Privacy Policy

Last updated: February 23, 2026

1. Overview

Korogaru Ishi, LLC ("Company", "we") operates brandspec.tools ("Service"), a SaaS platform for creating, managing, and distributing brand identities. This Privacy Policy explains how we collect, use, share, and protect your personal information. It applies to all users of the Service, including organization owners, team members, and visitors accessing public brand portals.

2. Information We Collect

2.1 Information you provide

  • Account information — Email address and password when you sign up
  • Organization details — Organization name, slug, and plan selection
  • Team member information — Email addresses of people you invite to your organization
  • Brand content — brand.yaml files, brand assets (logos, images, icons), guidelines text, design tokens, and any other data you create or upload
  • Workshop and Consult conversations — Messages you exchange with AI features, including prompts and brand context
  • Payment information — Processed entirely by Stripe. We receive your plan tier and subscription status but never see or store credit card numbers
  • Support communications — Emails or messages you send to us

2.2 Information collected automatically

  • Usage data — Pages visited, features used, brands created, exports generated, AI tokens consumed
  • Device and browser information — Browser type, operating system, screen resolution, language preference
  • IP address — Used for security, abuse prevention, and approximate geolocation (country level)
  • Cookies and similar technologies — See our Cookie Policy for details
  • Referrer data — The URL that referred you to the Service

3. How We Use Your Information

  • Service delivery — Host your brands, render public portals, generate token exports, run AI features, manage team access
  • Authentication and security — Verify your identity, protect against unauthorized access, detect abuse
  • Payments — Process subscriptions, manage plan changes, handle AI token add-on purchases
  • Transactional emails — Send account verification, password resets, team invitations, billing receipts, and subscription change confirmations via SendGrid
  • Analytics — Understand how the Service is used to improve features, fix issues, and prioritize development (via Google Analytics)
  • Support — Respond to your inquiries and resolve issues
  • Legal compliance — Fulfill legal obligations, enforce our Terms of Service, protect our rights

We do not sell your personal information. We do not use your data for advertising. We do not send marketing emails unless you opt in.

4. AI Features and Your Data

Brand Workshop and Brand Consult are powered by Anthropic (Claude). When you use these features:

  • Your prompts and brand context are sent to Anthropic's API to generate responses
  • Anthropic processes this data under their Privacy Policy and commercial API terms, which prohibit using customer data for model training
  • We do not use your conversations or brand content to train or fine-tune any AI models
  • Workshop conversation history is stored in our database to enable session continuity and the decision log feature. You may delete workshop sessions from your dashboard
  • AI-generated output (brand names, copy, color suggestions) becomes part of Your Content and is subject to the same ownership and export rights described in our Terms of Service

5. Public Brand Portals

When you publish a brand to a public portal, the following information becomes publicly accessible to anyone with the URL:

  • Brand name, description, and all brand.yaml content
  • Uploaded brand assets (logos, images, icons)
  • Design tokens, color palettes, and typography settings
  • Guidelines text
  • Organization name and slug (as part of the URL)

Public portals do not expose team member information, account details, billing information, or workshop conversations. You can unpublish a brand portal at any time.

6. Public API

The Service provides a public API that exposes published brand data programmatically. The same data available on a public brand portal is accessible via the API. API requests are logged for rate-limiting and abuse prevention purposes.

7. Third-Party Services

We share data with the following third-party services to operate the Service:

Provider | Purpose | Data shared
Supabase | Authentication, database | Account data, brand content, all stored data
Stripe | Payment processing | Email, plan selection, payment details
Anthropic (Claude) | AI features | Prompts, brand context during AI sessions
SendGrid | Transactional email | Email address, email content
Vercel | Application hosting | Request logs, IP addresses
Google Analytics | Usage analytics | Anonymized usage data, device info, IP address

Each provider processes data under their respective privacy policies and data processing agreements. We do not share your data with any other third parties except as required by law.

8. Data Retention

  • Active accounts — Your data is retained for as long as your account is active.
  • Cancelled subscriptions — Your account and data remain accessible (at the Free plan level) after cancellation.
  • Deleted accounts — All personal data and brand content are permanently deleted within 30 days of account deletion. Public brand portals become inaccessible immediately.
  • Workshop conversations — Retained until you delete the workshop session or your account.
  • Server logs — Retained for up to 90 days for security and debugging purposes.
  • Aggregated analytics — Anonymized, aggregated usage data may be retained indefinitely for service improvement.

9. Data Security

We implement the following security measures to protect your data:

  • All connections are encrypted with TLS (HTTPS)
  • Passwords are hashed using industry-standard algorithms (handled by Supabase Auth)
  • Authentication tokens are securely managed with HTTP-only cookies
  • Database access is restricted by role-based access controls
  • Payment data is handled entirely by Stripe (PCI DSS Level 1 certified)
  • Team member access is scoped to their organization
  • API tokens can be revoked at any time from your dashboard

While we strive to protect your information, no method of transmission over the internet is 100% secure. We encourage you to use a strong password and enable two-factor authentication when available.

10. Your Rights

You have the right to:

  • Access — View the personal information we hold about you through your account settings
  • Correction — Update your account information at any time
  • Deletion — Delete your account and all associated data from your account settings
  • Export — Download your brand data as brand.yaml files at any time. The brandspec format is open and portable.
  • Restriction — Request that we limit processing of your data in certain circumstances
  • Objection — Object to processing of your data for analytics purposes
  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at support@brandspec.tools. We will respond within 30 days.

11. International Data Transfers

The Company is based in Japan. Your data may be processed in countries where our service providers operate, including the United States (Vercel, Stripe, Anthropic, SendGrid, Google) and the EU (Supabase). By using the Service, you consent to the transfer of your information to these countries. We ensure that our service providers maintain appropriate data protection standards.

12. Children's Privacy

The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email or a prominent notice within the Service. The "Last updated" date at the top of this page indicates the most recent revision. Your continued use after changes constitutes acceptance.

14. Contact

For privacy-related inquiries, data access requests, or complaints, please contact us at support@brandspec.tools.

Korogaru Ishi, LLC
3-42-5-101 Otsuka, Bunkyo-ku, Tokyo, Japan