BrandSure

Legal

Privacy Policy

Your trust matters. Here's how we handle your data — transparently and responsibly.

Effective date: April 2, 2026

Last updated: April 2, 2026


1. Who we are

BrandSure ("we", "us", "our") operates a product authentication platform that uses NXP NTAG 424 DNA NFC chips to provide cryptographic identity for physical products. This Privacy Policy explains how we collect, use, store, and protect information when you interact with our platform — whether you are a brand partner, a consumer verifying a product, or a visitor to our website.

Our platform is accessible through our website and through NFC-triggered verification URLs embedded in physical products. When you tap an NFC-enabled product, your phone opens a verification URL containing encrypted query parameters (picc_data, enc, cmac). No personal information is included in this URL — only cryptographic data that allows us to confirm the product's identity.


2. Information we collect

2.1 Information from consumers (product verification)

When you tap an NFC-enabled product to verify its authenticity, we process the following data in real time:

  • Encrypted PICC data (picc_data) — an AES-128 encrypted block containing the tag's unique identifier (UID) and rolling counter, generated by the chip hardware
  • Encrypted file data (enc) — optional encrypted product data from the chip, when configured
  • CMAC signature (cmac) — a cryptographic message authentication code used to verify the authenticity of the tap event
  • Timestamp — the date and time the verification request is received

Currently, verification requests are processed statelessly — we authenticate the cryptographic data and return a result. We do not persistently store individual verification events, IP addresses, device information, or location data in our current implementation.

As our platform matures, we may introduce persistent logging of verification events (scan counts, timestamps, approximate geographic data) to provide analytics to brand partners. This policy will be updated before any such data collection begins.

We do not require you to create an account, provide your name, email, or any personal contact information to verify a product.

2.2 Information from brand partners

When a brand registers for our platform, we collect:

  • Business name, contact name, and email address
  • Billing and payment information
  • API credentials and integration configuration
  • Product catalog data (SKUs, product names, metadata)

2.3 Provisioning records

When an NFC chip is provisioned for our platform, we record:

  • The tag's unique identifier (UID)
  • A SHA-256 hash of the derived cryptographic key (not the key itself)
  • The provisioning timestamp and status
  • Key version numbers

This provisioning log is used during verification to match incoming authentication requests to known chips. It does not contain any personal information.

2.4 Information collected automatically

When you visit our website, standard web server interactions occur. We do not currently use analytics services, tracking pixels, or advertising technologies.

Our website loads fonts (Inter, Instrument Serif, JetBrains Mono) from Google Fonts, which means your browser makes requests to Google's servers when visiting our site. Google's privacy policy governs how they handle these requests.


3. How we use your information

We use the information we collect to:

  • Authenticate products — verify cryptographic signatures against our records and confirm product authenticity in real time
  • Prevent fraud — detect rolling counter anomalies, replay attacks, and tamper evidence through the chip's cryptographic mechanisms
  • Provision and manage tags — maintain a registry of chip identifiers and associated key hashes for verification purposes
  • Provide analytics to brand partners — as our platform develops, we plan to offer aggregated and anonymized verification analytics including scan volumes and geographic distribution
  • Communicate — send brand partners transactional emails, security alerts, and (with consent) product updates
  • Comply with legal obligations — respond to lawful requests and enforce our terms of service

4. How we share your information

We do not sell your personal information. We may share information in the following circumstances:

  • With brand partners — aggregated and anonymized verification analytics for products they own. Brand partners may receive scan counts and counter data but never individual consumer identities
  • With service providers — trusted third parties that help us operate our platform (hosting, payment processing), bound by contractual obligations to protect your data
  • For legal compliance — when required by law, regulation, legal process, or governmental request
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with continued protection of your data

5. Data storage and retention

Our current data storage includes:

| Data type | Storage method | Retention |
|---|---|---|
| Provisioning records (UIDs, key hashes, timestamps) | Encrypted local storage | While tags are active |
| Platform cryptographic keys | AES-256-GCM encrypted files or Azure Key Vault | While tags are active; destroyed upon decommissioning |
| Product catalog data | Application data store | Duration of brand partnership |
| Consumer verification events | Not currently persisted | N/A |

As we build out our production infrastructure, we will implement structured data retention policies and update this section accordingly. You may request information about or deletion of your data at any time (see Section 9).


6. Data security

Security is foundational to our platform. We implement:

  • AES-128 encryption for all chip-level cryptographic operations, per the NXP NTAG 424 DNA specification
  • AES-256-GCM encryption for stored cryptographic key material
  • Key diversification — per-chip derived keys (using AES-CMAC per NXP AN10922) ensure that compromise of one key does not affect other products
  • Rolling counters — every chip interaction generates a unique cryptographic signature that cannot be replayed
  • Encrypted PICC data — tag identifiers and counters are transmitted in AES-128-CBC encrypted form, never as plaintext
  • CMAC verification — every tap is validated using AES-CMAC (NIST SP 800-38B) to detect tampering or forgery
  • TLS encryption for all data in transit when deployed with HTTPS

Cryptographic key material is stored using AES-256-GCM encryption. In production deployments, keys are managed through Azure Key Vault. Key material is never exposed in application logs or API responses.

We use WebSocket connections for real-time provisioning and verification operations. The data transmitted over WebSockets is the same cryptographic data described above and is subject to the same security protections.


7. International data transfers

Our platform may process data in jurisdictions outside your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses approved by relevant regulatory authorities
  • Data processing agreements with all service providers
  • Compliance with applicable data protection regulations including GDPR and CCPA

8. Cookies, local storage, and tracking

We take a minimal approach to browser storage:

  • Local storage — we store your theme preference (light or dark mode) in your browser's local storage. This stays on your device and is never transmitted to our servers.
  • Cookies — we do not currently set any cookies.
  • Analytics — we do not currently use any analytics or tracking services.
  • Advertising — we do not use third-party advertising cookies or cross-site tracking.

As noted in Section 2.4, our website loads fonts from Google Fonts, which involves your browser making requests to Google's servers.


9. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Deletion — request that we delete your personal data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Restriction — request that we limit processing of your data
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@brandsure.io. We will respond within 30 days.


10. Children's privacy

Our platform is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.


11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify brand partners by email
  • Post a notice on our website

Your continued use of the platform after changes are posted constitutes acceptance of the updated policy.


12. Contact us

If you have questions about this Privacy Policy or our data practices:

  • Email: privacy@brandsure.io
  • Address: BrandSure Technologies, Inc.

This policy is designed to be read alongside our Terms of Service and the technical documentation available to brand partners.