Last updated: March 2026

Privacy Policy

BrightKeep is built for families who trust us with their most important information. This policy explains exactly what we collect, how we use it, and who else touches it. No surprises.

1. What We Collect

We collect the following categories of information:

  • Account information — your name, email address, and phone number (if provided for SMS notifications)
  • Documents you upload — insurance cards, medical records, IDs, school forms, financial documents, and any other files you choose to store
  • Data extracted from documents — structured information our AI extracts, including medical records, identity details, insurance policy terms, financial account information, and more
  • Vault credentials — passwords, codes, and sensitive values you store in the encrypted vault
  • Usage data — pages visited, features used, and actions taken within the app
  • Device information — browser type, operating system, and device type (for service optimization)

2. How We Use It

We use your information to:

  • Provide the service — store, process, organize, and search your documents
  • Send you notifications, reminders, and daily digests
  • Power the AI assistant to answer your questions
  • Improve the service and fix issues

What we do NOT do with your data: We do not use your data to train AI models. We do not sell your data to anyone. We do not share your data with advertisers. We do not monetize your information in any way beyond the subscription you pay for.

3. Third-Party Services

We use the following third-party services to operate BrightKeep. Here’s exactly what data each service touches:

ClerkAuthentication

Email address, name, login sessions

Anthropic Claude APIDocument extraction & AI assistant

Document text sent for processing. Anthropic does not retain this data per their data processing terms. Your data is not used to train their models. Documents are decrypted in memory only during processing.

AWS S3File storage

Uploaded documents, encrypted with per-user AES-256 encryption keys managed by AWS KMS. Each user’s files are encrypted with their own unique key.

AWS KMSKey management

Manages per-user encryption keys for document and data protection. Only encrypted key material is stored; plaintext keys exist only in memory during use.

Neon (PostgreSQL)Database

All structured data, encrypted at rest. Sensitive personal fields (Social Security numbers, document numbers, medical notes, financial account numbers) are additionally encrypted at the application level with per-user encryption keys.

CloudConvertFile conversion

Document files are converted to PDF format for processing. Files are deleted from CloudConvert servers after conversion per their data processing terms.

PostmarkEmail delivery

Email address, notification and digest content

TwilioSMS delivery

Phone number, notification message content

StripeBilling

Payment information handled entirely by Stripe. We never store your card numbers.

VercelHosting

Application code and request logs

InngestBackground job processing

Document metadata and job status (not document content)

PostHogProduct analytics

Page views, feature usage, and general interaction patterns to understand how users interact with BrightKeep and improve the product. No sensitive document content, personal identifiers (such as SSNs, passport numbers, or medical records), or encrypted field values are ever sent to PostHog.

SentryError monitoring

When an error occurs, Sentry may receive technical context such as browser type, page URL, and error details for application performance tracking. Sentry never receives document content, personal identifiers, or encrypted field values.

4. Data Retention

We keep your data for as long as your account is active and you’re using the service.

After account deletion, your data is permanently deleted within 30 days. Database backups may persist for up to 90 days before automatic deletion.

Audit logs (which record who accessed what and when) are retained for 12 months for security purposes.

Billing records (invoices, payment history) are retained by Stripe per their data retention policies. We retain your subscription status and billing dates — but not payment card details — for as long as your account is active.

5. Your Rights

You have the right to:

  • Export your data — download all of your documents and extracted data at any time
  • Delete your account — permanently remove your account and all associated data
  • Request a copy — receive a full copy of all data we hold about you
  • Correct inaccuracies — update or correct any information in your account

To exercise any of these rights, visit Settings in the app or contact us at support@brightkeep.ai.

6. Cookies

We use essential cookies only — for authentication and session management. These are required for the service to function.

We do not use tracking cookies. We do not use third-party advertising cookies. We do not use analytics cookies that track you across other websites.

7. Children

BrightKeep is not directed at children under 13. We do not knowingly collect personal information from children under 13.

A note on family data:BrightKeep is designed for parents and guardians to organize information about their family — including their children. Documents about minors (school records, vaccination records, etc.) are stored as the parent’s data about their children, not data collected from children directly. The account holder (parent/guardian) controls and is responsible for this data.

8. Security Measures

We protect your data with multiple layers of security:

  • Per-user encryption— every user gets their own unique AES-256 encryption key, managed by AWS Key Management Service. Your files are encrypted with your key before they’re stored.
  • Field-level encryption — sensitive fields like Social Security numbers, passport numbers, medical notes, and financial account numbers are encrypted at the database level with your personal key
  • Encryption in transit — all connections secured with TLS
  • Vault encryption — sensitive credentials stored with per-field AES-256-GCM encryption, requiring re-authentication to access
  • Multi-factor authentication — required for all accounts
  • Access logging — all sensitive operations are logged in an append-only audit trail

For a full description of our security practices, see the Data Security section in our Terms of Service.

9. Changes

We may update this privacy policy from time to time. When we make material changes, we’ll notify you via email at least 30 days before the changes take effect.

We’ll also update the “Last updated” date at the top of this page.

10. Contact

Questions about this privacy policy or how we handle your data? Contact us at support@brightkeep.ai.