
1. Who we are
thebrix (“Provider”, “we”) operates a software platform for retail real estate leasing. This policy explains what we collect, why, and your choices. It covers the app, the public brand-interest and inquiry forms, and the tenant portal.
2. What we collect
Account data: names, work emails, titles, hashed passwords (scrypt — we never store plain text). Customer content: the deals, properties, companies, contacts, documents, communications, meeting notes and files your organization puts into the service. Public form submissions: brand profiles, contact details and inquiry data submitted through property interest links. Technical data: IP addresses (rate limiting and security logs), session cookies. We do not sell personal data, run third-party advertising, or use tracking cookies — only essential session cookies.
3. How we use it
To operate the service (authentication, storage, notifications), to provide AI features (see 4), to bill per-seat subscriptions, to respond to support tickets, and to protect the platform (rate limiting, abuse prevention). Legal bases (where GDPR applies): contract performance, legitimate interest in securing the service, and consent for optional features like meeting recording.
4. AI processing
AI features (document analysis, drafting, sentiment, transcription analysis, brand-profile evaluation) send the relevant content to Anthropic's Claude API for processing. Meeting recording uses your browser's speech recognition, which may send audio to your browser vendor's speech service (e.g. Google for Chrome); the app itself never stores audio — only the text transcript your user reviews and saves. Recording requires the user to confirm participant consent; consent requirements vary by jurisdiction and are the customer's responsibility.
5. Where data lives and who sees it
Customer content is isolated per organization and visible only to that organization's users and, for support and platform operation, authorized Provider staff. Subprocessors: hosting infrastructure, Anthropic (AI), Stripe (billing — card data never touches our servers), Resend (email delivery), Meta (WhatsApp delivery), DocuSign (e-signature) — each only receives what its function requires.
6. Retention and deletion
Customer content is retained while the subscription is active. After termination, data is exportable for 30 days (Settings → or on request), then deleted from production systems within a further 30 days, backup cycles permitting. You may request deletion of specific personal data at any time via support.
7. Your rights
Depending on your jurisdiction (GDPR, CCPA and similar): access, correction, export (portability), deletion, and objection to processing. Organization admins can export their organization's full data from the app; individuals should contact their organization admin or our support. We respond to verified requests within 30 days.
8. Security
Passwords are scrypt-hashed; sessions and tenant links are cryptographically signed; webhooks are signature-verified; data isolation is enforced per organization at the data layer; access is least-privilege. No system is perfectly secure — we notify affected customers of any breach without undue delay and as required by law.
9. Changes and contact
We may update this policy with notice in the app; continued use after the effective date is acceptance. Questions and requests: support via Settings, or the contact address published at signup.