← Brandomica Lab

Data Processing Addendum

Last updated: February 24, 2026

This Data Processing Addendum ("DPA") describes how Brandomica Lab processes data when you use the web app, REST API, MCP server, or CLI tool. It supplements our Privacy Policy.

What we process

  • Brand name strings submitted via the search form, API, MCP, or CLI
  • IP addresses for rate limiting (varies by endpoint, typically 5-20 requests/minute per IP)
  • Analytics events (consent-gated page views and search events via Vercel Analytics and GA4)
  • Optional local notification settings (watch webhook URL and email draft recipient) stored in your browser local storage if you enable Watch notifications

What we do not process

  • No account system or required profile data (for example username, password, billing profile, or identity verification documents)
  • No user accounts, passwords, or authentication tokens
  • No payment or financial information
  • No cookies beyond consent-gated analytics

Sub-processors

Brand name strings are forwarded to these third-party services to perform availability and safety checks:

  • Vercel (hosting, analytics, domain availability and pricing)
  • Google Analytics / GA4 (consent-gated usage analytics)
  • GitHub API (username availability)
  • Serper.dev (Google Search web presence and social index lookups)
  • Brave Search API (search/index fallback when Serper is unavailable)
  • X API v2 (official username lookup, when configured)
  • iTunes Search API (App Store check)
  • Turso (hosted SQLite — USPTO trademark search)
  • Package registries: npm, PyPI, crates.io, RubyGems, NuGet, Homebrew, Docker Hub
  • WhoisXML API (domain availability fallback)
  • Wiktionary REST API (linguistic screening)
  • Datamuse API (phonetic similar-word enrichment)
  • ProductHunt GraphQL API v2 (when configured)

Each sub-processor has its own privacy policy and terms. Brandomica Lab does not control how these services handle data.

Data retention

  • In-memory cache: search results are cached 5-30 minutes depending on endpoint, then evicted automatically
  • No application-level persistent storage: brand name queries are not written to any application database. Platform and infrastructure logs (e.g. Vercel request logs) may retain request metadata per their own retention policies
  • Analytics retention: follows Vercel and Google's standard retention policies

Security measures

  • All traffic served over HTTPS (TLS 1.2+)
  • Per-endpoint rate limiting (5-20 requests/minute per IP depending on endpoint)
  • No authentication tokens or API keys stored client-side
  • No server-side persistent storage of user queries

Contact

Questions about data processing? Open an issue on GitHub.