brandID Privacy Policy
Effective Date: June 1, 2026
1. Introduction and Scope
This Privacy Policy (“Policy”) describes how brandID, operated by WATCHTHEMLIVE, a corporation incorporated under the laws of Ontario, Canada, with its registered office at 41 Old Indian Trail, Ramara, Ontario, Canada, L0K1B0 (collectively, “brandID,” “we,” “us,” or “our”), collects, uses, discloses, retains, secures, transfers, and otherwise processes personal information.
This Policy applies to:
- The brandID website at https://brandID.app and all subdomains;
- Our mobile and desktop applications;
- Our browser extensions, including the ContactUs AI extension;
- Our application programming interfaces (APIs);
- All marketing properties, support portals, and developer documentation; and
- The integrated suite of products and services described below (collectively, the “Services”).
The Services include:
| Product | Function |
|---|---|
| brandID Core | Link-in-bio profile creation, hosting, and visitor analytics |
| bookme by brandID (“bookme”) | Appointment scheduling and calendar synchronization |
| Chatgram | Multi-channel live chat, helpdesk, and ticketing |
| signID | Electronic signature, document workflow, and audit trail management |
| ContactUs AI | Browser-based contact discovery and outbound message automation |
| DMpro | Conversational and messaging automation across third-party platforms |
By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree, you must not access or use the Services.
This Policy is incorporated by reference into our Terms of Service and our Data Processing Addendum (“DPA”). Capitalized terms used but not defined here have the meanings set out in the Terms of Service or DPA.
2. Definitions
For the purposes of this Policy:
- “Personal Information” or “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable law (including the GDPR, UK GDPR, PIPEDA, Quebec Law 25, the CCPA/CPRA, and equivalent statutes).
- “Customer” means an individual or entity that has registered for a brandID account and uses the Services to interact with their own End-Users.
- “End-User” means any individual whose Personal Information is collected, transmitted, or processed by us as a result of a Customer’s use of the Services — including invitees, signatories, chat visitors, link-in-bio visitors, message recipients, and contacts.
- “Data Controller” means the entity that determines the purposes and means of processing Personal Information.
- “Data Processor” (also “Service Provider” under the CCPA/CPRA) means an entity that processes Personal Information on behalf of, and under the documented instructions of, a Data Controller.
- “Google User Data” means any data accessed, collected, processed, or stored by us through Google APIs, including data from Google Calendar, Google Contacts, Google Drive, Google Profile, and Google authentication services.
- “Sensitive Personal Information” has the meaning given by applicable law and, in the context of the Services, may include government identifiers contained in signed documents, precise geolocation, and authentication credentials.
- “Sub-processor” means a third party engaged by us to assist in providing the Services that processes Personal Information on our behalf.
3. Our Role: Controller, Processor, and Joint Capacities
Our role with respect to Personal Information depends on the context in which it is processed.
3.1 brandID as Data Controller
We act as a Data Controller for Personal Information we collect when you:
- Register for or maintain a brandID account;
- Authenticate using Third-Party Single Sign-On (SSO);
- Manage subscription billing or financial transactions;
- Browse our marketing websites and properties;
- Contact our support, sales, or legal teams;
- Participate in surveys, webinars, beta programs, or promotional activities; or
- Communicate with us in any other capacity.
3.2 brandID as Data Processor
We act as a Data Processor on behalf of our Customers when Personal Information is collected, generated, transmitted, or stored through a Customer’s use of the Services. In this capacity:
- The Customer is the Data Controller and is responsible for the lawfulness of the processing it instructs;
- We process End-User Personal Information strictly in accordance with the Customer’s documented instructions and the DPA executed between us;
- End-Users seeking to exercise privacy rights with respect to data processed by a Customer should contact that Customer directly; we will assist the Customer in fulfilling such requests as required by law.
3.3 Data Processing Addendum
A Data Processing Addendum incorporating:
- The European Commission’s Standard Contractual Clauses (SCCs, 2021/914);
- The UK International Data Transfer Addendum;
- Swiss-equivalent safeguards endorsed by the FDPIC; and
- A current list of authorized Sub-processors
is available to all Customers and is automatically incorporated into our Terms of Service for any Customer subject to the GDPR, UK GDPR, Swiss FADP, or analogous laws.
4. Information We Collect
We collect Personal Information in the following ways: (a) directly from you; (b) automatically from your use of the Services; (c) from third-party platforms you connect; and (d) from publicly available sources where lawful.
4.1 Information You Provide Directly
- Account & Profile Data: name, email address, hashed password, company name, role, telephone number, country, time zone, profile photo, and language preferences.
- Single Sign-On (SSO) Data: when you register or sign in using Google, Apple, Microsoft, Facebook, or any other supported identity provider, we receive basic profile information (name, email, profile picture, account identifier, and verification status) strictly to authenticate your identity and provision your account. We do not request additional permissions from your SSO provider beyond what is necessary for authentication unless you separately authorize a feature that requires them (e.g., Google Calendar for bookme).
- Billing Data: payment method tokens (we do not store full card numbers), billing address, VAT/tax identifiers, invoices, refund history, and subscription tier.
- Communications: support tickets, chat transcripts with our team, survey responses, and other content you submit to us.
4.2 Information Collected Automatically
- Usage & Device Data: IP address, browser type and version, operating system, device identifiers, referring and exit URLs, pages viewed, features used, timestamps, crash logs, and performance telemetry.
- Cookies & Similar Technologies: as described in Section 11.
- Approximate Location: derived from IP address for security, fraud prevention, localization, and regulatory routing.
4.3 Product-Specific Personal Information
The specific Personal Information we process depends on which Services you and your End-Users use.
4.3.1 brandID Core (Link-in-Bio)
- Profile content you publish: display name, bio, avatar, links, embedded media, custom HTML/CSS where supported, and theme settings.
- Visitor analytics: hashed visitor identifiers, IP-derived country and region, referring source, device class, click events, and timestamps. We do not collect precise GPS location.
4.3.2 bookme by brandID (Scheduling)
- From the Customer (host): calendar connection metadata, event types, availability rules, meeting locations (including video conferencing URLs), buffer times, and rescheduling policies.
- From the End-User (invitee): name, email address, phone number (optional), responses to intake questions, time zone, and selected meeting time.
- From connected calendar providers: the minimum calendar data required to determine free/busy windows and to create the events the Customer’s invitees explicitly book — see Section 7.A for full Google Calendar disclosures.
4.3.3 Chatgram (Helpdesk and Live Chat)
- Chat transcripts, attachments, ticket histories, internal agent notes, satisfaction ratings, and automated routing tags.
- End-User identifiers passed by the Customer (such as customer ID, order number, or email) and device/browser metadata for troubleshooting.
- Voice and video session metadata where the Customer enables those modalities (we do not record audio or video content unless the Customer expressly enables recording and obtains its own consents).
4.3.4 signID (Electronic Signatures)
- Document content uploaded for signature by the Customer.
- Signatory information: name, email address, IP address, geolocation derived from IP, device identifiers, authentication method, timestamps, hash values, and signature artifacts.
- Audit trail data retained for the lifetime of the executed document to satisfy non-repudiation, eIDAS, ESIGN Act, UETA, and PIPEDA evidentiary requirements.
- Where applicable, knowledge-based authentication (KBA) or government-ID verification metadata. We do not retain images of identification documents beyond the verification window unless the Customer explicitly enables long-term retention.
4.3.5 ContactUs AI (Outreach Automation)
- Browser extension telemetry: extension version, browser type, sites on which the extension is invoked by you, and feature usage events.
- Contact data: business names, business URLs, business email addresses, business contact forms, and publicly available professional contact details that you choose to capture or have us discover.
- Outbound message content authored or approved by you, delivery status, bounce data, and reply tracking.
- CASL & CAN-SPAM compliance metadata: consent basis recorded by the Customer, unsubscribe events, suppression list entries, and sending identity records. The Customer is responsible for ensuring that all outreach complies with applicable anti-spam laws, including Canada’s Anti-Spam Legislation (CASL), the U.S. CAN-SPAM Act, the UK PECR, and the EU ePrivacy Directive.
4.3.6 DMpro (Messaging Automation)
- OAuth access tokens and platform user identifiers for Meta (Facebook, Instagram, WhatsApp Business), TikTok, Telegram, and LinkedIn.
- Inbound messages routed through the connected platforms to your automations.
- Outbound messages, chatbot flow definitions, subscriber lists, broadcast histories, and conversation state.
- Permission scopes are limited to those necessary to deliver the messaging features the Customer configures; we do not request access to a Customer’s personal feed, friends list, or unrelated platform data.
4.4 Information from Third Parties and Public Sources
We may receive Personal Information from: connected third-party platforms (per your explicit authorization); identity verification providers; payment processors; fraud-detection partners; analytics partners; and publicly available business directories (limited to professional contact information used by ContactUs AI, and only where such use is permitted by applicable law).
5. How We Use Personal Information
We use Personal Information for the following purposes. For Customers and visitors subject to the GDPR, UK GDPR, or Swiss FADP, the corresponding legal basis appears in Section 6.
- Provide, operate, and maintain the Services, including hosting profiles, synchronizing calendars, processing electronic signatures, routing messages, and storing chat history.
- Authenticate users and provision access via direct sign-up or SSO providers.
- Process payments, send invoices, and manage subscriptions and renewals.
- Communicate with you about transactional matters, security alerts, service announcements, and customer support.
- Send marketing communications (only where permitted by law and subject to your consent and opt-out rights).
- Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms of Service or applicable law.
- Improve and develop the Services, including diagnosing performance issues, building new features, and conducting internal analytics — subject to the AI/ML restrictions in Section 9.
- Comply with legal obligations, respond to lawful requests from public authorities, and enforce our agreements.
- Maintain evidentiary records required for the legal validity of executed signID documents.
We do not use Personal Information for any purpose materially different from those described in this Policy without providing further notice and, where required, obtaining your consent.
6. Legal Bases for Processing (GDPR / UK GDPR / Swiss FADP)
Where the GDPR, UK GDPR, or Swiss FADP applies, we rely on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Delivering the Services to you | Performance of a contract (Art. 6(1)(b)) |
| Authentication, security, fraud prevention | Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Billing and tax records | Legal obligation (Art. 6(1)(c)) |
| Marketing communications | Consent (Art. 6(1)(a)) or legitimate interests where permitted |
| Connecting third-party platforms (Google, Meta, etc.) | Consent (Art. 6(1)(a)) |
| signID audit trails and document retention | Legal obligation and legitimate interests |
| Aggregated and anonymized analytics | Legitimate interests (Art. 6(1)(f)) |
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
7. Third-Party Integrations and API Usage
Our Services connect to third-party platforms only at your direction. Your use of any third-party platform is governed by that platform’s own terms and privacy policy. We are committed to data minimization, scope-limited access, and secure API usage.
7.A Google API Services — Limited Use Disclosure (Calendar, Drive, Profile, and Contacts)
This section governs all use of Google User Data by brandID and applies in particular to bookme by brandID and to Google SSO across the Services.
7.A.1 Limited Use Affirmation
brandID’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7.A.2 Scopes We Request and Why
For bookme by brandID, we request only the minimum Google Calendar scopes required to deliver scheduling. The specific scopes, their purposes, and the data they access are:
| Scope | Purpose | Data Accessed |
|---|---|---|
| https://www.googleapis.com/auth/calendar.events | Create, update, and cancel calendar events for meetings booked through bookme | Event titles, descriptions, times, attendees, and conferencing links for events created by bookme |
| https://www.googleapis.com/auth/calendar.readonly | Read free/busy availability to prevent double-booking and surface available time slots to invitees | Start/end times of existing events on selected calendars; we do not read event titles, descriptions, attendees, or attachments of pre-existing events except where strictly required to detect a conflict and only for the duration of that calculation |
| https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile | Authenticate the Customer and provision their account | Email address, name, profile picture, and Google account identifier |
We do not request, and we do not access, the following Google scopes for bookme: Gmail content, Google Drive files outside of explicit user-initiated attachments, Google Photos, Google Contacts beyond those explicitly invited to a meeting, location history, or any other Google API not listed above.
7.A.3 How We Use Google User Data
We use Google User Data solely to provide and improve the user-facing scheduling features of bookme that are prominent in the bookme user interface. Specifically:
- Reading free/busy windows on calendars the Customer has explicitly connected, to compute available meeting slots offered to invitees;
- Creating, modifying, or cancelling calendar events that result from a bookme invitee’s booking action;
- Attaching the conferencing link (such as Google Meet) generated for that booking;
- Sending calendar invitations to invitees with the Customer’s selected event details.
We do not:
- Read, copy, store, modify, or delete pre-existing events created outside of bookme;
- Alter, reorganize, or restructure the Customer’s calendar;
- Use Google User Data to serve advertisements of any kind;
- Sell, rent, license, or transfer Google User Data to data brokers, information resellers, or any third party for independent use;
- Use Google User Data to train, develop, fine-tune, or evaluate any generalized artificial intelligence or machine learning model (including large language models), whether our own or those of any third party.
7.A.4 Human Access to Google User Data
Consistent with the Google API Services User Data Policy, brandID personnel and contractors do not read, view, or otherwise access Google User Data, except:
- With the Customer’s explicit, contemporaneous consent (for example, when the Customer requests support that requires us to examine a specific calendar event);
- Where necessary for security investigations (such as investigating a suspected account compromise or unauthorized access);
- To comply with applicable law or valid legal process;
- For aggregated, anonymized operational analysis where individual Google User Data cannot be identified or re-identified.
All such access is logged, restricted to authorized personnel bound by confidentiality obligations, and subject to internal audit.
7.A.5 Storage, Retention, and Deletion of Google User Data
- Free/busy data read for slot calculation is held only in transient memory during the calculation and is not persisted to long-term storage.
- Event identifiers and minimum metadata for events that bookme has created are retained for the lifetime of the corresponding scheduled event and for a reasonable post-event window for rescheduling, refunds, and dispute resolution (default: 90 days after event completion), after which they are deleted unless the Customer has separately exported the data.
- OAuth refresh tokens are stored encrypted at rest using AES-256 and are revoked automatically when the Customer disconnects their Google account from bookme, deletes their bookme account, or revokes access from their Google account settings.
- A Customer may revoke brandID’s access to their Google data at any time by:
  - Disconnecting the Google integration in bookme Settings → Integrations; or
  - Visiting https://myaccount.google.com/permissions and removing brandID/bookme.
Upon revocation, we cease all access immediately and delete associated tokens and bookme-managed Google User Data within 30 days, except where legal retention obligations require otherwise.
7.A.6 Sharing of Google User Data
We do not share Google User Data with any third party except:
- Sub-processors strictly necessary to provide bookme (such as our cloud hosting provider for encrypted-at-rest storage). A current list is available in our DPA, and all sub-processors are bound by data-protection terms no less protective than this Policy and the Google API Services User Data Policy.
- The Customer’s invitee receiving the calendar invitation the Customer created.
- As required by law or to protect the rights, safety, and security of users and the public.
We do not provide Google User Data to any advertiser, data broker, model trainer, or analytics partner.
7.A.7 Security Measures Specific to Google User Data
In addition to the security measures described in Section 13, we apply the following controls to Google User Data:
- Encryption in transit via TLS 1.2 or higher;
- Encryption at rest via AES-256;
- Strict role-based access control with multi-factor authentication for production systems;
- Continuous logging and monitoring for anomalous access patterns;
- An annual independent security assessment (CASA Tier 2 or equivalent) where applicable to the scopes in use;
- A documented vulnerability disclosure and incident-response program.
7.B Meta Platforms (Facebook, Instagram, WhatsApp Business)
DMpro and Chatgram connect to Meta platforms only with the Customer’s explicit OAuth authorization. We access only the messaging endpoints and page or account metadata necessary to deliver the configured automations. We do not post to a Customer’s personal timeline, access friends lists outside of message recipients, or use platform data for unrelated purposes. Our use of Meta platform data complies with the Meta Platform Terms and Developer Policies.
7.C TikTok, Telegram, and LinkedIn
DMpro and Chatgram integrate with TikTok, Telegram, and LinkedIn for messaging and chatbot functionality. We request only the minimum permission scopes required, and we comply with each platform’s developer terms, including the TikTok for Business Terms, the Telegram Bot API Terms, and the LinkedIn API Terms of Use.
7.D Shopify, WooCommerce, and WordPress
Chatgram and DMpro can integrate with Shopify, WooCommerce, and WordPress to surface order, product, and customer information inside helpdesk tickets and chatbot flows. Data is accessed only at the Customer’s direction and is used solely to deliver contextual support and commerce features the Customer has configured.
7.E Payment Processors
Payments are processed by PCI-DSS-compliant providers (including Stripe and Paddle, as applicable to your region). We do not store full payment card numbers on our systems; we store only the tokens and metadata necessary for billing.
7.F Email and Notification Providers
Transactional and marketing email delivery is performed through reputable providers (such as Amazon SES, SendGrid, or equivalent) bound by contractual data-protection obligations.
8. Cookies and Similar Tracking Technologies
We use cookies, local storage, pixels, and similar technologies for:
- Strictly necessary purposes (session management, authentication, security, load balancing);
- Functional purposes (remembering preferences, language, time zone);
- Analytics purposes (understanding aggregate usage to improve the Services); and
- Marketing purposes (where permitted and consented to).
You can manage cookies via:
- Our cookie banner (where required by law, including the EU/UK and Quebec);
- Your browser settings;
- Industry opt-out tools such as the Digital Advertising Alliance (optout.aboutads.info) and the European IAB TCF.
We honor Global Privacy Control (GPC) signals as a valid opt-out of “sale” or “sharing” of Personal Information under the CCPA/CPRA and analogous laws.
A separate Cookie Notice with the full list of cookies, their categories, durations, and providers is available at https://brandID.app/cookies.
9. Artificial Intelligence and Machine Learning Use Disclosure
We take a conservative, transparent approach to AI/ML use.
9.1 What We Do Not Do
- We do not use Google User Data (Calendar, Profile, Contacts, or otherwise) to train, fine-tune, evaluate, or otherwise develop any generalized AI or ML model — our own or any third party’s. This restriction is binding regardless of any other provision of this Policy.
- We do not use the content of signID documents to train AI/ML models.
- We do not use End-User Personal Information processed by us in our capacity as a Data Processor for AI/ML training unless the Customer has explicitly opted in on behalf of the End-User where lawful, or the data has been irreversibly anonymized.
9.2 What We May Do
- We may use aggregated, anonymized, and de-identified usage data that cannot reasonably be linked to a specific individual to improve service reliability, detect abuse, and develop new features.
- Certain Services may offer opt-in AI-assisted features (such as smart reply suggestions in Chatgram or message drafting in ContactUs AI). These features are governed by separate in-product disclosures and may rely on third-party AI providers that operate as our Sub-processors under contractual restrictions consistent with this Policy and the Google API Services User Data Policy.
- Customers may opt out of AI-assisted features in their account settings.
9.3 Automated Decision-Making
We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals as defined under Article 22 of the GDPR. Where the Services include profiling for fraud prevention or abuse detection, human review is available upon request.
10. Sharing and Disclosure of Personal Information
We do not sell Personal Information for monetary consideration. We do not “share” Personal Information for cross-context behavioral advertising as defined under the CCPA/CPRA.
We disclose Personal Information only as follows:
- Sub-processors and service providers (cloud hosting, payment processing, email delivery, customer support tooling, analytics, fraud prevention) under contracts requiring confidentiality and data protection no less protective than this Policy. A current list of authorized Sub-processors is maintained in the DPA and is available to Customers on request.
- Customers and their End-Users as necessary to deliver the Services (for example, an invitee receives a calendar invitation; a signatory receives a document).
- At your direction, including third-party platforms you choose to connect.
- Affiliates within the WATCHTHEMLIVE corporate group, under terms consistent with this Policy.
- Legal and regulatory authorities in response to valid legal process, or where we believe in good faith that disclosure is necessary to comply with law, protect our rights, prevent harm, or respond to an emergency.
- In connection with a corporate transaction (merger, acquisition, financing, reorganization, sale of assets, or bankruptcy), in which case we will require the successor to honor this Policy or provide affected individuals notice and choice as required by law.
10.1 Categories Disclosed (CCPA/CPRA)
In the 12 months preceding the Effective Date, we have disclosed the following categories of Personal Information for business purposes: identifiers; commercial information (subscription details); internet activity; geolocation (approximate); professional or employment-related information; and inferences drawn for security and product analytics. We have not sold or shared Personal Information as those terms are defined under the CCPA/CPRA.
11. International Data Transfers
brandID is headquartered in Canada and processes data in Canada, the United States, and the European Economic Area, and may use Sub-processors located in other jurisdictions.
Where we transfer Personal Information out of the EEA, UK, or Switzerland to a country not deemed adequate by the relevant authority, we rely on appropriate safeguards, including:
- The European Commission Standard Contractual Clauses (2021/914);
- The UK International Data Transfer Addendum and/or the UK IDTA;
- Swiss-equivalent SCCs endorsed by the FDPIC;
- Transfer impact assessments documenting the legal and technical safeguards applied; and
- Supplementary measures including encryption, pseudonymization, and contractual restrictions on government access requests.
A copy of the relevant transfer mechanism is available on request to [email protected].
For transfers to and from Canada, we comply with PIPEDA and, where applicable, Quebec Law 25, including conducting privacy impact assessments before transferring Personal Information outside Quebec.
12. Data Retention
We retain Personal Information only for as long as necessary to fulfill the purposes set out in this Policy and to comply with our legal obligations. Our default retention periods are:
| Data Category | Retention |
|---|---|
| Active account data | Lifetime of the account |
| Billing and tax records | 7 years (or longer where required by tax law) |
| Marketing preferences and consent records | Lifetime of relationship + 3 years |
| brandID Core visitor analytics | 26 months in identifiable form, then aggregated |
| bookme calendar event metadata (created by bookme) | 90 days post-event, then deleted |
| bookme free/busy queries | Transient — not persisted |
| Google OAuth tokens | Until revocation; deleted within 30 days of disconnection |
| Chatgram chat transcripts | Customer-configurable; default 24 months |
| signID executed documents and audit trails | Lifetime of the contract + statutory limitations period; minimum 7 years |
| ContactUs AI suppression lists | Indefinite (required for CASL/CAN-SPAM compliance) |
| DMpro message logs | Customer-configurable; default 12 months |
| Security and access logs | 24 months |
Upon termination of a Customer’s account, we will delete or anonymize Personal Information within 30 days, except (i) signID executed documents and audit records retained for legal validity, (ii) billing and tax records, (iii) suppression lists, and (iv) data we are otherwise required by law to retain. Customers may export their data prior to deletion using the in-product export tools.
13. Security Measures
We implement administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. These include:
- Encryption: TLS 1.2+ in transit; AES-256 at rest.
- Access controls: Role-based access, least-privilege provisioning, and multi-factor authentication for all production systems.
- Network security: Web application firewall, DDoS mitigation, network segmentation, and intrusion detection.
- Secure development: Code review, static and dynamic application security testing, dependency scanning, and a documented secure SDLC.
- Vendor management: Risk assessment and contractual security obligations for all Sub-processors.
- Monitoring and logging: Continuous monitoring of production systems and centralized audit logs.
- Business continuity: Encrypted, geographically distributed backups and a tested incident-response plan.
- Personnel: Background checks where permitted by law, mandatory privacy and security training, and confidentiality obligations.
No system is impenetrable, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting your Personal Information, we will notify you and applicable regulators as required by law.
14. Your Privacy Rights
Subject to applicable law and verification of your identity, you have the rights described below. To exercise any right, contact [email protected]. We will respond within the timeframes required by applicable law (generally 30–45 days; we will notify you if we require an extension).
14.1 Rights Under the GDPR / UK GDPR / Swiss FADP
- Access to your Personal Information;
- Rectification of inaccurate Personal Information;
- Erasure (“right to be forgotten”) subject to legal exceptions;
- Restriction of processing;
- Data portability in a structured, machine-readable format;
- Objection to processing based on legitimate interests, including for direct marketing;
- Withdrawal of consent at any time;
- The right to lodge a complaint with a supervisory authority in your jurisdiction (in the EU, the data protection authority of your habitual residence; in the UK, the Information Commissioner’s Office; in Switzerland, the FDPIC).
14.2 Rights Under the CCPA / CPRA and Other U.S. State Laws
If you are a California resident (and to the extent equivalent rights apply under Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, and similar U.S. state laws), you have the right to:
- Know what categories and specific pieces of Personal Information we collect, use, disclose, and (if applicable) sell or share;
- Delete Personal Information, subject to legal exceptions;
- Correct inaccurate Personal Information;
- Opt out of any “sale” or “sharing” of Personal Information — we honor Global Privacy Control signals as an opt-out;
- Limit the use of Sensitive Personal Information;
- Non-discrimination for exercising any right;
- Appeal a denial of a privacy request (where required by state law).
You may submit a request through https://brandid.app/contact-us/ or by emailing [email protected]. You may use an authorized agent; we will require verification of the agent’s authority.
We do not knowingly sell or share the Personal Information of consumers under 16 without affirmative opt-in.
14.3 Rights Under PIPEDA (Canada) and Quebec Law 25
If you are a resident of Canada, including Quebec, you have the right to:
- Access your Personal Information held by us;
- Request correction of inaccurate Personal Information;
- Withdraw consent (subject to legal or contractual restrictions);
- Receive information about transfers of your Personal Information outside Quebec or Canada;
- Request that we cease disseminating your Personal Information or de-index it where permitted under Quebec Law 25;
- Lodge a complaint with the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information du Québec.
Our Privacy Officer for purposes of PIPEDA and Law 25 can be reached at [email protected].
14.4 Rights for Other Jurisdictions
If you reside in a jurisdiction not specifically listed above (including Brazil under the LGPD, Australia under the Privacy Act, South Africa under POPIA, or other jurisdictions with comprehensive privacy laws), you may have similar rights. Contact us and we will honor the rights available to you under applicable law.
15. Marketing Communications and Anti-Spam Compliance
15.1 Your Choices
You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, adjusting your in-product preferences, or emailing [email protected]. Transactional and service messages necessary for your account will continue.
15.2 Customer Obligations (CASL, CAN-SPAM, ePrivacy)
Customers using ContactUs AI, DMpro, or any other Service to send commercial electronic messages are solely responsible for:
- Obtaining all required consents (express or implied as defined by CASL; opt-out as defined by CAN-SPAM; opt-in as defined by GDPR/PECR);
- Including required identification and unsubscribe mechanisms;
- Honoring unsubscribe requests within statutory timeframes (10 business days under CAN-SPAM; immediately upon receipt under CASL where technologically feasible and in any event within 10 business days);
- Maintaining records of consent for the periods required by law.
brandID provides tools to assist with compliance but is not the sender of Customer-originated messages and does not warrant the lawfulness of any specific Customer campaign. Violations of anti-spam laws by a Customer may result in immediate suspension under our Acceptable Use Policy.
16. Children’s Privacy
The Services are not directed to children under the age of 16 (or the equivalent minimum age in the user’s jurisdiction). We do not knowingly collect Personal Information from children. If we learn that we have collected Personal Information from a child without verifiable parental consent, we will delete it promptly. Parents and guardians who believe their child has provided Personal Information may contact [email protected].
Customers using brandID Core or other Services to interact with audiences that may include children must independently comply with COPPA, the GDPR (Article 8), the UK Age Appropriate Design Code, and equivalent laws.
17. Personal Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the relevant supervisory authorities within the timeframes required by law (e.g., 72 hours under the GDPR);
- Notify affected individuals without undue delay where required;
- Notify affected Customers of breaches involving Personal Information processed on their behalf, with sufficient information to enable them to meet their own notification obligations;
- Document the breach, its effects, and the remedial actions taken.
18. Third-Party Links and Content
The Services may contain links to third-party websites, services, or platforms not operated by us. This Policy does not apply to those third parties. We are not responsible for the content or privacy practices of any third-party properties. We encourage you to review the privacy policies of any third party before providing them with Personal Information.
19. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (where you are a registered Customer) and by posting a prominent notice on our website at least 30 days before the changes take effect, except where immediate updates are required by law. The “Last Updated” date at the top of this Policy reflects the most recent revision. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
Prior versions of this Policy are available on request.
20. Contact Us
For privacy questions, requests, or complaints:
brandID (WATCHTHEMLIVE)
Attention: Privacy Officer / Data Protection Officer
208 – 69 Yorkville Avenue
Toronto, Ontario, Canada
Email: [email protected]
Legal/DPO: [email protected]
Privacy request portal: https://brandid.app/contact-us/
EU/UK Representative: Upon request, we will provide the contact details of our Article 27 GDPR representative and UK GDPR representative where required.
If you are not satisfied with our response, you may contact the data protection authority in your jurisdiction, including the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca), the Commission d’accès à l’information du Québec, your EU/EEA supervisory authority, the UK Information Commissioner’s Office (https://ico.org.uk), or your applicable U.S. state Attorney General.




