BrezelScraper Logo

Legal

Privacy Policy

Last updated: May 27, 2026

This Privacy Policy describes how brezel.ai ("brezel.ai," "we," "our," or "us") collects, uses, discloses, and protects Personal Data when you visit brezelscraper.com, sign up for an account, or use BrezelScraper, our Google Maps data extraction service (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. When this Privacy Policy applies — and when it does not

This Privacy Policy applies to Personal Data we process as a controller: information about visitors to our website, account holders, prospective customers, billing contacts, support correspondents, and applicants.

It does not apply to the data outputs that the Service returns to you. When you submit a job, you instruct us to fetch publicly available business listings from Google Maps and, where you have enabled the relevant enrichments, related public web pages. With respect to any Personal Data contained in those outputs (for example, business owner names or contact details), you are the controller and we are the processor, acting solely on your documented instructions. Your processing of those outputs is governed by your separate Terms of Service with us and, where you are established in the European Economic Area ("EEA"), the United Kingdom, or Switzerland and the output includes Personal Data, by our standard Data Processing Addendum ("DPA"), available on request at [email protected].

You represent and warrant that, for every job you submit, you have all necessary rights, consents, and a valid legal basis to instruct us to process the Personal Data returned, and that you will discharge any transparency, notice, and data-subject-rights obligations owed to the individuals concerned under applicable law (including GDPR Articles 13 and 14, where relevant).

2. Who we are

The data controller responsible for the Personal Data described in this Privacy Policy is:

brezel.ai Ltd. Liability Company
30 N Gould St Ste N
Sheridan, WY 82801
United States
Privacy contact: [email protected]
General support: [email protected]

EEA / United Kingdom enquiries. If you are located in the EEA or UK, contact us at [email protected] and we will route your request appropriately.

3. Personal Data we collect

3.1 Personal Data you provide to us

  • Account identity data — when you sign up through our authentication provider: name, email address, profile image, the identity provider you chose for sign-in, and authentication timestamps. We assign you an internal user identifier and record your account role for permission management.
  • Billing data — when you purchase credits: your Stripe Customer ID, the country and ZIP/postal code associated with your payment method (collected by Stripe and used for tax determination), the amount and outcome of each charge (paid, refunded, partially refunded), and any resulting refund-deficit balance. We do not see, store, or transmit full payment card numbers; card data is handled directly by Stripe under their PCI-DSS-compliant infrastructure.
  • Support communications — when you write to [email protected]: your name, email address, the contents of your message, any attachments you provide, and metadata about the conversation (timestamps).
  • Integration credentials — when you connect a third-party service such as Google Sheets, we store the OAuth refresh and access tokens needed to call that service on your behalf, scoped to the permissions you grant during the OAuth flow. The specific Google user data we receive, how we use it, and the strict limitations on that use are described in detail in Section 8 (Google API Services and the Limited Use requirements). Tokens are stored encrypted at rest and you may revoke them at any time from the Integrations page or from the third party's own account settings.
  • API credentials — we generate API keys that you create from the dashboard. We store a salted, irreversible hash of the key (not the key itself) plus a short, non-sensitive prefix used to display the key to you.
  • Webhook configuration — endpoint URLs, the events you subscribe to, and the secret used to sign webhook payloads.
  • Job inputs — the search terms, geographic coordinates, radius, zoom level, language, enabled enrichments, custom job names, and any other parameters you submit when creating a scrape job. These inputs are stored on our infrastructure for the lifetime of the job record.

3.2 Personal Data we collect by automated means

  • Connection and device data — IP address, user-agent string, browser and operating system information, language preference, referring URL, and timestamps of requests to the website and API.
  • Service-usage data — records of API and dashboard actions, including jobs created, jobs cancelled, credits consumed and held, downloads requested, webhook deliveries attempted, and rate-limit events. We use this to operate, secure, debug, and improve the Service.
  • Server logs — application logs and database audit records collected via our internal log-aggregation system, retained for an operationally reasonable period (typically up to 30 days for verbose application logs; longer for security-relevant events).
  • Cookies and similar technologies — see Section 6.

3.3 Personal Data the Service processes on your behalf (output data)

The product output of BrezelScraper is data extracted from publicly available Google Maps business listings and, where you have enabled the corresponding enrichments, public business websites. Depending on the enrichments you select, outputs may include: business name, category, address, postal code, latitude/longitude, telephone number, website URL, opening hours, popular times, ratings and review counts, individual customer reviews (and, where extended reviews are enabled, reviewer display names and the public review text), photos, owner-provided information, reservation links, menu links, and email addresses appearing on the business's public website.

As stated in Section 1, we process this data strictly on your instruction and in our capacity as a processor. You are responsible for ensuring that your collection, storage, and subsequent use of this data complies with applicable law, including data-protection law (e.g. EU/UK GDPR, CCPA/CPRA, LGPD), anti-spam and telemarketing law (e.g. CAN-SPAM, CASL, TCPA, ePrivacy Directive), and the terms of service of the third-party platforms from which data is collected. See our Terms of Service §4 for the full acceptable-use rules.

4. How we use Personal Data and the legal bases

We process Personal Data only where we have a lawful basis under Article 6 of the EU/UK GDPR (where applicable) or an analogous basis under other data-protection laws. The table below maps each purpose to the corresponding legal basis.

  • Provide, operate, and maintain the Service (account creation, authentication, executing jobs, delivering results, billing, customer support) — performance of a contract with you, GDPR Art. 6(1)(b).
  • Process payments and manage credit balances (including refunds and refund-deficit balances) — performance of a contract, Art. 6(1)(b); and compliance with tax and accounting obligations, Art. 6(1)(c).
  • Secure the Service and prevent abuse (rate limiting, fraud detection, intrusion monitoring, abuse investigations) — our legitimate interest in operating a secure service, Art. 6(1)(f), balanced against your interests.
  • Debug, monitor performance, and improve features (aggregated usage analytics, error reports) — our legitimate interest in improving the Service, Art. 6(1)(f).
  • Send transactional communications (receipts, security alerts, service announcements, replies to support requests) — performance of a contract, Art. 6(1)(b).
  • Send marketing communications (product updates, newsletters) — your consent, Art. 6(1)(a), which you can withdraw at any time via the unsubscribe link in any such email.
  • Comply with legal obligations (tax, anti-money laundering, responses to lawful requests from authorities, statutory retention) — Art. 6(1)(c).
  • Establish, exercise, or defend legal claims — our legitimate interest, Art. 6(1)(f).

5. How we disclose Personal Data

We do not sell Personal Data, and we do not share it for cross-context behavioural advertising. We disclose Personal Data only to the following categories of recipients, and only to the extent necessary for the purpose stated:

  • Sub-processors acting on our behalf to deliver the Service — see Section 7 for the current list.
  • Professional advisers (lawyers, auditors, accountants) under a duty of confidentiality.
  • Public authorities, courts, or regulators where we are legally compelled to do so or where disclosure is necessary to protect our rights, your safety, or the safety of others.
  • An acquirer or successor in connection with a merger, acquisition, financing, reorganisation, bankruptcy, or sale of all or part of our assets. We will notify you of any such change and your choices as required by law.

6. Cookies and similar technologies

We use a small number of cookies and similar technologies for strictly necessary and functional purposes. We do not use cookies for cross-site advertising, behavioural profiling, or sale to third parties.

  • Authentication — Clerk session cookies, required to keep you signed in.
  • Preferences — a cookie that remembers your theme (light / dark / system).
  • Security — short-lived cookies used to mitigate cross- site request forgery and similar attacks.

Sub-processors named in §7 may set their own cookies when their components load — for example, when you sign in via our authentication provider or proceed to the payment processor's hosted checkout page. Those cookies are governed by the respective sub-processor's own cookie and privacy notices.

For full details and your choices, see our Cookie Policy.

7. Sub-processors and third-party services

We engage a limited number of sub-processors to deliver the Service. Each receives only the categories of data necessary for its function and is bound by written contractual confidentiality, security, and data-protection obligations consistent with Article 28 of the EU/UK GDPR.

The following sub-processors are user-facing — you either interact with them directly through our interface or actively authorise the connection — and we name them here for transparency:

  • Clerk, Inc. — authentication, identity, and session management. Data: account identity data, authentication timestamps. clerk.com/legal/privacy.
  • Stripe, Inc. — payment processing, tax calculation, and invoicing. Data: billing data, transaction metadata. stripe.com/privacy.
  • Google LLC — used only when you explicitly connect your Google account for Sheets export. We receive an OAuth access token scoped to drive.file (limited to files we create on your behalf) and the OpenID Connect openid + emailscopes (to confirm which Google account is connected and display its email back to you). Data: the spreadsheet exports you initiate, your Google account email. policies.google.com/privacy.

In addition, we rely on the following categories of infrastructure sub-processors:

  • Cloud infrastructure providers based in the European Union, supplying compute, managed database, and encrypted object storage for job inputs, outputs, and exports.
  • Network, DNS, and edge-protection providers, supplying DNS resolution, edge caching, and DDoS mitigation for our public endpoints.
  • Network routing providers used to fetch the public pages you instruct us to retrieve. These providers receive only the outbound request URL and necessary HTTP headers; they do not receive your account information or job configuration.
  • Operational tooling providers for transactional email delivery, logging, monitoring, and error reporting in support of running the Service securely and reliably.

A complete, up-to-date list of named sub-processors — including legal entity, processing location, and the categories of data they receive — is maintained as part of our standard Data Processing Addendum and is available to customers with an active account on request to [email protected]. Customers may subscribe to advance notice of changes to that list. We will give at least fourteen (14) days' prior notice before any new sub-processor begins processing customer Personal Data, during which a customer may object on reasonable data-protection grounds.

8. Google API Services and the Limited Use requirements

This section describes how we receive, use, store, and protect data from Google APIs ("Google user data") when you choose to connect your Google account to enable Google Sheets export from the Service.

8.1 The Google user data we receive

When you complete the Google OAuth consent flow, you grant our application the minimum set of scopes required to deliver the feature. We receive only the data those scopes authorise:

  • https://www.googleapis.com/auth/drive.file — used to create the spreadsheets you ask us to populate with your job outputs and to write your CSV data into them. This scope is restricted by Google to only the Drive files our application has created on your behalf. We cannot access, list, or modify your other Drive files or your other Google Sheets spreadsheets.
  • openid and email — the standard OpenID Connect scopes used to confirm which Google account you are connecting and to display its email address back to you on the Integrations page so you can recognise the connected account. These scopes give us your Google account email address and a stable account identifier; they do not give us access to your name, profile picture, or any other Google profile data.

8.2 Limited Use affirmation

BrezelScraper's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, and in addition to the general commitments in this Privacy Policy, we affirm that Google user data is:

  • used only to provide and improve the user-facing Google Sheets export feature that you have explicitly enabled;
  • not transferred to others except as necessary to provide or improve that user-facing feature, to comply with applicable law, or as part of a merger, acquisition, or sale of assets where users are notified;
  • not used or transferred for serving advertising, including retargeting, personalised, or interest-based advertising;
  • not sold, rented, licensed, or otherwise made available to data brokers, information resellers, or other parties for any purpose;
  • not used for determining credit-worthiness or for lending decisions;
  • not used to train, fine-tune, evaluate, or develop generalised or generative artificial-intelligence or machine-learning models;
  • not used to create, augment, or maintain databases or directories unrelated to providing the Google Sheets export feature.

8.3 Storage, retention, and deletion of Google user data

OAuth refresh and access tokens are stored encrypted at rest on our EU-based infrastructure and used only when you, or a job you have initiated, triggers an export to your Google account. Spreadsheet contents we write on your behalf reside in your Google Drive — we do not retain a copy after the write completes.

You may revoke our application's access to your Google account at any time, either (i) from the Integrations page in your BrezelScraper dashboard, or (ii) directly from your Google Account permissions page. On revocation, we delete the associated OAuth tokens from our active systems promptly and from encrypted backups on the normal backup- rotation cycle, aligned with our retention policy.

8.4 Human review

Our staff does not access Google user data routinely. Human access occurs only in narrowly scoped circumstances and is logged: (i) with your explicit prior consent — for example, when you ask our support team to investigate a specific failed export; (ii) where required to investigate a security incident or suspected abuse; or (iii) where required to comply with applicable law.

8.5 Security of Google user data

Google user data is subject to the technical and organisational measures described in Section 12 (Security) of this Privacy Policy, including TLS encryption in transit, encryption at rest for sensitive fields including OAuth tokens, role-based access control for staff access, and our Article 33/34 breach-notification commitments.

9. Data retention

We retain Personal Data only for as long as necessary to fulfil the purposes set out in this Privacy Policy and to comply with our legal obligations.

  • Account, profile, and integration records — for the duration of your account, and for up to 90 days after account closure to allow for reactivation and dispute resolution.
  • Billing, invoicing, and tax records — for up to seven (7) years after the relevant transaction to comply with tax, accounting, and audit obligations.
  • Job inputs and outputs — for as long as your account is active, until you delete the job, or until you delete your account, whichever occurs first. You may delete individual jobs (and their outputs) at any time from the dashboard or via the API.
  • Webhook delivery records — up to 90 days, after which they are removed by an automated cleanup process.
  • Application and security logs — typically 30 days for verbose application logs; up to 12 months for security-relevant events (authentication failures, abuse signals).
  • Support correspondence — up to 24 months after the conversation closes, unless a longer period is needed for legal claims.

When the retention period expires, Personal Data is deleted from active systems. Residual copies in encrypted backups are overwritten on the normal backup-rotation cycle, aligned with our retention policy.

10. Your rights

Depending on your jurisdiction, you have some or all of the following rights with respect to your Personal Data:

  • Access — confirm whether we hold Personal Data about you and obtain a copy.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure("right to be forgotten") — request deletion in the circumstances permitted by law.
  • Restriction and objection — restrict, or object to, certain processing (including processing based on legitimate interests and direct marketing).
  • Portability — receive your Personal Data in a structured, commonly used, machine-readable format.
  • Withdraw consent — where processing is based on consent, withdraw it at any time, without affecting the lawfulness of processing already carried out.
  • Lodge a complaint— with a competent supervisory authority (in the EEA, your local data-protection authority; in the UK, the Information Commissioner's Office).
  • Not be subject to solely automated decisions producing legal or similarly significant effects. We do not carry out any such decision-making (GDPR Art. 22).

California residents.Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), you have the right to know what categories of Personal Information we collect, the purposes for which we use it, the categories of recipients with whom we share it, and the retention period; the right to delete; the right to correct; the right to limit the use of sensitive Personal Information; and the right to opt out of any "sale" or "sharing" of Personal Information. We do not sell or share Personal Information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding twelve months. This Privacy Policy serves as our Notice at Collection under §1798.100 of the CCPA. The categories of Personal Information we collect are set out in Section 3 above and map to the CCPA categories: identifiers (A); commercial information (D); and internet or other electronic-network activity (F). We may derive approximate location at the city level from your IP address (CCPA category G); the precise geographic coordinates that appear in your job inputs describe the map location you wish us to search and are not user geolocation. We do not collect sensitive Personal Information as defined by the CPRA.

Residents of other U.S. states. If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Jersey, Tennessee, Indiana, Florida, New Hampshire, Maryland, Kentucky, Minnesota, Rhode Island, or another U.S. state with a comprehensive consumer-privacy law in force, you have substantially the same rights described above (access, correction, deletion, portability, opt-out of sale/sharing where applicable, and non- discrimination) with respect to the Personal Data we hold about you. To exercise these rights, contact [email protected].

How to exercise your rights. Email [email protected] from the address registered on your account, or from another address if you can verify your identity. We respond to verified requests within 30 days (extendable by a further 60 days for complex requests, with notice). You may also authorise an agent to act on your behalf, subject to verification. We will not discriminate against you for exercising your rights.

11. International data transfers

We are a United States entity. Our primary application infrastructure is hosted in the European Union, and some sub-processors are located in the United States or other jurisdictions. Where we transfer Personal Data out of the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the European Commission (or the equivalent UK or Swiss authority), the transfer is protected by the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, the Swiss Addendum, or another lawful mechanism. A copy of the safeguards we rely on is available on request to [email protected].

12. Security

We implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include:

  • TLS encryption for all data in transit between you, the Service, and our sub-processors;
  • Encryption of sensitive fields at rest (including integration OAuth tokens) and full-database encrypted backups;
  • Industry-standard cryptographic hashing for API keys and session identifiers;
  • Role-based access control for internal staff access to production systems;
  • Automated dependency-vulnerability monitoring and routine application of security patches;
  • Logging, alerting, and intrusion-detection on production infrastructure.

No system of electronic transmission or storage is perfectly secure. In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, and will notify affected data subjects where the breach is likely to result in a high risk, all as required by Articles 33 and 34 of the EU/UK GDPR (and analogous obligations elsewhere).

13. Children's privacy

The Service is intended for business users and is not directed to children. We do not knowingly collect Personal Data from children under 13 in the United States (consistent with the Children's Online Privacy Protection Act, "COPPA"), under 16 in the European Economic Area (or the equivalent age of digital consent in your country, which under GDPR Art. 8 may be set as low as 13 by some Member States), or under the equivalent threshold set by local law in other jurisdictions. If you believe we have collected Personal Data from a child, contact [email protected] and we will delete it promptly.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date above reflects the most recent revision. We will notify you of material changes by email to the address on your account and/or by prominent in-app notice at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Privacy Policy.

15. Contact us

If you have questions, requests, or complaints about this Privacy Policy or our handling of your Personal Data, please contact:

brezel.ai
Attn: Privacy
30 N Gould St Ste N
Sheridan, WY 82801, United States
[email protected]

You also have the right to lodge a complaint with the data-protection authority in your country of residence, place of work, or place of the alleged infringement.