Privacy Policy
Last updated: 2026-05-31
Encoded Brands runs the Encoder, a paid brand-interview app that takes your inputs (your domain, your documents, your answers) and ships a Brand Context Protocol — a structured definition of your brand that you and your agents can use.
This policy says what we collect when you use the Encoder, what we do with it, who else sees it, and how to make us forget you.
It is plain on purpose. If anything below is unclear, write to us at the contact address at the end.
1. Who we are
The Encoder is operated by Estuary Group LLC, doing business as Encoded Brands ("we," "us"). We are based in the United States.
2. What we collect
When you use the Encoder we collect three categories of data:
Account data. Your name, email address, and any OAuth identifiers from the provider you signed in with. This is handled on our behalf by Clerk.
Payment data. Your card details go directly to Stripe. We never see or store them. We receive only a transaction reference and the status of your payment.
Brand and session data. This is the substance of the work. It includes the domain you submit, the URLs you point us at, the documents you upload (brand guidelines, decks, PDFs, transcripts, anything you choose), the answers you give during the interview, and the Brand Context Protocol the Encoder produces from all of it.
Usage data. We collect basic analytics about how the Encoder and our website are used: pages viewed, broad device and referrer information, and aggregate engagement. We use two tools for this. Vercel Web Analytics is cookieless and collects no personal identifiers. Google Analytics sets cookies, so it loads only if you accept them in our cookie banner (see Cookies, below).
We do not run ad pixels or session replay tools. We do not buy data from third parties to enrich your profile.
3. How we use it
We use your data to deliver the service: run the interview, do the extraction, produce your BCP, deliver it to you, and let you come back to your work later.
We send you email tied to your work: a confirmation when you publish, and occasional reminders if you start an encoding and do not finish. You can opt out of the non-essential reminders at any time, using the unsubscribe link in those emails or by writing to us. Essential account and transaction messages still apply.
We use the usage analytics described above to understand what is working and where the Encoder is confusing, so we can make it better.
We also use your inputs and the system's outputs to improve the Encoder itself, including its prompts, parsers, and the models it depends on. This may include using anonymized or derived signals to refine our products and, in the future, to train models we build or operate. If we ever decide that customer-identifiable material will be used for a purpose beyond what this policy describes, we will tell you and ask first.
4. Who we share it with
We share data only with the service providers we need to run the Encoder. None of them are permitted to use your data for their own marketing or to resell it. As of the date above, those providers are:
- Clerk — authentication and account management
- Stripe — payments
- Supabase — database and file storage (United States)
- Vercel — application hosting and cookieless web analytics (United States)
- Cloudflare — DNS, edge delivery, and Registry hosting for published BCPs
- Anthropic — language-model API calls used to power the interview, compile your BCP, and related AI features (when enabled). API traffic is governed by Anthropic's commercial terms, which prohibit using customer prompts for training.
- Resend — delivery of account and lifecycle email
- Google — Google Analytics, loaded only if you accept analytics cookies
We do not sell your data. We do not share it with advertisers. We do not share it with marketing partners. If we are ever required to disclose data to comply with a lawful legal request, we will narrow what we hand over and tell you about it where the law allows.
5. How long we keep it
We retain your account and your session data for as long as your account exists. We do not auto-expire it. Your BCP is meant to live with you — letting it disappear on a schedule would defeat the point.
When you publish your BCP, it becomes a public file at your domain and in our Registry, readable by anyone or any agent that fetches it. That is by design: the protocol works by being readable. A published BCP stays public until you unpublish or delete it.
You can delete your account and the data associated with it at any time. When you do, we remove your account, your sessions, your uploaded files, and your generated BCP from the systems we control, within thirty days.
One honest carve-out: aggregated and derived signals that have already been absorbed into our internal systems (for example: a counter that says "x percent of brands ship a sans-serif heading face") are not individually reversible. Those signals carry no identifier that points back to you. We do not maintain a "delete from the model" button because such a button would not be honest about what is technically possible.
6. Your rights and choices
Wherever you live, you can:
- See your data. Ask and we will tell you what we have.
- Export your data. Your BCP is yours. We will deliver it in machine-readable form on request.
- Delete your data. You can delete your account from the Encoder, or write to us and we will do it for you.
- Correct your data. Most of it you can edit in the app. For anything else, write to us.
- Manage emails. Opt out of non-essential lifecycle emails at any time, using the unsubscribe link in any such email or by writing to us. Essential account and transaction messages still apply.
If you are in the European Economic Area, the United Kingdom, or California, you have additional rights under the GDPR, UK GDPR, and CCPA respectively, including the right to object to certain processing and the right not to be discriminated against for exercising your rights. To exercise any of these, use the contact address below.
7. Security
We host the Encoder on Vercel and store data on Supabase. Data is encrypted in transit (TLS) and at rest (Supabase default encryption). Service-role credentials never reach the browser. Our team uses single-sign-on with hardware-key second factors.
No system is perfectly secure. If we ever discover a breach that affects your data, we will tell you promptly and tell you what we know.
8. Cookies
We use two kinds of cookies. Strictly necessary cookies run the service: a session cookie from Clerk so you stay signed in, transient cookies from Stripe during checkout, and Supabase auth cookies. These are always on. Analytics cookies come from Google Analytics and are off by default: they load only if you accept them in our cookie banner, and you can decline with no loss of function. Our other analytics tool, Vercel Web Analytics, is cookieless. We do not use advertising cookies.
9. Children
The Encoder is a business product. It is not directed at children and we do not knowingly collect data from anyone under 16.
10. International users
Your data is processed in the United States. If you are in a jurisdiction that requires specific transfer safeguards (for example, the EEA or the UK), our processing relies on the relevant Standard Contractual Clauses with the subprocessors listed above. We will sign a Data Processing Agreement with you on request.
11. Changes to this policy
We will update this policy when our practices change. The "Last updated" date at the top will move. If a change is meaningful — for example, a new category of data, a new use, or a new subprocessor that materially changes the risk picture — we will email account holders before it takes effect.
12. Contact
Privacy questions, deletion requests, DPA requests, and anything else covered above:
Estuary Group LLC d/b/a Encoded Brands
1005 Northgate Drive, #193
San Rafael, CA 94903