v0 draft — counsel review in progress. This page is a placeholder posted during pre-launch. It is not legal advice and is not final contract language. Final terms will be in place before any paid customer is onboarded. Questions: legal@bridgestack.systems.

Privacy Policy

Last updated: April 17, 2026 · Version 0.1 (pre-launch draft)

1. Who we are

BridgeStack, Inc. (“Bridgestack”, “we”, “us”) is a Delaware corporation with offices at 2261 Market Street, STE 71424, San Francisco, CA 94114, United States. We are the data controller for personal data collected through the Bridgestack website, the Tom AI project manager, and the build/delivery workflow.

Privacy questions: privacy@bridgestack.systems.

2. What we collect

We collect:

  • Account data. Your name, email, and billing details at signup and checkout.
  • Voice + video brief with Tom. Audio, video, and transcripts of your voice-and-video calls with Tom, our AI project manager. We retain these so the agent fleet can build what you asked for and so you can replay or edit the brief.
  • Build content. The files, assets, copy, credentials, and third-party keys you provide (or allow Tom to generate) for your build. These are treated as yours.
  • Usage and device data. Standard web telemetry — IP address, browser, pages visited, timestamps — used for security and site analytics.
  • DRM-related telemetry. Your deliverable checks in with our servers to verify payment state during and after the 7-day evaluation window. See the Service Agreement for the exact scope of this check-in.

3. Why we use it

  • To brief the agent fleet and build your product.
  • To deliver, bill for, and support the flat-fee engagement, including DRM payment-state verification during the 7-day evaluation window.
  • To comply with tax, accounting, and other legal obligations.
  • To secure the site and the build pipeline against abuse.
  • To improve Tom, our AI agents, and the Bridgestack product itself — subject to the training-data rules in section 5.

[Counsel to finalize: specific legal bases under GDPR/UK GDPR (consent vs. contract vs. legitimate interest), and CCPA/CPRA “business purpose” disclosure.]

4. Who we share it with

We share personal data only with sub-processors that power the service, under data processing agreements:

  • Cloud hosting (AWS / GCP / Azure, per region).
  • AI / LLM providers that power Tom and the agent fleet (e.g. OpenAI, Anthropic).
  • Payment processors that handle checkout and refunds.
  • Email and transactional notification providers.
  • Error and performance monitoring.

We do not sell personal data and we do not share it with third parties for their own advertising.

[Counsel to finalize: full sub-processor list for the Trust page, international transfer mechanism (SCCs, UK IDTA, Swiss addendum, India DPDPA notified countries), and Schrems II impact assessment.]

5. Training data — opt-in by default

We do not use your voice briefs, transcripts, build content, or source code to train foundation models. Internal fine-tuning of Tom or the agent fleet on your content only happens with your explicit opt-in, and can be revoked from your account settings.

[Counsel to finalize: opt-in / opt-out mechanics per jurisdiction, alignment with EU AI Act art. 10 and US state AI laws as enacted.]

6. Retention

We keep account data for the life of the account plus a limited period required by tax / accounting law. Voice briefs and build content are kept as long as the account is active so you can return to them; you can delete them at any time from the account. DRM check-in logs are retained for the period needed to verify payment state and address disputes.

[Counsel to finalize: exact retention periods by data category, and deletion timelines for closed accounts.]

7. Your rights

Depending on where you live, you have rights to access, correct, delete, or export your personal data, and to object to certain processing. You can exercise these rights by emailing privacy@bridgestack.systems. California residents have rights under CCPA/CPRA; EU/UK residents have rights under GDPR/UK GDPR; residents of India, Thailand, and other jurisdictions have equivalent rights under local law.

[Counsel to finalize: the full rights matrix per jurisdiction and response timelines.]

8. Security

We use standard industry controls — encryption in transit and at rest, access controls, logging, least-privilege provisioning — to protect personal data. No system is perfect; we will notify affected users and regulators in line with applicable breach- notification law if we ever need to.

9. Children

Bridgestack is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided personal data to us, email privacy@bridgestack.systems and we will delete it.

10. Changes to this policy

We may update this Privacy Policy. If we do, the new version will be posted here with an updated “Last updated” date. We will email account holders about any material changes that affect how we use existing data.

11. Contact

Privacy and data-rights inquiries: privacy@bridgestack.systems.

BridgeStack, Inc.
2261 Market Street, STE 71424
San Francisco, CA 94114, United States
Delaware corporation · File No. 10574589 · EIN 42-1793220

Related policies