1. Definitions
Where capitalised below, these words have specific meanings used throughout this policy.
- Personal Data — information that identifies you or could reasonably be linked to you (name, email, account ID, IP address).
- Customer Data — what you submit to Briques: prompts, Brique definitions, the records and files you store inside a Brique.
- Service Data — operational telemetry generated by your use of the service: page views, action logs, performance metrics, billing events.
- AI Provider — a third-party model API we route prompts to (today: OpenAI and Anthropic).
- Sub-processor — a third party we engage to process Personal Data on our behalf to deliver the service (Supabase, Cloudflare, Microsoft, AI Providers, Resend, Apple, Google).
- Data Protection Laws — privacy laws that apply to you and to us, including the EU and UK General Data Protection Regulations (GDPR / UK GDPR), the Swiss FADP, the California Consumer Privacy Act (CCPA / CPRA) and similar US state laws, the Canadian PIPEDA, the Australian Privacy Act 1988, and India's Digital Personal Data Protection Act 2023 (DPDP Act).
2. Overview
Briques ("we", "us") is an AI-powered tool for making small, single-user Briques from natural-language descriptions. This policy explains what we collect when you use Briques on iOS, on Android, or on this website, what we do with it, what we send to AI Providers, and what choices you have. We aim to collect only what's needed to deliver a reliable, secure service.
Briques are single-user and private to you. Generated Briques and the data inside them are not shared with other users, indexed publicly, or made available to anyone else without your action.
3. What we collect
Information you provide
- Account information. Name and email when you sign in with Google or, on iOS, Sign in with Apple.
- Prompts. The natural-language descriptions you submit to generate or modify Briques.
- App content. The Briques you create (their structure and logic) and the data you store inside those Briques (records you add, files you upload, edits you make).
- Communications. Anything you send us through support, feedback, or email.
Information collected automatically
- Usage data. Pages and features used, actions taken, approximate session duration.
- Device & log data. Device model, operating system, app version, IP address, crash reports.
- Server logs. Request logs (no prompt content) for security and abuse detection.
Information from app stores
- Purchase confirmations. When you purchase a subscription or credit pack, Apple or Google shares the transaction with us so we can grant access. We do not see your full payment information; the store handles billing.
- Subscription status changes. Apple and Google notify us when subscriptions renew, lapse, are refunded, or are cancelled, so we can update your account.
Cookies and tracking
The briques.app website keeps cookies and tracking to a minimum. We use two categories:
- Functional (always on). A small amount of local storage that remembers settings you've changed, such as your selected light or dark theme, and your cookie choice itself. These are essential for the site to work the way you left it and do not track you.
- Analytics (only if you accept). Microsoft Clarity, which measures how the site is used through heatmaps and session recordings. It does not load and sets no cookies until you choose Accept on the cookie banner. Choose Decline and it never runs. You can change your mind any time using the Cookie settings link in the footer.
When Clarity is enabled, it masks text and form inputs by default, so we do not capture what you type, such as your email. We do not run advertising and we do not sell your data. The Briques iOS app does not present an App Tracking Transparency prompt because it does not track you across other apps or websites.
If you'd prefer not to be measured, email privacy@briques.app and we'll honor an opt-out where required by law.
4. Legal bases for processing
For users in the EEA, the UK, Switzerland, and other jurisdictions that require us to identify a legal basis under Data Protection Laws, we rely on the following bases:
- Performance of a contract. Operating your Account, generating Briques, storing your data, processing your subscriptions. Without this processing we can't provide the service.
- Legitimate interests. Detecting abuse and fraud, securing the service, debugging, measuring aggregated product usage. We've balanced this against your interests and concluded the processing is proportionate.
- Consent. Optional cookies (if any), marketing emails (if you opt in), and any AI-related processing where consent is the relevant basis under your local law. You can withdraw consent at any time without affecting prior processing.
- Legal obligation. Tax records, anti-fraud and anti-money-laundering checks, and responses to lawful requests by competent authorities.
- Vital interests / public interest. Rarely, to protect a person's life or comply with a public-interest obligation.
5. How we use it
We use the information we collect to:
- Provide, operate, and maintain Briques.
- Generate and modify Briques using AI models (see section 6).
- Validate purchases, grant entitlements, and reconcile subscription state with Apple and Google.
- Improve product quality, debug issues, and measure feature performance using aggregated, de-identified data only.
- Send service-related emails: account notices, security alerts, and important updates.
- Detect, prevent, and respond to abuse, fraud, and security incidents.
- Comply with legal obligations.
We do not sell your Personal Data or Customer Data. We do not use the content of your prompts or Briques to train our own models. We do not permit AI Providers to train their models on your prompts or Brique content; we send requests through API endpoints whose terms exclude training, as confirmed by each provider's published policy at the time of integration.
6. AI processing
Briques uses AI models from third-party providers to interpret prompts, generate Brique structure (pages, data, fields), and write the JSX rendered by the in-app runtime. Today's providers:
- Anthropic (Claude) — primary provider for reasoning, generation, and modification passes. See Anthropic's privacy policy.
- OpenAI (GPT models) — used for fast generation and embeddings. See OpenAI's privacy policy.
- Google (Gemini) — used for alternate generation paths. See Google's privacy policy.
We may add or change providers over time. The current set is listed here, and any change affecting how your data flows will update the "Last updated" line above.
Your consent: required before any AI processing
The first time you use any AI feature in the app (the build chat, the modify chat, or the “add view with AI” flow), Briques shows you an in-app consent sheet that names every provider listed above, explains exactly what is sent, and asks you to accept before sending anything. No prompt, chat history, or Brique schema leaves your device until you accept. You can revoke consent at any time from the app's Settings, after which Briques will ask again before the next AI call.
What we send to providers
- Your prompt text.
- The current Brique's structure (schema, page layout, field names) when relevant to the request.
- Short context excerpts from your data only when you explicitly ask the AI a question about your data (for example, AI search). Otherwise your records are not sent.
What we don't send
- Your name, email, account ID, or any direct identifier.
- Files you upload (images, PDFs, attachments).
- The bulk contents of your tables outside the relevant excerpt above.
Safety filtering
Prompts are checked against a safety classifier before generation. Prompts requesting clearly disallowed content (sexual content involving minors, instructions for violence, targeted harassment, weapons or drug instructions, regulated advice such as medical or legal direction) are blocked with a message. Generated output is also screened before it's shown to you.
AI-generated content disclosure
Briques and their structure are AI-generated. Generated output may be incorrect, incomplete, or unsuitable for a given use. Briques does not provide medical, legal, financial, or other regulated advice and you should not rely on Briques for those decisions. See our terms for the full disclaimer.
Opt-out from aggregated analysis
We do not use Customer Data for training. Aggregated, fully anonymised usage statistics may inform product decisions; if you don't want even that, contact privacy@briques.app and we will exclude your account.
7. Who we share with
We share information only in these limited cases:
- Service providers we depend on: Supabase (database and file storage), Cloudflare (DNS, email routing, hosting for this site), Microsoft (Clarity — website analytics & session replay), Anthropic, OpenAI, and Google AI (AI generation — see Section 6 for the consent flow), Resend (transactional email), Apple (App Store payments), Google (Play Store payments and authentication). Each is bound by contractual confidentiality obligations and processes data on our instructions.
- Legal & safety. If required by law, court order, or to protect the rights, safety, or property of Briques, our users, or the public.
- Business transfers. In connection with a merger, acquisition, or asset sale, subject to the same protections set out here.
Sub-processor changes
We will list any new Sub-processor that processes Customer Data on this page at least 10 days before giving them access. The "Last updated" date at the top of this page reflects the most recent change. If you object to a new Sub-processor, your remedy is to terminate your Account and request data deletion before the new Sub-processor begins processing.
8. Storage & retention
Your account data, Brique definitions, and app records are stored in Supabase Postgres. Files you upload are stored in Supabase Storage. Both live in our primary region; we do not replicate user data across regions today.
We retain account data for as long as your Account is active. Plan caps for row data and file storage are listed on the pricing page.
Crash logs and aggregated usage data are retained for up to 24 months. Server-side request logs (no prompt content) are retained for up to 90 days for security and abuse detection. AI Provider request logs are subject to each provider's retention policy; today, OpenAI and Anthropic API requests are not used for training and have provider-side retention windows documented in their public policies.
9. Security
We protect Personal Data and Customer Data using a combination of organisational and technical measures:
- Encryption in transit. All connections to Briques use TLS 1.2 or higher.
- Encryption at rest. Database and file storage at our hosting provider (Supabase, on AWS) is encrypted at rest using AES-256.
- Access controls. Internal access to production systems is limited to engineers who need it, gated by single sign-on with multi-factor authentication, and logged.
- Least privilege. Service accounts and AI Provider keys are scoped to the minimum permissions needed.
- Backups. Daily encrypted backups with point-in-time recovery; backups are purged on the same schedule as production data after account deletion.
- Vulnerability response. We monitor dependency advisories and apply security patches promptly. Report security issues to security@briques.app.
- Breach notification. If a Personal Data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law, and will notify affected users without undue delay.
No system is perfectly secure. We make these commitments in good faith but cannot guarantee absolute security.
10. International data transfers
Briques is operated from India and uses Sub-processors located in several countries (including the United States and the European Union). When your Personal Data leaves the country where you are located, we rely on transfer mechanisms recognised by the applicable Data Protection Law:
- EEA / UK / Switzerland to outside. Transfers are protected by the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and (for Switzerland) the Swiss Addendum, plus supplementary technical and organisational measures where needed.
- India to outside. Transfers comply with the Digital Personal Data Protection Act 2023, including any country-specific restrictions notified by the Government of India.
- Other regions. We follow the transfer mechanisms applicable in your jurisdiction (for example, Canadian PIPEDA accountability requirements, Australian Privacy Principle 8 for cross-border disclosure).
A copy of the SCCs we use is available on request from privacy@briques.app.
11. Your rights
Depending on where you live (GDPR in the EEA / UK, CCPA in California, similar laws elsewhere) you may have the right to:
- Access the Personal Data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your Personal Data and Account.
- Export your data in a portable format (machine-readable JSON).
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent.
- Opt out of "sale" or "sharing" of Personal Data (we do neither, but the right is yours regardless).
- Lodge a complaint with a supervisory authority.
To exercise any of these rights, email privacy@briques.app. We respond within 30 days. We will not discriminate against you for exercising your privacy rights.
If you are not satisfied with our response, you may lodge a complaint with your local supervisory authority — for example, your national data protection authority in the EU/EEA, the Information Commissioner's Office in the UK, the Office of the Australian Information Commissioner, the Office of the Privacy Commissioner of Canada, the California Privacy Protection Agency, or the Data Protection Board of India.
12. Account & data deletion
You can delete your Briques account at any time:
- From the iOS or Android app: Account → Delete account. Tap, confirm, done.
- By email: send a request from the address on your account to privacy@briques.app.
On deletion, we permanently delete your account, Briques, app records, and uploaded files within 30 days from production systems. Backup copies are purged within a further 60 days. Some records (aggregated billing reconciliation, fraud-prevention logs) may be retained longer where required by law; these are scoped, minimised, and not used for any other purpose.
If you have an active subscription, deleting your Briques account does not automatically cancel an Apple- or Google-managed subscription. To stop renewals, also cancel via your Apple ID or Google Play subscription settings.
13. Apple App Store
On iOS, in-app purchases (Pro subscription, credit packs) are processed by Apple through the App Store. Your payment method, billing address, and Apple ID are managed by Apple under Apple's privacy policy; we do not receive or store these. The same applies to Google Play purchases on Android, which are governed by Google's privacy policy.
Apple and Google share with us a transaction identifier, the product purchased, and subscription state changes (renewal, lapse, refund, cancellation) so we can correctly grant access and update your entitlement. We use this only to administer your account.
Refunds for App Store purchases are handled by Apple. Visit reportaproblem.apple.com to request one. Refunds for Google Play purchases are handled by Google through the Play Store. Briques does not have direct authority over store-managed refunds.
14. Children & age rating
Briques is rated 17+ on the App Store because the product generates content using AI, and AI output can be unpredictable. We do not direct Briques to children under 13 (or 16 in the EEA / UK), and we do not knowingly collect personal information from them.
We comply with the United States Children's Online Privacy Protection Act (COPPA): if you believe a child under 13 has provided us personal data, contact privacy@briques.app and we will delete it promptly.
15. EU/UK representative & supervisory authorities
Briques is established outside the EEA and the UK. While we finalise the appointment of a representative under Article 27 of the GDPR and the UK GDPR, EEA and UK residents may contact us directly at privacy@briques.app for any privacy matter, and we will respond within the statutory deadlines. The "Last updated" date above will change when we publish the appointed representative's contact details.
If you live in the EEA or the UK, you also have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA authorities is published by the European Data Protection Board; the UK authority is the Information Commissioner's Office (ICO).
16. Changes
We may update this policy from time to time. If we make material changes (for example, adding a new AI Provider, changing what we share), we'll notify you by email or a prominent in-product notice before the changes take effect. The "Last updated" date above always reflects the most recent revision. Older versions are available on request.
17. Contact
Questions about this policy or your data? Email privacy@briques.app or visit our contact page.