Privacy Policy

Last updated: 23 May 2026

1. Who We Are

Brush Ltd (“Brush”, “we”, “us”) is the data controller for personal data processed through troth.shop. Contact: privacy@troth.shop.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account data: email address, name, hashed password, email verification status, account creation date.
  • Billing data: Stripe customer ID, subscription plan, payment history (full card details are held by Stripe, not Brush).
  • Content data: images and videos you upload for processing. These are stored in Cloudflare R2 object storage.
  • Usage data: AI tool runs, export counts, compute credits consumed, tool preferences.
  • Technical data: IP address (hashed for consent log), browser user agent, session tokens.
  • Communications: support emails and takedown reports you send to us.
  • Analytics: aggregated product usage events via PostHog (self-hostable analytics). No behavioural advertising.

3. Legal Bases for Processing (GDPR)

  • Contract performance — providing the Service, processing payments, delivering AI outputs.
  • Legitimate interests — fraud prevention, security monitoring, abuse detection, product analytics.
  • Legal obligation — tax records, CSAM reporting to law enforcement.
  • Consent — marketing emails (you can withdraw at any time via the unsubscribe link).

4. Data Retention (§8 Retention Table)

Data type               Free       Pro       Business
Original images         30 days    1 year    Indefinite
AI outputs / exports    30 days    1 year    Indefinite
Account data            Held while account is active + 90 days after deletion
Billing records         7 years (legal obligation)
Moderation logs         6 months (EU AI Act §9)
Consent log             3 years from consent event

5. Sharing of Data

We share personal data only with:

  • Stripe — payment processing. Stripe's privacy policy governs card data.
  • Cloudflare — CDN, R2 object storage, and Workers runtime. Data stored in EU/UK regions by default.
  • Resend — transactional email delivery.
  • AI providers — images are sent to third-party AI providers (e.g., Stability AI, Replicate) for processing. We have DPAs with all providers. Providers do not retain your images beyond the processing request.
  • Law enforcement — where required by law, including CSAM reports to NCMEC.

We do not sell, rent, or share personal data for advertising purposes.

6. International Transfers

Some of our sub-processors are based outside the UK and EEA. Where personal data is transferred internationally, we rely on UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) to ensure adequate protection.

7. Your Rights (GDPR / UK GDPR)

You have the right to:

  • Access — request a copy of your personal data. Use the data export endpoint.
  • Rectification — correct inaccurate data.
  • Erasure (“right to be forgotten”) — delete your account and associated data via account settings or by emailing privacy@troth.shop.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — restrict processing in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — at any time, without affecting the lawfulness of prior processing.

To exercise these rights: privacy@troth.shop. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. CCPA — California Residents

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information.

Brush does not sell personal information as defined by the CCPA. For CCPA requests: privacy@troth.shop.

Do Not Sell or Share My Personal Information — As noted above, Brush does not sell or share personal information for cross-context behavioural advertising. This section satisfies the CCPA opt-out link requirement.

9. Cookies

Brush uses strictly necessary session cookies for authentication. We do not use third-party advertising cookies. Analytics events (PostHog) are logged server-side where possible to minimise client-side tracking.

10. Security

We use industry-standard security measures including TLS in transit, encrypted storage, access controls, and automated vulnerability scanning. Despite these measures, no system is perfectly secure. Report security issues to security@troth.shop.

11. Children

Brush is not directed at children under 13. If we become aware that a child under 13 has provided personal data, we will delete it immediately. Contact privacy@troth.shop if you believe we have inadvertently collected a child's data.

12. Changes to This Policy

We may update this Privacy Policy. Material changes will be communicated by email with 14 days' notice. The latest version is always at troth.shop/legal/privacy.

Do Not Sell or Share My Personal Information: Brush does not sell or share your personal information for cross-context behavioural advertising. No action is required to opt out.
