Privacy Policy
This Privacy Policy explains how Northbrik Systems Ltd (“we”, “us”, “our”), trading as Northbrik, processes personal data when you visit our websites, create an account, use our product features (including workspace and automation surfaces), connect integrations, or communicate with us. It should be read with our Cookie Policy and Terms of Service. If you work or provide services for us, see the separate Workforce privacy notice. This policy should also be read with any product-specific notices we display in-app.
1. Data controller and contact
The controller is Northbrik Systems Ltd. Registered office: 71 to 75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.
Privacy enquiries: legal@northbrik.com. You may also contact the ICO (ico.org.uk) if you consider our processing unlawful.
2. What Northbrik is (platform overview)
Northbrik is B2B workflow software built and operated by Northbrik Systems Ltd. It helps teams discover local businesses, qualify listings, draft outreach with human review, and (where enabled) run browser automation from a desktop-style shell. The main surfaces are:
- Marketing and auth: Public pages on northbrik.com (home, pricing, about, legal notices), sign-in / sign-up, session cookies, waitlist, and static assets.
- OS: The conversational lead-search surface (and related UI) at `/os` (and the same route with `?embed=1` inside the desktop shell). Messages, tool calls, and UI state may be stored in your browser (for example via local storage) and/or on our servers depending on feature and account type. AI models may generate replies when you use assistant features.
- Lead Builder: Search and selection flows backed by third-party business directory listings (when listing integrations are configured). Results can include names, categories, addresses, ratings, and contact hints from the directory. You may generate draft outreach from selections using AI; output is advisory and should be reviewed before use.
- Workspace: `/workspace` for saving and organising leads, notes, and related records you create.
- Files, account, settings: Profile and account management, file surfaces, billing hooks, and preferences where offered.
- Northbrik OS: A desktop-style experience (see `/os`, `/os/desktop`) with docked apps, Lead Builder panels, and a streamed remote browser (Chromium in an isolated Linux instance). Video/input is delivered over encrypted WebSocket (noVNC-style) through our app; the agent may plan navigation and actions when you run a task. Technical metadata (heartbeats, task state, screenshots for debugging) may be processed on our servers.
- Browser / computer-use: Optional flows (e.g. `/agent/browser`) where an autonomous agent loop may drive a browser session with model-based decisions, subject to feature flags and allowlists.
- Billing: Stripe for checkout, customer portal, subscriptions, and webhooks when billing is enabled.
- Email: Transactional email via providers such as Resend where configured.
- APIs and security: REST and internal routes (auth, chat, lead builder, OS instance lifecycle, agent callbacks), PostgreSQL via Prisma, rate limiting, audit-style logs, and edge configuration (for example nginx) on our production hosts.
Not every feature is available to every user tier or environment; we enable modules according to subscription, allowlists, and deployment configuration. If a third-party API key is missing (for example keys for listing providers or OpenAI), the related feature degrades gracefully or is unavailable.
3. Scope of processing
Beyond the product surfaces in section 2, we process personal data when you email us, interact with support, or when we detect abuse. If you store business records about identifiable individuals (for example sole traders) in workspace or chat exports, you are typically the controller for that content; we act as processor on your instructions within the service, while still applying the security and transparency measures in this Policy to our infrastructure.
4. Categories of personal data
- Identity and contact: name, email, organisation, role where provided; messages you send us.
- Account and authentication: credentials and session identifiers (including secure cookies such as session tokens tied to your login).
- Workspace and usage: records you create (for example leads, notes, pipelines), configuration choices, in-product actions, and technical logs associated with requests.
- OS and AI: prompts and outputs where you use AI features; these may be transmitted to model providers to generate responses.
- Integrations: tokens or identifiers needed to connect external accounts you enable; OAuth state during login flows and stored connection metadata as required to operate each integration.
- Billing: subscription status and payment-related identifiers processed by our payment provider; we typically do not store full card numbers on our servers.
- Communications: transactional or product email processed via our email delivery provider.
- Technical and security: IP address, user agent, approximate timing, error diagnostics, anti-abuse signals.
5. Purposes and lawful bases (UK GDPR / retained EU law)
| Purpose | Lawful basis |
|---|---|
| Provide and secure the Services; authenticate users | Performance of a contract; legitimate interests (security) |
| Lead Builder and directory search; display of business listings you request | Performance of a contract; legitimate interests (B2B prospecting) |
| Northbrik OS, streamed browser, agent tasks, and related technical telemetry needed to operate those features | Performance of a contract; legitimate interests (security, support) |
| Billing and accounts admin | Performance of a contract; legal obligation (tax/accounting) |
| Product analytics and reliability improvements | Legitimate interests (balanced against your rights) |
| AI-assisted responses you request | Performance of a contract; consent where required for optional AI |
| Marketing communications (where offered and not covered by soft opt-in rules) | Consent |
| Legal claims and regulatory requests | Legal obligation; legitimate interests |
Where we rely on legitimate interests, we consider necessity and your rights; you may object as described below.
6. International transfers
Our infrastructure and subprocessors may process data in the United Kingdom, European Economic Area, and other countries (including the United States) where providers host services. Where personal data is transferred outside the UK/EEA to countries without an adequacy decision, we use appropriate safeguards such as the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses, or equivalent mechanisms required by law, together with supplementary measures where appropriate.
7. Subprocessors (non-exhaustive)
We use reputable providers for hosting, payments, email delivery, analytics, AI inference, business listing directory APIs, OAuth platforms you connect, and similar functions. Categories currently or historically relevant include: UK/EU/US cloud and VPS hosting; payment processing (Stripe); email (Resend); AI inference (OpenAI or comparable); places/listings APIs; and identity or developer tools needed to run the OS and browser runtime. We will update this Policy when we materially change categories; exact vendor lists may also appear in order forms or data-processing terms for enterprise customers where agreed.
8. Retention
- Account data: while your account is active and for a reasonable period thereafter for backups, disputes, and legal obligations (typically up to 24 months after closure unless longer retention is required).
- Billing records: as required by tax and company law (often at least 6 years).
- Security logs: rotated on a risk basis (often 30–180 days unless investigation requires longer retention).
- Workspace content you delete: removed from active systems according to product behaviour; residual copies may persist briefly in backups.
9. Automated processing and profiling
Some features may involve scoring, ranking, summarisation, or suggestions derived algorithmically. Unless stated otherwise in-product, these outputs are advisory and should not be treated as sole grounds for decisions with legal or similarly significant effects concerning an individual without appropriate safeguards required by law.
10. Your rights
Subject to exemptions, you may request access, rectification, erasure, restriction, portability (where applicable), and objection to processing based on legitimate interests. You may withdraw consent where processing is consent-based without affecting prior lawful processing. Contact legal@northbrik.com. We respond within one month where feasible (extendable for complex requests).
11. Children
The Services are not directed at individuals under 18. We do not knowingly collect personal data from children.
12. Information Commissioner's Office (ICO)
Our ICO registration reference is ZC135104 (register entry for Northbrik Systems Ltd). For procurement or other formal enquiries, contact legal@northbrik.com.
13. Changes to this Policy
We may update this Policy to reflect legal, technical, or product changes. The “last updated” date below will change when we publish revisions; substantive changes may be highlighted in-app or by email where appropriate.
Last updated 1 May 2026 · Northbrik Systems Ltd.