Privacy Policy

Effective May 16, 2026

This Privacy Policy describes how Briefcase AI (“Briefcase AI,” “we,” “us,” or “our”) collects, uses, discloses, retains, and otherwise processes information in connection with the Briefcase AI Scan software-as-a-service offering, including the web application at seetheblindspot.com, the API at api.seetheblindspot.com, the scanners, command-line utilities, documentation, and any related materials (collectively, the “Service”). By accessing or using the Service you acknowledge that you have read and understood this Privacy Policy. The Privacy Policy is incorporated by reference into the Terms of Service.

1. Roles and Scope

For information about identifiable end users and visitors that Briefcase AI processes for its own purposes (account administration, billing, security, communications, R&D), Briefcase AI is the data controller (or, under California law, the business). For information that customers (each, a “Customer”) process through the Service on behalf of others, Briefcase AI acts as a processor (or, under California law, a service provider) subject to the Customer’s instructions and to a written Data Processing Addendum incorporated into the Terms of Service.

This Policy does not govern third-party websites, AI systems, analytics services, or tracking technologies operated by Customers or third parties, even when those properties are scanned by, link to, or are interrogated by the Service. Those properties are governed by their own notices and the Customer’s relationships with the relevant third parties.

2. Categories of Information We Collect

2.1 Information you provide

  • Account information: organization name, email address, password (stored using bcrypt at cost factor 12 or higher), administrator role, billing contact, signing user’s name, phone number (only if MFA SMS is enabled by the Customer).
  • Scan configuration: target URLs, prompt seeds, authentication mode, surface type, assumed monthly active users, and any HTTP cookies, OAuth tokens, SAML assertions, or login credentials you voluntarily provide to authenticate a scan. Credentials are stored encrypted at rest using a per-organization data encryption key wrapped by a master key held in Google Cloud KMS-backed Secret Manager.
  • Attestations: when you scan a known production AI surface, we record the target host, the user identity, the full legal name typed by the user, the three acknowledgments, the IP address used, and the UTC timestamp. Attestations are retained for the longer of (i) seven (7) years and (ii) any applicable statute of limitations.
  • Payment information: billing address, tax ID where required, and the tokenized payment-method reference returned by Stripe. Briefcase AI does not store full card numbers, CVCs, or bank account numbers; those are stored by Stripe under its PCI DSS Level 1 certification.
  • Support and communications: records of email, chat, and ticket interactions with Briefcase AI, including attachments and metadata.

2.2 Information generated by the Service

  • Scan artifacts: HTTP Archive (HAR) files, rendered HTML and DOM snapshots, request and response bodies, screenshots, generated PDF reports, and worker output. Artifacts may contain personal data, regulated data, or trade secrets of third parties depending on the surface scanned and the credentials supplied.
  • Findings and exposure scoring: structured records describing detected trackers, regulated-data patterns (PHI, PII, payment data), risk classification, and matched payload excerpts.
  • Usage data: pages visited, API requests with status code and latency, scan counts, scan profiles selected, error and crash telemetry, feature-flag exposure, and similar operational data.
  • Device and connection data: IP address, autonomous system, approximate geolocation derived from IP, browser User-Agent, operating system, screen size, referrer URL, and similar technical metadata.
  • Audit log: tamper-resistant record of administrative actions (sign-up, login, scan creation, scan deletion, attestation creation, role change, organization rename, etc.) tied to an actor identity, IP, and timestamp. Audit logs are retained for seven (7) years for organizations using HIPAA mode and three (3) years otherwise.

2.3 Information from third parties

  • Identity providers: when an organization enables single sign-on, the configured provider (Auth0, Okta, Google Workspace, Microsoft Entra, or a generic OIDC/SAML IdP) transmits the basic profile (subject, email, given name, family name) needed to authenticate the user.
  • Stripe: subscription state, invoice status, card brand and last four, dispute and chargeback information, and webhook events for payment and subscription lifecycle.
  • Twilio: when SMS MFA is enabled, Twilio confirms delivery status and may share carrier-reported error codes.

3. How We Use Information

We use information for the following purposes:

  1. Service provision: authenticating users, processing scans, generating reports, storing artifacts, enforcing access controls, and delivering features you request.
  2. Billing and fraud prevention: metering usage, charging payment methods, evaluating dispute and chargeback risk, and preventing abuse.
  3. Security: monitoring for, investigating, and responding to abuse, account takeover, anomalous scan patterns, and intrusion attempts. We may use IP, device, behavior, and rate signals for this purpose and may apply automated decisions, including the denial of suspicious requests.
  4. Product improvement: developing new detectors, evaluating detection accuracy, training internal machine-learning classifiers, and improving Service performance. We do not train models on identifiable Customer Data without the Customer’s prior written permission. We may use aggregated, de-identified, statistical, or anonymized data derived from the operation of the Service for any lawful purpose, including disclosure to investors, in marketing materials, or in research publications, provided that such data does not identify any individual, Customer, or surface.
  5. Communications: service announcements, security advisories, billing notices, attestation reminders, and product education. Marketing emails are sent only with your prior opt-in or where permitted by law, and each email contains an unsubscribe link.
  6. Legal and policy enforcement: complying with law, responding to lawful requests, enforcing the Terms of Service and Acceptable Use Policy, and protecting the rights, property, and safety of Briefcase AI, our Customers, and the public.

4. Legal Bases (GDPR / UK GDPR)

Where the European Union General Data Protection Regulation, the UK General Data Protection Regulation, or equivalent law applies, Briefcase AI processes personal data on the bases of: (a) performance of a contract with the Customer organization or with you; (b) legitimate interests in operating, securing, and improving the Service, defending against fraud and abuse, and protecting our rights, where those interests are not overridden by the data subject’s rights; (c) compliance with legal obligations to which we are subject; and (d) your consent, where we ask for it (for example, for marketing communications or for optional analytics).

5. Subprocessors

Briefcase AI engages the following categories of subprocessors to provide the Service. The current list is maintained at this URL and may be updated from time to time on at least thirty (30) days’ advance notice for new processors of Customer Data.

  • Google LLC (United States) — compute, object storage, secret management, network egress, and observability through Google Cloud Platform in the us-central1 region.
  • Stripe, Inc. (United States) — subscription management, hosted Checkout, Customer Portal, invoicing, and payment processing.
  • GitHub, Inc. (United States) — source code, container image registry (GHCR), and continuous-deployment metadata.
  • Internet Security Research Group (United States) — TLS certificate issuance via Let’s Encrypt.
  • Twilio Inc. (United States) — only when SMS MFA is enabled by the Customer, used to deliver short-lived numeric codes.

Each subprocessor is bound by a written agreement that requires confidentiality, security measures appropriate to the sensitivity of the data, processing only on documented instructions, and appropriate cross-border transfer mechanisms.

6. Disclosures of Information

We disclose information only as follows:

  • To subprocessors identified in Section 5, strictly for the purposes for which they were engaged.
  • To members of your organization who have been granted access by an administrator. Administrators can read, export, and delete data within their organization.
  • In response to lawful requests such as subpoenas, court orders, warrants, and binding government requests. We will challenge requests that we believe are overbroad or unlawful and, where legally permitted, will notify the affected Customer in advance.
  • To enforce our rights under the Terms of Service, Acceptable Use Policy, and applicable law; to investigate fraud, abuse, security incidents, or technical issues; and to protect the rights, property, and safety of Briefcase AI, our Customers, and the public.
  • In connection with a business transaction such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or substantially all of our assets, in which case we will require the recipient to honor the commitments in this Privacy Policy.
  • With your direction — for example, when you configure a webhook to a destination of your choice or connect an integration to a third-party service.

Briefcase AI does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined by the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, or substantively similar state privacy laws.

7. Data Retention

Retention period by category:

  • Account data: active subscription term plus ninety (90) days following cancellation, then deleted on request and otherwise archived for up to three (3) years for audit purposes.
  • Scan artifacts (standard mode): three hundred sixty-five (365) days, or until the Customer purges, whichever is earlier.
  • Scan artifacts (HIPAA mode): thirty (30) days, auto-purged.
  • Findings and exposure data: term of the subscription plus three (3) years.
  • Audit logs: seven (7) years (HIPAA mode); three (3) years otherwise.
  • Attestations: greater of seven (7) years or applicable limitations period.
  • Payment records: seven (7) years from invoice date for tax and accounting.
  • Backups: thirty (30) days rolling, then overwritten.

We may retain information longer where required by law, where the information is needed to enforce our rights or comply with a litigation hold, or where the information has been de-identified such that it can no longer be linked to an individual.

8. Security

Briefcase AI maintains administrative, technical, and physical safeguards designed to protect information:

  • encryption in transit using TLS 1.2 or higher with modern cipher suites and HSTS;
  • encryption at rest of scan artifacts and credentials using AES-GCM with per-organization data encryption keys wrapped by a master key managed in Secret Manager;
  • role-based access control, least-privilege provisioning, and mandatory multi-factor authentication for all Briefcase AI personnel with access to production systems;
  • tenant isolation at the application layer, with all queries scoped by organization identifier and enforced through a dependency-injected session;
  • audit logging of administrative and security-sensitive actions;
  • vulnerability scanning of container images, signed releases, and a coordinated disclosure program at support@briefcaseai.org.

No security program is impenetrable. You are responsible for protecting your account credentials, enforcing MFA where available, restricting access to authorized personnel, and promptly notifying us at support@briefcaseai.org of suspected unauthorized access. In the event of a security incident affecting your personal data, Briefcase AI will notify the affected Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of the incident, consistent with Article 33 GDPR and applicable U.S. state breach-notification laws.

9. International Transfers

Briefcase AI is established in the United States and operates the Service from infrastructure located in the United States. By using the Service from outside the United States, you consent to the transfer of your information to the United States. For transfers of personal data from the European Economic Area, the United Kingdom, and Switzerland to the United States, Briefcase AI relies on the European Commission’s Standard Contractual Clauses (Modules 2 and 3 as applicable), the UK International Data Transfer Addendum, and Swiss FDPIC-recognized equivalents. Briefcase AI does not currently self-certify under the EU-U.S. Data Privacy Framework but will adopt it if and when commercially appropriate.

10. Your Rights and How to Exercise Them

Depending on your jurisdiction you may have the right to (a) access the personal information we hold about you, (b) correct inaccurate information, (c) request deletion, (d) request a portable copy in a machine-readable format, (e) object to or restrict certain processing, (f) withdraw consent where processing is based on consent, and (g) lodge a complaint with a supervisory authority.

To exercise these rights, email support@briefcaseai.org from the address associated with your account, or submit a request through the Briefcase AI Scan settings page. We will verify your identity before responding. We respond to verified requests within forty-five (45) days for CCPA/CPRA requests and within one (1) month for GDPR/UK GDPR requests, with one extension where permitted by law. We will not discriminate against you for exercising privacy rights. Authorized agents may submit requests with written permission and proof of identity.

California residents may additionally request a list of categories of personal information disclosed for a business purpose in the prior twelve (12) months (California Civil Code § 1798.83 “Shine the Light”). Briefcase AI does not disclose personal information to third parties for those parties’ direct marketing purposes.

11. Children

The Service is intended for organizational use by adults. We do not knowingly collect personal information from individuals under 18 years of age. If we learn that we have collected personal information from a child under 13 (or under the equivalent age of digital consent under your jurisdiction), we will delete it promptly. Contact support@briefcaseai.org if you believe a child has provided personal information.

12. Cookies and Similar Technologies

  • __Host-next-auth.csrf-token: strictly necessary CSRF protection; session-scoped.
  • __Secure-next-auth.callback-url: routing state during sign-in.
  • __Secure-next-auth.session-token: encrypted session JWT; HttpOnly, Secure, SameSite=Lax.

Briefcase AI does not deploy advertising cookies, fingerprinting scripts, or third-party trackers on the Service surfaces it operates. Disabling cookies will prevent sign-in and most Service functionality.

13. HIPAA and Protected Health Information

Briefcase AI is not, in its standard configuration, a Business Associate within the meaning of 45 C.F.R. § 160.103. You may not transmit, upload, or scan protected health information (“PHI”) using the Service unless you have a countersigned Business Associate Agreement (“BAA”) with Briefcase AI in force and the Service is operated in HIPAA mode for your organization. PHI submitted in the absence of a BAA is processed as ordinary Customer Data, is not subject to HIPAA protections, and may be deleted at our discretion. To request a BAA, contact support@briefcaseai.org.

14. Automated Decision-Making

The Service uses automated processes to detect trackers, identify regulated data patterns, score exposure, and apply rate limits, account-protection signals, and content filtering. These processes do not produce legal or similarly significant effects on individual end users of the scanned surfaces. Briefcase AI does not engage in profiling for advertising purposes.

15. Notice of Material Changes

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email to the administrator address associated with the affected account at least thirty (30) days before the change becomes effective, except where a shorter period is required by law or by an active security incident. Continued use of the Service after the effective date constitutes acceptance.

16. Contact

Briefcase AI
Attn: Privacy
support@briefcaseai.org
Briefcase AI accepts service of process at the address listed on the Briefcase AI website footer or through its registered agent in the State of Delaware. EU/UK individuals may submit complaints to the supervisory authority of their habitual residence; UK residents may contact the Information Commissioner’s Office at ico.org.uk.