as a data processor under written agreements:

- Clerk (US) — Authentication and identity management. Processes: email, display name, profile picture.

- Stripe (US) — Payment processing and subscription management. Processes: billing data, payment method details.

- Cloudflare (Global) — Hosting, CDN, R2 object storage, Workers serverless compute. Processes: request metadata, generated images.

- Sentry (US) — Error monitoring and performance tracking. Processes: error context data (PII scrubbed via beforeSend).

- OpenAI (US) — AI image generation (primary model). Processes: generation prompts and resulting images.

- OpenRouter (US) — AI image generation (fallback model). Processes: generation prompts and resulting images.

- Upstash (EU) — Rate limiting and quota management. Processes: usage counters and rate limit state.

For a complete list, see our {{link:/sub-processors|Sub-processors List}}.

International Data Transfers

Some of our service providers are located in the United States. For transfers of personal data outside the European Economic Area, we rely on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or other appropriate safeguards as required by applicable law.

You may request a copy of the applicable transfer mechanisms by contacting us at [email protected].

Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

- Right of access (Art. 15): Obtain confirmation of whether we process your data and request a copy.

- Right to rectification (Art. 16): Correct inaccurate personal data.

- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").

- Right to restriction (Art. 18): Restrict processing of your personal data in certain circumstances.

- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.

- Right to object (Art. 21): Object to processing based on legitimate interests.

To exercise any of these rights, visit your {{link:/account|Account Settings}} or contact [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority.

Data Protection Officer

Our Data Protection Officer can be reached at:

Email: [email protected]

Favvy Corp, 16 Rue du Chêne Jaunais, 44300 Nantes, France

California Online Privacy Protection Act (CalOPPA)

In accordance with CalOPPA, we disclose that:

- This Privacy Policy is posted conspicuously on our website and is accessible from our homepage via the footer.

- We honor Do Not Track (DNT) browser signals. When we detect a DNT signal or Global Privacy Control (GPC), we disable non-essential tracking.

- Third-party behavioral tracking is not used on AgentBrush.

California Consumer Privacy Act (CCPA/CPRA)

If you are a California resident, the CCPA and CPRA provide you with additional rights regarding your personal information.

Categories of personal information collected: Identifiers (email, name), commercial information (subscription and billing data), internet activity (usage data, device information), and professional information (if provided).

Categories sold or shared: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

Your rights under CCPA/CPRA:

- Right to know: Request disclosure of the personal information we collect, use, and disclose.

- Right to delete: Request deletion of your personal information.

- Right to correct: Request correction of inaccurate personal information.

- Right to opt-out: Opt out of the sale or sharing of personal information. As stated above, we do not sell or share personal information.

- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, visit your {{link:/account|Account Settings}}, contact [email protected], or use the designated request methods described in our {{link:/gdpr-rights|Data Subject Rights}} page.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email.

Your continued use of AgentBrush after any changes constitutes acceptance of the updated policy.