Privacy Policy — Bravely Studios — Marketing Email & Newsletter

This policy describes how we handle your information when you subscribe to our marketing emails, our studio newsletter, product announcements, or other promotional messages we send from any @bravely.dev address. It does not cover the information our individual apps (for example, Todoing.ly, Markd.ly, Diskaroo, PrintScreen.ly, Sticki.ly, or SayCopyPaste) collect when you use them. Each app has its own privacy policy at bravely.dev/privacy/<app> that applies to the data that app handles. Service notifications about a purchase or account you already have with us — receipts, password resets, security notices, refund updates, and similar transactional messages — are also outside the scope of this policy. Those are sent under separate legal bases (contract or legal obligation) and are not part of our marketing program. If you only ever bought a Bravely app and never asked to hear from us by email, you are not on our marketing list and this policy does not describe how we use your data.

When you submit a subscription form, opt in during checkout or a trial, ask for a contact-form follow-up, confirm a double-opt-in message, or unsubscribe, we record the information needed to manage that marketing relationship: • Email address. We store the address you entered and a normalized version (trimmed, lowercased, Unicode-normalized) used for deduplication. • Email hash. We store an HMAC-SHA256 hash of the normalized email address using a server-side secret. This hash lets us enforce suppressions — such as "this address unsubscribed" — after the plain email address has been deleted from our database. • List, app, source, and consent context. We store the list you joined (for example, bravely_newsletter), the app or page the request relates to, the source type of the capture (marketing page, checkout opt-in, trial signup, contact-form follow-up, admin import, etc.), the jurisdiction classification, whether a checkbox was default-checked, the consent method, the lawful basis we relied on, the verbatim consent wording we showed you, the consent version label, and timestamps for capture, confirmation, unsubscribe, suppression, and redaction events. • Country / jurisdiction signal. Cloudflare, our hosting provider, attaches a two-letter country code (cf-ipcountry) to incoming requests. We store the resulting jurisdiction classification so we can apply the correct consent flow for your region. • IP hash and User-Agent. We store a keyed hash (the first 16 hex characters of an HMAC-SHA256) of the IP address that submitted the form and the User-Agent string sent by your browser or app. These are used for abuse prevention, debugging, and consent-record context. We do not store the raw IP address, and we do not combine these values to fingerprint you. • Form and referral context. The page URL, the section of the page (for example, homepage_footer), any utm_* parameters, the document referrer, and a snapshot of the raw capture payload needed to audit the source. • Account and lifecycle context, when present. If your subscription is linked to a Bravely account, a checkout, a trial, an app lifecycle event, or a contact-form follow-up, we may store the Bravely account identifier, the app slug, an event type, and an event timestamp needed to send the marketing you asked for and to enforce suppression rules at the right scope. • Delivery and suppression records. For sent messages we store the provider message ID, delivery status, delivery delays, bounce status, complaint status, a hashed subject line (not plaintext), a hash of the unsubscribe token, the suppression scope and reason where applicable, and a tamper-evident audit-log entry. We collect this information to send the marketing you requested, prove and manage consent, prevent abuse, deduplicate records, honor unsubscribes and objections, suppress addresses after bounces or complaints, and maintain a compliance record under GDPR Article 7(1) (controller must be able to demonstrate consent), CASL section 13, and CAN-SPAM record-keeping practice.

Your record is stored in a Cloudflare D1 database operated by us, in a workspace we call bravely-marketing. The marketing database is deliberately separated from our customer-account database so that pre-customer leads cannot become entangled with the records we use to verify your purchases and entitlements. Within the marketing database, the email hash is the deduplication key: a re-subscribe to the same address updates an existing row instead of creating a duplicate. We send marketing emails through Resend Inc. (resend.com), our email service provider. Resend acts as a processor under GDPR Article 28; Bravely Studios is the controller. When we instruct Resend to deliver an email, Resend receives the recipient address, the message contents, and a provider message ID we use to track delivery status back to our database. Resend may process this information only as needed to provide email-delivery services to us under its agreement with us. Resend sends signed webhook events back to us for delivery delays, hard bounces, soft-bounce thresholds, and spam complaints, which we use to keep our suppression list accurate. Unsubscribes are handled by our own unsubscribe endpoint and recorded directly to our consent, membership, suppression, and audit-log tables — not through Resend. Some subscription records originate through Bravely account, checkout, trial, contact-form, or app-lifecycle systems. Those systems send only the fields needed to create, link, or update the marketing contact and consent record. Resend is the only outbound marketing email provider we use.

We apply consent rules based on the jurisdiction classification attached to your request: • European Economic Area (EEA) and United Kingdom. We send marketing emails only with consent under Article 6(1)(a) of the GDPR and the UK GDPR, using a clear affirmative action (an unchecked tickbox or explicit click) and double opt-in. We do not use pre-ticked boxes for EEA or UK subscriptions. We also apply the electronic-mail marketing rules under PECR / the EU ePrivacy framework that sit alongside data-protection law. • Canada. Express consent and double opt-in under Canada's Anti-Spam Legislation (CASL), with a recorded copy of the consent wording, the date, and the manner of consent. • United States. The federal CAN-SPAM Act of 2003 applies. Where state privacy laws apply (including the California Consumer Privacy Act / California Privacy Rights Act, the Virginia CDPA, the Colorado Privacy Act, and similar comprehensive privacy laws as they take effect), we comply with those laws as well. • Australia and other countries. We default to express opt-in and double opt-in. We do not rely on inferred consent in our current system. The Australian Spam Act 2003 (Cth) and the Australian Privacy Principles apply where relevant. • Anywhere else, or where we cannot determine your jurisdiction. We default to express opt-in and double opt-in as a safe baseline. Our capture system rejects, or downgrades to an explicit opt-in flow, any submission from EEA, UK, or Canadian users that arrived with a pre-checked consent box. For users in the EEA and UK, our purpose-by-purpose lawful bases are: • Sending marketing emails: consent. • Recording and proving consent: legal obligation and our legitimate interest in demonstrating compliance. • Honoring unsubscribes, objections, suppressions, bounces, and complaints: legal obligation and our legitimate interest in not sending unwanted or unlawful marketing. • Abuse prevention, bot mitigation (including Cloudflare Turnstile), and security logging: our legitimate interest in protecting the service and the integrity of consent records. • Linking a marketing record to a Bravely account or app lifecycle event: consent for marketing sends, plus our legitimate interest in accurate suppression, deduplication, and compliance records.

For EEA, UK, Canadian, Australian, unknown, and default flows, we use double opt-in: 1. You submit your email address through one of our forms. 2. We send a confirmation email asking you to click a link to confirm. 3. Until you confirm, your list membership stays in a pending state and we do not send marketing email to you for that list. 4. When you click the confirmation link, we record the confirmation event and update your list membership to subscribed. 5. Unconfirmed pending records are redacted after 180 days. US-only lists may skip double opt-in only when that specific list has been configured for it and the capture is valid under our approved US-only flow. The confirmation email itself, the click that confirmed it, the verbatim consent wording shown, and the date and time of each step are all recorded in our consent log as the legal proof that you opted in.

Depending on where you live, you have specific rights over the personal data we hold about you. We will not discriminate against you for exercising any of them. EEA / UK (GDPR and UK GDPR). You have the right to: • Access — request a copy of the personal data we hold about you. • Rectification — ask us to correct inaccurate data. • Erasure — ask us to erase data (subject to the limited records we must retain as proof of consent and unsubscribe; see "How long we keep your data"). • Portability — receive a portable copy of data you provided in a machine-readable format. • Restriction — ask us to restrict processing in certain cases. • Object to direct marketing — at any time. When you object or unsubscribe, we stop sending marketing to the affected list or scope. • Withdraw consent — at any time, as easily as you gave it. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal. • Lodge a complaint — with your national data-protection supervisory authority. UK residents can contact the Information Commissioner's Office (ico.org.uk). A list of EEA authorities is maintained by the European Data Protection Board (edpb.europa.eu). Providing your email address for marketing is not required by law or by a contract with us. If you do not provide it, we cannot send you marketing emails. We do not use marketing-email data for solely automated decisions that produce legal or similarly significant effects; our jurisdiction routing only determines which consent flow applies. We have not appointed a Data Protection Officer; privacy requests go to privacy@bravely.dev. We have not appointed an Article 27 representative in the EEA or UK; if you are in the EEA or UK and need to escalate, you can contact privacy@bravely.dev or your local supervisory authority directly. California (CCPA / CPRA). You have the right to know what categories of personal information we have collected and our purposes for collecting it; to delete personal information (subject to legal exceptions); to correct inaccurate information; to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising (we do neither — see "No selling, no sharing"); and to limit the use of any sensitive personal information. We do not knowingly collect sensitive personal information for marketing purposes. We have not sold or shared personal information in the preceding 12 months and do not intend to. To verify access, deletion, or correction requests, we match the request to the email address or other identifiers in our marketing records and may ask for limited additional information needed only to verify and complete the request. You may designate an authorized agent in writing to act on your behalf as permitted by Cal. Civ. Code section 1798.140(i); we may verify the agent's authority and confirm the request directly with you before acting. Other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as they take effect). The equivalent access, correction, deletion, and opt-out rights apply. You may exercise them by emailing privacy@bravely.dev. If the law gives you a right to appeal a denied request, reply to our decision email with "Appeal" and we will respond in writing within the period required by the applicable law. Canada (PIPEDA). You have the right to access and request correction of your personal information, and you can withdraw consent at any time, subject to legal limitations and reasonable notice. Australia. You have rights of access and correction under the Australian Privacy Principles. We will respond to verifiable requests within the timeframe required by the law that applies to you (generally 30 days for GDPR, 45 days for CCPA, with a permitted extension where allowed by law). You can reach us for any rights request at privacy@bravely.dev.

Every marketing email we send includes an unsubscribe link. The link uses a signed token, does not require you to log in or create an account, and takes you to a page where the unsubscribe is submitted to our consent-revocation endpoint. You can also email privacy@bravely.dev at any time and ask to be removed. When you unsubscribe, we record a consent-revocation event, update your list membership, add a suppression entry, and append a tamper-evident audit-log entry. Our sending system checks active suppressions before sending marketing. We honor unsubscribe requests within the strictest applicable deadline: without undue delay, no later than 10 business days for CAN-SPAM (US) and CASL (Canada) messages, and no later than 5 working days for messages covered by the Australian Spam Act. Our unsubscribe mechanism remains available for at least 30 days after each US or Australian message and at least 60 days after each Canadian commercial electronic message; in practice we keep unsubscribe links valid for the life of the message. If the only active suppression on your address is a prior unsubscribe, a new opt-in can lift that unsubscribe suppression and create a fresh consent record. Other suppressions — hard bounces, complaints, DSAR redaction, invalid-address blocks, and spam-trap blocks — are not lifted by ordinary re-subscribe.

For every marketing email we send: • We identify Bravely Studios LLC as the sender, use accurate "From" and routing information, and use non-deceptive subject lines. • We disclose that the message is a marketing communication where the law requires it. • We include our contact details — email address and (where applicable) a postal contact — in the message footer. • We include a clear unsubscribe method that does not require a fee, account creation, login, or more steps than the law allows. After you opt out, we do not sell or transfer your address except to a service provider used solely to honor the opt-out or comply with the law. • For CASL, our consent requests identify Bravely Studios LLC, state the purpose of the consent, provide our contact information, and explain that you can withdraw consent. • For Australian messages, our contact details remain accurate for at least 30 days after sending, and we honor unsubscribe requests within 5 working days.

• Unconfirmed (pending) memberships: redacted after 180 days. • Contact-source payload, IP hash, and User-Agent: scrubbed after 13 months from the source event. The source row and non-PII analytics fields may remain. • Event-level IP hash, User-Agent, and payload JSON: scrubbed after 13 months; the event row and event type may remain. • Confirmed contacts, consents, and list memberships: retained indefinitely unless you request deletion or redaction and no legal exception requires us to keep them. • After deletion or redaction: your plain email address, normalized email, email domain, contact-source PII, and event PII are nulled. The email hash, the consent facts (action, lawful basis, verbatim consent text, version, and timestamps), suppression records, and audit-log entries remain so we can prove consent history, honor unsubscribes, and avoid re-adding your address by accident. • Suppressions: retained indefinitely. Suppressions survive redaction through the email hash. • Audit log: retained indefinitely. The audit log is append-only and tamper-evident; it is the compliance record for consent grants, revocations, suppressions, lifts, redactions, account links, merges, and admin actions. • Sent-message records: retained indefinitely. The subject line is stored as a hash, not as plaintext. • Resend records: Resend retains message and delivery data under its own policies and our data-processing terms.

We do not sell your marketing-email personal information or share it for cross-context behavioral advertising as those terms are used in California's CPRA, and we have not done so in the preceding 12 months. We do not load your email address into advertising networks, match it against third-party ad audiences, or use it to retarget you on social platforms or the web. We do not place advertising cookies or tracking pixels in our marketing emails for cross-site profiling. If that practice ever changes, we will update this policy and provide the opt-out rights required before any sale or sharing begins.

For this marketing program, we collect these categories of personal information from California residents (as defined under the CCPA / CPRA): • Identifiers — email address, normalized email, email hash, internal contact IDs, and Bravely account identifier where linked. • Internet or other electronic network activity — User-Agent string, page URL, page section, document referrer, UTM parameters, and delivery events. • Coarse geolocation — country / jurisdiction signal derived from your network connection. • Commercial or relationship information — list, app, source, and consent context where the subscription comes through checkout, trial, contact-form, or app lifecycle flows. • Inferences — limited to list membership, consent state, and suppression state. Sources include you, your browser or app, our Bravely account / checkout systems, and our email service provider. We use this information to manage your subscription, send the marketing you requested, prove consent, prevent abuse, measure delivery health, honor unsubscribes and suppressions, and comply with applicable law. We disclose relevant categories to service providers that host the service or send email for us (see "Third parties"). We do not sell or share this information for cross-context behavioral advertising. We do not collect, use, or disclose sensitive personal information for purposes that would trigger the right to limit. Retention is described in "How long we keep your data." Verification and authorized-agent processes are described in "Your rights."

We use the following sub-processors, each under a written data-processing agreement consistent with GDPR Article 28: • Cloudflare, Inc. — provides the web hosting, Workers runtime, and D1 database we use to operate the marketing program, and the bot-mitigation challenge (Turnstile) shown on our subscription forms. See cloudflare.com/privacypolicy and the Cloudflare Data Processing Addendum. • Resend Inc. — sends our marketing email and reports delivery events back to us. See resend.com/legal/privacy-policy and our agreement with Resend. We do not give these sub-processors data beyond what they need to provide their service to us. If we add or change a sub-processor in a way that materially changes how your data is processed, we will update this policy and provide additional notice where required by law or by our data-processing commitments.

Our marketing program is intended for adults. We do not knowingly collect personal information from anyone under 13 years old, and we do not knowingly collect personal information from anyone under 16 years old in the EEA, UK, or other jurisdictions where 16 is the relevant age of consent for information-society services. If you believe a child has subscribed, email privacy@bravely.dev and we will delete the record.

Bravely Studios LLC is a US company. We and our sub-processors may process marketing data in the United States and other countries where they operate. For personal data originating in the EEA or UK, we use appropriate transfer safeguards in our processor agreements, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent UK transfer terms, where required. You can request more information about the safeguards that apply by emailing privacy@bravely.dev.

If we make material changes to this policy — for example, adding a new category of data we collect, naming a new sub-processor, or changing the legal basis for processing — we will update the "Effective" and "Last updated" dates and provide additional notice where required by law. If a material change requires new consent under GDPR, UK GDPR, CASL, or another consent-based regime, we will ask for that consent before using your information for the new purpose. Non-material changes (typo fixes, clarifications, link updates) will be reflected by updating the "Last updated" date only.

You can reach us at: Bravely Studios LLC Email: privacy@bravely.dev Website: https://bravely.dev Postal address: available on request to privacy@bravely.dev. For California residents, an authorized agent may submit requests on your behalf at privacy@bravely.dev. We may verify the agent's authority and confirm the underlying consumer request with you before acting.