Privacy Policy
Last updated 24 May 2026 · Effective 24 May 2026
The short version
We collect the minimum data needed to run Brivo. We don’t sell it, we don’t use it to train AI models, and we don’t send marketing emails. When you delete your account, your personal data is deleted with it — except for financial records we’re legally required to keep for tax purposes.
Each section below starts with a plain-language summary. The formal text underneath is what’s legally binding under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and, where applicable, the EU General Data Protection Regulation.
This Privacy Policy is referenced by, and forms part of, our Terms of Service.
1. Who we are
In short: Brivo is the Data Fiduciary for the personal data described here. We’re based in India, with some infrastructure in the EU.
In this Policy, “Brivo”, “we”, and “us” refer to Brivo, the operator of the Brivo family of services (the “Services”). For the purposes of the DPDP Act, Brivo is the Data Fiduciary in relation to the personal data described in this Policy. Where the EU GDPR applies to a user, Brivo acts as the Controller.
You can reach us at privacy@brivo.ltd. For grievances under Indian law, see section 11.
2. What personal data we collect
In short: Just what we need to run your account, take payment, keep things working, and answer your questions.
We collect the following categories of personal data:
- Account information — your name, email address, and password (stored as a salted, one-way hash; we never see your plaintext password).
- Payment information — handled directly by our payment processor. We receive a transaction reference, the amount, and the last four digits of the card or UPI handle for receipts. We do not store full card numbers, CVVs, or full bank details.
- Usage data — pages and features you use, actions you take, and timestamps. Collected via Umami, which is cookieless and does not use personal identifiers or cross-site tracking.
- Device and connection data — IP address, browser type, operating system, and referrer, collected automatically when you access the Services. Used for security, debugging, and aggregate analytics.
- Communications — the content of support tickets, emails, and chat messages you send us, along with your contact details.
- Content you submit — anything you upload to or create within the Services. How this is handled is governed primarily by our Terms of Service.
3. Why we collect it and our lawful basis
In short: To run your account, take payment, keep things secure, fix bugs, and respond when you reach out. Nothing else.
Under the DPDP Act, we process your personal data primarily on the basis of your consent (given when you sign up) and, where applicable, for the “legitimate uses” specified in section 7 of the Act, such as where you have voluntarily provided data for a clear purpose. Under the GDPR, our lawful bases are contract performance (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)) such as security and service improvement, and consent (Art. 6(1)(a)) where required.
Specifically, we process personal data to:
- create and authenticate your account;
- provide, maintain, and operate the Services;
- process payments and issue receipts, invoices, and tax documents;
- detect, prevent, and respond to fraud, abuse, and security incidents;
- respond to your questions, support requests, and grievances;
- send transactional and service-related communications (e.g. password resets, billing receipts, security alerts, important service updates);
- understand aggregate usage patterns to improve the Services;
- comply with our legal obligations.
We do not use your personal data to train AI or machine learning models, sell or rent it to third parties for their marketing, or build advertising profiles about you.
4. Who we share data with
In short: A short list of vendors that help us run the Services. Each only gets what it needs. No data brokers, no advertisers.
We share personal data only with the categories of service providers below, each acting as a Data Processor on our behalf and bound by appropriate contractual safeguards:
- Payment processors (e.g. Razorpay, Stripe) — to process payments, issue refunds, and handle subscription billing.
- Email delivery (Resend) — to send transactional emails such as receipts, password resets, and security alerts.
- AI providers (e.g. OpenAI, Anthropic) — when you use AI Features, the relevant prompts and content needed for the feature are sent to the AI provider to generate output. We select providers that contractually commit to not training their models on our customer data.
- Analytics (Umami, self-hosted by us) — for privacy-preserving, cookieless usage analytics. No personal identifiers are sent to third parties.
- Customer support (Libredesk, self-hosted by us) — to manage your support tickets and conversations. Because this runs on our own infrastructure, no third party receives your support data.
We may also disclose personal data: (a) to comply with law or a binding order of a court or authority of competent jurisdiction; (b) to enforce our Terms of Service; (c) to protect the rights, safety, or property of Brivo, our users, or the public; or (d) to a successor in interest in connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case you will be notified.
5. Where your data is stored
In short: On servers in India and the European Union. Some processors (like payment and AI providers) may process data in other countries.
Our primary infrastructure is located in India and the European Union. Personal data may be transferred to and processed in either region.
Where a service provider listed in section 4 is located outside India or the EU, your personal data may be transferred to that country for the limited purpose described. We rely on contractual protections (such as the EU Standard Contractual Clauses, where applicable) and on the DPDP Act’s framework for cross-border transfers, which permits transfers to any country other than those specifically restricted by the Central Government.
6. How long we keep your data
In short: When you delete your account, your personal data is deleted with it. The one exception is financial records — Indian tax law requires us to keep those for 8 years.
We retain your personal data only for as long as your account is active. When you delete your account, we delete your personal data promptly thereafter. Backups containing your data are overwritten in the normal course of our backup cycle, typically within 30 days.
Statutory exception. Invoices, payment records, and related financial documents are retained for a period of 8 years from the end of the relevant financial year, as required by the Income Tax Act, 1961 and the Central Goods and Services Tax Act, 2017. These retained records are stored securely and used only for tax, accounting, and audit purposes.
We may also retain limited information for longer where required to comply with a legal obligation, resolve a dispute, or enforce our agreements — for example, records of fraud, abuse, or security incidents.
7. Your rights
In short: You can see, correct, and delete your data, and withdraw consent at any time. Email privacy@brivo.ltd.
As a Data Principal under the DPDP Act, you have the right to:
- Access a summary of the personal data we hold about you and the processing activities we have undertaken;
- Correction and erasure of inaccurate or out-of-date data, and of data no longer necessary for the purpose for which it was processed;
- Withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal, and may mean we can no longer provide certain Services to you;
- Grievance redressal — contact our Grievance Officer (section 11) if you believe your rights have been violated;
- Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
If you are in the European Union, you additionally have rights under the GDPR including the right to data portability, to object to processing based on legitimate interests, and to lodge a complaint with your local supervisory authority.
To exercise any of these rights, email privacy@brivo.ltd. We will respond within the timelines required by applicable law (generally within 30 days). We may need to verify your identity before acting on a request.
8. How we protect your data
In short: We use industry-standard security, encrypt data in transit, and restrict access. No system is perfectly secure — but we’ll tell you promptly if something happens.
We use reasonable and appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, encryption at rest where supported by the underlying storage, access controls based on least privilege, regular backups, and logging. Passwords are stored only as one-way salted hashes.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in harm, we will notify you and the relevant authorities (including the Data Protection Board of India) as required by law.
9. Cookies and tracking
In short: Just login session cookies. No advertising trackers, no third-party cookies. Our analytics (Umami) doesn’t use cookies at all.
We use a small number of strictly necessary cookies to keep you signed in and to remember basic preferences such as theme. These cookies are essential for the Services to function and do not require your consent under applicable law.
We do not use third-party advertising or tracking cookies. Our analytics tool, Umami, is cookieless and does not store personal identifiers in your browser.
10. Children
In short: Brivo isn’t for under-18s. If you think a child has signed up, let us know and we’ll remove their data.
The Services are not directed to children under the age of 18, and we do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@brivo.ltd and we will take steps to delete the data.
11. Grievance Officer
In short: Indian law requires us to publish a grievance officer. Here are their details.
In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the contact details of our Grievance Officer are:
12. Changes to this policy
In short: If we change anything material, we’ll email you and post a notice in the app 30 days beforehand.
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days’ notice by email to the address associated with your account and through an in-app notice. The updated Policy takes effect on the date stated in the notice. Continued use of the Services after that date constitutes acknowledgement of the updated Policy.
13. Contact us
For any questions about this Policy or how we handle your data: