Privacy Policy
Last updated: April 14, 2026
1. Controller
The controller responsible for data processing on this website is:
InnovationCraft UG (haftungsbeschränkt)
Im Vogelsang 22
56743 Thür, Germany
Email: support@brightbean.xyz
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (e.g., names and email addresses).
2. Services Covered
This privacy policy covers all services operated by BrightBean, including:
- BrightBean API: Our YouTube Intelligence API that provides structured data and analytics derived from publicly available YouTube content.
- BrightBean Studio: Our social media management tool that enables you to manage, schedule, publish, and analyze content across social media platforms.
Together, these are referred to as the "Service" throughout this policy.
3. Overview of Data Processing
3.1 What Data We Collect
We may collect the following types of personal data:
- Account data: Email address and name when you sign up for an API key, BrightBean Studio account, or waitlist.
- Google account data: Google profile information (name, email address, profile picture) received when you sign in with Google.
- YouTube data: YouTube channel information, videos, comments, ratings, and captions accessed through your linked YouTube account.
- Google Business Profile data: Business listing information accessed through your linked Google Business Profile.
- Usage data: API call logs, request timestamps, endpoints accessed, response codes associated with your API key, and activity within BrightBean Studio (e.g., scheduled posts, content drafts, and platform interactions).
- Technical data: IP address, browser type, operating system, and referring URL when you visit our website.
- Communication data: Content of emails or messages you send to our support address.
3.2 How We Use Your Data
We process your personal data for the following purposes:
- Providing, maintaining, and improving the BrightBean API service (using publicly available YouTube data only).
- Providing, maintaining, and improving BrightBean Studio (using your connected account data solely for the management features you have authorized).
- Authenticating your identity via Google Sign-In.
- Managing your account and API key, including monitoring usage against your plan limits.
- Managing, scheduling, posting, and editing YouTube videos and interacting with comments on your behalf.
- Managing your Google Business Profile listings on your behalf.
- Communicating with you about your account, service updates, and support requests.
- Ensuring the security and integrity of our service, including fraud prevention and abuse detection.
- Complying with legal obligations.
3.3 Legal Basis for Processing
We process your personal data on the following legal bases under the GDPR:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide our API service to you.
- Legitimate interests (Art. 6(1)(f) GDPR): Processing necessary for service security, fraud prevention, and service improvement.
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as when you authorize access to your YouTube account or Google Business Profile via OAuth, or for marketing communications. You may withdraw consent or revoke access at any time.
- Legal obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with applicable laws.
4. Hosting and Server Log Files
Our website and API are hosted by third-party providers. When you access our website or API, the hosting provider automatically collects and stores information in server log files that your browser or client transmits. This includes:
- IP address of the requesting device
- Date and time of the request
- URL of the requested resource
- HTTP status code
- Browser type and version (for website visits)
- Referring URL
This data is processed on the basis of our legitimate interest in ensuring the stable and secure operation of our service (Art. 6(1)(f) GDPR). Server log files are retained for a maximum of 30 days and then deleted.
5. Analytics
We use analytics tools to understand how visitors interact with our website. These tools may use cookies or similar technologies to collect information about your use of the website, including pages visited, time spent, and interactions. This data is processed in aggregated or pseudonymized form and is used solely to improve our website and service.
The legal basis for this processing is our legitimate interest in optimizing our online presence (Art. 6(1)(f) GDPR).
6. API and Studio Data Processing
The BrightBean API and BrightBean Studio are separate services with distinct data sources. Data from your connected accounts in BrightBean Studio is never used to power, train, or enhance the BrightBean API's intelligence features.
When you use the BrightBean API, we process the requests you make (including query parameters and endpoints called) to deliver the service. The API derives its data exclusively from publicly available YouTube content. We log API usage data (request timestamps, endpoints, response codes, and associated API key identifiers) for the purposes of rate limiting, billing, and service monitoring.
When you use BrightBean Studio, we process the content you create, schedule, and publish through the platform, as well as analytics data from your connected social media accounts, solely to provide the social media management features you have authorized.
7. Google API Services
BrightBean uses YouTube API Services and other Google API Services to provide core functionality. When you connect your accounts, we request specific permissions (OAuth scopes) to access data on your behalf:
7.1 Google Sign-In
We use Google Sign-In for authentication. This grants us access to your basic profile information (name, email address, and profile picture) to create and manage your BrightBean account.
7.2 YouTube API Services
BrightBean uses YouTube API Services. When you link your YouTube account, we request permission to:
- View your YouTube account information and channel data.
- Upload, edit, schedule, and manage your YouTube videos.
- View, create, edit, and delete comments, ratings, and captions on your behalf.
This data is accessed, collected, and stored solely to provide the YouTube management features you have authorized within BrightBean Studio. It is not used to power, train, or enhance the BrightBean API's intelligence features. We do not use YouTube data from connected accounts for advertising, and we do not share it with third parties except as described in Section 8 of this policy.
7.3 Google Business Profile
When you link your Google Business Profile, we request permission to view, edit, create, and delete your business listings. This data is accessed, collected, and stored solely to provide the Google Business Profile management features you have authorized within BrightBean.
7.4 Compliance and Revoking Access
BrightBean's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. For more information about how Google handles your data, see Google's Privacy Policy.
You can revoke BrightBean's access to your Google data at any time by visiting the Google security settings page or by disconnecting your account within the BrightBean application. Upon revocation, we will immediately stop accessing your Google data and delete all stored Google user data, including OAuth tokens and any cached YouTube or Google Business Profile data.
8. Data Sharing and Third Parties
We may share your personal data with the following categories of recipients:
- Hosting providers: For infrastructure and server operations.
- Payment processors: To handle subscription payments securely. Payment processors receive only the data necessary to complete transactions and are bound by their own privacy policies.
- Analytics providers: To help us understand website usage in aggregated form.
- Google: We send and receive data via Google APIs (YouTube Data API, Google Business Profile API) to provide the linked account features you authorize. Data shared with Google is subject to Google's Privacy Policy.
We do not sell your personal data to third parties. We only share data with third parties as described above or when required by law.
9. International Data Transfers
Some of our service providers, including Google, may process data outside the European Economic Area (EEA), such as in the United States. In such cases, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses or the service provider's participation in recognized data protection frameworks.
10. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account data: Retained for the duration of your account and deleted within 90 days of account closure, unless longer retention is required by law.
- API usage logs: Retained for up to 12 months for service monitoring and billing purposes.
- Server log files: Retained for up to 30 days.
- Communication data: Retained for as long as necessary to resolve your inquiry and for up to 3 years thereafter for legal purposes.
- YouTube and Google Business Profile data: Cached data from linked accounts is retained only while your account is active and the connection is authorized. Upon revocation or account closure, this data is deleted within 30 days.
- OAuth tokens: Retained while your account is active and your Google account is connected. Tokens are deleted immediately upon revocation or account closure.
11. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You may request information about whether and which personal data we process about you.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your personal data based on legitimate interests at any time.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, please contact us at support@brightbean.xyz.
You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.
12. Cookies
Our website may use cookies - small text files stored on your device by your browser. Some cookies are essential for the website to function properly (e.g., session cookies), while others help us analyze website usage (e.g., analytics cookies).
You can configure your browser to refuse cookies or to alert you when cookies are being sent. Please note that some features of the website may not function properly if cookies are disabled.
We also use session cookies to maintain your authenticated state when you sign in with Google.
13. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted data transmission (TLS/SSL), access controls, and regular security reviews.
14. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. We encourage you to review this page periodically.
15. Contact
If you have questions about this privacy policy or our data processing practices, please contact us:
InnovationCraft UG (haftungsbeschränkt)
Im Vogelsang 22
56743 Thür, Germany
Email: support@brightbean.xyz