Privacy Policy
Version 2026-06 · Last updated: June 2026
1. Overview
Brikly (“we”, “our”, or “us”) is committed to protecting your privacy. This policy explains what personal and financial information we collect, how we use it, and the choices you have regarding that information.
By using Brikly you agree to the practices described in this policy. If you do not agree, please do not use the service.
2. Information we collect
We collect the following categories of information:
- Account information: email address and authentication credentials (via Google SSO or email/password).
- Property data: property addresses, purchase prices, current valuations, and property types that you enter.
- Financial data: loan balances, interest rates, repayment schedules, rental income, expense records, and depreciation entries that you enter or connect. Where the bank-feed feature is offered, transaction data may also be imported automatically from an account you authorise (see section 5).
- Usage data: pages visited, features used, and timestamps of activity, collected via server logs and Supabase Analytics.
3. How we use your information
- To provide, maintain, and improve the service.
- To calculate portfolio metrics, cashflow, and yield figures shown in the dashboard.
- To power the AI assistant features (portfolio context is sent to the AI model only when you use those features).
- To send service-related communications (account verification, security alerts).
- To comply with applicable Australian privacy laws.
4. Data security
We take security seriously and apply the following controls:
- Encryption at rest: sensitive financial fields are encrypted using AES-256 via pgcrypto before storage.
- Row-level security: Supabase row-level security policies ensure your data is only accessible to your authenticated account.
- Encryption in transit: all data is transmitted over HTTPS/TLS.
- Audit logs: all create, update, and delete operations are recorded with timestamps and user attribution.
- Security headers: HTTP security headers including Content-Security-Policy, HSTS, and X-Frame-Options are applied to every response.
5. Data sharing
We do not sell your personal data. We share data only in these circumstances:
- Supabase: database hosting and authentication. Supabase processes data under their own privacy policy and data processing agreement.
- Anthropic: when you use the AI assistant features, relevant portfolio context and your messages are sent to Anthropic's API. Anthropic processes this data under their usage policy.
- Nylas: our email integration provider. When you connect an email account (an optional, off-by-default feature), Nylas mediates read-only access and processes the message data needed to extract property-related documents. See section 10 for the full detail.
- Resend: transactional and contact email delivery. When we send you service email, or when you message us through the contact form, Resend processes your email address and the content of that message to deliver it.
- Vercel: application hosting and content delivery (CDN). Vercel processes request metadata and server logs (such as IP address and user-agent) as part of serving the application.
- Basiq: bank-feed connection via the Consumer Data Right (CDR), where this feature is offered. When you authorise a bank connection, Basiq processes your financial and account data to import transactions. This processing only occurs if you connect an account.
- Legal requirements: we may disclose information if required to do so by law or in response to valid requests by public authorities.
6. Data retention
We retain your data for as long as your account is active. When you delete your account, we delete your data and cryptographically destroy any encryption keys associated with your account within 30 days.
7. Your rights
Under the Australian Privacy Act 1988, you have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your account and associated data.
- Withdraw consent for optional data processing.
To exercise these rights, use the account deletion feature in Settings → Privacy & Security, or contact us at the address below.
8. Cookies
We use session cookies managed by Supabase for authentication. We do not use tracking cookies or third-party advertising cookies.
9. Changes to this policy
We may update this policy from time to time. We will notify you of material changes via email or a notice in the app. Continued use after changes constitutes acceptance.
10. Optional email integration
Brikly offers an optional, user-authorised email connection so the service can extract property-related documents (rental statements, council and water rates notices, insurance policies, strata levies) and route them to the correct property. The feature is off by default and only activates after you explicitly connect an account in Settings.
- How the connection is made: Email access is mediated through Nylas, our email integration provider, which supports Gmail, Outlook, Microsoft 365, and IMAP accounts. Authorisation occurs through your provider's standard OAuth flow.
- What we access: Read-only access, limited to messages identified as property-related documents from senders such as property managers, councils, water authorities, strata managers, and insurance providers.
- What we extract: Financial figures only — amounts, dates, document types, and property addresses.
- What we store: Extracted financial data and provider-side message IDs (used to avoid duplicate ingestion). We do not store email body content.
- Data minimisation: Only the fields required to populate your property records are retained. Nothing is used for advertising, profiling, or training third-party models.
- Security: AES-256 encryption at rest on sensitive fields. OAuth tokens (including any Nylas grant identifiers) are encrypted using AES-256-GCM with a unique IV per token. Row-level security is enforced at the database level so no other user can read your data.
- Disconnect: You can revoke access at any time from Settings → Email — disconnecting removes all stored tokens and Nylas grants immediately.
- Provider compliance: Where access originates from a Google account, our use of Google user data complies with Google's API Services User Data Policy, including the Limited Use requirements.
11. Legacy direct-provider connections
A small number of users authorised Brikly via direct provider OAuth (Google or Microsoft) before our Nylas integration was introduced. Those existing connections continue to operate under the same controls described in section 10 and are honoured for backward compatibility. New connections made today are established through Nylas. You can migrate or disconnect a legacy connection at any time from Settings → Email.
12. Contact us
For privacy enquiries, please contact us at hello@brikly.com.au.