PRIVACY POLICY.
Effective date: May 28, 2026 · Last updated: May 28, 2026
The short version: We collect only what we need to run BroCode. We don't sell your data. Your AI-generated designs are private. You can delete your account and data at any time.
1. Who We Are
BroCode ("BroCode," "we," "us," or "our") operates the website brocode.me and the BroCode AI custom apparel platform. We are headquartered in the United States.
This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit our website, create an account, use our AI design studio, or place an order with us.
By using BroCode, you agree to the practices described in this policy. If you do not agree, please do not use our services.
Information You Provide Directly
- Account information: Email address, password (stored as a secure hash — we never see your plain-text password), and display name if you register with email. If you sign in with Google, we receive your name and email from our authentication provider.
- Order information: Shipping name, address, city, state, ZIP/postal code, country, and email address. Payment card details are collected and processed directly by our payment processor — we never store or see your full card number.
- Design prompts: Text prompts you type into the AI generation tool, which we send to our AI image generation service to generate images.
- Uploaded images: Images you upload to use as design layers.
- Support communications: Any messages you send to us via email or contact forms.
Information Collected Automatically
- Usage data: Pages visited, features used, time spent, clicks, and navigation patterns — collected via our self-hosted analytics platform (no third-party data sharing).
- Device information: Browser type, operating system, screen resolution, and language preferences.
- IP address: Used for rate limiting (to prevent abuse of AI generation), security, and approximate geolocation (country/region level only).
- Cookies and local storage: Session management, cart contents, and preferences. See Section 6 for details.
- Image access logs: When you view your AI-generated designs, we log the file path, your user ID, IP address, and timestamp. This is used to detect and prevent unauthorized image downloading.
Information from Third Parties
- Third-party sign-in: If you sign in using a third-party provider (such as Google), we receive your name and email address from that provider.
- Payment processor: We receive payment confirmation, the last four digits of your card, and card brand from our payment processor after a successful payment.
- Order fulfillment center: We share your shipping address and order details with our order fulfillment center to fulfill your orders.
3. How We Use Your Information
- To provide and operate our services: Process orders, generate AI designs, serve your account, and send order confirmation and shipping emails.
- To prevent abuse: Rate limit AI generation requests per user account (3 images per 5 minutes), detect fraud, and protect our systems and other users.
- To protect our intellectual property: Log image access to identify unauthorized downloading or redistribution of watermarked preview images.
- To improve our platform: Analyze usage patterns (via our analytics platform) to improve the design studio, product catalog, and checkout experience.
- To communicate with you: Send transactional emails (order confirmations, shipping updates). We do not send marketing emails without your explicit consent.
- To comply with legal obligations: Retain records as required by applicable law, respond to legal requests, and enforce our Terms of Service.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share it only as necessary to provide our services:
- Order Fulfillment Center: Your name, shipping address, and order details are sent to our order fulfillment center to print and ship your order. Our fulfillment partner's privacy policy applies to their handling of your data.
- Payment Processor: Payment is processed by our payment processor. We transmit your cart total and receive confirmation. We do not transmit or store your card number.
- AI Image Generation Service: Your text prompts and any reference images are sent to our AI image generation service to generate designs. Our AI image generation service does not receive your name, email, or shipping information.
- Cloud infrastructure: Our platform runs on our cloud infrastructure provider. Your data is stored on secure servers in the United States.
- Legal requirements: We may disclose your information if required by law, subpoena, court order, or to protect the rights, safety, or property of BroCode, our users, or the public.
- Business transfers: If BroCode is acquired or merged, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
5. Your AI-Generated Designs
When you generate an image using our AI design studio:
- Your prompt is sent to our AI image generation service to generate the image. Our AI image generation service's data handling is governed by their privacy policy.
- The generated image is watermarked and stored privately in our private cloud storage. It is not publicly accessible — only you (via your authenticated session) can view it.
- Images are served through an authenticated proxy. Short-lived signed URLs (15 minutes) are generated on request and tied to your account. Raw storage URLs are never exposed in your browser.
- The clean (unwatermarked) version of your design is sent directly to our order fulfillment center only when you place a confirmed order.
- You retain ownership of designs you create on BroCode. By generating a design, you grant BroCode a limited license to store, process, and transmit it for fulfillment purposes.
6. Cookies & Tracking
What We Use
- Session cookies: Our authentication system uses cookies to maintain your signed-in session. These are necessary for the service to function.
- Local storage: Your cart contents are stored in your browser's local storage so they persist between visits. No personal data is stored here — only product IDs, sizes, and quantities.
- Analytics: We use a self-hosted analytics platform. Our analytics platform uses a first-party cookie to measure page views and user sessions. Analytics data is stored on our own servers and is not shared with any third parties. Our analytics platform is configured to anonymize IP addresses.
What We Do Not Use
- We do not use Google Analytics, Facebook Pixel, or any other third-party advertising trackers.
- We do not serve ads or allow advertisers to track you on our site.
- We do not use cross-site tracking cookies.
Your Cookie Choices
You can disable cookies in your browser settings. Note that disabling session cookies will prevent you from staying signed in. Disabling local storage will cause your cart to not persist between visits.
7. Data Retention
- Account data: Retained for as long as your account is active. If you delete your account, we delete your account data within 30 days, except where we are required to retain it for legal or financial compliance reasons.
- Order data: Retained for 7 years as required by US financial recordkeeping laws.
- AI-generated images: Stored indefinitely while your account is active so you can reorder. Deleted when you delete your account.
- Rate limit records: Deleted automatically after 10 minutes.
- Image access logs: Retained for 90 days for security monitoring, then deleted.
- Analytics data: Aggregated and anonymized after 13 months. Raw session data is deleted after 13 months.
8. Security
We take reasonable technical and organizational measures to protect your personal information:
- All data is transmitted over HTTPS (TLS encryption).
- Passwords are hashed using the secure hashing of our cloud platform's authentication service — we never store plain-text passwords.
- AI-generated images are stored in private cloud storage — not publicly accessible.
- Image access requires a valid authenticated session and generates short-lived (15-minute) signed URLs.
- Payment processing is handled entirely by our payment processor. Card data never touches our servers.
- API keys (our payment processor, our AI image generation service, our order fulfillment center) are stored as server-side secrets and never exposed to browsers.
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your data.
9. Your Rights
For All Users
- Access: You can request a copy of the personal data we hold about you.
- Correction: You can update your account information at any time.
- Deletion: You can request deletion of your account and associated personal data by emailing us at privacy@brocode.me. We will process deletion requests within 30 days.
- Data portability: You can request your data in a machine-readable format.
California Residents (CCPA)
Under the California Consumer Privacy Act, California residents have the right to:
- Know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Request deletion of personal information, subject to certain exceptions.
- Opt out of the sale of personal information (not applicable — we do not sell data).
- Non-discrimination for exercising your CCPA rights.
To exercise your CCPA rights, contact us at privacy@brocode.me or by mail at the address in Section 12.
European Union / EEA Residents (GDPR)
If you are located in the EU or EEA, you have additional rights under the General Data Protection Regulation:
- Legal basis for processing: We process your data based on contract performance (to fulfill your order), legitimate interests (fraud prevention, security), consent (analytics), and legal obligation (financial records).
- Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
- Right to object: You can object to processing based on legitimate interests.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority.
- International transfers: Your data is stored on secure servers in the United States. We rely on Standard Contractual Clauses (SCCs) for data transfers from the EU to the US.
To exercise any of these rights, contact privacy@brocode.me. We will respond within 30 days.
10. Children's Privacy
BroCode is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@brocode.me and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or by a prominent notice on our website. We encourage you to review this policy periodically.
Your continued use of BroCode after changes take effect constitutes your acceptance of the updated policy.
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
We aim to respond to all privacy-related inquiries within 5 business days.