Privacy Policy

1. Who we are

Brick is a multi-tenant workspace that helps design and development studios and freelancers run their client work — CRM, proposals, e-signature contracts, invoicing and payments, projects, and recurring revenue — in one place. If you have questions about this policy or your data, contact us at support@trybrick.app.

2. How this policy applies (two-sided service)

Brick is used by workspace operators (our customers) to manage their own clients. Where an operator uploads or enters information about their clients, contacts, and business, the operator is the controller of that information and Brick processes it on their behalf as a service provider/processor. This policy describes our own practices; an operator’s use of their workspace is also governed by their agreement with us.

3. Information we collect

Account & identity

When you sign up or sign in (including with Google), we collect your email address, name, and — if you sign in with Google — your Google profile photo, which we display as your avatar.

Workspace data

Organization name, slug, brand color and logo, default currency and timezone, your plan and billing status, and your email-sending domain and its verification records.

Information operators enter about their business and clients

• Leads and CRM records (name, email, phone, company, role, website, inquiry text, public LinkedIn URLs, marketing attribution such as UTM parameters and referrer, and AI-generated scores).
• Clients, contacts, and notes.
• Proposals and contracts, including line items and — for e-signature legal evidence — the signer’s name, email, IP address, country, browser user-agent, signature image, and timestamp.
• Invoices, payments, expenses and receipts, subscriptions, and related financial records.
• Calendar events and emails you choose to connect or send through Brick (see §4).

Technical & usage data

We collect limited technical data needed to operate the Service securely — for example IP-derived rate-limiting signals and error diagnostics. We use Sentry for error monitoring; we do not log your passwords, OAuth tokens, or AI prompt contents.

4. Google user data — what we access, why, and how

Brick integrates with Google in three distinct ways. We only request the narrow scopes each feature needs, and access is always at your explicit authorization.

Sign-in with Google

Scopes openid, email, and profile. We use these to authenticate you and create your account, and we store your email, name, and profile photo.

Google Calendar

Scopes calendar.events and calendar.readonly. With your authorization, we read your calendar events to sync your availability and display your schedule, and we create or update events for meetings you book in Brick. We store event title, description, location, meeting link, start and end times, attendee email addresses, and the Google event and calendar identifiers.

Gmail (send only)

Scope gmail.send. With your authorization, Brick can send emails “from” your connected Gmail address (for example, a contract or invoice to your client). Brick cannot read, search, or access your Gmail inbox, drafts, labels, or contacts — the gmail.send scope only sends. We store your connected email address and the message content you compose in Brick; we do not store any other mailbox data.

OAuth access and refresh tokens for these connections are encrypted at rest. You can revoke Brick’s access at any time from within Brick or from your Google Account permissions; revoking stops further access.

5. Limited Use of Google user data

Brick’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide and improve user-facing features that are prominent in Brick’s interface (calendar sync and scheduling, and sending email from your connected Gmail address).
• We do not transfer Google user data to others except as necessary to provide or improve these features (with your consent), for security purposes such as investigating abuse, to comply with applicable law, or as part of a merger or acquisition with your explicit prior consent.
• We do not use or transfer Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• We do not allow humans to read your Google user data unless you give affirmative consent to view specific data, it is necessary for security or to comply with law, or the data is aggregated and anonymized and used for internal operations in accordance with applicable requirements.
• We do not sell Google user data, and we do not transfer it to data brokers, resellers, or for credit-worthiness or lending-eligibility determinations.

6. How we use information

• To provide, maintain, and improve the Service.
• To process billing and payments for your subscription.
• To secure the Service, prevent abuse, and enforce our terms.
• To provide support and respond to your requests.
• To power AI features you trigger: Brick’s AI drafts content over your workspace data on request. AI output is queued for your approval and is never sent automatically, and our AI audit log records only a content hash and model metadata — never your raw prompt or its contents.

7. Service providers and sub-processors

We share information with vendors who process it on our behalf, under contractual data protection terms and only as needed to run the Service:

• Supabase — database, authentication, and file storage.
• Stripe — payment processing. Operators connect their own Stripe account to accept client payments; Brick is the platform and does not hold funds.
• Resend — transactional and operator-domain email delivery.
• Anthropic and OpenAI — AI features, under zero-data-retention and no-training contractual terms.
• Google — Calendar and Gmail-send integrations, and Google Sign-In.
• Microsoft — optional Outlook/Microsoft 365 send-as email.
• Slack — optional workspace notifications.
• Sentry — error monitoring.
• Upstash — rate limiting and request idempotency.
• Vercel — application hosting.

We use a third-party billing provider (Polar) for Brick’s own subscriptions; where that is live, it processes your billing details as our merchant-of-record. We do not use analytics or advertising trackers.

8. Data retention and deletion

We retain personal information for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. You can disconnect a Google (or other) integration at any time, which deletes the stored connection and tokens. To request deletion of your account and associated data, contact support@trybrick.app; we will delete or anonymize it within a reasonable period, subject to legal retention requirements.

9. Security

We protect data with encryption in transit and encryption at rest for sensitive secrets such as OAuth tokens, strict tenant isolation (row-level security so one workspace can never read another’s data), and role-based access controls. No method of transmission or storage is perfectly secure, but we work to protect your information and review our practices regularly.

10. International transfers, children, and your rights

We may process information in countries other than where you live; where required, we rely on appropriate safeguards for international transfers. The Service is not directed to children under 13 (or the minimum age in your jurisdiction), and we do not knowingly collect their data. Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. To exercise these rights, contact support@trybrick.app.

11. Changes to this policy

We may update this policy from time to time. If we make material changes — or before we use Google user data for any new purpose — we will update the date above and, where appropriate, notify you and obtain your consent. Questions? Email support@trybrick.app.