Weavily

Legal

Privacy Policy

What we collect, why we collect it, who touches it, and the rights you have over it — in plain language.

Last updated: June 11, 2026

Who we are

Weavily operates the AI logo and brand-kit generator at weavily.com (the “Service”). For the purposes of the UK GDPR and the EU GDPR, Weavily is the data controller of the personal data described in this policy. You can reach us about anything privacy-related at [email protected].

This policy covers the Service only. Third-party sites we link to — and the privacy practices of the providers listed in Section 4 when they act as independent controllers (for example Google during sign-in) — are governed by their own policies.

What we collect

Account data (from Google)

You sign in with Google OAuth. From your Google profile we receive and store your name, email address and avatar URL, plus a Google account identifier used to match your account on subsequent sign-ins. We never see or store your Google password.

Brand briefs & generated assets

When you create a project we store the brief you submit — brand name, tagline, description, industry, style, colors — and everything the pipeline produces for you: PNG and SVG logo files, animations, brand guidelines and packaged kits, together with project status and timestamps. Briefs can contain personal data if you choose to include it (for example, naming a brand after yourself).

Payment metadata

Payments are handled by Stripe. We store only payment metadata: what was purchased (credit package or commercial license), amounts, currency, timestamps, Stripe transaction identifiers, and the resulting credit balance. We never store card numbers or full payment credentials — those go directly to Stripe.

Usage analytics (only if enabled)

When analytics is enabled in your environment, we collect product-usage events (for example: signed in, wizard step completed, generation started/completed, asset downloaded, checkout started) tied to your user ID, along with standard device and page information. If analytics is not enabled, none of this is collected.

Technical logs

Like nearly every online service, our servers keep short-lived operational logs (IP address, request path, status, user agent) used for security, debugging and abuse prevention.

How we use your data

  • To provide the Service — authenticate you, run the generation pipeline on your briefs, store and serve your assets, maintain your credit balance, and issue licenses.
  • To process payments — create Stripe checkout and payment sessions, reconcile purchases, apply credits and attribution removal, and handle refunds.
  • To support you — respond to emails, investigate failed generations, and re-credit your account where appropriate.
  • To secure and improve the Service — monitor for abuse, debug failures, and (only when analytics is enabled) understand which features are used so we can improve them.
  • To meet legal obligations — accounting, tax, and responding to lawful requests.

We do not sell your personal data, and we do not use your brand briefs or generated logos to advertise to other users.

Processors & subprocessors

We share data with a small set of providers, each only to the extent needed to run the Service:

Weavily's processors and subprocessors, the data shared with each, and the purpose
Provider | Purpose | Data involved
Google (OAuth) | Sign-in / authentication | Google profile (name, email, avatar), account identifier
Stripe | Payment processing | Payment details (collected directly by Stripe), purchase metadata, email
Cloudflare R2 | Asset storage and delivery | Generated logos, animations and brand-kit files
Google Gemini / other AI providers | Logo generation | Brand briefs (name, tagline, description, industry, style, colors) are sent to AI providers to generate your logos
PostHog (when analytics is enabled) | Product analytics | Usage events, user ID, email, device and page information

AI providers process your brief to return generated imagery; we configure commercial API tiers, which under current provider terms are not used to train their public models. If we add or change a subprocessor in a way that affects your personal data, we will update this policy.

How long we keep data

  • Account data — kept until you delete your account, then removed within 30 days, except where law requires longer.
  • Brand briefs & generated assets — kept until you delete the project or your account, whichever comes first. Deleted assets are purged from storage and from backups on the next backup rotation.
  • Payment metadata — retained for up to 6 years after the transaction, as required for UK tax and accounting purposes. Stripe retains its own records under its policy.
  • Analytics events (when enabled) — retained per our analytics configuration and deleted or anonymized on account deletion request.
  • Operational logs — retained for no more than 90 days unless needed for an active security investigation.

Your rights

If you are in the UK or the EU (and in many other jurisdictions), you have the right to:

  • Access — get a copy of the personal data we hold about you;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure — have your account, briefs and assets deleted (“right to be forgotten”);
  • Restriction — limit how we process your data while a dispute is resolved;
  • Portability — receive your data in a structured, machine-readable format;
  • Objection — object to processing based on legitimate interests;
  • Withdraw consent — for analytics, at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected] from the address on your account. We respond within one month. You also have the right to complain to a supervisory authority — in the UK, the Information Commissioner’s Office (ICO); in the EU, your local data-protection authority.

International transfers

Our providers operate globally, so your data may be processed outside the UK and the European Economic Area — for example, AI generation and analytics requests may be served from the United States. Where data leaves the UK/EEA, we rely on safeguards recognized under UK/EU GDPR: adequacy decisions where available (including the EU–US and UK–US Data Privacy Frameworks for certified providers) and Standard Contractual Clauses / the UK International Data Transfer Addendum otherwise. You can request details of the safeguards applicable to a specific transfer via [email protected].

Cookies & local storage

Weavily is deliberately light on cookies. We use no advertising cookies and no cross-site trackers.

Cookies and local storage used by Weavily
Name | Type | Purpose | Duration
next-auth session cookie | Strictly necessary cookie | Keeps you signed in securely (session token, CSRF protection) | Session / up to 30 days
weavily-theme | localStorage (not a cookie) | Remembers your light/dark theme preference on this device | Until cleared
PostHog analytics (only when analytics is enabled) | Analytics cookie / localStorage | Distinguishes users and sessions for product analytics | Up to 12 months

Strictly necessary cookies do not require consent. The analytics cookie is only set when analytics is enabled; to withdraw, use your browser’s site-data controls to clear it or email us and we will remove your analytics profile.

Children

The Service is not directed at children and is not intended for anyone under 16. We do not knowingly collect personal data from under-16s. If you believe a child has created an account, contact [email protected] and we will delete the account and its data.

Changes to this policy

We will update this policy when our practices or providers change. Material changes — for example a new category of data or a new subprocessor handling briefs — will be announced by email or an in-app notice before they take effect. The “Last updated” date above always reflects the current version; substantive prior versions are available on request.

Contact

For privacy questions, data-subject requests, or anything in this policy: [email protected]. For the terms that govern use of the Service, see our Terms of Service; for logo usage rules, see the License page.