Privacy Policy
How BrioSync collects, uses, stores and protects your data — and the rights you have over it.
1. Who we are
BrioSync is a product of Oracon Global Private Limited ("we", "us", "our"), a company registered in India (registered office: TF-38, The Index, Mahal Road, Sector 26, Pratap Nagar, Jaipur, Rajasthan 302017, India). Oracon Global Private Limited is the data controller for the personal data described in this policy. We provide a cloud-hosted business platform (an AI-native ERP) at briosync.com and app.briosync.com. This policy explains how we handle information when you visit our website, sign up, or use BrioSync.
2. What we collect
2.1 Account & profile data
- Name, email address, profile photo (if you upload one)
- Company name and role inside your workspace
- Authentication identifiers (Google or Microsoft account ID if you sign in with SSO)
2.2 Workspace content
- Projects, tickets, tasks, time logs, attachments, comments, and any other content you create inside BrioSync
- Customer records you input (names, email, company)
- Configuration data (rates, leave records, settings)
2.3 Technical data
- IP address, browser type, device type, operating system
- Usage logs (pages visited, features used, timestamps) for product analytics and abuse prevention
- Cookies for session management and minimal analytics — see Cookies below
2.4 Billing data (where applicable)
- Billing email, billing address
- Payment is processed by our PCI-compliant payment partner; we do not store full card numbers
3. How we use your data
- Operate the service: authenticate you, render your workspace, send transactional emails
- Improve the product: aggregate usage analytics to understand which features are used and where users get stuck
- Communicate with you: service announcements, security alerts, and (with your consent) product updates
- Comply with legal obligations (tax, accounting, regulatory)
4. Data isolation between companies
BrioSync is multi-tenant. Every document is tagged with the owning company's ID and access is enforced at the database level using Firebase Security Rules. Other companies on the platform cannot read or write your data — not through the UI, not through URL manipulation, not through API access.
5. Who we share data with
We do not sell your data. We share it only with the limited sub-processors needed to run the service:
- Google Cloud / Firebase — hosting, database, authentication, file storage
- Payment processor — billing (you'll see the processor name on your receipt)
- Email delivery service — transactional email (signup, password reset, notifications)
- Error monitoring & product analytics — to detect bugs and understand usage
All sub-processors are bound by data processing agreements with confidentiality and security obligations.
6. Where data is stored
Data is stored on Google Cloud infrastructure. Default region is configurable on enterprise agreements; otherwise the region defaults to the closest available to your team. Cross-border transfers, where they occur, rely on Standard Contractual Clauses or equivalent legal mechanisms.
7. How long we keep data
- Active workspaces: data is retained as long as the workspace is active
- Cancelled workspaces: data is kept in read-only / export-only mode for 30 days, then permanently deleted
- Backups: rolling 30-day backup retention
- Billing records: retained as required by tax law (typically 7 years)
8. Your rights
Depending on your jurisdiction (GDPR, CCPA, India DPDP, etc.) you have rights that may include:
- Access to the data we hold about you
- Correction of inaccurate data
- Deletion of your data ("right to be forgotten")
- Portability — export of your data in a machine-readable format
- Objection to certain processing
- Withdrawal of consent
- Nomination — under India's DPDP Act, you may nominate another individual to exercise your rights in the event of death or incapacity
To exercise any of these, email us at hello@briosync.com. We will respond within 30 days.
Grievance redressal (India DPDP). Our Grievance Officer can be reached at hello@briosync.com (subject line: "Grievance — DPDP"), Oracon Global Private Limited, TF-38, The Index, Mahal Road, Sector 26, Pratap Nagar, Jaipur, Rajasthan 302017, India. We acknowledge grievances promptly and resolve them within the timelines prescribed under the DPDP Act and Rules. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.
9. Cookies & consent
On our marketing site we ask for your consent before setting any non-essential cookie, via a banner with equal-prominence "Accept all" and "Reject non-essential" options and granular category controls. The categories are:
- Essential (always on): session/security cookies that keep you signed in and the site working, and the stored record of your own cookie choice.
- Analytics (opt-in): Google Analytics 4 and Microsoft Clarity — aggregate usage so we can improve the product and site.
- Marketing (opt-in): Google Ads remarketing — lets us show relevant BrioSync ads on other sites. These are set only if you opt in.
Consent records. Each time you make or change a cookie choice, we record a consent receipt — your choice, the policy version, the page, a random consent ID, the date/time, your IP address and browser user-agent. We keep these receipts so we can demonstrate that consent was properly obtained and honoured (GDPR Art. 7(1) and equivalent laws); this limited processing is based on our legal obligation and legitimate interest in demonstrating compliance. Receipts are never used for advertising or profiling.
Your controls. You can change or withdraw your choice at any time via the "Cookie preferences" link in the footer — withdrawal is as easy as giving consent. We honour the Global Privacy Control (GPC) browser signal by automatically declining non-essential cookies. Consent is re-requested every 13 months, and whenever our cookie practices materially change.
10. Security
- All traffic encrypted in transit (TLS 1.3)
- Data encrypted at rest on Google Cloud infrastructure
- Multi-tenant isolation enforced at the database level via security rules
- Role-based access control inside each workspace
- Audit-log retention per your agreement (30 days up to custom multi-year)
- Annual security review on enterprise agreements
Breach notification. If a personal-data breach occurs, we will notify affected users and the Data Protection Board of India within the timelines prescribed under the DPDP Act and Rules (currently 72 hours to affected Data Principals after Board notification), with a plain-language description of what happened, what data was involved, what we are doing about it, and what you can do to protect yourself.
11. Children's privacy
BrioSync is a business tool, not intended for anyone under 18 (a "child" under India's DPDP Act), and we do not knowingly collect data from them.
12. Changes to this policy
If we make material changes, we will notify active workspace admins by email at least 30 days before the change takes effect. The "Last updated" date at the top of this page always reflects the latest version.
13. Contact
Questions about this policy: hello@briosync.com