Privacy Policy
1. Controller
The controller responsible for data processing is:
Noah Sioly UG (haftungsbeschränkt)
Hoheluftchaussee 139
20253 Hamburg
Germany
Email: support@brisko.net
2. Principle
We process personal data only to the extent necessary for operation, security, communication, authentication, contract performance, provision of connected features or compliance with legal obligations.
We do not sell personal data. We do not use personal data for advertising or profiling. We transfer personal data only to service providers, recipients or connected providers to the extent necessary for the Service or where you activate a feature that triggers such transfer.
3. Account Data
We process:
- email address;
- display name;
- authentication provider, such as email/password, Google or Apple;
- account ID, login timestamps and security-relevant authentication data.
Purpose: account creation, login, session management, security and support.
Legal basis: contract performance (Art. 6(1)(b) GDPR) and legitimate interest in security (Art. 6(1)(f) GDPR).
4. Usage and Flow Data
We process:
- flow configurations;
- connected services and sources;
- scan ranges;
- output settings;
- schedule settings;
- run status, error messages and technical history data.
Purpose: providing collection, organization, schedule and output features.
Legal basis: contract performance (Art. 6(1)(b) GDPR).
5. Credentials, Tokens and Session Data
For connected sources, we may process:
- OAuth tokens;
- API tokens;
- session cookies;
- IMAP credentials or app passwords;
- technical additional data such as organization, workspace, account ID or connected domain.
Where these data are stored server-side, they are stored encrypted. The encryption key is managed server-side.
Purpose: connecting to sources activated by you, retrieving documents, automated collection runs and cross-device use.
Legal basis: contract performance (Art. 6(1)(b) GDPR).
6. Documents, Invoices and Receipts
Brisko may process invoices, receipts, billing documents, payment documents, PDF attachments, file metadata, email metadata, order or payment metadata and text excerpts from documents.
Original files may be processed locally in your browser, in a local output folder, in a staging folder or temporarily server-side for individual features.
For AI-assisted naming, validation or organization, filenames, document metadata and text excerpts may be processed and transmitted to the AI service used.
Purpose: collecting, naming, validating, organizing and providing documents.
Legal basis: contract performance (Art. 6(1)(b) GDPR), and in case of active upload also consent or active use of the feature (Art. 6(1)(a) or (b) GDPR depending on context).
7. Email Sources
If you connect Gmail, Outlook or IMAP, we may process email search queries, email metadata, subject lines, senders, received dates, attachment metadata and PDF attachments.
We use read-only permissions where possible. For IMAP, a password or app password may be required. We recommend using an app password instead of your main password.
Brisko is designed not to send, delete or modify emails for these functions.
8. Cloud Storage
If you connect Google Drive, Dropbox, iCloud Drive or other cloud storage providers, we may process folder selection, filenames, file metadata and selected PDF files.
We use read-only permissions where possible and limit processing to the sources and folders you activate.
9. Browser Extension and Cloud Browser
If you use the browser extension, it may read session cookies for the domain you connect and transmit them to Brisko after you actively start the process. Depending on the connector, the extension may also read service-specific browser storage values or page HTML of the connected domain for technical processing, or download files with your existing third-party session where this is required for search, recognition or download of documents.
If cloud browser technology is used, page content, session data, cookies, technical logs, screenshots or other technical session data may be processed during the session to the extent required for connection or retrieval.
Purpose: technical connection to third-party portals and automated retrieval on your behalf.
Unlike provider-granted read-only permissions, browser- or cookie-based connections are not technically limited by the provider. We limit processing to the retrieval and connection features you activate.
Legal basis: contract performance (Art. 6(1)(b) GDPR).
10. AI Processing
During a collection run, filenames, metadata and short text excerpts from documents may be sent to an AI service such as OpenRouter or OpenAI. Depending on the feature, these are typically short excerpts, currently generally less than 1,000 characters per document. These text excerpts may contain business data such as invoice numbers, amounts, company names or tax identification numbers.
The processing is used for naming, validation, categorization and sorting.
We do not use your data to train our own AI models. We select and configure AI services so that transmitted content is not used to train models under the applicable provider terms where technically and contractually available.
Legal basis: contract performance (Art. 6(1)(b) GDPR).
11. Server Logs and Security Data
When accessing the Service, IP address, timestamp, browser type, requested URL, technical error data and security events may be processed.
Purpose: operation, security, error analysis, abuse prevention and stability of the Service.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
12. Emails and Communication
We send transactional emails, for example:
- verification emails;
- password reset emails;
- magic links;
- export emails;
- security- or account-related notifications.
We currently do not send marketing newsletters without separate consent.
Referral or invitation emails may only be used if the legal requirements are met. A share link or a mailto draft sent by the user is safer.
12a. Referral and Invitation Data
If you send an invitation using the referral feature or a flow invitation, we process:
- the email address of the invited person;
- the link between your account and the invited person;
- the status of the invitation (sent, accepted);
- for flow invitations, the affected flow, invite token, expiry time and later membership role.
In the invitation email, your first name or a name derived from your email address as well as your email address are shown to the invited person so that the invitation can be attributed.
The email address of the invited person is stored as long as the referral relationship, pending invitation or flow membership exists, or until you or the invited person request deletion, unless legitimate security, abuse-prevention or evidence interests require retention.
Legal basis: legitimate interest in providing the referral feature (Art. 6(1)(f) GDPR). The email address of the invited person is not collected from the invited person directly but provided by the inviting user. The invited person is informed about the data processing in the invitation email (Art. 14 GDPR). The invited person can object to the processing at any time, for example by email to support@brisko.net.
13. Data Export
You can export data. Depending on the feature, an export may be downloaded directly or provided by email as a download link.
Export links may contain personal data and should be kept confidential. Export links should be time-limited and deleted or made inaccessible after expiry.
14. Local Storage
The following data may be stored in your browser:
- flow configurations;
- connected services;
- credential cache;
- uploaded documents;
- run history;
- output and scan range settings.
The use of localStorage and IndexedDB is technically necessary for the functionality of the Service (Section 25(2) TDDDG).
Local data remains on your device until you delete it or use the intended deletion functions.
15. Cookies
We use technically necessary cookies for authentication, session management and security.
We do not use tracking cookies, analytics cookies or advertising pixels unless these are introduced later and appropriate information is provided.
16. Service Providers and Recipients
We may use the following service providers and recipients:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database, encrypted credential storage | EU/Frankfurt |
| Vercel | Hosting, serverless functions, cron jobs, logs | EU/USA |
| Resend | Transactional emails | USA |
| OpenRouter | AI analysis for document naming and validation | USA |
| OpenAI | AI analysis if used directly | USA |
| Browserbase | Cloud browser sessions for connection or retrieval features | Depending on configuration |
| Google | Google login, Gmail, Google Drive if activated | Depending on provider |
| Microsoft | Outlook and Microsoft login if activated | Depending on provider |
| Dropbox | Cloud storage connection if activated | Depending on provider |
| Apple | Apple login if activated | Depending on provider |
| Third-party portals | Retrieval of documents on your behalf | Depending on provider |
For transfers to third countries, we use appropriate safeguards, in particular EU Standard Contractual Clauses or other mechanisms permitted under the GDPR where required.
17. Retention
Account data are stored as long as your account is active.
Credentials for connected sources are stored as long as the respective connection is active or until you delete them.
Export data and export links are provided only for a limited period and deleted or made inaccessible after expiry where technically implemented.
Server logs are stored only as long as necessary for operation, security, error analysis and abuse prevention, generally no longer than 90 days.
Upon account deletion, we delete or anonymize personal data without undue delay, unless statutory retention obligations, security or abuse evidence, or technical backup periods prevent deletion.
18. Data Security
We use appropriate technical and organizational measures, including:
- HTTPS/TLS encryption;
- encryption of stored credentials;
- Row Level Security in the database where applicable;
- access restrictions;
- two-factor authentication where activated;
- logging of security-relevant events;
- technical and organizational measures against unauthorized access.
Absolute security cannot be guaranteed.
19. Your Rights
Subject to the GDPR, you have in particular the following rights:
- access (Art. 15 GDPR);
- rectification (Art. 16 GDPR);
- deletion (Art. 17 GDPR);
- restriction of processing (Art. 18 GDPR);
- data portability (Art. 20 GDPR);
- objection (Art. 21 GDPR);
- withdrawal of consent with effect for the future (Art. 7(3) GDPR);
- complaint with a data protection supervisory authority.
The competent supervisory authority:
Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Strasse 22
20459 Hamburg
datenschutz-hamburg.de
Contact for privacy requests: support@brisko.net
20. Personal Data Breaches
If a personal data breach occurs, we will assess our statutory notification and communication obligations under Art. 33 and Art. 34 GDPR.
Where required, we will notify the competent supervisory authority and affected persons within the statutory deadlines.
20a. Obligation to Provide Personal Data
Providing your email address is required for creating an account and using the Service. Without this information, we cannot provide the Service. Providing additional personal data, in particular credentials for connected sources, is voluntary but required for using the respective features.
20b. Automated Decision-Making
The AI-assisted naming, categorization and sorting of documents does not constitute automated decision-making within the meaning of Art. 22 GDPR, as it does not produce legal effects or similarly significant effects concerning you. You can manually change or override AI results at any time.
21. Changes to This Privacy Policy
We may update this Privacy Policy if the Service, our data processing, service providers used or legal requirements change.
We will inform you appropriately about material changes.