Privacy Policy - BrandLock

BrandLock Website

brandlock.io

Our website collects PII when you voluntarily provide it — through demo requests, contact forms, newsletters, onboarding, and contracts.

Names, email addresses, phone numbers
Company name, job title, country
Billing and payment information
IP addresses, cookies, device data
CVs for career applicants

BrandLock JavaScript Services

Deployed on Customer Sites

Our core JS services (OJHP and OOIBP) are designed not to collect PII. They operate using hashed anonymous telemetry only.

Anonymous Unique ID (random number)
IP address (country-level geolocation only)
Clickstream, device type, browser, timestamps
No names, emails, billing, or account data
No cookies for personal identification

Guiding Principle: BrandLock’s core JavaScript services delivered on Customer websites do not collect or process any personal identification information (PII). The data practices described in the detailed sections below primarily apply to the BrandLock website and onboarding processes. Where a practice applies to JS Services, it is explicitly noted.

Introduction & Overview

This Privacy Policy, incorporated by reference in our Terms of Use, governs data collection and processing associated with:

Visitors — individuals who browse our Site at brandlock.io
Customers — businesses that subscribe to BrandLock services
End Users — individuals browsing a Customer’s website where BrandLock JS is deployed

For the purpose of this Privacy Policy, a Visitor, Customer, and End User shall be referred to as “You” or “Your”.

BrandLock Services

BrandLock offers Customers the following services (collectively, the “Services”):

Online Journey Hijacking Prevention (OJHP) — identifies and blocks unauthorized ads or web sessions that divert End Users from the Customer’s website
One-on-One Intent-Based Promotion (OOIBP) — offers individualized incentives to End Users to increase business metrics and revenue
Online Dashboard & Account — enables Customers and their administrators to analyze data provided by the Services

Age Restriction

You represent and warrant that You are above the age defined as “child” under applicable laws in your jurisdiction. The Services are not directed at or intended for children. We do not knowingly collect information from children. If you are under 18, please read this policy with your parent or legal guardian. If we learn that a child has provided Personal Data, we will delete it promptly. If you believe a child has shared data with us, please contact us.

California Residents

If you are a California resident, please also see our CCPA Privacy Notice for additional rights and disclosures mandated under the California Consumer Privacy Act (as amended by the CPRA and 2026 regulations).

Policy Updates

BrandLock may update this policy. We will notify you of significant changes by sending a notice to the primary email address on your account or by placing a prominent notice on the website. We recommend reviewing this policy periodically.

The Data Processed by BrandLock

Technical Services Note: When BrandLock code (JavaScript) runs on a Customer’s site, we do not collect personal identifiers such as names, emails, or billing data — only hashed identifiers and session/application telemetry, and only to the extent strictly necessary to provide the contracted Services. We do not derive or infer PII from the BrandLock JavaScript service delivery itself.

“Personal Data” means information which identifies or may identify an individual, including first and last name, phone number, email address, pictures, billing information, online identifiers, etc. We only collect PII when you voluntarily provide it through our Site, demo request forms, onboarding documents and contracts, or when you consent to receive communications.

“Non-Personal Data” means non-identifiable aggregated data, such as technical data transmitted by the user’s device and aggregated usage data for ensuring the technical functioning of our network and preventing fraudulent use.

Controller vs. Processor Roles

In some cases we act as the Data Controller (GDPR) or Business (CCPA) when processing Personal Data of our Customers or Visitors. However, we act as a Data Processor (GDPR) or Service Provider (CCPA) when processing data from End Users browsing our Customer’s website.

Data Collection Table

Data Type	Purpose	GDPR Legal Basis	Scope
Contact Info Name, email, company, job title, phone, country	Provide Services; respond to inquiries; onboard Customers	Contract performance	Site
Direct Marketing Email address	Service promotions, updates, invoices	Legitimate interest (opt-out available)	Site
Newsletter Email address	Updates, commercial promotions, new products/features	Consent (opt-out anytime via info@brandlock.io or unsubscribe link)	Site
Online Identifiers IP address	Site: Analytics and marketing Services: Country-level geolocation only	Site: Consent via cookie notice Services: Customer’s lawful basis	Both
Contact Us / Support Name, email, message content	Respond to requests, provide support	Legitimate interest	Site
Career Applications Contact details, CV	Assess suitability, eligibility, fitness to work	Legitimate interest	Site
Unique ID Random-generated anonymous number	Identify returning End Users for Service delivery (no identity revealed)	Customer’s lawful basis (processor role)	JS Services
Non-Personal Technical Data Clickstream, device/OS/browser, timestamps, approximate country, language	Provide Services, maintain Site, measure engagement, business analytics	N/A (non-personal)	Both
Payment & Billing Info Payment method, billing address	Process payments, invoicing, accounting	Contract performance	Site

How We Collect Your Data

Depending on the nature of your interaction, we may collect information as follows:

Automatically: Through cookies and similar technologies as described in our Cookie Policy. Automatic collection via cookies relates only to your interaction with the Site — not with BrandLock JavaScript Services on a Customer’s site.
Voluntarily provided by you: Through communications, support requests, registration forms, demo requests, newsletter signups, and similar interactions.
Through onboarding & contracts: Any PII collected during onboarding (signed contracts, account setup, billing) is provided directly by you and processed under the terms of the contract.

Global Privacy Control (GPC): We honor Global Privacy Control signals and other legally-recognized opt-out preference signals as required by applicable law, including the CCPA/CPRA (effective January 1, 2026) and state laws in Delaware, Indiana, Kentucky, Rhode Island, and other jurisdictions.

Sharing Personal Information

We do not sell or share your Personal Data for cross-context behavioral advertising. We do not share PII collected via our Site or onboarding with Customer services unless explicitly stated in your contract or permitted by law.

We may share PII with:

Authorized service providers (for email delivery, billing, customer support, cloud hosting) under contractual confidentiality obligations and Data Processing Agreements
Law enforcement or legal authorities when required by law, legal process, or to protect the rights, property, or safety of BrandLock, our Customers, or the public
Corporate transactions: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity subject to the same privacy commitments

JS Services data: Data processed by BrandLock JS Services on a Customer’s site remains under the Customer’s control and subject to that Customer’s privacy practices and Data Processing Agreement with BrandLock.

Data Retention

We retain Personal Data only as long as necessary to fulfill the purpose for which it was collected:

Site & onboarding PII: Retained only as needed for account setup, communication, billing, and contractual obligations
Contractual data: Retained per contract terms and applicable legal requirements (tax, accounting, regulatory)
JS Services telemetry (non-PII): Retained only as necessary to operate and improve the Services
Marketing data: Until you withdraw consent or unsubscribe
Career applications: Retained for the duration of the recruitment cycle, plus a reasonable period thereafter unless you request earlier deletion

For more information on specific retention periods, contact us at info@brandlock.io.

International Data Transfers

We use AWS cloud services to store data, which may be located in the United States or other jurisdictions. When Personal Data is transferred outside your jurisdiction, we implement appropriate safeguards:

EU/EEA transfers: We rely on the European Commission’s Standard Contractual Clauses (SCCs) — updated per the 2021 SCC framework — for transfers to countries without an adequacy decision
UK transfers: We utilize the UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs as applicable
Other jurisdictions: We apply equivalent legal mechanisms recognized under local law

JS Services data: This section does not cover data solely processed by BrandLock’s JS Services on Customer sites, which remains subject to the Customer’s data transfer practices and our mutual Data Processing Agreement.

To learn more, contact info@brandlock.io.

Your Rights as a Data Subject

Depending on your jurisdiction, you may have the following rights regarding your Personal Data:

Universal Rights

Right to Know / Access: Request confirmation of whether we process your data and obtain a copy
Right to Correct: Request correction of inaccurate Personal Data
Right to Delete: Request deletion of your Personal Data, subject to legal exceptions
Right to Portability: Receive your data in a structured, commonly-used, machine-readable format
Right to Restrict Processing: Request limitation of certain processing activities
Right to Object: Object to processing based on legitimate interests, including direct marketing
Right to Withdraw Consent: Where processing is based on consent, withdraw at any time without affecting prior lawful processing

Additional Rights under CCPA/CPRA (California Residents)

Right to Opt-Out of Sale/Sharing: We do not sell or share Personal Information. However, you can exercise this right via our CCPA notice.
Right to Limit Use of Sensitive Personal Information: Where applicable
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
Right Regarding Automated Decision-Making Technology (ADMT): Per 2026 CCPA regulations, you have the right to opt-out of ADMT used for decisions that produce legal or similarly significant effects. BrandLock’s services do not currently make automated decisions that produce such effects on consumers.

Additional US State Rights (Delaware, Indiana, Kentucky, Rhode Island, Tennessee, Minnesota, Maryland, and others)

Residents of states with comprehensive privacy laws may have rights substantially similar to those listed above, including the right to confirm, access, correct, delete, opt-out of targeted advertising, opt-out of profiling, and data portability. We honor these rights consistent with each state’s applicable law.

Additional Rights under GDPR (EU/EEA/UK Residents)

Right to Lodge a Complaint: With your local supervisory authority
Rights Relating to Automated Decision-Making: Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects

Exercising Your Rights

To exercise any of these rights, contact us at info@brandlock.io. We will respond within the legally required timeframe (generally 30–45 days, with extensions where permitted). We may need to verify your identity before processing requests. For data processed as part of BrandLock Services on your Customer’s site, please contact the Customer directly.

Authorized Agents: California residents may designate an authorized agent to submit requests on their behalf. The agent must provide written authorization and we may verify the consumer’s identity directly.

Security

We implement reasonable and appropriate physical, technical, and organizational security measures to protect Personal Data, including:

Encryption in transit (TLS 1.2+) and at rest
Access controls with role-based permissions and multi-factor authentication
Regular vulnerability assessments and penetration testing
Employee security training and awareness programs
Incident response procedures with defined breach notification timelines
Ongoing compliance with ISO 27001:2022 certification standards

ISO 27001:2022 Certified: BrandLock FZE LLC (Certificate No. ISMS-MMXXV-12-16292) has been independently assessed and certified to ISO 27001:2022 for the scope of Software Services and E-Commerce Services. Certification was granted on December 10, 2025, with expiry on December 9, 2028. Surveillance audits are scheduled for November 2026 and November 2027. View our compliance page →

Security of data processed by BrandLock JS Services deployed on a Customer’s site is additionally governed by the Customer Agreement and relevant Data Processing Addendums. For a copy of our security policy, email info@brandlock.io.

Cookies & Tracking Technologies

Our Site uses cookies and similar technologies as described in our Cookie Policy. This includes necessary, functional, analytics, and advertising cookies.

JS Services: BrandLock JavaScript services deployed on Customer websites do not use cookies to collect personal identifiers or PII. They operate using hashed and anonymous telemetry for service delivery only.

We honor browser-based opt-out signals including Global Privacy Control (GPC), as required by the CCPA/CPRA and other applicable state privacy laws.

Do Not Sell or Share My Personal Information

BrandLock does not sell Personal Information. We do not sell, rent, or share (for cross-context behavioral advertising) any Personal Information to third parties, whether collected via our Site, onboarding, or through our JavaScript Services.

If you wish to exercise your right to opt-out of any future sale or sharing, please contact us at info@brandlock.io or visit our CCPA Privacy Notice.

Third-Party Services & Sub-Processors

We engage trusted third-party service providers who process data on our behalf, including cloud hosting (AWS), email delivery, billing/payment processing, analytics, and customer support tools. Each provider is bound by Data Processing Agreements that require:

Processing data only per our documented instructions
Implementing appropriate technical and organizational security measures
Assisting with data subject rights requests
Promptly notifying us of any data breach or security incident
Deleting or returning data upon termination of the engagement
Permitting audits and inspections of their compliance

A list of our current sub-processors is available upon request. We will notify Customers of any intended changes to sub-processors, providing an opportunity to object.

Data Protection Impact Assessments & Risk Assessments

In compliance with GDPR Article 35, CCPA/CPRA risk assessment regulations (effective January 1, 2026), and similar requirements under other state privacy laws, BrandLock conducts Data Protection Impact Assessments (DPIAs) and Privacy Risk Assessments for processing activities that present significant risk to individuals’ privacy. These include:

Processing of sensitive personal information
Use of automated processing to profile or infer consumer characteristics
Any new processing activity involving personal data at scale

Assessments identify benefits, evaluate negative impacts on privacy, and document safeguards. Summary reports are maintained by our executive management team and are available to regulators upon request, in compliance with the CCPA’s annual attestation requirement (first report due April 1, 2028, covering 2026–2027 activities).

Jurisdiction-Specific Disclosures

European Union / European Economic Area / United Kingdom

For EU/EEA/UK data subjects, BrandLock processes data under GDPR. Our lawful bases include contract performance, legitimate interests, and consent as detailed in the data table above. You have the right to lodge a complaint with your local supervisory authority. For international transfers, we use Standard Contractual Clauses (SCCs) or the UK IDTA.

California (CCPA/CPRA)

California residents have additional rights under the CCPA as amended by the CPRA and 2026 regulations. See our full CCPA Privacy Notice for details including categories collected, purposes, retention periods, and how to submit data subject requests. We comply with all CCPA/CPRA requirements including honoring Global Privacy Control signals, providing opt-out rights, and conducting required risk assessments.

Other US States

Residents of Delaware, Indiana, Kentucky, Maryland, Minnesota, Rhode Island, Tennessee, and other states with comprehensive privacy laws may exercise rights substantially similar to those described in Section 7. We honor all applicable state privacy laws based on your verified residency.

Brazil (LGPD)

If you are a Brazilian data subject, your Personal Data is processed in accordance with the Lei Geral de Proteção de Dados. You have rights to confirmation, access, correction, anonymization, portability, deletion, and information about sharing.

India (DPDP Act)

For Indian data principals, we comply with the Digital Personal Data Protection Act, 2023, as its provisions come into effect. This includes providing notice of processing, obtaining consent where required, and enabling rights of access, correction, and erasure.

Data Breach Notification

In the event of a personal data breach likely to result in risk to individuals’ rights and freedoms, BrandLock will:

Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Article 33)
Notify affected individuals without undue delay where the breach is likely to result in high risk (GDPR Article 34)
Notify the California Attorney General and affected consumers as required by California Civil Code § 1798.82
Comply with breach notification requirements of all other applicable state and international laws
Notify affected Customers promptly where the breach involves data processed as a Processor/Service Provider

Our Incident Response Plan is reviewed and tested annually, in accordance with our ISO 27001:2022 certification and IT Security Policy.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or regulatory guidance. We will notify you of material changes by sending a notice to your primary email address or by placing a prominent notice on our website. The “Last Updated” date at the top indicates the most recent revision. We encourage you to review this policy periodically.

Contact Us

If you have questions about this policy, wish to exercise your data rights, or have concerns about our data practices:

info@brandlock.io