What is Brandlight’s policy on AI model training data?

Core explainer

What consent is required for AI training on customer data?

Explicit, informed consent is required before using customer data for AI model training, with the scope and purposes clearly disclosed to the customer.

Consent must cover the data categories involved and the specific training purposes, and data usage is limited to what is disclosed; no personal data (PII) is shared in the training data. Brandlight applies data minimization and anonymization/de-identification to protect privacy, and customers may opt out where feasible. The data may be used internally for research and performance improvement, and aggregate anonymized insights may be published; ownership of any improved model remains with Brandlight, while the customer retains ownership of their data as provided. For governance resources on consent and data usage, see Brandlight governance resources.

How does Brandlight apply data minimization and anonymization in training?

Brandlight implements data minimization by collecting only what is reasonably necessary to achieve training objectives and by avoiding unnecessary data retention.

The approach emphasizes anonymization/de-identification to prevent re-identification of individuals, and it favors aggregate or synthetic data when possible. Data retained for training follows standard retention practices, and data security measures are applied to protect inputs and outputs. Brandlight may use data internally for research and performance improvement, and may publish aggregate insights that do not reveal identifyable information. These practices are designed to balance model quality with privacy protections and are described within Brandlight’s governance framework and policy disclosures.

Who owns the IP for improvements from training on customer data?

Brandlight owns the IP rights to any improvements or developments resulting from training on customer data.

The model itself is not treated as customer confidential information, and customer data remains governed by the applicable contract terms. This allocation of IP means Brandlight controls the updated model and related assets, while customers retain ownership and control over their original data as provided. If third-party IP concerns arise, Brandlight’s indemnification and dispute resolution provisions apply per the governing agreement, ensuring that improvements are defended or replaced as appropriate within the contract’s scope.

What happens to customer data after termination or in case of policy breaches?

After termination, customers have a data export right for 30 days, followed by deletion of data in accordance with Brandlight’s retention practices; unpaid fees remain due.

Termination for cause requires a 30-day cure for material breaches, while insolvency can trigger immediate termination, with licenses ceasing accordingly. During the post-termination window, customers can extract their data before deletion occurs. Brandlight’s data-retention framework and practices are designed to minimize lingering risk while ensuring customers can recover essential data, and ongoing compliance and governance activities help address any breaches or disputes within the terms of the agreement.