Data Handling Summary

Last updated: April 11, 2026

This page summarizes how Brandomica Lab handles data when you use the web app, REST API, MCP server, or CLI tool. It supplements our Privacy Policy. This is an informational summary for the current MVP and is not a negotiated enterprise data processing agreement.

What we process

  • Brand name strings submitted via the search form, API, MCP, or CLI
  • IP addresses for rate limiting (limits vary by endpoint; MCP: 30 req/min burst + 50 req/hr sustained)
  • Analytics events (consent-gated page views and search events via Vercel Analytics and GA4)
  • Optional local notification settings (watch webhook URL and email draft recipient) stored in your browser local storage if you enable Watch notifications

What we do not process

  • No account system or required profile data (for example username, password, billing profile, or identity verification documents)
  • No user accounts, passwords, or authentication tokens
  • No payment or financial information
  • No cookies beyond consent-gated analytics

Third-party services

Brand name strings are forwarded to these third-party services to perform availability and safety checks. Some operate as independent controllers under their own privacy policies:

  • Vercel (hosting, analytics, domain availability and pricing)
  • Google Analytics / GA4 (consent-gated usage analytics)
  • GitHub API (username availability via PAT)
  • Serper.dev (Google Search web presence and social handle lookups for X/Twitter, TikTok, LinkedIn, Instagram via site: queries)
  • Turso (hosted SQLite FTS5 — USPTO trademark search, ~850K marks)
  • EUIPO Trademark Search API (European trademark search, sandbox mode while production auth is pending)
  • iTunes Search API (App Store check)
  • WhoisXML API (domain availability fallback)
  • Package registries: npm, PyPI, crates.io, RubyGems, NuGet, Homebrew, Docker Hub
  • Wiktionary REST API (linguistic screening)
  • Datamuse API (phonetic similar-word enrichment)
  • ProductHunt GraphQL API v2 (when configured; manual link fallback otherwise)

Each service has its own privacy policy and terms. Brandomica Lab does not control how these services handle data.

Data retention

  • In-memory cache: search results are cached 5-30 minutes depending on endpoint, then evicted automatically
  • Operational log: an application-level log records channel (web, API, MCP, CLI), check mode, timestamp, and a pseudonymized client fingerprint (one-way SHA-256 hash derived from IP address, user-agent string, primary accept-language tag, and infrastructure provider hint — used for rate limiting and unique visitor counting, not individual identification) for each request. Brand names are not stored. Log entries are automatically deleted after 90 days
  • Platform logs: Vercel request logs may retain request metadata per their own retention policies
  • Analytics retention: follows Vercel and Google's standard retention policies

Security measures

  • All traffic served over HTTPS (TLS 1.2+)
  • Per-endpoint rate limiting (MCP: 30 req/min burst + 50 req/hr sustained; REST limits vary by endpoint)
  • No authentication tokens or API keys stored client-side
  • No brand names stored in operational logs
  • Best-effort operational controls appropriate for an early MVP; no enterprise SLA is provided

Contact

Questions about data processing? Email support@brandomica.com or open an issue on GitHub. For security vulnerabilities, use security@brandomica.com.