Privacy Policy
Effective date: 1 June 2026 · Last updated: 1 June 2026
1. Introduction and Scope
Mad Production ("we", "us", "our") operates Brand Wizard at brandbook.madproduction.ai. This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you use the Service. It also describes your rights in relation to that data.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you must not use the Service.
This Privacy Policy applies to all users of the Service worldwide. Where applicable law provides additional rights (e.g. GDPR for EEA residents, PDPO for Hong Kong residents, CCPA for California residents), those rights are described in the relevant sections below.
2. Data Controller
Mad Production is the data controller responsible for personal data collected through Brand Wizard. For any privacy-related enquiries, contact us at: info@madproduction.ai.
3. Categories of Personal Data We Collect
3.1 Data You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Brand inputs | Company name, industry, brand values, tone of voice, target audience descriptions | AI generation of brand book content |
| Contact & billing | Email address, billing country, currency | Order fulfilment, download link delivery, tax compliance |
| Uploaded assets | Logo files, brand images uploaded during the wizard | Inclusion in your brand book |
| Support communications | Emails and messages sent to our support address | Customer support, dispute resolution |
3.2 Data Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Technical identifiers | Hashed IP address, session ID, browser type, device type, operating system | Security, fraud prevention, rate limiting |
| Usage data | Pages visited, wizard steps completed, features used, export attempts, errors encountered | Service improvement, audit trail, customer support |
| Transaction records | Order ID, plan type, amount, timestamp, export grant tokens | Payment verification, fraud prevention, refund evidence |
| Audit events | Structured log events for each AI generation, export, and payment action | Security audit, dispute resolution, legal compliance |
3.3 Data We Do NOT Collect
We do not knowingly collect: payment card numbers or bank account details (handled exclusively by Paddle); government-issued identification numbers; health or biometric data; full prompt text or complete AI responses beyond what is necessary for audit summaries; raw image base64 data in server logs.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area, United Kingdom, or other jurisdictions requiring a legal basis for processing, we rely on the following:
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the Service you requested, including AI generation, order fulfilment, and PDF delivery.
- Legitimate interests (Art. 6(1)(f) GDPR): fraud prevention, security monitoring, audit logging, and service improvement — where our interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c) GDPR): retaining payment and tax records as required by applicable law.
- Consent (Art. 6(1)(a) GDPR): where we request your consent for optional processing (e.g. marketing communications). You may withdraw consent at any time.
5. How We Use Your Personal Data
We use personal data for the following purposes:
- Providing, operating, and maintaining the Service.
- Processing your Orders and delivering your PDF brand book.
- Sending transactional emails (order confirmation, download link, export success/failure notifications).
- Detecting, preventing, and responding to fraud, abuse, security threats, and policy violations.
- Maintaining our structured audit trail for business, legal, and dispute-resolution purposes.
- Complying with applicable legal obligations, court orders, and regulatory requirements.
- Analysing aggregate, anonymised usage patterns to improve the Service.
- Defending against legal claims and resolving disputes, including chargebacks.
- Conducting internal research and development using anonymised data.
We will not use your personal data for any purpose that is materially different from those listed above without providing prior notice and, where required, obtaining your consent.
6. Disclosure of Personal Data to Third Parties
We do not sell, rent, or trade your personal data. We may disclose personal data to the following categories of recipients:
6.1 Service Providers and Sub-Processors
- Paddle.com Market Limited — payment processing, tax collection, Merchant of Record. Paddle processes your billing data under their own privacy policy and as a data controller for payment transactions.
- Google LLC (Gemini API) — your brand inputs are transmitted to Google for AI text and image generation. Google processes this data as a data processor under Google's API Terms of Service and privacy policy.
- Vercel Inc. — cloud hosting, CDN delivery, and server infrastructure. Vercel may process request metadata and anonymised analytics under their privacy policy.
- Unsplash (operated by Unsplash Inc.) — stock imagery fallback when AI generation is unavailable. Search queries (keywords derived from your brand inputs) are sent to Unsplash.
6.2 Legal and Regulatory Disclosure
We may disclose personal data when we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation, court order, or valid legal process; (b) protect the rights, property, or safety of Mad Production, our users, or the public; (c) detect, prevent, or address fraud, security incidents, or technical issues; (d) enforce these Terms or our other policies.
6.3 Business Transfers
In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will notify affected users by posting a notice on the Service before any such transfer takes effect.
6.4 Anonymised Aggregate Data
We may share aggregated, anonymised, non-personally-identifiable data with third parties for research, analytics, or marketing purposes. Such data cannot be used to identify you.
7. International Data Transfers
7.1 The Service is operated from Hong Kong. Your data may be transferred to and processed in countries other than your country of residence, including the United States (Google, Vercel) and Ireland (Paddle's EU entity). These countries may have data protection laws that differ from those in your jurisdiction.
7.2 Where we transfer personal data from the EEA or UK to third countries, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transfers to recipients in countries with an adequacy decision.
7.3 By using the Service, you consent to the transfer of your personal data to the countries and entities described in this policy.
8. Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, subject to the following minimum retention periods:
- Anonymous unpaid drafts (browser storage only): data is stored only in your browser and is not transmitted to our servers until you trigger generation. We do not retain these on our servers.
- Brand inputs and generated content (unpaid): up to 30 days from last activity, then permanently deleted.
- Paid project data and brand book snapshots: minimum 12 months from payment date to support re-download and customer service.
- Payment and order records: 7 years, or as required by applicable accounting and tax law in Hong Kong and your jurisdiction.
- Audit event logs: minimum 180 days; extended retention for records relating to disputes or legal proceedings until final resolution.
- PDF exports (paid): minimum 12 months; we maintain a cryptographic hash of your exported PDF for the duration of any potential dispute window.
- Support correspondence: 3 years from the date of last communication.
When retention periods expire, personal data is securely deleted or anonymised so it can no longer be associated with you.
9. Security of Personal Data
9.1 We implement commercially reasonable technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: TLS encryption in transit; hashing of IP addresses before logging; access controls limiting data access to authorised personnel; rate limiting and abuse detection on all API endpoints; and secure server infrastructure provided by Vercel.
9.2 Despite our efforts, no security system is impenetrable. We cannot guarantee the absolute security of personal data transmitted over the internet. You transmit data to us at your own risk.
9.3 In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and any applicable supervisory authority as required by applicable law.
10. Cookies and Browser Storage
10.1 Brand Wizard uses your browser's localStorage and sessionStorage to store your wizard progress and generated brand book during your session. This data remains on your device unless you explicitly trigger generation or export, at which point the relevant data is sent to our servers.
10.2 We use a session analytics identifier stored in localStorage to correlate events within a single user session. This identifier is randomly generated, not linked to your identity, and is not used for cross-site tracking.
10.3 Vercel's analytics and edge infrastructure may set minimal, privacy-preserving cookies for performance measurement. These cookies do not track you across other websites and do not contain personally identifiable information.
10.4 We do not use advertising cookies, marketing pixels, or third-party tracking cookies. We do not serve behavioural advertising and do not share your data with advertising networks.
11. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data, subject to our legal retention obligations.
- Restriction: request that we restrict the processing of your data in certain circumstances.
- Portability: receive your data in a structured, commonly used, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Complaint: lodge a complaint with a supervisory authority in your country of residence.
To exercise any of these rights, email info@madproduction.ai with the subject line "Privacy Request — [your right]" and include: your email address used at checkout, your Order ID (if applicable), and a description of your request. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.
We reserve the right to refuse requests that are manifestly unfounded, excessive, or repetitive, or where fulfilment would adversely affect the rights of others. Where we refuse, we will explain why.
12. Children's Privacy
12.1 The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
12.2 If you believe that a child under 18 has provided personal data to us without appropriate consent, please contact us at info@madproduction.ai and we will take steps to delete such data promptly.
13. Third-Party Websites and Services
The Service may contain links to or integrations with third-party websites and services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you interact with. We are not responsible for the privacy practices of third parties.
14. AI-Specific Privacy Considerations
14.1 Your brand inputs are transmitted to Google's Gemini API for processing. You should not include sensitive personal data, confidential business information, trade secrets, or personal data of third parties in your brand inputs beyond what is strictly necessary for the purpose of brand book creation.
14.2 We do not use your brand inputs or AI outputs to train our own models. However, Google may process data submitted to the Gemini API in accordance with Google's API Terms of Service. Please review Google's policies for details on their data handling practices.
14.3 You are solely responsible for ensuring that the content you submit for AI processing does not violate applicable privacy laws, confidentiality obligations, or third-party rights.
15. Jurisdiction-Specific Rights
California (CCPA/CPRA)
California residents have the right to: know what personal information we collect, use, share, or sell; delete personal information; opt out of the sale or sharing of personal information (we do not sell personal information); and not be discriminated against for exercising these rights. To exercise these rights, contact us at info@madproduction.ai.
European Economic Area / UK (GDPR/UK GDPR)
EEA and UK residents may lodge a complaint with the supervisory authority in their country of residence. We have set out legal bases for processing in Section 4 above.
Hong Kong (PDPO)
We comply with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong. Data subjects have the right to access and correct personal data we hold about them. Requests should be directed to info@madproduction.ai.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will post the updated policy at this URL with a revised effective date. For material changes, we will provide additional notice by email (where we have your email address) or by prominent notice on the Service.
Your continued use of the Service after the effective date of any update constitutes acceptance of the revised policy. If you disagree with the changes, you must stop using the Service and may request deletion of your data as described in Section 11.
17. Contact and Complaints
For all privacy enquiries, rights requests, or complaints, contact Mad Production at: info@madproduction.ai
We will endeavour to acknowledge your enquiry within 5 business days and provide a substantive response within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the relevant data protection authority in your jurisdiction.