BrandCast Privacy Policy
Version: 1.0 Last Updated: May 7, 2026 Effective Date: May 7, 2026
This Privacy Policy explains how BrandCast Labs LLC ("BrandCast," "we," "us") collects, uses, shares, retains, and protects information in connection with the BrandCast digital signage platform, websites, mobile apps, and APIs (the "Service").
The Service is offered to U.S. residents only, and this policy is written to comply with U.S. federal and state privacy laws.
You acknowledge this policy when you check the consent box at signup or device pairing. If you don't agree, don't sign up.
1. Information We Collect
Information you give us
- Account information: name, email address, organization, job title, password (stored as a salted hash, never in plain text).
- Billing information: handled directly by Stripe; we receive only limited metadata (last four digits of card, brand, billing country, billing email).
- Customer Content: anything you upload, design, schedule, or pull in from connected integrations to display on your screens.
- Support and communications: messages you send us.
Information we collect automatically
- Usage and device data: pages viewed, features used, display activity, errors, browser type, operating system, IP address, approximate location derived from IP.
- Cookies and similar technologies: described in Section 7.
Information from third parties
- Connected integrations: when you authorize them (Google, Canva, calendar, weather, inventory, etc.), we receive the data needed to render content on your displays. See Section 4 for the Google-specific details.
We do not knowingly collect sensitive personal information. We do not collect government IDs, financial account numbers, health data, biometrics, or precise geolocation. If you send us this through Customer Content or a support message, we will delete it.
2. How We Use Information
We use information to:
- Provide and operate the Service (render your displays, schedule content, sync integrations).
- Manage your account and billing.
- Provide customer support.
- Improve, secure, and troubleshoot the Service.
- Detect, investigate, and prevent fraud, abuse, or security incidents.
- Comply with legal obligations and enforce our Terms of Service.
3. How We Share Information
We do not sell or rent personal information, and we do not share it for cross-context behavioral advertising.
We share information only as follows:
- Service providers (subprocessors). Vendors that help us run the Service under written confidentiality and data-protection terms. Categories include cloud hosting and storage, payment processing (Stripe), email and notifications, error monitoring and analytics, and customer support tooling. A current subprocessor list is available on request — email [email protected].
- Connected integrations you authorize. We exchange data with services you connect (Google, Canva, calendar providers, etc.) only as needed to display your content.
- Legal and safety. When we believe in good faith that disclosure is required by law, legal process, or to protect the rights, safety, or property of BrandCast, our users, or the public.
- Business transfers. In a merger, acquisition, financing, or sale of assets, with notice to you and continued protection consistent with this policy.
- With your direction or consent. Anywhere else, only when you tell us to.
4. Google User Data
BrandCast accesses Google user data through OAuth 2.0 with the minimum scopes needed for the features you choose to enable.
What we access (only if you connect it):
- Google Sign-In — email and profile name, used to create and authenticate your account.
- Google Photos — only photos you select via the Google Photos Picker, displayed on your signage.
- Google Tasks — task lists, displayed on your signage (read-only).
- Google Slides — presentations, rendered on your signage (read-only).
- Google Docs — documents, rendered on your signage (read-only).
- Google Sheets — spreadsheet data, displayed on your signage (read-only).
- Google Drive — only files you explicitly select via the Google Picker.
How we store it:
- OAuth tokens are encrypted at rest with AES-256-GCM and exist only for the duration of the connection. Disconnecting the integration or completing the cancellation workflow deletes them immediately.
- Rendered content (slides, docs, sheets converted to display-ready images and structured data) is stored in cloud storage and refreshed periodically against the source. It is deleted when you disconnect the integration or cancel your account.
Limited Use compliance. BrandCast's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not:
- sell or transfer Google user data to third parties, advertising platforms, data brokers, or information resellers;
- use Google user data for serving advertisements (including retargeting or interest-based advertising);
- use Google user data for credit, lending, or insurance purposes;
- share Google user data with surveillance-related entities;
- misrepresent our data collection practices or request access to data we do not need and you do not explicitly allow.
Revoking access. Disconnect any Google integration from the BrandCast admin dashboard at any time. You can also revoke access directly at https://myaccount.google.com/permissions.
5. Data Retention and Deletion
We keep information only as long as needed to provide the Service to you. Our defaults:
| Data | Retention |
|---|---|
| Account data, Customer Content, schedules, display configs | Kept while your account is active. Deleted immediately when you complete the cancellation workflow. |
| OAuth tokens | Kept while the integration is connected. Deleted immediately when you disconnect or cancel. |
| Integration content (Google, Canva, calendar, weather, etc.) | Fetched at render time. Deleted immediately when you disconnect or cancel. |
| Free-trial accounts that don't subscribe | Deleted at the end of the trial. |
| Support messages | Up to 24 months after the matter is closed. |
| Server and security logs | Up to 90 days, then deleted or fully anonymized. |
| Billing records | Retained as required by tax, accounting, and anti-fraud laws (typically 7 years). |
| Aggregated, de-identified usage statistics | May be retained indefinitely; cannot be re-associated with you. |
If you want to delete data without canceling your account, contact [email protected].
6. Your Rights
Depending on where you live, you may have the right to:
- Know and access the personal information we hold about you.
- Correct information that is inaccurate.
- Delete your personal information.
- Port your information to another service in a portable, machine-readable format.
- Opt out of any sale, sharing for cross-context advertising, or significant automated decision-making (we do none of these by default).
- Limit the use of sensitive personal information (we do not use sensitive personal information for inferring characteristics).
- Withdraw consent where processing is based on consent.
- Complain to your state attorney general or, in California, the California Privacy Protection Agency.
How to exercise these rights. Email [email protected] from the email on your account. We may need to verify your identity before acting; for sensitive requests we may ask you to confirm details we already have on file. We will respond within the timeframes required by applicable law (45 days under CCPA, with limited extensions where allowed).
Authorized agents. California residents may use an authorized agent to submit a request, with proof of authorization and your verified identity.
Non-discrimination. We will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right.
7. Cookies and Tracking
We use cookies and similar technologies for:
- Strictly necessary purposes — keeping you signed in, remembering your preferences, and securing the Service. These are always on.
- Analytics — understanding usage patterns and improving the product. We use first-party analytics by default and aggregate the data.
- Performance and security — Cloudflare for content delivery and bot protection.
We do not use cookies for advertising. To manage cookies generally, see your browser's settings or allaboutcookies.org.
8. Children
The Service is not intended for and is not directed to anyone under 18. We do not knowingly collect personal information from children under 13 in the U.S., or under the equivalent age in other jurisdictions. If you believe a child has provided us with information, contact [email protected] and we will delete it.
9. Security
We protect information with industry-standard controls, including:
- Encryption — TLS 1.2+ in transit; AES-256-GCM at rest for sensitive fields including OAuth tokens.
- Access control — least-privilege role-based permissions; multi-factor authentication for staff with access to production systems.
- Monitoring — continuous logging, anomaly detection, and incident response procedures.
- Patching and backups — regular security updates and encrypted backups.
- Vendor diligence — written data-protection terms with subprocessors.
No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you without undue delay and consistent with applicable law.
10. U.S.-Only Service
BrandCast operates from the United States and is offered to U.S. residents only. We do not direct the Service to users outside the U.S. and have not implemented compliance with foreign data-protection regimes (including the EU/UK GDPR). If you are located outside the U.S., please do not use the Service.
11. CCPA / CPRA Notice (California)
In the past 12 months we have collected the following CCPA categories of personal information: identifiers; commercial information; internet or other electronic network activity; geolocation (approximate, from IP); professional or employment-related information (when you provide it); inferences drawn from the foregoing for service-improvement purposes only.
We collected this information from you, from your devices, and from services you connect. We use it for the purposes in Section 2 and share it only as described in Section 3.
We have not sold personal information, shared it for cross-context behavioral advertising, or knowingly collected or sold the personal information of consumers under 16 in the prior 12 months. We do not use sensitive personal information to infer characteristics about you.
To exercise California rights, see Section 6.
12. Other U.S. State Privacy Laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another state with a comprehensive privacy law, you have rights similar to those in Section 6. Submit requests the same way.
13. Changes to This Policy
We may update this policy from time to time. If changes are material, we will give at least 30 days' notice by email or in-product notice before they take effect. The "Last Updated" date at the top reflects the current version. Continued use after the effective date is acceptance.
14. Contact
- Privacy team: [email protected]
- Security: [email protected]
- General support: [email protected]
BrandCast Labs LLC