Privacy Policy
Last updated: June 12, 2026 · DRAFT — requires attorney review before launch
1. Overview
Brandkept ("Brandkept," "we," "our," "us") is committed to protecting the privacy of parents, legal guardians, and the children in their care. This Privacy Policy describes how we collect, use, store, and protect information when you use the Brandkept platform at brandkept.com.
Because our service involves children's data, we take privacy especially seriously. We comply with the Children's Online Privacy Protection Act (COPPA) and its 2025 amendments, the California Consumer Privacy Act (CCPA/CPRA), and other applicable state and federal privacy laws.
This policy applies to all personal information we collect through brandkept.com and related services. By using Brandkept, you agree to the terms of this Privacy Policy.
2. Data We Collect
2a. Account Information (Parent/Guardian)
- Name and email address
- Password (stored as a one-way hash — we cannot recover it)
- Account creation date, last login, account status
- Subscription tier and billing status (payment details handled by Stripe — we do not store card numbers)
2b. Children's Information (Entered by Parent)
- Child's first and last name
- Date of birth and age
- State of residence (for Coogan law calculations)
- Coogan trust account details (if provided by parent)
- Creator platform usernames (if provided by parent)
2c. Income and Financial Data (Entered by Parent or Synced via OAuth)
- Platform earnings records (amounts, dates, platforms)
- Brand deal records (deal names, amounts, status, deliverables)
- Income categories for tax organization
- Tax documents uploaded as PDFs or images (stored encrypted)
2d. Platform OAuth Tokens
- OAuth access tokens and refresh tokens for connected creator platforms (YouTube, TikTok, Twitch, Instagram)
- These are stored encrypted using AES-256-GCM and used only to retrieve income data
2e. Usage and Technical Data
- IP address, browser type, operating system, device type
- Pages viewed, features used, session duration
- Error logs and performance data
- Audit log entries for all actions on minor data (required for COPPA compliance)
3. How We Use Your Data
We use the data we collect only for the following purposes:
- Service delivery: Providing the compliance management features you signed up for
- Coogan calculations: Computing state-specific trust set-aside estimates using child's state and income data
- Tax organization: Categorizing income records and storing tax documents for your review
- Brand deal management: Tracking deals, deliverables, and payments you enter
- Security and fraud prevention: Monitoring for unauthorized access, detecting anomalies, maintaining audit logs
- Service communications: Sending account-related emails (billing, security alerts, compliance reminders)
- Platform sync: Using OAuth tokens to retrieve creator income data from connected platforms
- Service improvement: Aggregated, anonymized analytics to understand how features are used
We do not use your data or your children's data for advertising, marketing profiling, AI model training, or any purpose other than providing and improving the Brandkept service.
4. COPPA — Children Under 13
Brandkept complies with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and its 2025 amendments effective June 23, 2025.
Who controls children's data
Children under 13 do not have Brandkept accounts. All data about children under 13 is entered by and managed by the parent or legal guardian account holder. The parent/guardian is the data controller for their child's information. Brandkept is the data processor, acting only on the parent's instructions.
What we collect and why
We collect only the minimum information necessary to provide the compliance management services: name, date of birth, state of residence, and income records for Coogan calculations and tax organization. We do not collect social security numbers, financial account numbers, or sensitive personal information about children except where explicitly provided by the parent for compliance documentation purposes.
Parental rights under COPPA
As a parent or guardian, you have the right to:
- Review the personal information we have collected about your child
- Correct inaccurate information about your child
- Request deletion of your child's information at any time
- Refuse further collection or use of your child's information (by canceling your account)
- Receive notice of material changes to this policy that affect your child's data
To exercise any of these rights, contact privacy@brandkept.com. We will respond to verifiable requests within 10 business days.
No data sharing for advertising
We do not share children's personal information with any third party for advertising, marketing, or behavioral profiling purposes. We do not condition a child's participation in any activity on the disclosure of more personal information than is reasonably necessary.
5. Children Ages 13–17
For children ages 13–17, Brandkept applies a California-baseline privacy standard to all users nationwide, consistent with the California Age-Appropriate Design Code and related frameworks.
For teen data, we implement a hybrid consent model:
- Parental consent is required when a teen is added to the account
- Teen authorization (via email or in-app confirmation) is requested for new data connections, such as linking a creator platform account
- Teens ages 13–17 may view their own data through the teen portal and may revoke platform connections at any time
- Parents retain full visibility and control over all teen data
We do not share teens' personal information for advertising or behavioral profiling without explicit consent from both parent and teen. Teens' data is used only for service delivery purposes.
6. We Do Not Sell Your Data
Brandkept does not sell, rent, trade, or otherwise transfer your personal information or your children's personal information to any third party for monetary or other valuable consideration. This applies to parent data, child data, income data, and all other information you enter into Brandkept.
We share information only with the service providers listed in Section 7, and only to the extent necessary to provide those services to you.
7. Third-Party Services
We use the following third-party service providers to operate Brandkept. Each receives only the data necessary for their function:
Supabase (Supabase Inc.)
Database, authentication, and file storage infrastructure. Receives: all data you enter into Brandkept.
SOC 2 Type II certified. Data stored in the United States.
Stripe (Stripe, Inc.)
Payment processing. Receives: billing information, subscription status, payment method details.
SOC 2 Type II certified, PCI-DSS Level 1. Brandkept does not store your full card number.
Resend (Resend, Inc.)
Transactional email delivery. Receives: your email address and the content of emails we send you (billing receipts, account alerts, compliance reminders).
SOC 2 Type II certified.
PostHog (PostHog, Inc.)
Product analytics. Receives: anonymized usage events (pages viewed, features used, session data). We do not send PostHog any personally identifiable information or children's data.
You may opt out of PostHog analytics at any time. See our Cookie Policy for details.
Vercel (Vercel Inc.)
Web hosting and CDN. Receives: HTTP request metadata (IP addresses, user agents) for performance and security purposes.
SOC 2 Type II certified.
We do not share your data with any advertising networks, data brokers, social media platforms, or analytics providers beyond those listed above.
8. OAuth Tokens and Platform Connections
When you connect a creator platform account (YouTube, TikTok, Twitch, Instagram), Brandkept receives OAuth access tokens and refresh tokens from those platforms.
- Tokens are encrypted at rest using AES-256-GCM encryption
- Tokens are used exclusively to retrieve creator income data on your behalf
- Tokens are never shared with any third party
- You may revoke any platform connection at any time from your account settings, which immediately invalidates the stored token
Your use of connected platforms is subject to each platform's own privacy policy and terms of service. Brandkept does not have control over how those platforms collect or use data about your creator account.
9. Security Measures
We implement industry-standard technical safeguards to protect your information:
- Encryption at rest: All data stored in Supabase is encrypted at rest. Sensitive fields (OAuth tokens) use additional field-level encryption (AES-256-GCM)
- Encryption in transit: All data transferred between your browser and our servers uses TLS 1.2 minimum (TLS 1.3 preferred)
- Row-level security (RLS): Each parent account can only access their own data — database-level isolation enforced on every table
- Audit logging: Every action on minor data is logged with timestamp, user ID, IP address, and action type
- SOC 2 Type II infrastructure: Supabase, Vercel, and Stripe are all SOC 2 Type II certified
- Access controls: Multi-factor authentication (MFA) is available and recommended for all accounts
Despite these measures, no security system is impenetrable. In the event of a data breach affecting your information, we will notify you in accordance with applicable state breach notification laws. Security concerns: security@brandkept.com
10. Data Retention
We retain your data for as long as your account is active or as needed to provide you with the service. Specific retention periods:
- Active account data: Retained for the life of your account
- Children's data (under-13) after subscription cancellation: Automatically deleted 90 days after your subscription ends
- Children's data on deletion request: Permanently deleted within 10 business days of your request, following a 30-day soft-delete window
- Payment records: Retained for 7 years for tax and legal compliance purposes (required by law)
- Audit logs: Retained for 3 years following account closure for compliance and legal purposes
- OAuth tokens: Deleted immediately upon platform disconnection
11. Your Right to Delete
You have the right to request deletion of your account and all associated data at any time.
How to request deletion
- Log in to your Brandkept account and navigate to Settings → Account → Delete Account, or
- Email privacy@brandkept.com from the email address on your account with the subject line "Account Deletion Request"
What happens after your request
- Your account enters a 30-day soft-delete period during which deletion can be reversed
- After 30 days, all personal data is permanently deleted from active systems
- Payment records required for tax compliance may be retained separately for up to 7 years
- We will confirm deletion by email within 10 business days
You may also request a copy of all data we hold about you before deletion. Email privacy@brandkept.com with "Data Export Request."
12. International Users (GDPR)
Brandkept is primarily designed for U.S. users. If you access Brandkept from the European Union, United Kingdom, or other regions with privacy laws that may apply to our processing of your data, please note:
- Brandkept does not have an EU data processing entity or EU/UK representative at this time. International availability is not officially supported.
- If GDPR applies to your use of Brandkept, you have the right to access, rectify, erase, restrict processing of, and port your personal data
- You may have the right to object to processing and the right not to be subject to automated decision-making
- To exercise any GDPR rights, contact privacy@brandkept.com
By using Brandkept from outside the United States, you acknowledge that your data may be transferred to and processed in the United States.
13. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:
- Right to Know: You have the right to know what personal information we collect, use, disclose, and sell
- Right to Delete: You have the right to request deletion of your personal information (subject to certain exceptions)
- Right to Correct: You have the right to request correction of inaccurate personal information
- Right to Opt Out of Sale: We do not sell your personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Limit Use of Sensitive Personal Information: We use sensitive personal information only as necessary to provide the service
To exercise California rights, submit a request to privacy@brandkept.com. We will respond to verifiable requests within 45 days. We will not charge a fee for processing verifiable consumer requests unless the request is excessive or repetitive.
Categories of personal information collected (CCPA disclosure): Identifiers, commercial information, internet activity information, geolocation data (state level), inferences from the above. We collect this information for the business purposes described in Section 3.
14. Other State Privacy Rights
Several additional U.S. states have enacted comprehensive privacy laws that may provide you with privacy rights similar to those described in Section 13. These include, but may not be limited to:
- Virginia (CDPA): Rights to access, correct, delete, portability, and opt out of targeted advertising and profiling
- Colorado (CPA): Similar rights to CDPA; opt-out rights for targeted advertising and profiling
- Connecticut (CTDPA): Similar rights to CPA
- Utah (UCPA): Rights to access, delete, portability, and opt out of sale and targeted advertising
- Texas (TDPSA): Rights to access, correct, delete, portability, and opt out of targeted advertising
If you are a resident of any state with an applicable privacy law and wish to exercise your rights, contact privacy@brandkept.com. We will respond in accordance with applicable law.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes — particularly changes that affect how we collect, use, or share children's data — we will provide at least 30 days' advance notice via email to the address on your account.
Non-material changes (such as clarifications) may be posted without notice. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of Brandkept after the effective date of changes constitutes acceptance of the revised policy.
16. Contact Us
For privacy questions, rights requests, or concerns:
Brandkept
Privacy: privacy@brandkept.com
Security: security@brandkept.com
General: support@brandkept.com
For COPPA-specific parental inquiries, please use the subject line "COPPA — Parental Request" for fastest routing.