Last updated: February 2026

Privacy Policy

BrightKeep is built for families who trust us with their most important information. This policy explains exactly what we collect, how we use it, and who else touches it. No surprises.

1. What We Collect

We collect the following categories of information:

  • Account information — your name, email address, and phone number (if provided for SMS notifications)
  • Documents you upload — insurance cards, medical records, IDs, school forms, financial documents, and any other files you choose to store
  • Data extracted from documents — structured information our AI extracts, including medical records, identity details, insurance policy terms, financial account information, and more
  • Vault credentials — passwords, codes, and sensitive values you store in the encrypted vault
  • Usage data — pages visited, features used, and actions taken within the app
  • Device information — browser type, operating system, and device type (for service optimization)

2. How We Use It

We use your information to:

  • Provide the service — store, process, organize, and search your documents
  • Send you notifications, reminders, and daily digests
  • Power the AI assistant to answer your questions
  • Improve the service and fix issues

What we do NOT do with your data: We do not use your data to train AI models. We do not sell your data to anyone. We do not share your data with advertisers. We do not monetize your information in any way beyond the subscription you pay for.

3. Third-Party Services

We use the following third-party services to operate BrightKeep. Here’s exactly what data each service touches:

Clerk: Authentication

Email address, name, login sessions

Anthropic Claude API: Document extraction & AI assistant

Document text sent for processing. Anthropic does not retain this data per their data processing terms. Your data is not used to train their models.

AWS S3: File storage

Uploaded documents, stored encrypted at rest

Neon (PostgreSQL): Database

All structured data, stored encrypted at rest

Postmark: Email delivery

Email address, notification and digest content

Twilio: SMS delivery

Phone number, notification message content

Stripe: Billing

Payment information handled entirely by Stripe. We never store your card numbers.

Vercel: Hosting

Application code and request logs

Inngest: Background job processing

Document metadata and job status (not document content)

4. Data Retention

We keep your data for as long as your account is active and you’re using the service.

After account deletion, your data is permanently deleted within 30 days. Database backups may persist for up to 90 days before automatic deletion.

Audit logs (which record who accessed what and when) are retained for 12 months for security purposes.

Billing records (invoices, payment history) are retained by Stripe per their data retention policies. We retain your subscription status and billing dates — but not payment card details — for as long as your account is active.

5. Your Rights

You have the right to:

  • Export your data — download all of your documents and extracted data at any time
  • Delete your account — permanently remove your account and all associated data
  • Request a copy — receive a full copy of all data we hold about you
  • Correct inaccuracies — update or correct any information in your account

To exercise any of these rights, visit Settings in the app or contact us at support@brightkeep.app.

6. Cookies

We use essential cookies only — for authentication and session management. These are required for the service to function.

We do not use tracking cookies. We do not use third-party advertising cookies. We do not use analytics cookies that track you across other websites.

7. Children

BrightKeep is not directed at children under 13. We do not knowingly collect personal information from children under 13.

A note on family data: BrightKeep is designed for parents and guardians to organize information about their family — including their children. Documents about minors (school records, vaccination records, etc.) are stored as the parent’s data about their children, not data collected from children directly. The account holder (parent/guardian) controls and is responsible for this data.

8. Security Measures

We protect your data with multiple layers of security:

  • Encryption at rest — all data encrypted using AES-256 encryption
  • Encryption in transit — all connections secured with TLS
  • Vault encryption — sensitive credentials stored with per-field AES-256-GCM encryption using a separate encryption key
  • Multi-factor authentication — required for all accounts
  • Access logging — all sensitive operations are logged in an append-only audit trail
  • Re-authentication — vault access requires fresh identity verification

For a full description of our security practices, see the Data Security section in our Terms of Service.

9. Changes

We may update this privacy policy from time to time. When we make material changes, we’ll notify you via email at least 30 days before the changes take effect.

We’ll also update the “Last updated” date at the top of this page.

10. Contact

Questions about this privacy policy or how we handle your data? Contact us at support@brightkeep.app.