Privacy Policy

Last updated: 11 April 2026. Issued by RFBT Limited (trading as Infinity Brand Marketing), 7 Bell Yard, London, England, WC2A 2JR.

1. Who we are

Infinity Brand Marketing is an autonomous AI marketing platform operated by RFBT Limited, a company registered in England and Wales. We help businesses grow through AI-powered content creation and marketing.

Contact: hello@infinitybrandmarketing.com
Address: 7 Bell Yard, London, England, WC2A 2JR

2. What data we collect

Your name and email address when you sign up
Your business website URL for AI analysis and strategy generation
Social media account connection data (Facebook pages, LinkedIn organisations) when you connect platforms
Campaign performance metrics and content approval history
Communication records when you contact us
Technical data: IP address, browser type, and device information
Consent records: timestamps of when you agreed to our terms and opted in to communications

3. Lawful basis for processing (GDPR Article 6)

We process your personal data only where we have a valid lawful basis. The table below explains what we do with your data and why we are legally permitted to do it.

Processing activity	Lawful basis	Details
Delivering your marketing strategy and content	Contract (Art. 6(1)(b))	Necessary to perform the service you signed up for
Sending performance reports and service notifications	Contract (Art. 6(1)(b))	Necessary to deliver the contracted service
Sending marketing emails and newsletters	Consent (Art. 6(1)(a))	You may withdraw consent at any time via the unsubscribe link in any email
Processing payments	Contract (Art. 6(1)(b))	Necessary to complete the payment transaction
Improving our AI agents and platform	Legitimate interest (Art. 6(1)(f))	We have a legitimate interest in improving our service; this does not override your rights
Fraud prevention and security	Legitimate interest (Art. 6(1)(f))	Protecting our platform and clients from abuse
Complying with legal obligations	Legal obligation (Art. 6(1)(c))	Required by law (e.g. Companies Act, HMRC requirements)

4. Your rights (GDPR / UK GDPR / CCPA)

You have the right to:

Access request a copy of all data we hold about you
Rectification correct any inaccurate data
Erasure request deletion of your personal data
Portability receive your data in a machine-readable format
Objection object to processing based on legitimate interest
Withdraw consent for any processing based on consent (e.g. marketing emails), at any time
Opt out of sale of personal data (CCPA) we do not sell, rent, or share your personal data with third parties for their commercial purposes. This right is permanently satisfied. If you are a California resident, you may also request disclosure of the categories of personal information we have collected about you in the past 12 months by emailing us with the subject line "CCPA Data Request".

To exercise any of these rights, email hello@infinitybrandmarketing.com with the subject line "Data Request". We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local EU supervisory authority.

5. Data storage and security

Your data is stored in Supabase (EU-hosted, West EU Paris region). OAuth access tokens (Facebook and LinkedIn) are encrypted using AES-256-GCM before storage. We never sell your personal data to third parties. Access to your data is restricted to authorised personnel only.

Our platform is hosted on Vercel (USA). Data transfers from the EU to Vercel's US infrastructure are covered by Standard Contractual Clauses (SCCs) under GDPR Article 46.

6. AI-assisted processing disclosure

Our platform uses artificial intelligence (Claude by Anthropic) to generate marketing content, strategies, and analysis on your behalf. This constitutes automated processing under GDPR Article 22. We ensure meaningful human oversight at every stage: no content is ever published to any platform without your explicit approval. You review and approve every post before it goes live. You may request human review of any AI-generated output at any time by contacting us.

This disclosure is made in accordance with Article 13 of the EU AI Act and the UK Government's guidance on AI transparency.

7. Cookies

We use only essential cookies required for the platform to function (authentication session). We do not use tracking or advertising cookies. You can decline optional cookies via the banner shown on your first visit.

8. Data retention

We retain your data for as long as your account is active. If you close your account or request erasure, we will delete your personal data within 30 days, unless we are required by law to retain it longer (e.g. financial transaction records required by HMRC for 6 years).

9. Third-party data processors

We use the following third-party services which may process your personal data on our behalf. All processors are contractually bound to handle your data securely and only for the purposes we specify.

Processor	Purpose	Location
Supabase	Database storage and authentication	EU (West EU Paris)
Vercel	Platform hosting and serverless functions	USA (SCCs apply)
Stripe	Payment processing	USA / EU (SCCs apply)
Resend	Transactional and newsletter email delivery	USA (SCCs apply)
Mailchimp (optional)	Newsletter delivery only if client connects their Mailchimp account	USA (SCCs apply)
Brevo (optional)	Newsletter delivery only if client connects their Brevo account	EU (GDPR Article 46)
Anthropic	AI content generation and strategy analysis	USA (SCCs apply)
Replicate	AI image generation for marketing content	USA (SCCs apply)
fal.ai	AI video generation and image transcoding	USA (SCCs apply)
Zernio (optional)	Social media posting via client-connected accounts	USA (SCCs apply)
Meta (Facebook / Instagram)	Publishing approved content to connected Facebook pages and Instagram accounts	USA (SCCs apply)
LinkedIn	Publishing approved content to connected LinkedIn organisation pages	USA (SCCs apply)
Telegram	Publishing approved content to connected Telegram channels (optional)	UAE / Global

10. Data Processing Agreement (DPA)

As a B2B service provider, we act as a data processor on behalf of our clients under GDPR Article 28. When you use our platform to manage marketing for your business, you remain the data controller for any personal data belonging to your customers, subscribers, or contacts that you provide to us.

By accepting our Terms of Service, you enter into a Data Processing Agreement (DPA) with RFBT Limited. Under this agreement:

We process your customers' data only on your documented instructions
We implement appropriate technical and organisational security measures
We will not engage sub-processors without your prior consent (our processor list in section 9 constitutes this consent)
We will assist you in responding to data subject requests from your customers within 72 hours
We will notify you of any data breach affecting your customers' data without undue delay
We will delete or return all personal data upon termination of the service

If you require a separately signed DPA document (e.g. for enterprise compliance), please email hello@infinitybrandmarketing.com.

11. Governing law and jurisdiction

This Privacy Policy is governed by the laws of England and Wales. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales, except where mandatory local consumer law provides otherwise.

12. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email. The "Last updated" date at the top of this page will always reflect the most recent version.

13. Contact

For any privacy-related questions or to exercise your rights:

Email: hello@infinitybrandmarketing.com
Post: RFBT Limited, 7 Bell Yard, London, England, WC2A 2JR