SEARCH MY DATA — PRIVACY POLICY
Effective Date: [TO BE SET ON LAUNCH]
Last Updated: [TO BE SET ON LAUNCH]
Legal Entity: Brightstead Technologies, Inc., a Delaware corporation
DRAFTING NOTE FOR JASON AUFDERMAUR:
Modeled on the privacy policies of Notion, Linear, 1Password, and Anthropic, with adaptations for our zero-knowledge architecture. Same [REVIEW], [CONFIRM], [TBD] flag conventions as the ToS draft.
Highest-risk sections:
- Section 3 (What We Collect) — must be exhaustive and accurate. Inaccuracies here are the most common source of FTC enforcement actions.
- Section 4 (How We Use) — anti-AI-training commitments must match what we contractually obtain from Subprocessors.
- Section 6 (Subprocessors) — must align with ToS Section 5 and the live list at /subprocessors.
- Section 8 (Your Rights) — GDPR / CCPA / CPRA mechanics. Need to confirm whether we offer a self-serve right-to-deletion flow or require email request.
- Section 11 (Children’s Privacy) — COPPA standard.
- Section 13 (Cookies) — folded in here per request, see end of document.
- Section 14 (Changes) — material change notice mechanics.
1. Introduction
Brightstead Technologies, Inc. (“Brightstead,” “Search My Data,” “we,” “us,” “our”) respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have.
This Policy applies to information we collect when you visit our website (searchmydata.com), use our Service (app.searchmydata.com and related applications), or engage with us through email, support channels, or sales conversations. It applies to use of our hardware products (Sovereign Drive, Sovereign Bundle) where we collect operational telemetry.
This Policy does not describe our handling of Customer Content (the documents and queries you upload to the Service). Customer Content is handled per our Terms of Service and is encrypted and isolated on a per-tenant basis.
2. Our Privacy Principles
These principles guide our practices:
- We minimize what we collect. We collect personal information only when necessary to provide and improve the Service.
- We do not sell your personal information. Ever. There is no scenario in which we make money by sharing your data.
- We do not use Customer Content to train AI models. Yours or anyone’s. Our reasoning models are pre-trained before deployment.
- We protect what we hold. Encryption in transit and at rest; per-tenant isolation; minimum-necessary access for our team.
- You hold the key. In Zero-Knowledge Mode, we cannot decrypt Customer Content. We embrace this trade-off.
- Transparency. We publish our Subprocessors, our security practices, and (annually) any government data requests we receive.
3. Information We Collect
3.1 Information You Provide
When you create an Account or use the Service, you provide us:
- Identity Information: name, email address, organization name (where applicable).
- Account Credentials: password (stored as Argon2id hash; never as plaintext).
- Encryption Configuration: the encryption mode you select (Convenience or Zero-Knowledge); a salt and verification hash. In Zero-Knowledge Mode, we never receive your passphrase or recovery phrase.
- Billing Information: payment method details (handled by Stripe, our payment processor; we receive only the last four digits of payment cards and billing address).
- Communications: messages you send to us through support channels, sales inquiries, or feedback.
- Customer Content (separate handling): documents, queries, and search results you upload to the Service. Customer Content is encrypted, isolated per tenant, and governed by our Terms of Service. It is not the subject of this Privacy Policy.
3.2 Information We Collect Automatically
When you use the Service or our website, we collect:
- Usage Information: pages visited, features used, search counts, document upload counts, billing-relevant usage.
- Device and Connection: IP address, browser type, operating system, language, time zone, approximate geographic location (city/region level only, derived from IP).
- Performance and Errors: response times, error logs, stack traces (with personally identifying data scrubbed where technically feasible).
- Audit Log Metadata: for security and compliance, we record actions you perform within the Service (login, document upload, search, export) along with timestamps and IP addresses. The cryptographic chain of custody on the audit log is part of the Service’s compliance offering.
3.3 Information from Hardware Products
For Customers using Sovereign Drive or Sovereign Bundle hardware:
- Operational Telemetry: system uptime, memory and disk usage, software version, error counts.
- Telemetry does NOT include: document content, document filenames, search queries, search results, user identity, or any Customer Content.
- Telemetry transmission may be disabled by configuring the device for fully air-gapped operation.
3.4 Information from Other Sources
We may receive information from:
- Identity Providers: if you sign in via Single Sign-On (when supported), the identity provider may share your name and email.
- Business Contacts: if your organization purchases the Service, your colleagues may identify you as an authorized user.
- Marketing Partners: if you provide your information at an event or through co-marketing channels.
3.5 What We Do NOT Collect
We do not knowingly collect:
- Special categories of personal data (race, ethnicity, religion, etc.) about you as a Customer (Customer Content you upload may contain such data; that is handled per the Terms of Service).
- Information about children under thirteen (13).
- Biometric data.
- Precise geolocation.
4. How We Use Information
We use information for the following purposes:
4.1 To Provide the Service
- Authenticate and authorize Account access.
- Process documents you upload (encrypted at rest; processed by inference compute on Sovereign Rail, with optional burst routing to RunPod for transient query-time inference).
- Generate embeddings and verified answers using deterministic inference models.
- Maintain audit logs for your compliance use.
- Provide customer support.
4.2 To Bill and Operate
- Process payments through Stripe.
- Detect and prevent fraud, abuse, and security threats.
- Monitor and improve Service performance and reliability.
4.3 To Communicate
- Send transactional emails (sign-up confirmations, password resets, billing notices, security alerts) via Resend.
- Send important Service updates (changes to Terms, security incidents, scheduled maintenance).
- With your separate consent, send product updates and marketing communications. You may unsubscribe at any time.
4.4 To Comply with Law
- Meet our legal obligations (tax, accounting, regulatory).
- Respond to lawful requests from government authorities, with notice to affected Customers wherever permitted.
- Enforce our Terms of Service.
4.5 What We Do NOT Use Information For [REVIEW]
- We do not use Customer Content to train, improve, or fine-tune any AI model — ours or anyone else’s.
- We do not sell, rent, or otherwise transfer personal information for monetary or other valuable consideration.
- We do not share personal information with advertisers.
- We do not profile Customers for advertising purposes.
5. Legal Bases (for EU/UK Customers)
For Customers subject to GDPR or UK GDPR, we rely on these legal bases:
- Contract Performance: to deliver the Service you signed up for.
- Legitimate Interests: to operate, improve, and secure the Service; prevent fraud; conduct internal analytics on aggregate usage.
- Legal Obligation: to comply with tax, accounting, and other legal requirements.
- Consent: for marketing communications and certain optional features. You may withdraw consent at any time.
6. How We Share Information [REVIEW]
We share personal information only as described below:
6.1 Subprocessors
We use the following third-party service providers (“Subprocessors”) to provide functions of the Service. Each Subprocessor is bound by data protection terms substantially as protective as those in this Policy.
| Subprocessor | Purpose | Location |
|---|---|---|
| RunPod, Inc. | Burst GPU compute for transient inference | United States |
| Vercel, Inc. | Frontend application hosting | United States |
| Cloudflare, Inc. | Edge ingress, DDoS protection | Global; primary US |
| Stripe, Inc. | Payment processing | United States |
| Resend Labs, Inc. | Transactional email delivery | United States |
| Functional Software, Inc. (Sentry) | Error tracking | United States |
| Apple Inc. | Hardware procurement (Sovereign Bundle only) | United States |
The current list is maintained at searchmydata.com/subprocessors. We provide thirty (30) days’ notice before adding new Subprocessors that process Customer Content.
6.2 Business Transfers
In a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, personal information may transfer to the successor entity. We will provide notice of any material change in ownership.
6.3 Legal Compliance
We may disclose information when required by law, subpoena, court order, or valid legal process, after challenging requests we believe are overbroad or unlawful, and after notifying affected Customers wherever permitted.
6.4 Protection of Rights
We may disclose information when necessary to enforce our Terms, investigate fraud or abuse, or protect the safety, rights, or property of Brightstead, our Customers, or the public.
6.5 With Your Consent
We may share information for purposes you have specifically consented to.
6.6 Aggregated and De-Identified Data
We may share aggregated, anonymized, or de-identified data that does not identify you for industry research or marketing.
7. International Data Transfers
We are based in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. We rely on:
- Standard Contractual Clauses for transfers from the European Economic Area, the United Kingdom, and Switzerland.
- Customer-side encryption (Zero-Knowledge Mode where applicable) to limit the scope of transferred personal information.
For Customers requiring data residency outside the United States, contact sales for Enterprise tier deployment options.
8. Your Rights and Choices [REVIEW]
8.1 General Rights
You have the right to:
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete your Account and associated personal information (subject to legal retention requirements).
- Export your Customer Content and audit log.
- Object to certain processing.
- Withdraw consent for marketing.
You may exercise these rights through the Account settings or by emailing privacy@searchmydata.com.
8.2 California Residents (CCPA / CPRA)
California residents have the rights described in Section 8.1, plus:
- Right to Know specific pieces of personal information we have collected.
- Right to Limit use of “sensitive personal information” (we do not collect such information for advertising or profiling).
- Right to Non-Discrimination for exercising your rights.
We do not “sell” or “share” personal information as defined under California law.
8.3 European Economic Area, UK, Switzerland (GDPR)
Customers in these regions have the rights described in Section 8.1, plus:
- Right to Restriction of processing.
- Right to Data Portability in machine-readable format.
- Right to Lodge a Complaint with your supervisory authority.
Our EU representative is [TBD if required by Article 27 GDPR; typically only if we directly target EU customers].
8.4 Authentication of Requests
To protect your information, we may verify your identity before fulfilling rights requests. We will respond within thirty (30) days (sixty (60) days for complex requests, with notice).
9. Data Retention
We retain personal information for as long as your Account is active and as needed to provide the Service. After Account closure:
- Customer Content: thirty (30) days for export, then permanently deleted within ninety (90) days.
- Account information: retained as required for legal, tax, and accounting purposes (typically seven (7) years).
- Audit logs: retained per the Plan terms; available for export prior to deletion.
- Backups: rolling encrypted backups are retained for thirty (30) days.
10. Security [REVIEW]
We implement administrative, technical, and physical safeguards including:
- Encryption in transit: TLS 1.3 or equivalent for all customer-facing connections.
- Encryption at rest: AES-256-GCM for Customer Content; per-tenant isolation in PostgreSQL with row-level security.
- Customer-side encryption: Zero-Knowledge Mode option where we cannot decrypt your data.
- Access controls: least-privilege access for our team; multi-factor authentication required.
- Audit logging: cryptographic chain-of-custody for all Service actions.
- Vulnerability management: regular security testing and patching.
- Incident response: documented procedures for breach notification.
No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you per applicable law. [CONFIRM: 72-hour GDPR breach notification commitment]
11. Children’s Privacy
The Service is not intended for individuals under thirteen (13) years of age, and we do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it promptly. Parents who believe their child has provided personal information may contact privacy@searchmydata.com.
12. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of those parties. Review their privacy policies separately.
13. Cookies and Similar Technologies (Cookie Policy)
This section also serves as our Cookie Policy.
13.1 What Are Cookies
Cookies are small text files placed on your device by websites you visit. We also use similar technologies including local storage, session storage, and pixel tags.
13.2 What Cookies We Use
We use a minimal set of cookies. We do not use cookies for advertising or behavioral tracking.
| Category | Purpose | Examples | Lifetime |
|---|---|---|---|
| Strictly Necessary | Authentication, session management, security | Session token, CSRF token | Session or up to 30 days |
| Functional | Remember preferences (theme, language) | Theme preference | Up to 12 months |
| Analytics (limited) | Aggregate usage analysis (no individual profiling) | Page-view counts | Up to 12 months |
We do not use:
- Advertising cookies
- Cross-site tracking cookies
- Third-party social-media tracking pixels (Facebook Pixel, etc.)
- Behavioral profiling cookies
13.3 Your Cookie Choices
- Strictly Necessary cookies are required for the Service to function and cannot be disabled without losing access.
- Functional cookies can be disabled via your browser settings.
- Analytics cookies are first-party and limited to aggregate data. We respect Do Not Track signals.
You can manage cookies through your browser:
13.4 Subprocessor Cookies
Our Subprocessors may set their own cookies when their services are used. For example:
- Stripe sets cookies during checkout for fraud prevention.
- Vercel may set performance-related cookies.
- Cloudflare sets security cookies (__cf_bm) for bot detection.
These are operational and do not track you across sites for advertising.
13.5 Cookie Banner
EU and UK Customers will see a cookie consent banner. You may accept all, reject non-essential, or customize. Your choice is recorded for twelve (12) months.
14. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated via:
- Email to your registered Account email address.
- A prominent notice on the Service.
- Updates to the “Last Updated” date at the top of this Policy.
Material adverse changes affecting paid Customers will take effect no earlier than thirty (30) days after notice.
15. Contact Us
For privacy questions or to exercise your rights, contact us at:
By Email: privacy@searchmydata.com
General: hello@searchmydata.com
Mailing Address: Brightstead Technologies, Inc., [ADDRESS TBD], Attn: Privacy
For EEA/UK matters, our Data Protection contact is [TBD].
END OF PRIVACY POLICY DRAFT — JASON’S REVIEW QUEUE:
- Section 3 — accuracy of “what we collect” (FTC enforcement risk)
- Section 4 — anti-AI-training commitments alignment with Subprocessor contracts
- Section 6 — Subprocessor disclosure alignment with ToS
- Section 8 — rights mechanics (self-serve vs. email request)
- Section 10 — security claims (must match what we actually do)
- Section 13 — cookie banner mechanics for EU/UK
Items marked [CONFIRM]:
- 72-hour breach notification commitment
- Sovereign Rail location for data residency claim
Items marked [TBD]:
- EU representative requirement (Article 27 GDPR)
- DPA template
- Brightstead corporate address
- Effective date / launch date
Subprocessor verification work (separate from Jason’s review, but blocking publication):
- Confirm RunPod’s data processing terms allow our representations
- Confirm Vercel, Cloudflare, Stripe, Resend, Sentry similarly
- Each of these has standard DPA terms; we need to ensure none use customer data for AI training or advertising