Effective date: 14 February 2026
Brikly® (“Brikly”, “we”, “us”, or “our”) provides modular business-management tools designed for food and hospitality operators. Our platform helps cafés, bakeries, restaurants, and similar businesses manage costing, menus, inventory, staffing, and financial insights.
The data controller responsible for your personal data is Brikly Ltd, a company registered in England and Wales (Company Number: 16470298), with its registered office at Unit 2 Hunters Cake Company, Ventura Park, Carterton, United Kingdom, OX18 1AD.
For any privacy-related enquiries, please contact us at privacy@brik.ly.
This Privacy Policy applies to all personal data processed through our website at brik.ly, our web application at app.brik.ly, our Chrome browser extension, and any related services, APIs, or communications (collectively, the “Services”).
Brikly is a business-to-business (“B2B”) service. The primary users of our platform are business operators and their authorised staff. Where we refer to “you” or “your” in this policy, we mean the individual user or the business entity that has subscribed to our Services.
When you use Brikly to manage your business data (recipes, ingredient costs, menu items, staff rotas, sales figures), you remain the data controller for that business information. Brikly acts as a data processor on your behalf, processing such data only in accordance with your instructions and this policy. For data we collect about you as a user of our Services (account information, usage data), we act as the data controller.
When you create an account or subscribe to our Services, we collect:
Data you input into the platform in the course of using our Services:
If you connect a Point of Sale system, we receive sales transaction data, product catalogues, and related information as provided by your POS provider’s API. The specific data fields depend on your POS provider and the permissions you grant.
If you connect accounting software, we may receive chart-of-accounts data, invoice summaries, and related financial information as provided by your accounting provider’s API.
We use cookies and similar technologies as described in the Cookies section below. This includes session identifiers, preference settings, and analytics identifiers.
If you contact us for support, provide feedback, or respond to surveys, we collect the content of those communications along with associated metadata (timestamps, email addresses).
Our Chrome browser extension captures invoice and order data from supplier websites that you explicitly choose to process. The extension only activates on pages you direct it to and transmits captured data to your Brikly account. It does not monitor general browsing activity.
Certain features use artificial intelligence to assist with tasks such as invoice parsing, data extraction, and business insights. When you use AI-enhanced features, the relevant input data is processed by our AI models or third-party AI services as described in the Data Sharing section. We do not use your business data to train general-purpose AI models.
We process your personal data on the following legal bases under UK GDPR:
Processing necessary to provide and maintain the Services you have subscribed to, including account management, data storage, and feature delivery.
Processing necessary for our legitimate business interests, provided these do not override your rights. This includes:
Where we rely on your consent, you may withdraw it at any time. We seek consent for:
Processing necessary to comply with legal or regulatory requirements, such as tax record-keeping, responding to lawful data-access requests, or cooperating with law-enforcement authorities.
We create anonymised, aggregated statistics from user data to understand industry trends, benchmark performance, and improve our Services. See the Aggregated Statistics section below for full details.
We compile anonymised, aggregated statistical data (“Aggregated Statistics”) derived from the use of our Services. This may include industry benchmarks, average costings, common operational patterns, and trend analyses across our user base.
All Aggregated Statistics are processed such that they cannot reasonably be used to identify any individual user or business. We remove, mask, or generalise personal identifiers before creating any aggregate datasets. Where datasets include fewer than five contributing businesses for any data point, we suppress that data point to prevent indirect identification.
Aggregated Statistics are owned exclusively by Brikly. While your raw business data remains yours (as set out in our Terms of Service), the anonymised, aggregated insights derived from the collective use of our platform are our intellectual property.
We may use Aggregated Statistics for:
Your use of the Services constitutes your agreement that we may create and use Aggregated Statistics as described above, without any obligation to compensate you.
Our right to use Aggregated Statistics survives any termination or expiration of your account or subscription, as such data is anonymised and cannot be attributed to you.
Aggregated Statistics are not personal data within the meaning of UK GDPR because they do not relate to an identified or identifiable individual. Your rights under data-protection law (including the right to erasure) apply to your personal data, not to Aggregated Statistics that have been properly anonymised.
We do not sell your personal data. We share data only in the following circumstances:
We use the following third-party service providers to operate and improve our Services:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | EU (Frankfurt) |
| Vercel | Application hosting and deployment | Global CDN (US primary) |
| Stripe | Payment processing and subscription management | US / EU |
| PostHog | Product analytics (with consent) | EU (Frankfurt) |
| Google (Gemini) | AI-powered features (invoice parsing, data extraction) | US |
| Resend | Transactional and marketing email delivery | US |
When you connect third-party services, data is shared with them as necessary to provide the integration:
| Integration Type | Data Shared | Direction |
|---|---|---|
| POS Systems (e.g. Square, Lightspeed) | Sales data, product catalogues | Inbound |
| Accounting Software (e.g. Xero, QuickBooks) | Chart of accounts, financial summaries | Bidirectional |
| Supplier Platforms (via Chrome Extension) | Invoice and order data | Inbound |
We may share Aggregated Statistics (as defined above) with third parties. Such data is anonymised and cannot identify you or your business.
We may disclose your data if required to do so by law, regulation, legal process, or enforceable governmental request.
In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such change and any choices you may have regarding your data.
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
Some of our sub-processors operate outside the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:
We retain your data for the following periods:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account plus 30 days | Contract |
| User content (business data) | Duration of account plus 30 days | Contract |
| Billing records | 7 years from transaction | Legal obligation (tax) |
| Technical / analytics logs | 12 months | Legitimate interest |
| Support correspondence | 3 years from resolution | Legitimate interest |
| Aggregated Statistics | Indefinite (anonymised) | Not personal data |
Upon account deletion, we will remove or anonymise your personal data within 30 days, except where retention is required by law or for the establishment, exercise, or defence of legal claims.
Under UK GDPR, you have the following rights in relation to your personal data:
You may request a copy of the personal data we hold about you. We will provide this within one month of receiving your request.
You may request correction of inaccurate or incomplete personal data. You can update most account information directly through your Brikly account settings.
You may request deletion of your personal data where there is no compelling reason for its continued processing. This right does not apply to Aggregated Statistics, which are anonymised.
You may request that we restrict the processing of your personal data in certain circumstances, such as where you contest its accuracy.
You may request your personal data in a structured, commonly used, machine-readable format. We provide data export functionality within the platform.
You may object to processing based on legitimate interests. We will cease such processing unless we demonstrate compelling legitimate grounds that override your interests.
We do not currently make solely automated decisions that produce legal or similarly significant effects on you. Our AI-assisted features are tools to aid your decision-making, not replace it.
To exercise any of these rights, please contact us at privacy@brik.ly. We will respond within one month. We may ask you to verify your identity before processing your request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk. We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first.
When you first visit our site, we present a cookie banner allowing you to accept or decline non-essential cookies. You can change your preferences at any time via the “Cookie settings” link in the footer.
In addition to our cookie preference controls, you can manage cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.
We respect Do Not Track (DNT) browser signals. If your browser sends a DNT signal, we will not load non-essential analytics or tracking scripts.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay where required by law.
You are responsible for maintaining the security of your account credentials, ensuring that access permissions within your Brikly account are appropriately configured, and notifying us promptly if you suspect any unauthorised access.
Our Services are designed for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or through a prominent notice on our website. The “Effective date” at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.
If you have any questions about this Privacy Policy or our data practices, please contact us:
Last updated: 14 February 2026