Privacy policy
At Brivvy, Inc. ("Brivvy," "we," "us," or "our"), we take your privacy seriously. Please read this Privacy Policy to learn how we treat your personal data. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use, and share your information as described in this Privacy Policy.
Your use of Brivvy's Services is at all times subject to our Terms of Service. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Service.
If you have questions or need this Privacy Policy in an alternative format, please contact us at support@brivvy.io.
What this Privacy Policy Covers
This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services. "Personal Data" means any information that identifies or relates to a particular individual and also includes information referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules, or regulations. This Privacy Policy does not cover the practices of companies we don't own or control or people we don't manage.
Personal Data
Categories of Personal Data We Collect
Profile or Contact Data
We collect your first and last name, email address, display name, and optional profile avatar image. Authentication is handled via passwordless email verification (one-time passcodes and magic links) and optional federated sign-in through Google. We do not collect or store passwords. We may also collect email addresses of individuals you invite to your workspace or share documents with, even if they have not yet created an account. We share this data with service providers and parties you authorize, access, or authenticate.
Payment Data
We do not directly collect or store your payment card information. All payment processing — including card numbers, billing addresses, and related financial data — is handled exclusively by our payment processing partner, Stripe. We retain only Stripe-generated identifiers (such as customer and subscription IDs) necessary to manage your subscription. Please review Stripe's terms of service and privacy policy for information on how they handle your payment data.
Web Analytics and Usage Data
We collect non-identifiable usage data such as feature interactions, session identifiers, workspace identifiers, and general platform activity metrics. We use PostHog for product analytics. This data is shared with our analytics service providers to help us understand how the Services are used and to improve the platform.
Voice and Workspace Data
We collect the voice configurations, content rules, tone parameters, templates, documents, knowledge uploads, and other data you create or upload within the Service ("Customer Content"). This data is used to provide and improve the Services. In order to deliver AI-powered features, your Customer Content — including voice rules, prompts, and document content — is processed by third-party AI and infrastructure providers as described in the "How We Share Your Personal Data" section below. Customer Content is never sold to third parties. We do not use your Customer Content to train, fine-tune, or improve any AI or machine learning models. Our AI providers process your content solely to generate responses within your session.
Other Identifying Information You Voluntarily Provide
We collect identifying information you include in emails or messages you send us, including feedback and support requests. This data may be shared with service providers, business partners, and parties you authorize.
Categories of Sources of Personal Data
We collect Personal Data about you from the following sources:
Directly from you, when you create an account, use our tools and Services, fill out free-form text fields, respond to surveys, or contact us.
Automatically, through analytics tools and similar technologies when you use the Services, including information about your activity within the platform.
Third parties, including federated authentication providers (such as Google, when you choose to sign in with Google), analytics providers, and vendors who help us operate and improve the Services.
Our Business Purposes for Collecting Personal Data
We collect and use Personal Data for the following purposes:
Providing, customizing, and improving the Services. This includes creating and managing your account, processing payments, delivering the features you request, processing your content through AI models, providing support, conducting internal analytics and research, personalizing your experience, and maintaining the security and integrity of the platform.
Marketing the Services. We may use your data to market and communicate about Brivvy's products and features. When you create an account, you are automatically subscribed to our product changelog and marketing mailing lists. You may unsubscribe from these communications at any time using the unsubscribe link in any marketing email. We use Loops for email marketing and transactional communications.
Corresponding with you. We use your contact information to respond to your inquiries, send product updates, and communicate information we believe will be useful to you.
Meeting legal requirements and enforcing legal terms. This includes fulfilling legal obligations, preventing and investigating security incidents or illegal activity, protecting the rights and safety of users and Brivvy, enforcing our agreements, and resolving disputes.
We will not collect additional categories of Personal Data or use Personal Data we have collected for materially different or incompatible purposes without providing you notice.
How We Share Your Personal Data
AI and Infrastructure Providers. To deliver AI-powered features such as the writing assistant, brand voice extraction, and content generation, we share relevant Customer Content (including prompts, voice rules, and document content) with third-party AI providers, currently OpenAI. We also use LlamaIndex Cloud (LlamaParse) for document parsing and Firecrawl for URL content extraction during voice analysis. These providers process your data solely to deliver their services to us and do not use your data for model training. OpenAI's API platform does not train on API inputs or outputs by default.
Analytics and Observability Providers. We use PostHog for product analytics and LangSmith (by LangChain) for AI model performance monitoring. These services receive usage data, session identifiers, and AI model inputs and outputs (including prompts and generated content) to help us monitor and improve AI quality. Neither PostHog nor LangSmith uses your data for model training. User feedback (including optional comments) may also be shared with these providers.
Email and Communications Providers. We use Loops for transactional emails (such as login codes, workspace invitations, and notifications) and marketing communications. Loops receives your email address, name, and user identifier.
Payment Processing. We share workspace name and administrator email with Stripe to create and manage billing customers. All payment card processing is handled by Stripe. Please review Stripe's privacy policy for details.
Collaborative Editing. We use Tiptap Cloud for real-time collaborative document editing. Document content and editing events are processed by Tiptap's infrastructure.
Authentication Providers. We use AWS Cognito for identity management. If you sign in with Google, your authentication data flows through Google's OAuth services.
Internal Notifications. User feedback and certain operational data may be shared with Slack for internal team notifications.
Business Partners. We may share Personal Data with companies we partner with to offer joint features, integrations, or promotional opportunities.
Parties You Authorize. When you connect third-party integrations (such as MCP-compatible clients or communication tools) through the Services, you authorize those parties to access relevant data as part of that connection.
Legal Obligations. We may share Personal Data with third parties when required to comply with applicable law, regulation, or legal process, or to protect the rights, property, or safety of Brivvy, our users, or others.
Business Transfers. In connection with a merger, acquisition, bankruptcy, or other transaction in which a third party assumes control of our business (in whole or in part), your Personal Data may be transferred. We will make reasonable efforts to notify you before your information becomes subject to different privacy practices.
Aggregated or De-identified Data. We may create aggregated, de-identified, or anonymized data from Personal Data we collect and use or share it for lawful business purposes, including improving the Services and promoting Brivvy. We will not share such data in a manner that could identify you personally.
Subprocessors
We use the following third-party subprocessors to deliver, secure, and improve the Service. We will provide at least 30 days' notice before engaging a new subprocessor that processes Personal Data. To receive notifications of changes, contact us at support@brivvy.io.
Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
Amazon Web Services (AWS) | Cloud infrastructure, compute, database, storage, identity management | All service data, account data, Customer Content | United States |
OpenAI | AI content generation, voice extraction, writing assistant | Prompts, voice rules, document content | United States |
LlamaIndex Cloud (LlamaParse) | Document parsing and text extraction | Uploaded document files | United States |
Firecrawl | URL content extraction for voice analysis | URLs submitted by users | United States |
PostHog | Product analytics, usage metrics, AI quality monitoring | User IDs, workspace IDs, session IDs, feature usage, AI model inputs/outputs | United States |
LangSmith (LangChain) | AI model performance monitoring and feedback tracking | AI model inputs/outputs, trace IDs, user feedback | United States |
Stripe | Payment processing, subscription management, billing portal | Workspace name, admin email, payment card data (collected directly by Stripe) | United States |
Loops | Transactional email and marketing email | Email address, name, user ID | United States |
Slack | Internal team notifications | User feedback content, operational error summaries | United States |
Tiptap Cloud | Real-time collaborative document editing | Document content, editing events | United States |
Federated sign-in (optional, user-initiated) | Email, name, profile picture (via OAuth) | United States |
None of our AI subprocessors use your data for model training.
Tracking Tools and Opt-Out
The Services use analytics tools and similar technologies to enable our servers to recognize your sessions, understand how you use the Services, analyze trends, and improve our platform.
We use PostHog for product analytics, which may use cookies or similar session-tracking mechanisms. We use the following categories of tracking:
Essential Tracking is required to provide features and services you have requested, such as maintaining your authenticated session.
Performance and Analytical Tracking helps us understand how visitors use the Services, measure the performance of our features, and improve the platform based on that data.
You can manage or disable cookies through your browser settings. Please note that disabling cookies may affect the functionality of certain parts of the Services. To learn more about cookies and how to manage them, visit allaboutcookies.org.
Data Security and Retention
We use appropriate physical, technical, organizational, and administrative security measures to protect your Personal Data from unauthorized access, use, or disclosure. Our infrastructure is hosted on Amazon Web Services (AWS) with encryption at rest and in transit. You can help protect your data by limiting access to your devices and signing out after using your account. Please be aware that no method of transmitting or storing data over the internet is completely secure.
We retain Personal Data for as long as your account is active or as otherwise necessary to provide the Services. When you delete your account or workspace, associated data is removed from our primary systems. Operational backups may retain data for a limited period as part of standard infrastructure processes. In some cases, we retain data longer to comply with legal obligations, resolve disputes, or collect fees owed. We may retain information in anonymous or aggregated form where it no longer identifies you personally.
Personal Data of Children
The Services are not directed to individuals under the age of 13. We do not knowingly collect Personal Data from children under 13. If we learn that we have collected Personal Data from a child under 13, we will delete it as quickly as possible. If you believe a child under 13 may have provided us with Personal Data, please contact us at support@brivvy.io.
State Law Privacy Rights
California Residents. Under California Civil Code Sections 1798.83–1798.84, California residents may contact us to prevent disclosure of Personal Data to third parties for their direct marketing purposes. To submit such a request, please contact us at support@brivvy.io.
Nevada Residents. Nevada residents have the right to opt out of the sale of certain Personal Data to third parties. To exercise this right, contact us at support@brivvy.io with the subject line "Nevada Do Not Sell Request" and include your name and the email address associated with your account.
European Union Data Subject Rights
EU Residents. If you are a resident of the European Union, United Kingdom, Liechtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation ("GDPR") with respect to your Personal Data.
Brivvy will be the controller of your Personal Data processed in connection with the Services. If there are conflicts between this section and any other provision of this Privacy Policy, the more protective provision shall control.
We will only process your Personal Data if we have a lawful basis for doing so, including contractual necessity, legitimate interests, or consent. Examples:
Contractual Necessity — Profile and contact data, workspace data, and Customer Content are processed as necessary to provide the Services under our Terms of Service.
Legitimate Interests — We may process data to provide, customize, and improve the Services; market the Services; correspond with you; meet legal requirements; and complete corporate transactions. We may also de-identify or anonymize Personal Data in furtherance of these interests.
Consent — Where we rely on your consent to process Personal Data, we will indicate this at the time of collection. You may withdraw consent at any time, though this may affect your ability to use certain parts of the Services.
You have the following rights with respect to your Personal Data. To submit a request, email us at support@brivvy.io:
Access — You can request information about the Personal Data we hold about you and obtain a copy of it.
Rectification — If you believe Personal Data we hold is incorrect or incomplete, you can request that we correct or supplement it.
Erasure — You can request that we erase some or all of your Personal Data from our systems. To delete your account, contact us at support@brivvy.io and we will process your request.
Withdrawal of Consent — If we are processing your Personal Data based on consent, you may withdraw that consent at any time.
Portability — You can request a copy of your Personal Data in a structured, machine-readable format. Please contact support@brivvy.io to initiate this process.
Objection — You may object to our processing of your Personal Data where we rely on legitimate interests as the lawful basis.
We will respond to all requests in accordance with applicable law. In some cases we may need to verify your identity before fulfilling a request.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Services before the changes take effect. Your continued use of the Services after the effective date constitutes your acceptance of the updated Privacy Policy.
Contact Information
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: