Privacy Policy

Last updated: April 5, 2026

FirstByte Studio, Inc. ("FirstByte," "we," "us," or "our") operates BrandElf, an AI-assisted operations platform for wholesale brands. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your choices regarding that information.

"Service" refers to the BrandElf platform accessible at brandelf.app. "You" refers to any individual or entity that accesses or uses the Service.

By using the Service you agree to the collection and use of information as described here. If you do not agree, do not use the Service.

Your use of the Service is also governed by our Terms of Service.

1. Information We Collect

a. Account Information

When you create an account we collect your name, email address, and a password or authentication credential. If you sign up on behalf of a company we also collect the company name and your role.

b. Connected Platform Data

BrandElf connects to third-party wholesale platforms (currently Faire, with Shopify planned) through OAuth. When you authorize a connection we receive an access token and, depending on the platform, may access your product catalog, orders, inventory levels, shipment records, pricing, and retailer information. We request only the scopes necessary to operate the Service.

We do not store your platform login credentials. Authentication is handled entirely through the platform's own OAuth flow. Access tokens and refresh tokens are stored encrypted at rest.

c. Conversation and Interaction Data

The Service operates through a conversational interface. We store the messages you send, the responses the AI assistant generates, the tool calls the assistant makes, and the results of those calls. This history is used to maintain context across your session, improve the quality of assistance, and provide an audit trail of actions taken on your behalf.

d. Billing Information

Payment processing is handled by Stripe. We do not store your credit card number or bank account details. Stripe may collect information as described in Stripe's Privacy Policy.

e. Usage and Technical Data

We automatically collect standard technical information when you use the Service: IP address, browser type, device type, pages viewed, and timestamps. We use cookies only for session management and authentication — not for advertising or cross-site tracking.

2. How We Use Your Information

• To operate the Service — processing your requests, executing actions on connected platforms, and maintaining conversation context.
• To process through AI providers — portions of your data (including conversation content and connected platform data relevant to your request) are sent to third-party AI model providers (currently Anthropic and OpenAI) to generate responses and execute tool calls. Anthropic and OpenAI have contractual commitments not to use Service data to train their models. We monitor these terms and will update this policy if they change.
• To execute platform actions — when you approve a staged action (such as updating inventory, creating a shipment, or modifying a product), we use your connected platform credentials to carry out that action via the platform's API.
• To communicate with you — transactional emails related to your account, security notifications, and service updates.
• To maintain and improve the Service — diagnosing technical issues, analyzing usage patterns in aggregate, and improving the AI assistant's capabilities.
• To comply with legal obligations — responding to lawful requests from governmental authorities.

3. How We Share Your Information

We do not sell your personal information. We share information only in these circumstances:

• AI model providers (Anthropic, OpenAI) — to generate AI responses. Data is transmitted over encrypted connections. Anthropic and OpenAI have contractual commitments not to use Service data to train their models. We monitor these terms and will update this policy if they change.
• Connected platforms (Faire today, Shopify planned) — to read data you've authorized and to execute actions you've approved.
• Payment processor (Stripe) — to process subscription billing.
• Email service provider (Postmark) — to deliver transactional emails.
• Infrastructure providers — our hosting provider processes data as necessary to operate the Service. Data is encrypted in transit and at rest.
• Legal requirements — if required by law, subpoena, or legal process, or to protect the rights, property, or safety of FirstByte, our users, or the public.
• Business transfers — in connection with a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

4. Data Security

We implement industry-standard security measures to protect your information:

• All data is transmitted over TLS/SSL encryption.
• Platform access tokens and refresh tokens are encrypted at rest using Rails encrypted credentials.
• All platform write operations require your explicit approval before execution.
• We maintain an audit trail of all actions taken on connected platforms.
• Access to production systems is restricted and logged.

No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee its absolute security.

5. Data Retention

We retain your account information and conversation history for as long as your account is active. Connected platform data is accessed in real time and cached only as needed to operate the Service. If you delete your account, we will delete your personal information and conversation history within 30 days, except where retention is required by law.

6. Your Rights and Choices

• Access and portability — you may request a copy of the personal information we hold about you.
• Correction — you may update your account information through the Service settings.
• Deletion — you may request deletion of your account and associated data by contacting us.
• Revoke platform access — you may disconnect any connected platform at any time through the Service or directly through the platform's own settings. Disconnecting immediately revokes our ability to access that platform's data.
• Opt out of communications — you may unsubscribe from non-essential emails using the link in each message.

To exercise any of these rights, contact us at privacy@brandelf.app. We will acknowledge your request within ten (10) business days and provide a substantive response within forty-five (45) days of receipt. When reasonably necessary, we may extend this period by an additional forty-five (45) days after notifying you of the extension and the reason. If we decline a request in whole or in part, we will explain the basis for our decision and, where applicable, your right to appeal (see Section 7).

You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority and of your identity before acting on the request.

7. State-Specific Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or Texas, your state's privacy law may provide you with specific rights regarding your personal information, in addition to the rights described in Section 6. Those rights include the right to confirm whether we process your personal information and to access that information; the right to correct inaccuracies; the right to request deletion; the right to data portability; the right to opt out of the sale of personal information or targeted advertising; and the right not to be discriminated against for exercising these rights. Note: the right to correct inaccuracies is not available to Utah residents.

a. California (CCPA/CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents may: know the categories of personal information we have collected, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it; access the specific pieces of personal information we hold about you; request deletion; request correction; opt out of the sale or sharing of personal information; limit the use of sensitive personal information; and exercise these rights without discriminatory treatment. The categories of information we collect and the purposes for which we use them are described in Section 1 and Section 2. The categories of third parties with whom we share personal information are described in Section 3.

b. Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding twelve (12) months.

c. Sensitive Personal Information

We use sensitive personal information (such as account login credentials) only to provide the Service. We do not use or disclose sensitive personal information for purposes enumerated in California Civil Code § 1798.121(a) that would give rise to your right to limit.

d. Shine the Light (California Civil Code § 1798.83)

We do not share your personal information with third parties for those parties' own direct marketing purposes.

e. Virginia, Colorado, Connecticut, Utah, and Texas

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) may exercise the rights listed in the introduction to this Section 7, subject to the specifics of each state's law. Colorado residents may exercise the right to opt out of certain processing through a universal opt-out mechanism such as the Global Privacy Control signal.

f. Appeals (Virginia, Colorado, Connecticut, Texas)

If we decline to take action on your request, you may appeal our decision by emailing privacy@brandelf.app with the subject line "Privacy Rights Appeal" within a reasonable time after our response. We will respond within forty-five (45) days of receipt (or sixty (60) days under Colorado law), explaining the action taken or the reasons for declining to act. If your appeal is denied, you may contact your state's Attorney General.

8. Children's Privacy

The Service is designed for business use and is not directed to anyone under the age of 16. We do not knowingly collect information from children. If we learn we have collected information from a child under 16, we will delete it promptly.

9. International Data Transfers

Your information is processed in the United States, where FirstByte Studio, Inc. and our service providers operate. By using the Service you consent to this processing. We take steps to ensure that your data receives adequate protection in accordance with this Privacy Policy.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

FirstByte Studio, Inc.
2261 Market Street STE 86361
San Francisco, CA 94114
privacy@brandelf.app