GDPR Compliance
Last updated: January 14, 2026
1. Our Commitment to GDPR
OnBrand is committed to protecting the privacy and personal data of our users in the European Union (EU) and European Economic Area (EEA). This page explains how we comply with the General Data Protection Regulation (GDPR) and your rights under this regulation.
2. Legal Basis for Processing
We process your personal data only when we have a lawful basis to do so:
- Contract Performance: Processing necessary to provide our AI headshot services
- Legitimate Interests: Improving our services, fraud prevention, and security
- Consent: Marketing communications and optional analytics
- Legal Obligation: Compliance with laws and regulations
3. Your GDPR Rights
As an EU/EEA resident, you have the following rights:
Right of Access (Article 15)
You can request a copy of all personal data we hold about you, including uploaded photos, generated headshots, and account information.
Right to Rectification (Article 16)
You can request correction of inaccurate personal data or completion of incomplete data through your account settings or by contacting us.
Right to Erasure (Article 17)
You can request deletion of your personal data, including all uploaded photos and generated headshots. We will comply unless we have a legal obligation to retain the data.
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data while we address a concern you have raised.
Right to Data Portability (Article 20)
You can request your data in a structured, machine-readable format to transfer to another service provider.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that significantly affects you. Our AI headshot generation is a service you request and does not make decisions that affect your legal rights.
4. Data Controller Information
OnBrand Inc. is the data controller responsible for your personal data:
Company: OnBrand Inc.
Address: 123 Innovation Drive, San Francisco, CA 94105, USA
Data Protection Contact: dpo@onbrandhq.ai
5. International Data Transfers
Because we are a US-based company, your data may be transferred outside the EU/EEA. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Technical security measures including encryption
- Regular compliance audits
6. Data Retention
We retain your data only as long as necessary:
- Account data: Until account deletion is requested
- Uploaded photos: Until you delete them or close your account
- Generated headshots: Indefinitely while your account is active
- Transaction records: 7 years for legal compliance
- Support communications: 3 years after resolution
7. Sub-Processors
We use the following sub-processors who may access your data:
- Cloud Infrastructure: AWS, Google Cloud (data storage and processing)
- AI Processing: OpenAI (headshot generation)
- Payment Processing: Stripe (payment data)
- Email Services: Resend (transactional emails)
- Analytics: Google Analytics (anonymized usage data)
8. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
9. Exercising Your Rights
To exercise any of your GDPR rights:
- Email our DPO at: dpo@onbrandhq.ai
- Use the privacy controls in your account settings
- Submit a request through our support portal
We will respond to your request within 30 days. Complex requests may take up to 90 days with notification.
10. Right to Lodge a Complaint
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs can be found at: https://edpb.europa.eu
11. Contact Our Data Protection Officer
For GDPR-related inquiries:
Email: dpo@onbrandhq.ai
Subject Line: GDPR Inquiry
Response Time: Within 5 business days