Steward Brand

Privacy Policy

Effective date: April 22, 2026

1. Who we are

Steward Brand (the "Service", "we", "us", "our") is operated as a sole proprietorship by Mário Filipe Vicente de Mineiro, acting as the data controller for the personal data described in this policy. The Service is reachable at stewardbrand.com. For any privacy-related question, contact stewardbrandofficial@gmail.com.

2. Data we collect

2.1 Account information

Name, email address, and either a hashed password (bcrypt) or, when you sign in with Google, your Google account identifier. Used only to authenticate you and contact you about your account.

2.2 Social platform connection data

When you connect a Facebook Page, Instagram Business / Creator account, LinkedIn personal profile, LinkedIn Company Page, TikTok account, or YouTube channel via OAuth, we receive and store: the OAuth access token (encrypted at rest with AES-256-GCM), the refresh token (where applicable), the platform-issued account or page ID, the public account name, the avatar URL, and the list of scopes you explicitly granted. We never receive or store your platform password.

2.3 Content you provide

Posts, drafts, captions, hashtags, brand documents, media assets, and any text or files you upload as input to the AI agents.

2.4 Platform metrics

Public engagement metrics returned by each platform's official API (likes, comments, views, follower counts) for posts you publish through the Service. Stored to power the Analytics dashboard.

2.5 Usage and technical data

IP address, browser user-agent, pages visited, timestamps, and error logs. Used for security, abuse prevention, and reliability debugging. Retained for 90 days, then aggregated.

3. Legal basis for processing (GDPR)

  • Contract (Art. 6(1)(b)) — to provide the Service you signed up for: authenticating you, publishing on your behalf, generating content, billing.
  • Consent (Art. 6(1)(a)) — for connecting each social platform; you may withdraw consent at any time by disconnecting the platform from the Connections page.
  • Legitimate interest (Art. 6(1)(f)) — security logging, abuse prevention, and product analytics that do not identify you individually.
  • Legal obligation (Art. 6(1)(c)) — when responding to lawful requests from authorities.

4. How we use your data

  • To operate the Service and authenticate you
  • To publish content to your connected accounts via official platform APIs
  • To generate content with AI providers using context you have explicitly supplied
  • To send transactional emails (account alerts, errors, post-published notifications)
  • To detect, prevent, and respond to abuse, fraud, or platform-policy violations
  • To improve and debug the Service

We never sell your personal data, share it with advertising networks, or use it to train third-party AI models for general purposes.

5. Sub-processors

We rely on the following infrastructure and AI sub-processors. Each one processes data only to deliver its stated function and under its own privacy commitments:

  • Vercel Inc. — application hosting and CDN (USA / EU edge)
  • Neon Inc. — managed PostgreSQL database (EU region)
  • Railway Corp. — background worker hosting
  • Anthropic PBC — AI text generation (Claude models)
  • OpenAI, L.L.C. — AI text generation (GPT / Codex models, when configured)
  • Google LLC — Gemini AI models, Imagen, Veo, YouTube Data API
  • Replicate Inc. — AI image and video generation
  • Resend, Inc. — transactional email delivery
  • Meta Platforms Ireland Ltd, LinkedIn Ireland UC, TikTok Technology Ltd, X Corp. — social platform APIs you explicitly connect

6. International transfers

Some sub-processors are located in the United States. Where personal data is transferred outside the European Economic Area, the transfer relies on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or an equivalent adequacy mechanism published by each provider.

7. Retention

We keep your account data for as long as your account is active. After you delete your account, identifying personal data is removed within 30 days, except where retention is required by law (e.g. invoicing records). Aggregated, non-identifying analytics may be kept indefinitely. OAuth tokens are deleted immediately on disconnect.

8. Security

OAuth tokens and AI provider keys are encrypted at rest with AES-256-GCM. All data in transit is protected by HTTPS / TLS 1.2+. Database access is restricted to authenticated application processes. Passwords are stored as bcrypt hashes only. We follow industry best practices but cannot guarantee absolute security; we will notify affected users without undue delay if a personal-data breach occurs that is likely to result in a high risk to their rights and freedoms (GDPR Art. 34).

9. Your rights under GDPR

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with equivalent protections, you have the right to:

  • Access (Art. 15) — request a copy of the personal data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data; you can edit most fields directly in Settings.
  • Erasure / right to be forgotten (Art. 17) — request deletion of your account and personal data via the data-deletion page.
  • Restriction of processing (Art. 18) — ask us to pause processing while a dispute is resolved.
  • Data portability (Art. 20) — receive your data in a machine-readable JSON export.
  • Objection (Art. 21) — object to processing based on legitimate interests.
  • Withdraw consent at any time (Art. 7(3)) by disconnecting platforms or deleting your account.
  • Lodge a complaint with your local supervisory authority. In Portugal: Comissão Nacional de Proteção de Dados (CNPD).

To exercise any of these rights, email stewardbrandofficial@gmail.com or use the in-app data-deletion page. We respond within 30 days as required by Art. 12(3).

10. Cookies

We use only first-party, strictly necessary cookies for authentication and tenant routing. We do not use advertising or third-party tracking cookies. Full details: Cookie Policy.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Automated decision-making

The Service uses AI models to draft content suggestions. Suggestions are not published automatically unless you have explicitly enabled an autonomy level that allows it. You remain in control and can review, edit, approve, or reject every post.

13. Changes to this policy

We may update this Privacy Policy. Material changes will be announced by email and the effective date above will be updated. Continued use after the new effective date constitutes acceptance.

14. Contact

Mário Filipe Vicente de Mineiro (data controller) — email stewardbrandofficial@gmail.com.