Privacy policy
Last updated: 15 December 2025
1. Introduction
This Privacy Policy explains how Brixy Tech Limited, Company No. 16811724 (“Brixy”, “we”, “us”) processes personal data when providing its services.
Brixy provides an AI-native workflow automation platform for property management operators.
We take data protection seriously and process personal data in accordance with:
- the UK General Data Protection Regulation (UK GDPR)
- the Data Protection Act 2018
- applicable guidance from the UK Information Commissioner’s Office (ICO)
This Privacy Policy should be read together with our Terms of Service and Data Processing Agreement (DPA).
2. Our Role Under Data Protection Law
In most cases:
Brixy acts as a Data Processor, processing personal data on behalf of:
- Letting agencies and property management operators, who act as Data Controllers
This means:
- Controllers decide why and how personal data is processed
- Brixy processes personal data only on documented instructions from Controllers
In limited cases (e.g. website contact forms, business communications), Brixy may act as an independent Data Controller.
3. Personal Data We Process
When providing our services, we may process the following categories of personal data on behalf of our customers.
3.1 Agency Users
- Name
- Work email address
- Role and permissions
- Authentication credentials (hashed passwords, OAuth tokens)
- Activity logs and audit records
3.2 Tenants (including former or prospective)
- Name and contact details
- Property address
- Repair issue descriptions
- Email communications
- Attachments (e.g. photos or videos of issues)
3.3 Landlords
- Name and contact details
- Property ownership information
- Communications related to repairs or reports
3.4 Contractors
- Name or business name
- Contact details
- Trade specialisation
- Communications related to repair jobs
3.5 Communications Data
- Email metadata (sender, recipient, timestamps)
- Email content
- Attachments
- System-generated messages
3.6 System & Technical Data
- User IDs
- Timestamps
- Logs and audit trails
- Security and performance monitoring data
4. Special Category Data
Brixy does not intentionally process special category data (such as health, biometric, religious or political data).
However, such data may be incidentally included in emails or attachments sent to our customers.
Where this occurs, processing is limited, automated, and strictly within the Controller’s instructions.
5. Purposes of Processing
Brixy processes personal data solely to:
- provide and operate the Brixy platform
- ingest and process email-based repair requests
- coordinate communications between tenants, agencies and contractors
- automate workflow steps such as triage, scheduling and status updates
- maintain security, auditability and service reliability
- comply with legal obligations
Brixy does not sell personal data, and does not use customer data for advertising.
6. Legal Basis for Processing
Where Brixy acts as a Processor, the legal basis is determined by the Controller.
Where Brixy acts as a Controller, processing is based on:
- performance of a contract
- legitimate business interests
- compliance with legal obligations
7. Use of AI and Automation
Brixy uses AI models to:
- classify incoming communications
- extract structured data
- generate draft responses
- automate workflow actions
AI processing:
- occurs only within the scope of providing services
- does not involve profiling for marketing
- does not train general-purpose models on customer data, unless explicitly agreed
8. Sub-Processors
Brixy uses carefully selected sub-processors, including (non-exhaustive):
- Google Cloud Platform (hosting & infrastructure)
- Supabase (authentication & database services)
- Redis (caching & queues)
- Gmail API / Microsoft Graph API (email ingestion)
- OpenAI and Anthropic (AI processing)
We remain fully responsible for our sub-processors and ensure contractual data protection obligations are in place.
An up-to-date list of sub-processors is available upon request or via our website.
9. International Data Transfers
Where personal data is transferred outside the UK, Brixy relies on appropriate safeguards, including:
- UK Addendum to EU Standard Contractual Clauses (SCCs), or
- UK International Data Transfer Agreement (IDTA)
These mechanisms are incorporated into our DPA.
10. Data Retention
Personal data is retained only for as long as necessary to provide the services.
- Email and communication content is subject to an internal 24-hour retention policy, unless required for ongoing workflows
- Backup data is retained securely and deleted in accordance with standard schedules
- Controllers may request deletion or return of data upon termination of services
11. Data Security
Brixy implements appropriate technical and organisational measures, including:
- role-based access control
- encryption in transit and at rest
- secure authentication and token handling
- logging and monitoring
- incident detection and response
- regular security reviews
Security measures are reviewed and updated without materially reducing protection.
12. Data Subject Rights
Where Brixy acts as a Processor:
- requests from data subjects are forwarded to the relevant Controller
- Brixy does not respond directly unless instructed
Where Brixy acts as a Controller, individuals may exercise their rights under UK GDPR, including access, rectification and erasure.
13. Personal Data Breaches
In the event of a personal data breach affecting customer data:
- Brixy will notify the relevant Controller without undue delay
- Brixy will assist with investigation and mitigation
- Notification does not constitute admission of fault
14. Changes to This Policy
We may update this Privacy Policy from time to time.
Material changes will be communicated via our website or directly to customers where appropriate.
15. Contact Information
For data protection questions or requests, contact: