Legal
Privacy Policy
How BrandForge collects, uses, and protects your data. Written in plain language, because legal documents shouldn't require a law degree.
Last updated: April 4, 2026
How BrandForge collects, uses, and protects your data. Written in plain language, because legal documents shouldn't require a law degree.
Last updated: April 4, 2026
BrandForge is an AI-powered brand creation platform operated by CMY.NL B.V., a company registered in the Netherlands.
Company name: CMY.NL B.V.
Registered address: Barendrecht, Netherlands
Chamber of Commerce (KvK): [KvK number]
Website: brandforge.com
Email: privacy@brandforge.com
When we say "BrandForge", "we", "us", or "our" in this policy, we mean CMY.NL B.V. When we say "you" or "your", we mean you — the person or organisation using our platform.
CMY.NL B.V. is the data controller for the personal data processed through BrandForge. For data processed on behalf of our white-label partners, we act as a data processor under the terms of our Data Processing Agreement (DPA).
We collect different types of data depending on how you interact with BrandForge. Here's a plain-language breakdown:
When you create an account or sign up as a partner, we collect your name, email address, company name, and password. If you sign up through a white-label partner, the partner may share this information with us to provision your account.
If you subscribe to a paid plan, we collect your billing address and payment method. Payment card details are processed and stored by our payment provider (Stripe or Mollie) — we never see or store your full card number.
When you use BrandForge to create a brand, we collect the information you provide in the prompt and any subsequent inputs — such as your business name, description, industry, target audience, and style preferences. We also store the AI-generated outputs (logos, colour palettes, websites, etc.) associated with your account.
We automatically collect technical information about how you use the platform, including your IP address, browser type, device information, pages visited, features used, and timestamps. This helps us improve the product and diagnose issues.
If you contact us via email, our contact form, or live chat, we store the content of those communications along with your name and email address.
We use cookies and similar technologies to remember your preferences, keep you logged in, and understand how you use our platform. See Section 5 for details.
We use your data for the following purposes:
| Purpose | Data used |
|---|---|
| Provide the BrandForge service | Account info, brand creation data |
| Process payments and manage subscriptions | Billing info, account info |
| Generate AI-powered brand assets | Brand creation data (prompts, preferences) |
| Improve the platform and AI models | Usage data, aggregated brand creation data |
| Send service-related communications | Email address, account info |
| Send marketing communications (with consent) | Email address, name |
| Respond to support requests | Communication data, account info |
| Prevent fraud and abuse | IP address, usage data |
| Comply with legal obligations | All data as required by law |
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
| Legal basis | When it applies |
|---|---|
| Contract performance (Art. 6(1)(b)) | Processing necessary to provide the BrandForge service you signed up for — account management, brand generation, asset storage, and delivery. |
| Legitimate interest (Art. 6(1)(f)) | Improving our platform, preventing fraud, analysing usage patterns, and ensuring platform security. We balance our interests against your rights and freedoms. |
| Consent (Art. 6(1)(a)) | Marketing emails, non-essential cookies, and any optional data collection. You can withdraw consent at any time. |
| Legal obligation (Art. 6(1)(c)) | Tax records, anti-money laundering requirements, and responding to lawful requests from authorities. |
We use a limited number of third-party services to operate BrandForge. Each provider is selected for their privacy and security standards, and where possible, we use EU-based providers.
| Service | Purpose | Data location |
|---|---|---|
| Stripe / Mollie | Payment processing | EU / US (SCCs) |
| Zoho CRM | Lead management and support | EU (Zoho EU DC) |
| AWS (eu-central-1) | Cloud hosting and storage | EU (Frankfurt) |
| Anthropic / OpenAI | AI model inference for brand generation | US (see Section 7) |
| Transactional email provider | Sending account and service emails | EU |
We have Data Processing Agreements (DPAs) in place with all third-party processors. Where data is transferred outside the EU, appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.
BrandForge uses artificial intelligence to generate brand identities, logos, websites, and other creative assets. Here's how your data is handled in this process:
When you create a brand, the text prompts and preferences you provide are sent to AI model providers (such as Anthropic or OpenAI) for processing. This includes your business description, target audience, and style preferences. It does not include your name, email address, billing information, or account credentials.
We use API-based access to AI models. Under our agreements with these providers, your prompts and generated outputs are not used to train their models. Data sent via API is processed for inference only and is not retained beyond the technical minimum required to generate a response.
You own the brand assets generated through BrandForge. We do not claim intellectual property rights over AI-generated logos, colour palettes, websites, or other outputs created for your account. Our Terms of Service contain the full details on content ownership and licensing.
We may use aggregated and anonymised usage patterns (e.g. "what types of prompts lead to better results") to improve the BrandForge platform. We do not use your individual brand data to train AI models.
| Data type | Retention period |
|---|---|
| Account information | For the lifetime of your account + 30 days after deletion |
| Brand creation data and assets | For the lifetime of your account + 30 days after deletion |
| Billing records | 7 years (Dutch fiscal retention requirement) |
| Usage/analytics data | 26 months (aggregated after 6 months) |
| Support communications | 2 years after last contact |
| Cookie data | Maximum 12 months (per cookie type) |
| Marketing consent records | For as long as consent is active + 3 years |
When you delete your account, we remove your personal data and brand assets within 30 days. Anonymised, aggregated data that cannot be linked back to you may be retained indefinitely for analytics purposes.
BrandForge is operated from the European Union, and our primary hosting infrastructure is located in the EU (AWS eu-central-1, Frankfurt). However, some of our service providers are based outside the EU.
When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
You can request a copy of the specific safeguards in place by contacting us at privacy@brandforge.com.
If you're in the European Economic Area (EEA), you have the following rights regarding your personal data:
Right of access
You can request a copy of the personal data we hold about you.
Right to rectification
You can ask us to correct inaccurate or incomplete data.
Right to erasure
You can ask us to delete your personal data. We'll comply unless we have a legal obligation to retain it.
Right to restriction
You can ask us to restrict processing of your data in certain circumstances.
Right to data portability
You can request your data in a structured, machine-readable format and transfer it to another provider.
Right to object
You can object to processing based on legitimate interest, including profiling and direct marketing.
Right to withdraw consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint
You can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
To exercise any of these rights, email us at privacy@brandforge.com. We'll respond within 30 days. We may ask you to verify your identity before processing your request.
We take data security seriously and implement appropriate technical and organisational measures to protect your personal data, including:
BrandForge is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete it promptly.
If you believe a child has provided us with personal data, please contact us at privacy@brandforge.com.
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
We encourage you to review this page periodically. Continued use of BrandForge after changes are posted constitutes your acceptance of the updated policy.
If you have any questions about this privacy policy, your personal data, or want to exercise your rights, you can reach us at:
Data controller: CMY.NL B.V.
Email: privacy@brandforge.com
Postal address: CMY.NL B.V., Barendrecht, Netherlands
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority: