Community privacy notice
Last updated: 4 May 2026
The short version
- You can vote without an account. We don't need your name, email, or LinkedIn.
- We set one strictly-necessary cookie (bcf_fp) so the same person can't double-vote.
- We store a hashed fingerprint and a hashed (truncated) IP. We don't store either in plain text.
- If you give us your email it's a separate, opt-in step — and we tell you exactly what we'll send.
Who runs the Community portal?
Brikk Limited is the data controller for the Community portal at brikk.app/community. If you have a question about your data, contact privacy@brikk.app.
What we collect — and why
Anonymous fingerprint cookie
Cookie name: bcf_fp · Lifetime: 30 days
When you first land on the portal we set a server-issued random UUID in a first-party, HttpOnly, SameSite=Lax cookie. Before it ever touches our database it's SHA-256-hashed with a server-side salt. We use the hash to stop the same browser voting twice on the same idea — nothing else.
Lawful basis: strictly necessary — the portal cannot function without dedupe, so this cookie does not require consent (PECR Reg.6(4)).
Hashed IP address
Stored as SHA-256 hash · IPv4 truncated to /24
We hash a truncated form of your IP and attach it to each vote and email capture for abuse and rate-limit detection. We never log or store the raw IP.
Lawful basis: UK GDPR Art.6(1)(f) Legitimate Interest in keeping the roadmap free of brigading and bot voting. Our Legitimate Interest Assessment is available on request.
Email address (only if you give it)
Optional · Two separate consents
If you submit your email through one of the "notify me" bars, we capture it together with two separate ticks: one to confirm you accept our terms (required) and a second, unticked-by-default, opt-in for product update emails. You can untick the marketing one and still submit.
Lawful basis: UK GDPR Art.6(1)(a) Consent. You can unsubscribe from any email or email privacy@brikk.app to delete your record entirely.
Page-view and interaction events
Aggregated · No personal data
We log which ideas got viewed, voted, sorted or shared — but only ever attached to the hashed fingerprint, never to your name. We use it to spot which ideas the community is rallying around. UTM parameters from a campaign link (e.g. LinkedIn) are stored to help us measure which channels are working.
Lawful basis: Legitimate Interest in understanding how the Community portal is used.
How long we keep it
- The bcf_fp cookie lasts 30 days from your last visit, then is reissued.
- Votes are kept while the idea is in the roadmap or for 24 months, whichever is longer.
- Hashed IP records are kept for 12 months for abuse defence, then deleted on a rolling basis.
- Email captures are kept until you ask us to delete them, or until the relevant launch we promised has shipped + 12 months.
Your rights
Under UK GDPR you have rights to access, rectify, erase, restrict, object to or port your data. To exercise any of them — including withdrawing your email consent or asking us to delete every record tied to your hashed fingerprint — email privacy@brikk.app. We aim to respond within 7 working days.
You can also complain to the Information Commissioner's Office at ico.org.uk.
Who else sees this data?
Community data is stored in Supabase (EU region) and emails — when we add them — will be sent through Resend. Both are bound by data processing agreements covering UK GDPR. We do not sell or share Community data with advertising networks.
Changes
If we change this notice in any way that affects how we use your data, we'll bump the "last updated" date and, where the change is material, post a banner on the Community portal for 30 days.