Privacy Policy

We are committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your personal information.

1. Introduction

This Privacy Policy explains how Brushfeed by Oneforge Ltd. ('we', 'us', or 'our') collects, uses, and protects your personal information when you use Brushfeed, our social media management platform.

We are committed to protecting your privacy and ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.

By using our Services, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

This policy applies to all users of Brushfeed, including creators, artists, and businesses who use our platform to manage their social media presence.

2. Information We Collect

We collect several types of information to provide and improve our Services:

Account Information: Email address, full name, username, and profile image URL when you create an account.

Subscription Data: Account tier (solo/professional/studio), subscription status, and payment information processed through secure third-party payment processors.

Social Media Credentials: Platform usernames and OAuth access/refresh tokens for your connected social media accounts. We never store your passwords.

Content Data: Post captions, hashtags, media files (images/videos), and scheduling preferences that you create through our platform.

Usage Analytics: Post performance metrics, engagement statistics, and platform usage patterns to help improve your experience.

Technical Data: Job status logs, error messages, and connection timestamps for service monitoring and troubleshooting.

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Provision: To post content to your connected social media platforms, provide analytics, and manage your account.

Account Management: To process payments, manage subscriptions, and provide customer support.

Performance Optimisation: To analyse usage patterns and improve our platform's functionality and user experience.

Platform Improvements: To develop new features and enhance existing services based on user feedback and usage data.

Legal Compliance: To comply with applicable laws, regulations, and legal processes.

Security: To protect against fraud, abuse, and security threats to our platform and users.

4. Social Media Platform Integration

When you connect your social media accounts to Brushfeed, we request specific permissions:

Instagram: Basic profile information and media publishing permissions to post content on your behalf.

TikTok: Read/write access to post videos and manage your TikTok presence.

DeviantArt: Profile access and submission permissions for posting artwork.

Pinterest: Board access and pin creation capabilities.

Patreon: Post creation and audience management features.

Security Measures: We store only OAuth access tokens (encrypted) and never your passwords. Tokens are automatically refreshed before expiration.

Third-Party Data: Information from social media platforms is stored securely and used only for the services you've authorised.

5. Data Storage and Security

Storage Location: Our primary infrastructure is hosted on AWS in UK/EU regions to ensure GDPR compliance.

Encryption: All data is encrypted at rest and in transit using industry-standard encryption protocols.

Access Control: We implement AWS IAM policies and Cognito authentication to control access to your data.

Database Security: PostgreSQL and DynamoDB databases use encrypted connections and data encryption.

API Security: JWT tokens for API access and OAuth for platform connections ensure secure data transmission.

Infrastructure: Our serverless architecture minimises attack surface and provides enhanced security.

Data Retention: Active user data is retained while your subscription is active. Job status records have a 30-day TTL, and retention of media assets is configurable based on your preferences.

6. Marketing and Communications

Account Communications: We send essential account-related emails including billing notifications and service updates.

Marketing Communications: Optional marketing emails are sent only with your explicit consent and include clear opt-out mechanisms.

In-App Notifications: Feature updates and important announcements are delivered through our platform.

Cookies: We use session cookies for authentication and analytics cookies for platform usage (with your consent).

Third-Party Sharing: We share data only with payment processors for billing, AWS for infrastructure, and social media platforms for posting content as you request. No marketing data is shared with third parties.

7. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access: You can request a copy of all personal data we hold about you through our API endpoints.

Right of Rectification: You can update your personal information through your account settings.

Right of Erasure: You can request deletion of your account and all associated data, which will be permanently purged.

Right to Data Portability: You can export your data in machine-readable formats for transfer to other services.

Right to Object: You have granular privacy controls and can opt out of specific data processing activities.

Right to Restrict Processing: You can limit how we process your data in certain circumstances.

Right to Withdraw Consent: You can withdraw consent for data processing at any time.

To exercise these rights, please contact us at brushfeed@oneforge.io. We will respond to your request within 30 days.

8. Age Requirements and Consent

Minimum Age: You must be at least 13 years old to use Brushfeed, in line with most social media platform requirements.

Parental Consent: If you are under 18, you must have parental or guardian consent to use our Services.

Age Verification: We verify your age during registration and may request additional documentation for users under 18.

Enhanced Protection: Users under 18 receive enhanced privacy protection and limited access to certain features.

Special Handling: We implement additional safeguards for creators under 18, including restricted data processing and enhanced privacy controls.

If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete such information promptly.

9. International Data Transfers

Primary Storage: Your data is primarily stored in UK/EU AWS data centres to ensure GDPR compliance.

Transfer Safeguards: When international transfers are necessary, we use Standard Contractual Clauses (SCCs) and conduct regular adequacy assessments.

Social Media APIs: API calls to social media platforms are handled through secure, encrypted channels regardless of platform location.

Third-Party Processors: We ensure all third-party data processors provide adequate protection for your data.

Monitoring: We regularly review and update our international transfer practices to maintain compliance with data protection laws.

10. Data Breaches and Security Incidents

Incident Response: We have established procedures to detect, report, and investigate personal data breaches.

Notification: In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected users without undue delay.

Assessment: Each security incident is thoroughly assessed to determine the scope, impact, and necessary response measures.

Remediation: We take immediate action to contain and remediate any security incidents and prevent future occurrences.

Communication: We maintain transparent communication with users about security incidents and the steps taken to address them.

11. Changes to This Privacy Policy

Updates: We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification: We will notify you of any material changes by posting the updated policy on our website and updating the 'Last Updated' date.

Continued Use: Your continued use of our Services after any changes constitutes acceptance of the updated Privacy Policy.

Review: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you do not agree to the updated Privacy Policy, you should stop using our Services and contact us to delete your account.

12. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: brushfeed@oneforge.io

Address: Oneforge Ltd., 23a Dudden Hill Lane, London, England, NW10 2ET

Data Protection Officer: For complex privacy matters, you can contact our Data Protection Officer at brushfeed@oneforge.io with the subject 'Data Protection Officer'.

Last Updated: 27/07/2025
