Privacy policy

Last updated: 2026-04-18. Written to be understood. If something is ambiguous, email legal@brily.app and we will clarify or fix it.

1. Who we are

Brily ("Brily", "we", "us") is the entity providing the product-health platform available at brily.app. For GDPR purposes, we act as a data processor for the customer data you put into the platform, and as a data controller for the account-holder information you give us directly (your email, billing details, etc.).

2. What data we collect

Account data (you give us directly)

  • Name, email address, and password hash.
  • Billing information (handled by our payment processor; we never store full card numbers).
  • Team membership, role, and workspace assignments.

Product data (you put into the platform)

  • Monitor configurations, check results, incident history.
  • Status page subscriber emails, if any.
  • NPS responses, including any end-user identifier you supply and any free-text comments users write.

Operational data (we generate)

  • Server logs (IP address, request path, timestamp) retained for 30 days for security and debugging.
  • Product analytics: aggregate usage counts, never tied to individual end-users of your product.

3. What we never do

  • We never sell or rent your data to anyone.
  • We never use your product data to train machine-learning models. If we ever build ML features, they run on your workspace's data only, with explicit opt-in.
  • We never embed third-party tracking pixels, marketing cookies, or session-replay scripts in our NPS widget or status pages.

4. Legal basis (GDPR Art. 6)

  • Contract — we process account data to provide the service you signed up for.
  • Legitimate interest — we process minimal operational logs to keep the service secure and debuggable.
  • Consent — where required for optional features (e.g., product analytics opt-in).

5. How long we keep data

  • Monitor check results: raw data 30 days, hourly rollups 13 months, daily rollups 3 years. You can delete any project sooner.
  • NPS responses: retained until you delete them or close the account.
  • Account data: deleted within 30 days of account closure, with a 90-day grace period for billing reconciliation.
  • Server logs: 30 days, rolling.

6. Sub-processors

We list every sub-processor we use on the sub-processors page. We give 30 days' notice via email before adding a new one. You may object; if we cannot accommodate the objection, you may terminate.

7. Your rights

If your data is in Brily, you can exercise GDPR rights — access, rectification, erasure, restriction, portability, and objection — by emailing privacy@brily.app. We respond within 30 days; if the request is complex, we may extend by a further 60 days with notice.

8. International transfers

Where data crosses borders, we rely on the EU Standard Contractual Clauses or equivalent recognised transfer mechanisms. Our sub-processor list identifies the jurisdiction each operates from.

9. Security

  • Data at rest: AES-256 encryption.
  • Data in transit: TLS 1.2 or higher, HSTS enforced.
  • Passwords: Argon2id hashing with per-user salt.
  • Vulnerability disclosure: see contact for our security inbox.

10. Changes to this policy

Material changes get 30 days' notice by email to all account holders. Non-material clarifications (typos, broken links) we fix in place and note at the top.

11. Contact

Questions: privacy@brily.app. Legal: legal@brily.app.