Skip to main content
BRH.AI.SERVICES logo

Privacy Policy

Last updated: June 18, 2026

This Privacy Policy is maintained by BRH.AI.SERVICES ("we," "us," or "our") to explain what personal information we collect, how we use and share it, and the choices you have. It is written to align with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"), even though we may fall below the statutory revenue and volume thresholds. We honor the substantive California rights described below regardless of threshold status.

1. Who we are

BRH.AI.SERVICES provides AI and operations consulting services to small and mid-market businesses, primarily in Northern California. The business is located in Santa Rosa, California. You can reach our privacy contact at brh@brh-ai.com or (415) 497-5310.

2. Categories of personal information we collect

In the past 12 months we have collected the following CCPA-defined categories:

  • Identifiers — name, email, phone, IP address, account identifiers, online identifiers (cookie IDs when consented).
  • Customer records — billing address, payment-card last 4 and brand (received from Stripe; we do not store full card numbers).
  • Commercial information — products purchased, subscription status, transaction history.
  • Internet or network activity — pages viewed, referring URL, session timing, error/performance telemetry, device + browser type.
  • Geolocation data — coarse (city/region) only, derived from IP address.
  • Professional or employment information — company name, job title, business size (when you tell us).
  • Inferences — assessment results, lead-quality scoring.
  • Support content — files, tickets, and messages you submit through the client portal.

We do not intentionally collect "sensitive personal information" as defined under CPRA (e.g. SSN, precise geolocation, racial/ethnic origin, biometric data, health information). Do not submit sensitive information through our forms or portal.

3. Sources of personal information

  • Directly from you (forms, account signup, portal uploads, calls/emails).
  • Automatically from your browser/device (cookies, server logs).
  • From our service providers (Stripe for payment metadata, email delivery providers for bounce/complaint data).

4. Purposes for which we use it

  • Provide, secure, and improve our services and the client portal.
  • Process payments, manage subscriptions, and issue receipts.
  • Respond to inquiries, deliver support, and send transactional emails.
  • Measure traffic and content performance (only with your consent).
  • Detect, prevent, and respond to fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our Terms.

5. Categories we disclose and to whom

In the past 12 months we disclosed the categories above to the following types of recipients, each acting as a service provider / processor under contract:

  • Stripe — payment processing and tax handling.
  • Lovable Cloud (Supabase) — authentication, database, file storage.
  • Cloudflare — hosting, CDN, DDoS protection.
  • Google (Gmail/Workspace, Analytics 4) — email delivery and, only with your consent, web analytics.
  • Calendly — appointment scheduling.
  • Meta (Facebook) Ads / Google Ads — only if you consent to advertising cookies, to measure marketing performance.

6. "Sale" and "Sharing" of personal information

We do not sell personal information for money. However, under CPRA's broad definitions, allowing third-party advertising cookies (Google Ads, Meta Pixel) to read identifiers in your browser may be considered "sharing" for cross-context behavioral advertising. If you consent to the Advertising category in our cookie banner, treat that as opting in; if you reject it, no such sharing occurs.

You may opt out of this sharing at any time via Do Not Sell or Share My Personal Information. We also honor Global Privacy Control (GPC) signals sent by your browser as a valid opt-out.

We do not knowingly sell or share personal information of consumers under 16 years of age.

7. Retention

  • Inquiries / contact submissions — up to 24 months from last contact.
  • Account & profile data — for the life of your account plus 30 days after deletion.
  • Order & payment records — 7 years for tax and accounting compliance.
  • Support tickets and uploaded files — up to 24 months after the ticket closes.
  • Analytics & server logs — up to 14 months.
  • Email suppression list — retained indefinitely so we never re-email people who unsubscribed.

8. Your California privacy rights

California residents have the following rights, which we honor for all users regardless of CCPA/CPRA threshold status:

  • Right to know what personal information we collect, use, disclose, or share.
  • Right to access a copy of the personal information we hold about you.
  • Right to delete personal information we collected from you (subject to legal exceptions such as tax records).
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information (we do not knowingly collect such information).
  • Right to non-discrimination — we will not deny service, change pricing, or degrade your experience for exercising any right.

To exercise any right, email brh@brh-ai.com with the subject line "California Privacy Request." We will verify your request by matching the email on file and may request additional information for high-risk requests (deletion, access). We will respond within 45 days, with one 45-day extension available if reasonably necessary.

An authorized agent may submit a request on your behalf with your signed written permission.

9. Cookies, tracking, and consent

We use three categories of cookies and similar technologies:

  • Essential — sign-in session, CSRF protection, Stripe Checkout. Cannot be disabled because the site won't work without them.
  • Analytics — Google Analytics 4 with IP anonymization. Loaded only after you click Accept.
  • Advertising — Meta Pixel and Google Ads conversion tracking. Loaded only after you click Accept and may constitute "sharing" under CPRA.

Manage your choices any time by reopening the consent banner (clear your site data) or via Do Not Sell or Share. We honor the Global Privacy Control browser signal as a valid opt-out of the Advertising category.

10. Security

We use industry-standard safeguards: TLS for data in transit, encryption at rest, hardened HTTP security headers (HSTS, CSP, X-Frame-Options), signed and verified payment webhooks, row-level access controls on the database, and least-privilege server credentials. Payment card data is handled entirely by Stripe; we never see or store full card numbers. No system is perfectly secure — please use a strong, unique password for your client portal account and notify us immediately at brh@brh-ai.com if you suspect unauthorized access.

11. Children

Our services are not directed to children under 16, and we do not knowingly collect or sell/share their personal information.

12. Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. Continued use of the site after a change constitutes acceptance.

13. Contact

BRH.AI.SERVICES · Santa Rosa, CA 95401 · (415) 497-5310 · brh@brh-ai.com