Privacy Policy
Last updated: 10 May 2026
1. Who We Are
Brikk is operated by Brikk Limited, a company registered in England and Wales. We provide cloud-based property management and tax compliance software for UK landlords. When we refer to “Brikk”, “we”, “us” or “our” in this policy, we mean Brikk Limited.
2. Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, phone number provided during registration.
- Property & financial data: Property details, rental income, expenses, mortgage information, and tax estimates you enter or import.
- HMRC connection data: OAuth tokens (never your HMRC password), National Insurance Number, and MTD submission references.
- Connected service data: Gmail message metadata and bank transaction data when you choose to connect these services.
- Device & usage data: IP address, browser type, screen resolution, timezone, and a device identifier stored locally on your device. These are used to fulfil HMRC fraud prevention requirements.
- Documents: Files you upload to the document vault (tenancy agreements, certificates, receipts).
3. How We Use Your Data
- To provide and maintain the Brikk service, including tax calculations and MTD submissions to HMRC.
- To submit legally required fraud prevention headers with HMRC API calls on your behalf.
- To process bank transactions and email data from connected services (only when you grant access).
- To generate reports, alerts, and compliance reminders.
- To communicate service updates, security notifications, and support responses.
- To improve our service through anonymised, aggregated usage analytics.
4. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
- Contract: To deliver the service you signed up for.
- Legal obligation: To comply with HMRC fraud prevention and tax reporting requirements.
- Legitimate interest: To improve our service, prevent fraud, and ensure security.
- Consent: For optional features like marketing communications (which you can withdraw at any time).
5. Data Sharing & Sub-processors
We share your data only with the following categories of recipients, each operating under a written data processing agreement and (where applicable) UK GDPR Standard Contractual Clauses for transfers outside the UK / EEA.
Authorised recipients
- HMRC (UK): When you authorise MTD submissions, we transmit your income, expense, and fraud prevention data directly to HMRC via their API.
- Google (Gmail API): Read-only Gmail access via OAuth, only when you explicitly grant it. See section 11 (Google User Data) for full details, the scopes requested, and the Limited Use disclosure.
- TrueLayer (UK, FCA-regulated): Open Banking transaction and balance data, only when you connect a bank account.
Sub-processors (infrastructure)
- Supabase (EU/UK region): Database, authentication, and file storage.
- Vercel (UK region): Application hosting and edge delivery.
- Stripe: Payment processing for subscriptions. Card details are entered directly into Stripe’s PCI-compliant fields and are never stored on Brikk’s systems.
- Anthropic (US): Provides the Claude AI models that power Brikk’s AI features (transaction categorisation, the Support Agent, written summaries). Content sent to Anthropic is processed under Anthropic’s commercial terms, which prohibit training on customer data and require deletion within 30 days. Transfers to the US rely on UK GDPR Standard Contractual Clauses.
- Resend (US): Transactional email delivery (confirmations, invites, reports). Resend receives recipient name and email address only.
- Sentry: Error and performance monitoring. Personally identifying data is scrubbed before transmission where reasonably practicable.
We never sell your personal data, never use it for advertising, and never use it (or any data we receive from Google APIs) to train generalised AI or machine-learning models. AI processing is performed solely to deliver the Brikk feature you have requested, on a per-request basis.
6. Data Retention
We keep your data only as long as necessary for the purposes set out in this policy:
- Account data (name, email, contact details) is retained while your account is active. When you delete your account, this data is permanently erased within 30 days.
- Financial records (income, expenses, HMRC submission history) may be retained for up to 7 years after the relevant tax year to meet our own legal, accounting, tax-record-keeping, and fraud-prevention obligations under applicable law, including UK GDPR Article 17(3)(b) and (e). Where you delete your account, these records are anonymised so they can no longer identify you; only the anonymised records are retained.
- HMRC OAuth tokens are refreshed automatically during use and deleted immediately when you disconnect your HMRC account or delete your Brikk account.
- Gmail-derived data: When you connect Gmail, the Service may store the parsed metadata of property-related messages (sender, subject, date, amount, category) so it can appear in your transaction view. Raw email body content and attachments are processed in memory and are not persisted after categorisation completes. Stored Gmail-derived metadata is deleted within 30 days of you disconnecting Gmail or deleting your account.
- Open Banking data: Transaction history is retained while your account is active and deleted within 30 days of you revoking the bank connection or deleting your account.
- Documents you upload are deleted when you remove them or delete your account.
We do not retain identifiable personal data beyond what is strictly necessary. Where retention is required, we prefer anonymisation over continued storage of personal data.
7. Data Security
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- We use Row Level Security (RLS) in our database to ensure each user can only access their own data.
- Authentication is handled via Supabase Auth with secure session management.
- We do not store your HMRC password — we use OAuth 2.0 tokens that can be revoked at any time.
- CSRF protection, security headers, and rate limiting are enforced on all API endpoints.
8. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data (via Settings > Export Data).
- Rectify inaccurate data (via Settings > Profile).
- Erase your account and personal data (via Settings > Delete Account).
- Port your data to another provider in a machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent for optional processing at any time.
To exercise any of these rights, email us at privacy@brikk.cloud.
9. Cookies
Brikk uses essential cookies only — for authentication sessions and CSRF protection. These are strictly necessary for the Service to function and do not require consent under UK privacy regulations. We do not use advertising, analytics, or tracking cookies.
If we introduce non-essential cookies or analytics in the future, we will update this policy and, where required by law, obtain your consent before placing them on your device.
10. HMRC Fraud Prevention Data
When you connect Brikk to HMRC and make MTD submissions, we are legally required to send fraud prevention headers with each API call. This includes your device ID, IP address, browser information, screen resolution, and timezone. This data is transmitted directly to HMRC and is not used by Brikk for any other purpose.
We process this data under the legal bases described in section 4: legal obligation (HMRC mandates fraud prevention headers for all MTD API calls) and legitimate interest (protecting the integrity of tax submissions and preventing fraud). For more details, see HMRC's fraud prevention guidance.
11. Google User Data
This section explains specifically how Brikk handles user data obtained from Google APIs, in line with the Google API Services User Data Policy and Limited Use requirements.
11.1 Scopes we request
https://www.googleapis.com/auth/gmail.readonly — read-only access to your Gmail messages and attachments. We request this scope only if you choose to connect Gmail.
11.2 What we do with Google data
- We scan messages for property-related receipts, invoices, agent statements, mortgage notices and similar financial documents.
- Identified items are summarised into structured transaction records (sender, date, amount, category) and surfaced in your Brikk dashboard for you to review and confirm.
- For categorisation, message content may be sent to the Anthropic Claude API on a per-request basis. Anthropic’s commercial terms prohibit training on customer data and require deletion within 30 days.
11.3 What we do not do
- We do not send, modify, archive, or delete email on your behalf.
- We do not use Google user data for advertising or marketing.
- We do not sell or transfer Google user data to third parties, except as needed to provide the user-facing Brikk feature you have requested.
- We do not use Google user data to develop, improve, or train generalised AI or machine-learning models.
- Brikk personnel do not read your Google user data, except (a) with your explicit consent, (b) for security investigations, (c) to comply with applicable law, or (d) in aggregated and anonymised form for internal operations.
11.4 Storage and deletion
- Raw Gmail message bodies and attachments are processed in memory and are not persisted to long-term storage.
- The structured transaction metadata derived from your Gmail (sender, date, amount, category) is stored encrypted at rest in our Supabase database (EU/UK region).
- OAuth refresh tokens are stored encrypted and deleted immediately when you disconnect Gmail or delete your Brikk account.
- All Gmail-derived data is deleted within 30 days of disconnection or account deletion.
11.5 Revoking access
You can revoke Brikk’s access to your Gmail at any time:
- In Brikk: Settings > Connected Accounts > Disconnect Gmail.
- In Google: visit myaccount.google.com/permissions and remove access for “Brikk”.
11.6 Limited Use disclosure
Brikk Limited’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or an in-app notification. The “last updated” date at the top indicates when the policy was last revised.
13. Contact Us
If you have questions about this privacy policy or your personal data, contact us at:
Brikk Limited
Email: privacy@brikk.cloud
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.