Privacy Policy

This Privacy Policy describes how Bracy ("Bracy," "we," "us," or "our") collects, uses, stores, shares, and protects your personal data when you use our platform at bracy.ai and related services (the "Service").

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), the Brazilian General Data Protection Law ("LGPD"), and other applicable data protection laws worldwide.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. Data Controller

Bracy is the data controller responsible for the processing of your personal data in connection with the Service. For questions about data processing, please contact us:

• Email: privacy@bracy.ai
• Website: bracy.ai

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• First name and last name
• Email address
• Password (stored as a cryptographic hash in a secure identity management service; we never store or have access to your plain-text password)
• Country (optional, during registration)

2.2 Organization and Team Data

If you are part of an organization or team, we collect:

• Organization name
• Your role within the organization (Owner, Member)
• Team membership and access role assignments

2.3 Conversation and Content Data

When you use the AI chat feature, we collect and store:

• Your chat messages (natural language queries)
• AI-generated responses
• Generated SQL queries and their results
• Tool execution outputs (e.g., database schema information, query results)
• Visualization configurations and data
• Conversation metadata (timestamps, ordering)

2.4 Database Connection Data

When you connect an external database, we collect:

• Database type (PostgreSQL, MySQL)
• Host address and port
• Database name and username
• Database password (stored encrypted in a secure secrets management service, never in our application database)

2.5 Document Data

When you upload documents, we collect:

• Original file name, type, and size
• Document content (stored in secure cloud storage)
• Processed text chunks for semantic search
• Processing status and metadata

2.6 Payment and Billing Data

When you subscribe to a paid plan, payment data is processed by Stripe. We store:

• Stripe customer ID (a reference identifier, not payment card details)
• Subscription plan, status, and billing interval
• Current billing period dates
• Stripe webhook events related to your account

We do not store your credit card number, CVC, or full billing address. All payment card information is handled exclusively by Stripe, a PCI DSS Level 1 compliant payment processor.

2.7 Usage Data

We automatically collect information about your use of the Service:

• Daily and monthly message counts
• Last message date
• Application usage patterns
• Feature usage statistics

2.8 Analytics and Tracking Data

We use third-party analytics services that may collect:

• Google Analytics: Page views, session duration, browser type, device type, approximate geographic location, referral source, and user interaction events.
• Meta (Facebook) Pixel: Page views, conversion events, and user behavior patterns for advertising optimization.

These services use cookies and similar tracking technologies. See Section 9 (Cookies and Tracking Technologies) for more details.

2.9 Authentication Tokens

We store authentication tokens (access token, refresh token, ID token) in httpOnly secure cookies in your browser. These tokens are used to authenticate your requests, maintain your session, and automatically refresh your access without requiring repeated logins. The tokens expire after their respective validity periods (access token: 1 hour; refresh token: 30 days).

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction where GDPR applies, we process your personal data on the following legal bases:

4. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: Processing your queries, generating AI responses, executing database operations, storing conversations, and rendering visualizations.
• Account management: Creating and managing your account, authenticating your identity, and managing your subscription.
• AI processing: Transmitting your conversation messages, queries, and context to third-party LLM providers to generate responses. We do not use your data to train AI models.
• Usage enforcement: Tracking message counts and usage to enforce plan limits and rate limiting.
• Service improvement: Analyzing aggregate usage patterns to improve the Service, fix bugs, and develop new features.
• Communication: Sending service-related notifications, billing alerts, and important updates about the Service.
• Security: Detecting, preventing, and addressing fraud, abuse, and security incidents.
• Legal compliance: Complying with applicable laws, regulations, and legal processes.

5. Data Sharing and Third-Party Services

We share your personal data with the following categories of recipients:

5.1 AI/LLM Providers

Your conversation messages, database query results, and document content are transmitted to third-party AI providers for processing. These providers process your data under their own privacy policies and data processing agreements.

5.2 Cloud Infrastructure Providers

We use industry-leading cloud infrastructure providers for our core infrastructure:

• Identity Management: User authentication and identity management (stores your email, name, and password hash).
• File Storage: Document file storage.
• Secrets Management: Secure storage of database connection credentials.
• Application Hosting: Application hosting and execution.

Our cloud providers process data in accordance with their Data Processing Addenda and applicable service terms.

5.3 Stripe

Payment processing is handled by Stripe, Inc. When you make a payment, your payment card information is collected and processed directly by Stripe. We only receive and store a Stripe customer identifier and subscription metadata. Stripe is PCI DSS Level 1 compliant. For more information, see Stripe's Privacy Policy.

5.4 Google Analytics

We use Google Analytics to collect anonymized usage data about how visitors interact with our website. Google Analytics uses cookies to track page views, session duration, and user interactions. For more information, see Google's Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

5.5 Meta (Facebook) Pixel

We use Meta Pixel for conversion tracking and advertising optimization. The pixel collects data about page views and user interactions, which is transmitted to Meta. For more information, see Meta's Privacy Policy.

5.6 Other Disclosures

We may also disclose your personal data if required by law, regulation, legal process, or governmental request; to enforce our Terms of Service; to protect the rights, property, or safety of Bracy, our users, or the public; or in connection with a merger, acquisition, or sale of all or a portion of our assets.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States, where our third-party service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data from the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Data Processing Agreements with sub-processors that include adequate data protection commitments.
• Reliance on adequacy decisions where applicable.

7. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account data: Retained for the duration of your account and deleted upon account termination, subject to legal retention requirements.
• Conversation data: Retained until you delete individual conversations or your account is terminated.
• Documents: Retained until you delete them or your account is terminated.
• Database connection credentials: Retained until you remove the connection or your account is terminated, then securely purged from our secrets management service.
• Billing data: Retained for as long as required by tax and accounting regulations (typically 5-7 years).
• Usage data: Retained in aggregate form for analytics purposes; individual usage records are deleted with account termination.
• Analytics data: Retention periods are governed by the respective analytics providers (Google Analytics, Meta).

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes such as resolving disputes or enforcing our agreements.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Rights Under GDPR (EEA/UK Residents)

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal exceptions.
• Right to restriction of processing: Request that we limit the processing of your personal data in certain circumstances.
• Right to data portability: Receive your personal data in a structured, commonly used, and machine-readable format.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: File a complaint with your local data protection supervisory authority.

8.2 Rights Under CCPA (California Residents)

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: Request deletion of your personal information, subject to exceptions.
• Right to opt-out of sale: We do not sell your personal information. If this changes, we will provide an opt-out mechanism.
• Right to non-discrimination: You will not be discriminated against for exercising your CCPA rights.

8.3 Rights Under LGPD (Brazilian Residents)

• Confirmation of the existence of processing.
• Access to your data.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymization, blocking, or deletion of unnecessary or excessive data.
• Data portability.
• Information about shared data with third parties.
• Revocation of consent.

8.4 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@bracy.ai. We will respond to your request within the timeframe required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

We may need to verify your identity before processing your request. If we are unable to verify your identity, we may decline the request.

9. Cookies and Tracking Technologies

9.1 Cookies We Use

9.2 Managing Cookies

We provide a Cookie Settings tool that allows you to manage your preferences for non-essential cookies directly on our website. You can access this at any time via the "Cookie Settings" link in the footer.

Essential cookies are required for the Service to function and cannot be disabled. You can also manage analytics and marketing cookies through your browser settings.

Most browsers allow you to control cookies through their settings. You can typically find cookie controls in the "Settings," "Preferences," or "Privacy" sections of your browser.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
• Secure authentication: Authentication tokens are stored in httpOnly secure cookies, preventing access by client-side scripts (XSS protection).
• Secrets management: Database credentials and API keys are stored in a secure secrets management service with encryption at rest.
• Access controls: Role-based access controls limit data access to authorized personnel and users.
• Infrastructure security: Our application runs on industry-leading cloud infrastructure, which provides physical and network security certifications (SOC 2, ISO 27001).
• Password security: Passwords are hashed and managed by our identity management provider; we never store or have access to plain-text passwords.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incidents in accordance with applicable laws.

11. Children's Privacy

The Service is not directed to individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such information promptly. If you believe that a child has provided us with personal data, please contact us at privacy@bracy.ai.

12. Data Processing Agreements

When you connect your database to the Service, you may be acting as a data controller for the personal data contained in your database, and Bracy may act as a data processor on your behalf. In such cases:

• We process your database data only in accordance with your instructions and for the purpose of providing the Service.
• We do not independently determine the purposes or means of processing your database data.
• You are responsible for ensuring that you have the appropriate legal basis to process personal data stored in your databases through our Service.

If you require a formal Data Processing Agreement (DPA), please contact us at privacy@bracy.ai.

13. Do Not Track

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. The Service does not currently respond to DNT signals. However, you can manage tracking through cookie settings as described in Section 9.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Provide notice through the Service or via email for material changes.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

• Privacy inquiries: privacy@bracy.ai
• General support: support@bracy.ai
• Website: bracy.ai

If you are located in the EEA and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority.