Privacy Policy
Last updated: 13 May 2026 · JackandAI B.V., Amsterdam, the Netherlands
This document explains how Spot the Brand ("we", "our") collects, uses and protects information when you use our brand monitoring platform.
1. What information we collect
- Account data: name, email, OAuth identifier (Google ID / Facebook ID) when you sign up.
- Brand setup data: brand name, product line names, reference images, hashtags, competitors.
- Public social content: we scrape publicly available posts from Instagram and TikTok that match your brand's hashtags or that come from creators in your seed list. We do not access private accounts, private messages, or any non-public data.
- Usage data: which dashboards you view, which filters you apply, when you trigger reports.
- Billing data: handled by Stripe. We never see your card details; we only see customer ID, subscription status, invoice references.
2. How we use your information
- To run brand monitoring scans on your behalf.
- To generate dashboards, reports and alerts you have requested.
- To process payments and manage your subscription.
- To communicate operational updates (no marketing emails without opt-in).
- To improve detection quality (anonymized, aggregated metrics only).
3. Legal basis (GDPR)
We process data on three bases:
- Contract: providing the service you signed up for.
- Legitimate interest: monitoring publicly available brand mentions for clients. Public social content was published by its authors with public visibility settings.
- Consent: where required (marketing communications, optional analytics).
4. Sharing with third parties
We use the following processors:
- Supabase (Frankfurt, EU) — database and authentication.
- Vercel (Amsterdam, EU) — frontend hosting.
- Railway (US) — scheduled workers. DPA in place.
- Apify (Prague, EU) — public social scraping.
- Google AI (Gemini) — image and text classification. Content is not used for model training.
- Stripe (Dublin, EU) — payment processing.
We never sell your data. We do not share data with advertisers.
5. Data retention
Brand monitoring data is retained as long as you have an active subscription, plus 30 days after cancellation. You can request earlier deletion at any time.
Account data is retained for 2 years after last login for legal and accounting purposes.
6. Public creator content
If you are a content creator and want your posts excluded from our monitoring, email privacy@jackandai.com with your handle. We will exclude your account from all current and future scans across all our clients within 7 business days.
7. Your rights (GDPR)
- Access: request a copy of all data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data.
- Portability: receive your data in a machine-readable format.
- Object: object to processing under legitimate interest.
- Complaint: file with the Dutch Autoriteit Persoonsgegevens.
Email privacy@jackandai.com to exercise any of these rights.
8. Security
We use HTTPS everywhere, OAuth where possible, encrypted storage at rest, and least-privilege access. Service role keys are rotated quarterly. We are in the SOC 2 preparation stage and target full compliance by Q4 2026.
9. Cookies
We use only essential cookies for authentication and session management. We do not use analytics or advertising trackers.
10. Changes to this policy
We will notify active customers by email of material changes at least 30 days in advance.
Contact
JackandAI B.V., Amsterdam · privacy@jackandai.com