Privacy Policy

Last updated: April 4, 2026

Controller: Maximilian Appelt, Wolbecker Str. 94, 48155 Münster, Germany · mail@brandkernel.io

1. Who We Are

BrandKernel.io is operated by Maximilian Appelt (hereinafter "we", "BrandKernel"). We are the data controller within the meaning of Art. 4 No. 7 GDPR for all personal data collected through this platform. Data protection inquiries: mail@brandkernel.io

2. What Data We Process and Why

2.1 Account Data

Data: Name, email address, password (stored exclusively as a hash — plaintext passwords are never stored).
Purpose: Account creation, authentication, contract performance.
Legal basis: Art. 6(1)(b) GDPR.
Retention: Until account deletion; tax-relevant data up to 10 years (§ 147 AO).

2.2 Payment Data

Data: Paddle Customer ID and payment status. We do not receive credit card details or complete payment information.
Purpose: Purchase processing, access authorization.
Legal basis: Art. 6(1)(b) GDPR.
Note: All payment processing is handled by Paddle.com Market Ltd. as Merchant of Record (see Section 5).

2.3 Conversation Data (Brand Archaeology Sessions)

Data: All inputs in the AI dialogue with Raen — text entries, uploaded documents, brand information, personality profiles, and generated outputs (Brand Kernel JSON, strategy documents, language rules).
Purpose: Delivery of the contracted service.
Legal basis: Art. 6(1)(b) GDPR.
Retention: For the duration of the active account. Upon deletion request, all data is permanently deleted within 30 days. System backups may retain data for up to 30 days beyond that; these backups are not actively used.

2.4 Product Improvement (Pseudonymized Analysis)

Data: Conversation content in pseudonymized form (no direct link to name or email address during analysis; internal reference as User ID only).
Purpose: Improving the platform and AI dialogue quality.
Legal basis: Art. 6(1)(a) GDPR. Consent is given by accepting this Privacy Policy upon registration. It may be withdrawn at any time with effect for the future (mail@brandkernel.io) without affecting access to the platform.
Note: We do not sell, share, or publish conversation content in any form.

2.5 Usage and Analytics Data

Data: IP address, browser type, pages visited, timestamps, technical metadata — collected via Google Analytics 4 and Meta Pixel.
Purpose: Reach measurement, product optimization, targeted advertising.
Legal basis: Art. 6(1)(a) GDPR (consent, obtained via cookie consent banner prior to setting any tracking cookies).

3. Cookies

Strictly necessary cookies (no consent required, § 25(2) TDDDG):
We set one session cookie for authentication. This cookie is technically essential for operating the platform and is set without consent.

Analytics and marketing cookies (consent required):
These cookies are only set after your explicit consent via our cookie consent banner. You may withdraw your consent at any time via the banner or by email.

Provider | Purpose | Third country
Google Analytics 4 | Usage analysis | USA
Meta Pixel | Conversion tracking, retargeting | USA

4. Tracking Services in Detail

4.1 Google Analytics 4

Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).
Data transfer to the USA on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Opt-out: https://tools.google.com/dlpage/gaoptout
Google Privacy Policy: https://policies.google.com/privacy

4.2 Meta Pixel

Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (parent company: Meta Platforms Inc., USA).
Data transfer to the USA on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Opt-out: Facebook account settings → "Ad Preferences".
Meta Privacy Policy: https://www.facebook.com/privacy/policy

5. Service Providers and Third-Country Transfers

We have entered into written Data Processing Agreements with all processors pursuant to Art. 28 GDPR.

Provider | Function | Country | Basis for third-country transfer
Anthropic, PBC | AI processing (Claude API / Raen) | USA | Standard Contractual Clauses (Art. 46(2)(c) GDPR)
Xano Inc. | Backend infrastructure, database | USA | Standard Contractual Clauses
Vercel Inc. | Frontend hosting, CDN | USA | Standard Contractual Clauses
Paddle.com Market Ltd. | Payment processing (Merchant of Record) | UK | UK Adequacy Decision
Google Ireland Ltd. | Analytics | Ireland / USA | Standard Contractual Clauses
Meta Platforms Ireland Ltd. | Marketing pixel | Ireland / USA | Standard Contractual Clauses

Note on Anthropic: Anthropic does not use API inputs for AI model training. Inputs are processed to generate a response and are not retained by Anthropic beyond that request. Basis: Data Processing Agreement with Anthropic (https://privacy.anthropic.com).

We do not sell personal data. We do not share data with third parties for advertising purposes.

6. Your Rights Under the GDPR

You have the following rights (Art. 15–21 GDPR):

  • Access (Art. 15): Copy of all data we hold about you
  • Rectification (Art. 16): Correction of inaccurate data
  • Erasure (Art. 17): Deletion of your account and all associated data
  • Restriction (Art. 18): Restriction of processing
  • Data portability (Art. 20): Export of your Brand Kernel data and conversation history as JSON
  • Objection (Art. 21): Against processing based on legitimate interests
  • Withdrawal (Art. 7(3)): Consent (analytics, Meta Pixel, product improvement) may be withdrawn at any time without affecting your account

Submit requests to: mail@brandkernel.io — We respond within 30 days. In complex cases, we may extend this period by up to two additional months; we will inform you within the first month if this applies.

Right to lodge a complaint:
Landesbeauftragte für Datenschutz und Informationsfreiheit NRW
Kavalleriestr. 2–4, 40213 Düsseldorf, Germany · www.ldi.nrw.de

7. Data Security

We implement technical and organizational measures to protect your data (Art. 32 GDPR):

  • Encryption in transit: All data between your browser and our servers is encrypted via TLS. Conversation content is never transmitted in plaintext.
  • Encryption at rest: All data is stored encrypted in our database (Xano, PostgreSQL).
  • Access control: Your conversation data and Brand Kernel are accessible only to you. Our backend enforces user-level access control at the database layer — no other user can access your data, even with knowledge of your account ID.
  • Authentication: We use JWT-based authentication. Passwords are stored exclusively as hashes — plaintext passwords are never stored or transmitted.
  • Payment security: We do not store credit card data. All payment processing is handled by Paddle.com Market Ltd. as a certified payment service provider.
  • AI processing: Conversation content is transmitted to the Anthropic Claude API for response generation. Anthropic does not retain or train models on API data.
  • Internal access: Technical database access for support and operational purposes is restricted to the controller and is exercised exclusively within the scope of the purposes described in this Privacy Policy.

Security controls for our API and access mechanisms are reviewed as part of our regular development process.

8. Data Retention and Deletion

  • Active accounts: Data is retained for the duration of the account.
  • Deleted accounts: All data is permanently deleted within 30 days of a deletion request. System backups may retain data for up to 30 days beyond that; these are not actively used.
  • Payment records: Retained for 7 years in accordance with statutory retention obligations (§ 147 AO); managed by Paddle.

9. Children

BrandKernel.io is intended exclusively for business users within the meaning of § 14 BGB. The platform is not directed at persons under the age of 16. We do not knowingly collect data from minors.

10. Changes to This Policy

We will notify you by email of any material changes to this Privacy Policy. The current version is always available at brandkernel.io.