Privacy Policy

brick'em LLC ("brick'em," "we," "us," or "our") operates the website brickem.io, the dashboard at dashboard.brickem.io, and the brick'em mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Data Controller: brick'em LLC, 1423 E Michigan Ave, Saline, MI 48176, United States. Email: [email protected]. Phone: (734) 786-0526.

2.1 Information You Provide

• Account information: display name, email address, and password when you create an account.
• Profile information: user type, revenue range, collection value, and business name provided during onboarding.
• Payment information: billing details are collected and processed by our payment processor (Stripe). We do not store your full credit card number, CVV, or bank account details on our servers. We store only your Stripe customer ID to manage your subscription.
• Photos and images: images you upload or capture using your device camera for scanning. See Section 3 for detailed information about how we process your photos.
• Inventory data: items, quantities, conditions, prices, notes, and collection information you add to your inventory.
• Support correspondence: information you provide when contacting us for support.

2.2 Information Collected Automatically

• Usage data: pages viewed, features used, scan counts, and interactions with the Service.
• Device information: browser type, operating system, device type, device model, and screen resolution.
• Log data: IP address, access times, and referring URLs.
• Cookies and local storage: we use cookies and browser local storage to maintain your session, remember preferences, and analyze usage patterns. See Section 7 for details.

2.3 Information We Do Not Collect

• We do not collect precise geolocation data.
• We do not access your contacts, calendar, or other personal device data.
• We do not collect biometric data.
• We do not track you across third-party apps or websites for advertising purposes.

The Service uses your device's camera and photo library to let you photograph or select images of LEGO minifigures and parts for identification and pricing lookup. Here is exactly what happens when you use the scanning feature:

3.1 How Your Photos Are Processed

1. You capture or select a photo on your device.
2. You draw a selection box around the item(s) you want to identify.
3. The selected area is cropped and resized on your device (client-side) to reduce file size before upload.
4. For bulk scans, the cropped image is sent to Google Cloud Vision API (operated by Google LLC) for object detection, which identifies bounding boxes around individual items in the photo.
5. Each cropped item image is then sent to the Brickognize API (operated by brickognize.com) for LEGO item identification.
6. Identification results and pricing are returned to you from our internal database.

3.2 Third-Party AI Services for Image Processing

By using the scanning feature, you expressly consent to your cropped photos being transmitted to the following third-party services for processing:

• Google Cloud Vision API (Google LLC, Mountain View, CA) — receives cropped images for object detection. Google processes these images under their Cloud Data Processing Terms. Google does not use your images to improve their products without your separate consent.
• Brickognize API (brickognize.com) — receives cropped item images for LEGO identification. Brickognize processes these images under their Privacy Policy.

3.3 Photo Retention

We do not permanently store your uploaded photos on our servers. Photos are processed in memory during the scanning session and are discarded after identification results are returned. Cropped images sent to Google Cloud Vision and Brickognize are subject to those providers' own retention policies.

3.4 Camera and Photo Library Permissions

On mobile devices, we request access to your camera and photo library solely for the purpose of photographing or selecting LEGO items for identification and pricing. We do not use your camera or photo library for advertising, marketing, data mining, or any purpose unrelated to the core scanning functionality of the Service.

We use the information we collect for the following purposes:

• Provide the Service: operate the scanner, display identification results, manage your inventory, and enable data export.
• Process payments: manage your subscriptions and billing through Stripe.
• Communicate with you: send transactional emails (account verification, password resets, subscription updates).
• Improve the Service: analyze usage patterns to improve features and user experience.
• Ensure security: detect, prevent, and address technical issues, abuse, or unauthorized access.
• Comply with law: fulfill legal obligations, respond to legal requests, and protect our rights.

We do not use your information for automated decision-making or profiling that produces legal effects concerning you.

We share information with the following third-party service providers to operate the Service. Each provider is contractually required to protect your data to the same or equivalent standard as described in this Privacy Policy.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We retain your data for the following periods:

• Account and profile data: retained for as long as your account is active. Deleted within 30 days of account deletion request.
• Inventory data: retained for as long as your account is active. Soft-deleted data is permanently purged within 90 days.
• Uploaded photos: processed in memory and discarded immediately after scan results are returned. Not permanently stored.
• Payment records: retained for 7 years as required by tax and accounting regulations.
• Server logs: retained for up to 30 days for security and debugging purposes.
• Analytics data: retained in anonymized/aggregated form for up to 24 months.
• Support correspondence: retained for up to 3 years after last communication.

When data is no longer needed, we securely delete or anonymize it. Where deletion is requested but legal retention obligations apply, we will inform you and restrict processing to the legally required minimum.

We use the following types of cookies and similar technologies:

• Essential cookies: required for authentication, session management, and security. Cannot be disabled without affecting core functionality.
• Preference cookies (localStorage): store your settings such as currency, sidebar state, dismissed prompts, and scan demo preferences.
• Analytics cookies: help us understand how visitors interact with the Service (Vercel Analytics). These are first-party, privacy-focused analytics that do not track you across other websites.

You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service. We do not use advertising cookies or cross-site tracking cookies.

We implement industry-standard security measures to protect your information, including:

• Encrypted connections (HTTPS/TLS) for all data in transit.
• Encrypted data at rest in our database (Supabase).
• Secure authentication with hashed passwords.
• Row-level security policies limiting data access to authorized users.
• Server-side API route validation for all data mutations.
• Regular security reviews and dependency updates.

No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data using commercially reasonable measures. If we discover a data breach affecting your personal information, we will notify you within 72 hours as required by applicable law.

The Service is not directed to children under the age of 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child under the applicable age, we will delete that information within 30 days. If you believe a child has provided us with personal information, please contact us at [email protected].

10.1 Rights for All Users

Regardless of where you are located, you have the right to:

• Access your personal data and receive a copy in a portable format.
• Correct inaccurate personal data.
• Delete your account and personal data.
• Export your inventory data at any time using our built-in export feature.
• Withdraw consent for optional data processing at any time.

To exercise any of these rights, email us at [email protected] or use the account deletion feature in your account settings. We will respond to verifiable requests within 30 days.

10.2 Additional Rights for EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to data portability: receive your data in a structured, commonly used, machine-readable format (JSON or CSV via our export feature).
• Right to restrict processing: request that we limit how we use your data while a dispute is resolved.
• Right to object: object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.
• Right regarding automated decisions: we do not make automated decisions that produce legal effects concerning you.
• Right to lodge a complaint: you may file a complaint with your local data protection supervisory authority.

Legal Basis for Processing (GDPR Article 6):

• Consent: account creation, photo processing through third-party AI services, optional analytics.
• Contract performance: providing the Service, managing subscriptions, processing payments.
• Legitimate interest: service improvement, security monitoring, fraud prevention.
• Legal obligation: tax record retention, responding to lawful government requests.

10.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you additional rights:

Categories of personal information we collect (per CCPA definitions):

• Identifiers: name, email address, IP address, account ID.
• Commercial information: subscription history, payment records.
• Internet or electronic network activity: browsing history on the Service, search queries, interactions.
• Audio, electronic, or visual information: photos uploaded for scanning.

Your CCPA/CPRA rights:

• Right to know: request the specific pieces of personal information we have collected about you.
• Right to delete: request deletion of your personal information.
• Right to correct: request correction of inaccurate personal information.
• Right to opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary, but you may contact us to confirm at any time.
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.

How to submit a request: Email [email protected] with the subject line "CCPA Request." We will verify your identity by confirming your account email address. We will respond within 45 days (extendable to 90 days with notice). You may also designate an authorized agent to make requests on your behalf by providing written authorization.

Your information is processed and stored in the United States. If you are located outside the United States (including in the EU/EEA), your data will be transferred to and processed in the United States. We rely on the following mechanisms for lawful data transfers:

• The EU-U.S. Data Privacy Framework (where applicable to our service providers).
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Your explicit consent to the transfer when you create an account and use the Service.

Our third-party service providers (Supabase, Stripe, Google, Vercel) maintain their own data transfer compliance mechanisms, including certifications under the EU-U.S. Data Privacy Framework.

We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising. We do not use your data for targeted advertising across other websites or apps.

If you believe your information has been shared in a way that violates this policy, please contact us immediately at [email protected].

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Post the updated policy on this page.
• Notify you by email for material changes that affect how your data is processed.

Your continued use of the Service after any changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to file a complaint, please contact us:

brick'em LLC
1423 E Michigan Ave
Saline, MI 48176
United States
Email: [email protected]
Phone: (734) 786-0526