BRBSMedia Studio ← Back to site

Privacy Policy

Last updated: 11 June 2026 · Version 1 (draft)

Draft v1 — pending legal review. This document reflects the current data flows of BRBS Media Studio and cites the applicable EU norms, but should be reviewed by a qualified lawyer before go-live.

1. Who we are (Data Controller)

The controller of your personal data (GDPR Art. 4(7)) is BRBS Trade AB, SYSTER JENNYS VÄG 10 A LGH 1001, 231 34 Trelleborg, Sweden (org. no. 559529-4686, VAT registration pending). Contact: info@brbs.se.

2. What data we process

3. Why we process it & legal basis (Art. 6)

4. AI processing & “bring your own key” (BYOK)

To generate content, the prompts and text you submit are sent to large-language-model providers. When you use your own API key (BYOK), that data is sent directly to the provider you chose, under your agreement with them. Using our managed keys, prompts are processed via the OpenAI and/or Groq APIs (and any other provider you enable). Per those providers’ API terms, your prompts are not used to train their publicly available models. Providers may operate outside the EU/EEA (see §6). You are responsible for reviewing AI-generated output before publishing it (see also our Terms and the EU AI Act transparency duties, Reg. (EU) 2024/1689, Art. 50).

5. Sub-processors

We use vetted third parties to operate the service (identity, payments, AI, social platform APIs, hosting). The current list is published in the Sub-processors document. We impose data-protection terms on each per Art. 28.

6. International transfers (Art. 44–49)

Some sub-processors (e.g. OpenAI, Stripe, Auth0) may process data in the United States. Such transfers are safeguarded by the European Commission’s Standard Contractual Clauses and/or the EU–US Data Privacy Framework where the provider is certified.

7. Retention (Art. 5(1)(e))

We keep data while your workspace is active; backups for up to 30 days; audit logs for up to 12 months; billing records for the period required by tax law. Local app data stored on your device remains until you delete it.

8. Your rights (Art. 15–22)

You have the right to access, rectify, erase (Art. 17), restrict, port (Art. 20) and object to processing, and to withdraw consent. You can export or delete your workspace data from within the app. To exercise other rights, contact info@brbs.se. You may also lodge a complaint with your supervisory authority — in Sweden, the Swedish Authority for Privacy Protection (IMY / Integritetsskyddsmyndigheten), Art. 77.

Right to be forgotten: if you are in the EEA you may request permanent deletion of your account and connected social-media tokens via the app or at info@brbs.se. Your stored access tokens and content history will be wiped from our active databases within 30 days.

9. US state privacy rights (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request access and deletion, and to opt out of any “sale” or “sharing” of personal information (we do not sell your personal information). Similar rights apply under other US state privacy laws. To exercise them, contact info@brbs.se. We will not discriminate against you for exercising these rights.

10. Security (Art. 32)

Encryption in transit (TLS) and at rest, access controls, tenant isolation per workspace, and an audit trail. No method is 100% secure; we notify breaches as required by Art. 33–34.

11. Changes

We will update this policy as our processing changes and revise the “last updated” date. Material changes will be notified in-app.