Privacy Policy

This Privacy Policy explains how Brushfeed by Oneforge Ltd. ('we', 'us', or 'our') collects, uses, and protects your personal information when you use our social media scheduling and publishing platform ('Services').

We are committed to protecting your privacy and ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.

By using our Services, you consent to the collection and use of your information as described in this Privacy Policy.

We collect the following information to provide our Services:

Account information: Your email address and name, provided during signup.

OAuth tokens: Access and refresh tokens for your connected social media platforms (Instagram, Pinterest, TikTok, DeviantArt). We never store your platform passwords.

Uploaded media: Images and videos you upload for scheduling, stored in AWS S3.

Post content: Captions, hashtags, alt text, and scheduling preferences you create through our platform.

Engagement analytics: Performance metrics and engagement data retrieved from your connected platforms.

Payment information: Subscription status and Stripe customer ID. We do not store credit card numbers or payment details — Stripe handles all payment data directly.

We use the information we collect to:

Provide the scheduling service: Store your posts, publish content to your connected platforms at scheduled times, and display your content calendar.

Generate AI insights: Send captions and post data to AWS Bedrock (Anthropic Claude) for AI-powered caption enhancement, hashtag generation, and Artistic DNA analysis.

Display analytics: Retrieve and present engagement metrics from your connected platforms.

Manage your account: Process subscriptions, handle billing via Stripe, and provide customer support.

Improve our Services: Understand usage patterns to develop new features and fix issues.

When you use AI features (caption enhancement, hashtag generation, Artistic DNA analysis), your post content is sent to AWS Bedrock (Anthropic Claude) for processing.

All AI processing occurs in the EU (AWS eu-west-1 region).

Anthropic does not store your data or use it for model training. Data is processed in real-time and not retained by the AI provider.

AI-generated suggestions are provided as-is. You are responsible for reviewing all content before it is published to your connected platforms.

We use the following third-party services to operate Brushfeed:

Stripe: Payment processing for subscriptions. Stripe handles all credit card and payment data directly. See Stripe's privacy policy at stripe.com/privacy.

Amazon Web Services (AWS): Hosting, file storage (S3), database, and AI processing (Bedrock). All infrastructure runs in the EU (eu-west-1).

PostHog: Product analytics, used only if you consent to analytics cookies. See PostHog's privacy policy at posthog.com/privacy.

Sentry: Error tracking and monitoring to help us identify and fix issues. Error reports may include technical context but do not include your media or post content.

We do not sell your personal data to any third parties.

Session cookies: Used for authentication (keeping you logged in). These are essential and cannot be disabled.

Local storage: Used for UI preferences (e.g., sidebar state) and draft post data. This data stays in your browser.

Analytics cookies (optional): PostHog analytics cookies are loaded only if you accept analytics cookies via the cookie consent banner. You can decline without affecting functionality.

We do not use advertising cookies or tracking pixels.

Account data (email, name, preferences) is retained while your account is active.

Media files stored in S3 are retained while your posts are active. Deleted posts have their associated media removed.

OAuth tokens are stored for the duration of your platform connection and deleted when you disconnect a platform.

On account deletion, all your personal data, posts, media, and platform connections are permanently removed.

Under UK GDPR, you have the following rights:

Right of access: You can request a copy of all personal data we hold about you.

Right of rectification: You can update your personal information through your account settings.

Right of erasure: You can delete your account from your account settings, which permanently removes all your data.

Right to data portability: You can request your data in a machine-readable format.

Right to object: You can opt out of analytics processing by declining cookies.

Right to withdraw consent: You can withdraw consent for optional data processing at any time.

To exercise these rights, contact us at brushfeed@oneforge.io. We will respond within 30 days.

All data is encrypted at rest and in transit using industry-standard encryption.

OAuth tokens are stored securely and never exposed in API responses.

Our infrastructure runs on AWS with appropriate access controls and security monitoring.

We conduct regular reviews of our security practices and respond promptly to any identified vulnerabilities.

Your data is processed and stored in the EU (AWS eu-west-1, Ireland).

When you connect social media platforms, API calls are made to those platforms' servers, which may be located outside the EU. This is necessary to provide the scheduling and publishing service you have requested.

All third-party processors we use provide adequate data protection safeguards.

We may update this Privacy Policy from time to time to reflect changes in our Services or applicable laws.

We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email.

Your continued use of our Services after changes take effect constitutes acceptance of the updated policy.

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: brushfeed@oneforge.io

Address: Oneforge Ltd., 23a Dudden Hill Lane, London, England, NW10 2ET

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

Last Updated: 22 March 2026