1. Who we are and the scope of this policy
This Privacy Policy explains how [Brevio legal entity name] ("Brevio," "we," "us") handles personal data in connection with the Brevio eDiscovery platform and our website at brevio.legal.
It covers two kinds of data with different roles. For account, billing, and usage data, Brevio is the data controller. For Customer Data that a firm uploads into the platform, the firm is the controller and Brevio is the processor, acting on the firm's instructions under our Terms of Service and Data Processing Addendum.
2. Information we collect
Account data: your name, work email, firm name, role, and authentication data (including multi-factor settings). Sign-in security data such as TOTP secrets and recovery codes are stored to operate authentication.
Billing data: your subscription plan and payment status. Card details are collected and stored by our payment processor, Stripe; Brevio does not store full card numbers.
Usage and device data: log data, IP address, browser and device information, and product-analytics events (for example, signup, document uploaded, production generated) used to operate and improve the Service. We do not record screen sessions.
Customer Data: the documents, custodian information, communications, and metadata your firm uploads or generates. This may contain personal data and sensitive information about third parties. Brevio processes it only on your firm's behalf.
Support communications: messages you send us and their contents.
3. How we use information and our legal bases
We use account, billing, and usage data to provide and secure the Service, authenticate users, process payments, provide support, send service and transactional messages, and improve the product.
Where the GDPR applies, our legal bases are performance of a contract, our legitimate interests in operating and securing the Service, and compliance with legal obligations. We process Customer Data only to provide the Service under our agreement with your firm.
4. AI processing
Some features use third-party AI providers (currently OpenAI and Anthropic) to generate summaries, suggestions, extractions, and search results. AI processing runs under your firm's configured API keys and, where available, zero-retention API terms.
Customer Data is not used to train Brevio's models or any third-party model. AI output is assistive and is reviewed by your firm before reliance.
5. How we share information — subprocessors
We do not sell, rent, or trade personal data. We share data only with subprocessors that help us run the Service, under contracts that require appropriate safeguards. Our current subprocessors and their purposes are listed at brevio.legal/security.
We may also disclose information to comply with law or valid legal process, or to protect the rights, safety, and security of Brevio, our customers, and the public.
6. Data retention
We retain account and billing data while your account is active and as needed for legal, tax, and audit purposes. Customer Data is retained for the life of your subscription.
After termination, we provide a reasonable export window of at least 30 days and then delete Customer Data in the ordinary course, subject to backups that age out on a rolling basis. You can request deletion of your account and Customer Data at any time.
7. Security
We protect personal data with encryption in transit and at rest, schema-per-tenant isolation, append-only audit logging, role-based access controls, and required multi-factor authentication for administrators. Our security practices are described at brevio.legal/security. No system is perfectly secure; we work to reduce risk and to respond quickly if an incident occurs.
8. International data transfers
Brevio hosts data in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. Where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses, available through our Data Processing Addendum.
9. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. Under U.S. state privacy laws (including the CCPA and CPRA), you may have rights to know, delete, and correct personal information and to opt out of its sale or sharing — and we do not sell or share personal information for cross-context behavioral advertising.
To exercise rights over account data, email [email protected]. For Customer Data held on behalf of a firm, please direct requests to that firm (the controller); we will assist the firm as its processor.
10. Cookies and analytics
We use strictly necessary cookies to authenticate sessions and operate the Service, and limited product analytics (PostHog) to understand feature usage. We do not use advertising cookies and do not record screen sessions. You can control cookies through your browser settings; disabling necessary cookies may break sign-in.
11. Error and performance monitoring
We use error monitoring (Sentry) to detect and fix problems. It is configured not to forward Customer Data or document contents; it may process limited technical data such as error messages, user identifiers, and IP addresses to diagnose issues.
12. Children's privacy
The Service is for legal professionals and is not directed to children. We do not knowingly collect personal data from anyone under 18.
13. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or in-app notice and update the "last updated" date above.
14. Contact
Privacy questions or requests: [email protected]. For data-protection matters, you may also contact us by mail at [Brevio mailing address].