Privacy Policy
One-Minute Summary
This is the short version. Section 02 onward is the full version.
- We never sell your data.
- We never use Customer Content to train any model — yours or anyone else's.
- We collect account information (email, name, company), usage data (verifications run, API calls), and the content you submit for verification.
- Submitted content is dispatched to the model panel only to perform the verification. The panel members do not retain it after returning a result, by contract.
- On Enterprise plans you can configure PII / PHI redaction before dispatch.
- EU / UK / California residents: see Section 07 for your specific rights.
Data We Collect
Account information
When you sign up, we collect your email, display name, and optionally company name. If you sign in via OAuth (GitHub, Google), we receive only the profile fields you authorize.
Usage data
We log API calls, verification metadata (timestamps, confidence scores, model panel selection, audit hashes), session info, and aggregated performance metrics.
Customer Content
The content you submit for verification — contracts, code, claims, prompts, queries — is processed to deliver the Service.
Cookies and similar
Strictly necessary cookies for authentication and session state. We do not use third-party advertising trackers.
How We Use Data
We use data to (a) deliver the Service, (b) operate, secure, and improve the Service, (c) provide support, (d) bill subscriptions, (e) comply with law. We do not use Customer Content to train any model and we do not sell data.
3.1 Aggregated Analytics
We derive anonymized, aggregated analytics from verification operations to improve our routing intelligence, compute the BRIDGE Index (a public AI performance benchmark), and generate research datasets. Aggregated data:
- Contains no original content you submitted.
- Contains no personally identifiable information.
- Contains no customer-identifying metadata.
- Contains only: model identifiers, confidence scores, agreement/disagreement classifications, latency measurements, content-type labels, and timestamp data.
This data cannot be reverse-engineered to identify any individual user, company, or document. It is used exclusively in aggregate form to measure AI model performance across the platform. See Terms §7.1 for the contractual basis. Opt-out: email privacy@getbridge.dev.
Data and the Model Panel
To produce a verification, BRIDGE dispatches the content to selected models in the panel. Each model provider (Anthropic, OpenAI, Google, xAI, DeepSeek, Meta, Mistral, Cohere, Alibaba) processes the content under a zero-retention agreement.
BRIDGE has contractual zero-retention with every panel member. Content is not stored by them, used for training by them, or visible to their staff outside emergency abuse review.
On Dedicated and On-Premise deployments, content never leaves your boundary. You can also bring your own model endpoints, in which case BRIDGE does not transmit content to public model providers at all.
Retention
| DATA TYPE | STARTER | BUILDER | TEAM / ENTERPRISE |
|---|---|---|---|
| Customer Content (input) | 30 days | 1 year | Configurable |
| Audit trail (hashes, metadata) | 2 years | 7 years | Configurable |
| Account info | Retained while account active; 30 days after deletion | | |
| Billing records | 7 years (tax law) | | |
Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object or withdraw consent. EEA / UK residents have rights under GDPR; California residents under CCPA / CPRA.
To exercise any right: email privacy@getbridge.dev or use the Settings → Privacy controls in your account. We respond within 30 days (45 for complex requests).
Security
TLS 1.3 in transit, AES-256 at rest, encryption keys rotatable per customer, optional bring-your-own-KMS on Enterprise. Annual SOC 2 audits (Type II in flight, Q3 2026). Penetration tests twice per year. See the Enterprise security posture for full detail.
International Transfers
Where we transfer personal data internationally, we rely on Standard Contractual Clauses (EU) or the UK IDTA, supplemented with technical measures (encryption, redaction). On Dedicated and On-Prem, you can pin processing to a specific region.
Children
The Service is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal data from children.
Changes
We will notify you at least 30 days before any material change takes effect, by email and an in-product notice. Continued use after the effective date constitutes acceptance.
Contact & DPO
Privacy questions: privacy@getbridge.dev. Data Protection Officer: dpo@getbridge.dev. EU Representative (Article 27): listed at getbridge.dev/legal/eu-rep. UK Representative: listed at getbridge.dev/legal/uk-rep.