Now accepting projects for Q2 — book a discovery call → contact us →
Home Privacy Policy
Last updated · 25 April 2026

Privacy Policy.

Plain-English explanation of what data we collect, why we collect it, where it goes, and what you can ask us to do with it. We've written this policy with the spirit of the Australian Privacy Principles and India's Digital Personal Data Protection Act, 2023, because most of our clients sit in one of those two jurisdictions.

The 30-second summary

  • We only collect what we need to reply to you and run your project.
  • We never sell your data. Ever.
  • You can ask us to access, correct or delete your data at any time.
  • If you're an AU client, your project data may be processed in India by our team — we disclose every sub-processor below.

Who we are

Brandwings ("we", "us") is an India-registered design and engineering studio operating from Durgapur, West Bengal. Around 90% of our clients are Australian businesses. For the purposes of this policy, we are the data controller for the personal information you submit through our website, email, or any of our communication channels.

If you engage us to build a product, we may also act as a data processor for personal information your end-users submit through that product. In that case, our handling is also governed by your project agreement.

What we collect

Information you give us directly

  • Name, email, phone number, company name, country and project description — when you fill out a contact form, request a quote or subscribe to our blog newsletter.
  • Billing details (business name, ABN/ACN if applicable, address) — when you sign a proposal and become a client.
  • Content, files, credentials and access tokens you share with us in the course of a project.

Information we collect automatically

  • IP address (truncated), device type, browser, referring URL, pages viewed and time on page — through our website analytics.
  • Email engagement (opens, clicks) for our newsletter, where permitted by your email client.

What we do NOT collect

  • Sensitive personal information (race, religion, health) — we have no business reason to collect it.
  • Payment card numbers — handled directly by Stripe; we never see or store full card details.

Why we collect it

  • To respond to enquiries and prepare quotes.
  • To deliver, maintain and support the projects we are contracted to build.
  • To issue invoices and receive payment.
  • To send the weekly blog newsletter you opted in to.
  • To improve the website and our service offering (aggregated analytics only).
  • To comply with our tax, audit and legal obligations.

Who we share it with (sub-processors)

We use the following service providers to operate. Each is bound by data-processing terms appropriate to its category:

ProviderPurposeRegion
Google WorkspaceEmail, document collaborationGlobal / AU presence
StripeCard payments & invoicingAU + global
WiseInternational bank transfersUK + AU
SlackInternal & client communicationUS
NotionProject management, scopingUS
GitHubSource-code hostingUS
AWS SydneyApplication hosting (where chosen)Australia
Plausible / Google AnalyticsPrivacy-respecting site analyticsEU / Global

We do not sell, rent or trade personal data to anyone, ever. We share with these providers strictly to deliver the services you've asked for.

International data transfer

Because we are based in India and most of our clients are in Australia, your data is likely to be transferred between these two jurisdictions, and to the regions where our sub-processors operate (typically AU, IN, US, EU).

We rely on contractual safeguards (data-processing addenda) and the recipient's published privacy commitments to ensure transfers are lawful and your data remains protected. Where you are an Australian individual, this disclosure satisfies the cross-border-disclosure obligation under Australian Privacy Principle 8.

How long we keep it

  • Enquiry / quote data: 24 months from last contact, then deleted unless you become a client.
  • Active client project data: for the life of the engagement plus 7 years (Indian and Australian record-keeping requirements for tax and contracts).
  • Newsletter data: until you unsubscribe; deletion within 30 days of unsubscribe request.
  • Analytics data: aggregated and retained for 26 months in Google Analytics (default).

Your rights

Regardless of where you live, you can ask us at any time to:

  • Access the personal information we hold about you.
  • Correct anything that's inaccurate or out of date.
  • Delete your data, where we no longer need it for a contract or legal obligation.
  • Object to processing for marketing purposes (one-click unsubscribe in every email).
  • Port your data — receive a copy in a common format you can take elsewhere.
  • Withdraw consent previously given.

Email hello@thebrandwings.com with the subject "Privacy request" and we'll action it within 30 days, free of charge.

Cookies & analytics

Our website uses a small number of cookies and similar technologies to:

  • Remember whether you've dismissed a banner.
  • Track aggregate site traffic (privacy-respecting analytics).
  • Power embedded YouTube / form services on certain pages, where applicable.

We do not run third-party advertising or remarketing pixels. You can disable cookies in your browser at any time; the site will continue to function normally.

How we protect your data

  • All data in transit is encrypted with TLS 1.2+.
  • Internal credentials are stored in a password manager with 2-factor authentication mandatory for every team member.
  • Production access is granted on a least-privilege basis and revoked when team members leave.
  • Code is reviewed before merging; secrets are never committed to source control.
  • Backups are encrypted and access-restricted to senior engineering only.

No system is 100% secure, but we treat our security responsibilities seriously and review them periodically.

Children's data

Our services are intended for businesses and adults. We do not knowingly collect personal information from children under 16. If you believe a child has submitted information to us, please email us and we will delete it.

Data breaches

If a security incident exposes your personal information in a way that creates a serious risk to you, we will notify you and the relevant regulator within statutory timeframes:

  • Australian clients: as required under the Notifiable Data Breaches scheme of the Privacy Act 1988.
  • Indian residents: as required under the Digital Personal Data Protection Act, 2023.

Updates to this policy

We may update this policy occasionally — when our service stack changes, when laws update, or when we improve a practice. The "Last updated" date at the top reflects the current version. Material changes will be communicated to active clients and newsletter subscribers in writing.

Contact & complaints

For any privacy question, request, or complaint:

If you are an Australian individual and unsatisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC)oaic.gov.au. Indian residents may complain to the Data Protection Board of India once it is constituted under the DPDPA.

Want a clearer answer?

Privacy isn't supposed to be confusing. If anything here is unclear or doesn't seem to fit your situation, ask — we'll explain.

Get in touch