Privacy Policy

Effective date: April 2, 2026

1. Who we are

BrandPilot ("we", "us", "our") operates the social media management platform available at https://brandpilots.io. This policy explains what data we collect, how we use it, and your rights.

Questions? Email us at hello@brandpilots.io.

2. Data we collect

Account data

When you create an account we collect your name, email address, and a hashed password (or a Google OAuth token if you sign in with Google).

Brand and workspace data

Content you create inside BrandPilot — brand guidelines, posts, captions, images, campaign data, and scheduling information — is stored in your workspace and associated with your account.

Social media connection data

When you connect a social media account (Facebook, Instagram, Pinterest, LinkedIn), we receive and store:

  • An OAuth access token issued by that platform
  • Your platform user ID and display name
  • For Facebook/Instagram: page names and page access tokens for pages you manage
  • For Instagram: your Instagram business account username

We never store your social media password. Access tokens allow BrandPilot to publish content on your behalf. You can revoke access at any time from both BrandPilot Settings and the respective platform's app settings.

Usage and log data

We collect standard server logs (IP address, browser type, pages visited, timestamps) for security and debugging purposes. This data is retained for 30 days.

Payment data

Billing is handled by Stripe. We do not store credit card numbers. We receive and store your Stripe customer ID and subscription status.

3. How we use your data

  • To provide and operate the BrandPilot service
  • To publish content to your connected social media accounts when you request it
  • To generate AI-powered content tailored to your brand guidelines using third-party AI providers (Anthropic, OpenAI)
  • To send transactional emails (account verification, billing receipts)
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations

We do not sell your data. We do not use your content to train AI models. We do not share your data with third parties except as described in Section 4.

4. Third-party services

We share data with the following services to operate BrandPilot:

  • Supabase: Database, authentication, and file storage (Privacy Policy)
  • Vercel: Hosting and infrastructure (Privacy Policy)
  • Anthropic: AI content generation (Claude) (Privacy Policy)
  • OpenAI: AI content and image generation (Privacy Policy)
  • Stripe: Payment processing (Privacy Policy)
  • Meta (Facebook/Instagram): Social account connection and publishing (Privacy Policy)
  • Pinterest: Social account connection and publishing (Privacy Policy)

5. Facebook and Instagram data

BrandPilot uses the Facebook Graph API to connect your Facebook Pages and Instagram Business accounts. By connecting these accounts you grant BrandPilot permission to:

  • Read your Page and Instagram account information
  • Publish posts, images, and videos to your Page and Instagram account
  • Read engagement data (likes, comments, reach) from your published posts

Data deletion: You can disconnect your Facebook or Instagram account at any time in BrandPilot Settings → Social Accounts → Disconnect. When you delete your BrandPilot account, all associated Facebook and Instagram tokens are permanently deleted within 30 days. You can also request data deletion via this page or by emailing hello@brandpilots.io.

BrandPilot does not share Facebook or Instagram data with any third party other than those listed in Section 4, and only to the extent necessary to operate the service.

6. Data retention

  • Account data: retained for the life of your account, deleted within 30 days of account closure
  • Social access tokens: deleted immediately when you disconnect an account or close your account
  • Posts and content: retained until you delete them or close your account
  • Server logs: 30 days
  • Billing records: 7 years (legal requirement)

7. Your rights

Depending on your location, you may have the right to:

  • Access — request a copy of your personal data
  • Correction — update inaccurate data
  • Deletion — request deletion of your data
  • Portability — receive your data in a portable format
  • Objection — object to certain processing

To exercise any of these rights, email hello@brandpilots.io. We will respond within 30 days.

8. Cookies

We use strictly necessary cookies for authentication (Supabase session cookies). We do not use tracking cookies or advertising cookies.

9. Security

We use industry-standard security measures including encryption in transit (HTTPS), encrypted storage, row-level security on all database tables, and rate limiting on all API endpoints. No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it to hello@brandpilots.io.

10. Children

BrandPilot is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by posting a notice in the app. The effective date at the top of this page reflects the most recent update.

12. Contact

For privacy questions or data requests, contact us at:
hello@brandpilots.io