Privacy Policy

1. Information We Collect

We collect information you provide directly, such as your name, email address, and company information when you join our waitlist, create an account, or contact us. We also collect usage data automatically, including IP addresses, browser type, pages visited, and interaction patterns with our platform.

2. How We Use Your Information

We use collected information to provide, maintain, and improve our services; communicate with you about your account, updates, and marketing (with your consent); detect and prevent fraud or abuse; comply with legal obligations; and analyze usage patterns to improve the platform experience.

3. Data Sharing

We do not sell your personal information. We may share data with service providers who assist in operating our platform (hosting, analytics, email delivery), law enforcement when required by law, and business partners with your explicit consent. All third-party providers are contractually obligated to protect your data.

4. Data Security

We implement industry-standard security measures including end-to-end encryption, audit logging, penetration testing, and secure development practices. While no system is perfectly secure, we are committed to protecting your information using best-in-class practices.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. You may request deletion of your data at any time by contacting us. Certain data may be retained as required by law or for legitimate business purposes such as fraud prevention.

6. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data; object to or restrict processing; withdraw consent at any time; and lodge a complaint with a supervisory authority. To exercise any of these rights, contact us at info@brandog.ai.

7. Cookies

We use essential cookies required for the platform to function and analytics cookies to understand usage patterns. You can control cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

8. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of our services after changes constitutes acceptance of the updated policy.

9. Email Module — Gmail & Microsoft 365 Data

Customers who enable the Brandog Email module connect their Google Workspace or Microsoft 365 tenant to Brandog through a tenant-wide administrator consent flow. This section describes what data we access from those providers and how it is used.

9.1 Data we access

With the tenant administrator’s explicit consent, Brandog accesses the following data from the connected mailboxes:

• Message headers (sender, recipient, subject, timestamps, message-id, in-reply-to, authentication results including SPF, DKIM, and DMARC verdicts)
• Message bodies and extracted features (URLs, sender domains, display-name / address mismatches, attachment filenames and SHA256 hashes)
• Mailbox metadata required to enumerate protected users and apply labels or folder moves
• Labels and folders necessary to implement the reversible quarantine action

9.2 How we use this data

Brandog uses Gmail and Microsoft 365 data solely to provide, maintain, and improve user-facing features of the Email module: detecting phishing, business email compromise, and domain-impersonation threats; quarantining suspicious messages in a reversible manner; presenting detection results to the tenant administrator for review; and generating aggregate security telemetry visible only to that tenant.

9.3 Limited Use (Google API Services User Data Policy)

Brandog’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data to provide or improve user-facing features of the Email module that are prominent in the Brandog application interface.
• We do not transfer Google user data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to the affected users.
• We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• We do not allow humans to read Google user data unless (a) we have obtained the affected user’s affirmative agreement, (b) it is necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) the data has been aggregated and is used for internal operations in accordance with applicable privacy and other laws.

9.4 Microsoft 365 data

The same commitments apply to data accessed through Microsoft Graph APIs. Brandog does not sell, rent, or use Microsoft 365 customer content for advertising, and uses the minimum permissions required to deliver the Email module.

9.5 Storage, retention, and residency

Email data is stored in the European Union on infrastructure operated by Supabase (hosted in the EU) and is isolated per tenant using row-level security. OAuth refresh tokens are stored encrypted at rest. Message headers and extracted security features are retained for as long as the tenant maintains the connection; full message bodies are retained only for messages flagged as threats and are automatically purged thirty (30) days after flagging. A tenant administrator may disconnect the integration at any time, which revokes our access tokens and deletes stored message data within 30 days of disconnection, except for aggregated telemetry that does not identify individuals.

9.6 Sub-processors

For the Email module, Brandog engages the following sub-processors: Supabase (database and storage, EU region); Resend (administrator notification email delivery); OpenRouter and Google Gemini (LLM-based threat classification, with data transfer limited to extracted features and truncated bodies necessary for classification). A current list of sub-processors is available on request.

9.7 Revocation

Tenant administrators may revoke Brandog’s access at any time from the Brandog admin console or directly from their Google Workspace or Microsoft 365 admin panel. Revocation is respected immediately on our side, and stored data is deleted in accordance with section 9.5.

10. Contact

For questions about this privacy policy or your personal data, or to request a list of sub-processors or a copy of our Data Processing Addendum, contact us at info@brandog.ai.