BROKLY — PRIVACY POLICY
Last Updated: July 6, 2026
This Privacy Policy explains how Brokly Inc., a Delaware corporation (in formation) ("Brokly," "we," "us"), collects, uses, shares, and protects personal information in connection with our website (brokly.co), our platform, and related services (collectively, the "Service").
The Service is an AI-powered operations platform for real estate professionals ("Customers"): it connects a Customer's WhatsApp, calendar, and property portfolio so our AI assistant can respond to, qualify, and schedule the Customer's leads.
This Policy should be read together with our Terms of Service.
1. The Two Roles We Play (Read This First)
Brokly processes personal information in two distinct capacities:
1.1 Brokly as controller — Customer and visitor data. For personal information about our Customers, their authorized users, and visitors to our website (account details, billing, usage, support, marketing), Brokly decides how and why the data is processed and acts as the data controller (or "responsable del tratamiento" / equivalent under your local law). Sections 2–13 of this Policy primarily describe this processing.
1.2 Brokly as processor — Lead Data. When a Customer connects their WhatsApp and the AI assistant converses with the Customer's prospects and clients ("Leads"), the personal information of those Leads (names, phone numbers, messages, preferences, budgets, appointment details) is processed on behalf of and under the instructions of the Customer, who is the controller of that data. Brokly acts as a processor/service provider ("encargado del tratamiento" / equivalent).
If you are a Lead — i.e., you messaged a real estate broker or agency that uses Brokly — the broker or agency you contacted is responsible for your data, and you should direct privacy requests to them first. We will assist them in responding, and Section 14 explains more.
2. Information We Collect
2.1 Information you provide directly (Customers and users):
- Account and profile data: name, email, phone number, company/agency name, country, role, password credentials.
- Business configuration data: property inventory (listings, photos, prices, locations, descriptions), response tone and templates, zones, price ranges, calendar connections.
- Billing data: subscription plan and transaction history. Payment card details are collected and processed directly by Stripe, our payment processor; Brokly does not store full card numbers.
- Communications: support requests, feedback, survey responses, messages you send us (including via WhatsApp support).
2.2 Information collected automatically:
- Usage data: features used, pipeline activity, appointment metrics, log data, timestamps.
- Device and technical data: IP address, browser type, operating system, device identifiers, approximate location derived from IP.
- Cookies and similar technologies (see Section 10).
2.3 Information from third parties:
- WhatsApp Business data received through Kapso (an official WhatsApp Business Solution Provider) and Meta, necessary to connect and operate your number.
- Calendar data from providers you connect (e.g., Google Calendar), limited to what is needed for scheduling.
- Payment status and fraud signals from Stripe.
2.4 Lead Data (processed on the Customer's behalf):
- Conversation content between Leads and the AI assistant or the Customer.
- Lead profile data generated by the Service: qualification scores, stated budget, preferences, family composition mentioned by the Lead, visit history.
2.5 Data we ask you not to submit. The Service is designed for real estate operations. Customers must not use it to collect sensitive categories of data that are unnecessary for real estate transactions (e.g., health data, biometric data, data revealing racial or ethnic origin, religious beliefs), nor data of minors as Leads.
3. How We Use Information
We use personal information to:
- Provide the Service: operate the AI assistant, respond to and qualify Leads on the Customer's behalf, match properties, schedule visits, maintain the pipeline and CRM, and sync calendars.
- Manage accounts and billing: create accounts, process subscriptions and refunds (including the Founder Guarantee), send transactional notices.
- Support: respond to requests, troubleshoot, and provide onboarding.
- Improve the Service: analyze usage and interaction patterns to improve our product, prompts, and models — see Section 4 for the specific rules that govern this.
- Secure the Service: detect, prevent, and respond to fraud, abuse, spam, and security incidents; enforce our Terms and WhatsApp/Meta policies.
- Communicate: send service announcements and, with your consent where required, marketing communications (you can opt out at any time).
- Comply with law: meet legal, tax, and regulatory obligations and respond to lawful requests.
Legal bases (where required, e.g., under GDPR-style laws): performance of contract, legitimate interests (service improvement, security, B2B communications), consent (marketing, non-essential cookies), and legal obligation.
4. AI Models and Service Improvement
Because Brokly is an AI product, we want to be explicit about how data interacts with AI models:
4.1 To operate the Service, conversation content is processed by AI models from our vetted providers (currently OpenAI, Google, and selected open-source models hosted on our infrastructure or with vetted hosts). This processing is necessary to generate responses and is performed under contracts that restrict providers from using the data for their own purposes. We do not send sensitive personal information to third-party model providers for their training purposes.
4.2 To improve the Service, we analyze interaction patterns and structural data — such as conversation flows, qualification sequences, feature usage, and outcome metrics — to improve our prompts, models, and product. Before using data for improvement, we apply de-identification and/or aggregation so that it does not identify Customers or Leads, and we exclude sensitive personal information from improvement datasets.
4.3 AI outputs. Responses generated by the AI assistant are produced from the Customer's configured inventory and instructions. They may occasionally be inaccurate; Customers are provided with dashboards and summaries to supervise the assistant's activity.
5. How We Share Information
We do not sell personal information, and we do not share it for cross-context behavioral advertising. We share personal information only with:
- Subprocessors / service providers that help us run the Service, under contracts limiting their use of the data to providing services to us:
- Cloud infrastructure and databases: Amazon Web Services (AWS), PlanetScale, Cloudflare
- Payments: Stripe
- WhatsApp connectivity: Kapso (official WhatsApp BSP) and Meta/WhatsApp
- AI model providers: OpenAI, Google, and vetted open-source model hosts
- Analytics, support, and communications tools we may use from time to time A current subprocessor list is available at [URL] or on request at [privacy email].
- The Customer you interact with (if you are a Lead): your conversations and profile are visible to the broker/agency you contacted — that is the purpose of the Service.
- Within a Customer's organization (Enterprise accounts): data under an Enterprise account belongs to and is accessible by the contracting entity per its internal roles and permissions.
- Legal and safety recipients: authorities or other parties where required by law, to protect rights, safety, or the integrity of the Service.
- Corporate transactions: a successor entity in a merger, acquisition, financing, or sale of assets, with notice where required.
6. International Transfers
We are a U.S. company and our infrastructure providers operate globally; your information may be processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction. Where required by applicable law, we implement appropriate safeguards for international transfers (such as contractual protections with our subprocessors) and you may contact us for more information.
7. Retention
We retain personal information only as long as needed for the purposes described in this Policy:
- Account and configuration data: for the life of the account and a reasonable period afterward.
- Customer Data (including Lead Data): deleted from our production databases within 15 business days after account cancellation/deletion or after you delete specific data, except data we must retain for legal, tax, accounting, or dispute-resolution purposes, and residual encrypted backup copies deleted on our backup rotation cycle.
- Trial data: retained for a reasonable period after trial expiry so you can subscribe without losing your setup, then deleted.
- Billing records: retained as required by tax and accounting law.
- De-identified/aggregated data: may be retained indefinitely, as it no longer identifies any person.
8. Security
We implement reasonable technical and organizational measures designed to protect personal information, including encryption in transit, access controls, environment segregation, and monitoring. No method of transmission or storage is completely secure; we cannot guarantee absolute security. Customers are responsible for safeguarding their credentials and managing their users' access. If we become aware of a personal data breach affecting your data, we will notify you and/or the relevant authorities as required by applicable law.
9. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access the personal information we hold about you and obtain a copy;
- Correct inaccurate or incomplete information;
- Delete your information;
- Object to or restrict certain processing, or withdraw consent where processing is based on consent (without affecting prior processing);
- Portability of data you provided;
- Opt out of marketing communications at any time (unsubscribe link or reply "stop");
- Complain to your local data protection authority (e.g., the SIC in Colombia, ANPD in Brazil, INAI in Mexico, your state Attorney General in the U.S., the OPC in Canada).
To exercise rights, contact us at [privacy email]. We will verify your identity and respond within the timeframe required by applicable law. We will not discriminate against you for exercising your rights.
Jurisdiction-specific notes:
- Colombia (Law 1581 of 2012): you may exercise your rights of access (consulta) and claims (reclamos) per Decree 1377; our privacy notice channel is [privacy email].
- Brazil (LGPD): you may also request confirmation of processing and information about sharing; our contact for data protection matters ("encarregado" equivalent) is [privacy email].
- U.S. state laws (e.g., California CCPA/CPRA): we do not "sell" or "share" personal information as defined by those laws; you may exercise access, deletion, and correction rights via [privacy email].
- Canada (PIPEDA): you may request access and correction and challenge our compliance via [privacy email].
10. Cookies and Similar Technologies
We use cookies and similar technologies on our website and app to:
- Operate the Service (strictly necessary: authentication, security, session management);
- Remember preferences (functional);
- Understand usage (analytics), to improve the product.
Where required by law, we request consent for non-essential cookies via our cookie banner, and you can manage preferences there or through your browser settings. Disabling strictly necessary cookies may break the Service.
11. If You Are a Lead (You Messaged a Broker Who Uses Brokly)
- The broker or agency you contacted is the controller of your personal information; Brokly processes it on their behalf to respond to you, qualify your inquiry, and schedule visits.
- Your messages may be answered by an AI assistant acting on the broker's behalf. Whether and how this is disclosed to you is determined by the broker, subject to the laws of their jurisdiction.
- To access, correct, or delete your data, or to object to processing, contact the broker or agency directly. If you contact us at [privacy email], we will forward your request to them and assist as required by law.
- We do not use your sensitive personal information to train AI models, and improvement data is de-identified as described in Section 4.
12. Children
The Service is intended for real estate professionals and is not directed to children. We do not knowingly collect personal information from anyone under 18 as a Customer, and Customers may not use the Service to process data of minors as Leads. If you believe a minor's data has been collected, contact us at [privacy email] and we will delete it.
13. Changes to This Policy
We may update this Policy from time to time. For material changes we will provide notice (e.g., by email or in-app) before they take effect, and we will update the "Last Updated" date above. Continued use of the Service after the effective date constitutes acceptance to the extent permitted by law; where law requires renewed consent, we will request it.
14. Contact Us
Brokly Inc. [Registered address] Privacy inquiries: [privacy email] General support: [support email]
If you are in a jurisdiction that requires a local representative or a data protection officer and wish to reach them: [details or "not currently required"].