
Privacy policy

Effective: May 2, 2026

This privacy policy explains how Brevwick (“Brevwick”, “the Service”, “we”, “us”) handles personal information. Brevwick is operated by tatlacas (Pty) Ltd, a private company registered in the Republic of South Africa, with its registered office at 6 Grandeur Crescent, Grandeur Estate, Brackenfell, 7560, Cape Town, South Africa. We are committed to processing personal information lawfully under the Protection of Personal Information Act, 2013 (POPIA), the EU and UK General Data Protection Regulations (GDPR), and other applicable privacy laws.

1. Scope and our role

Brevwick is a SaaS platform that ingests bug reports from end users of a customer’s web or mobile application via a drop-in SDK, formats those reports through an LLM, and delivers them to the customer’s triage team and external issue trackers.

For data submitted through the SDK by end users of a customer’s application, Brevwick acts as a processor on behalf of that customer (the controller). For account, billing, support, telemetry, and marketing-site data, Brevwick acts as a controller in its own right. End users with privacy questions about reports submitted through a customer’s app should contact that customer first; we will assist on referral.

2. What we collect — dashboard accounts

When you sign up for or use a Brevwick workspace, we collect:

  • Your email address, display name, and avatar URL.
  • Your authentication provider (email magic link, Google, or password) and your Firebase user identifier.
  • Your role within each workspace (owner, admin, triager, viewer) and the workspaces, projects, and issues you have access to.
  • Billing pointers held by our payment processor (Paddle). We do not store full card numbers.

3. What we collect — SDK submissions

When an end user submits a bug report through a Brevwick SDK embedded in a customer’s app, we receive:

  • The free-text title, description, expected behaviour, and actual behaviour the user typed.
  • The route or screen path, the build SHA, and the environment label (dev, stg, or prod) supplied by the customer’s SDK configuration.
  • Device context: user-agent string, browser locale, viewport size, platform identifier, and the SDK name and version.
  • A console-log ring (up to 50 entries, deduplicated) and a network ring (up to 20 entries) captured automatically. Both are sanitised client-side and again server-side before any further processing. Only an allow-list of seven request/response headers is captured (accept, accept-language, content-language, content-type, x-request-id, x-correlation-id, x-trace-id); request and response bodies are capped at 2 KB and 4 KB respectively and redacted.
  • Optional userContext and userRef fields that the customer’s app may pass to Brevwick. The contents and lawfulness of these fields are the customer’s responsibility.
  • A salted SHA-256 fingerprint derived from a rotating secret salt, the user-agent, the IP address truncated to /24 (IPv4) or /48 (IPv6), the optional userRef, and the workspace identifier. We retain only the hash, never the inputs. End users may opt out of fingerprinting by sending the X-Brevwick-Fingerprint-Optout: 1 header; Brevwick uses the fingerprint solely for abuse detection and rate limiting.
  • Attachments — PNG, JPEG, WebP screenshots and WebM screen recordings, capped at 10 MB each and 5 per issue.

4. What we do not collect

  • Full IP addresses (we truncate before hashing).
  • Geolocation, GPS, or device-sensor data.
  • Cross-site browsing history.
  • Ambient tracking cookies on customers’ end users. The Brevwick SDK does not set marketing cookies on the customer’s domain.
  • End-user names or email addresses, unless the customer’s app deliberately supplies them via userContext.

5. How we use information

  • Provide the Service. Operating workspaces, authenticating users, ingesting submissions, formatting them with an LLM, and delivering issues to your chosen tracker.
  • Bill and collect. Managing subscriptions, taxes, invoices, refunds, and dunning through Paddle.
  • Communicate. Sending transactional email (workspace invites, receipts, security notices) and, with your consent, product updates.
  • Secure and improve. Detecting abuse, debugging errors, measuring aggregate usage, and improving redaction quality.
  • Comply. Meeting legal, regulatory, and contractual obligations.

6. Lawful bases (GDPR / UK GDPR)

For users in the EEA or UK, we rely on:

  • Performance of a contract — account, billing, and core service delivery.
  • Legitimate interests — abuse prevention via the salted fingerprint, security telemetry, and aggregate analytics, balanced against your reasonable privacy expectations.
  • Consent — optional marketing communications and any analytics that require it. You may withdraw consent at any time.
  • Legal obligation — tax, accounting, and lawful-request compliance.

7. Sub-processors

We engage the following sub-processors to deliver the Service. Each is bound by contractual confidentiality and security obligations.

  • Google LLC (Firebase Authentication), United States — identity, magic-link delivery, ID-token verification.
  • Anthropic, PBC, United States — LLM formatting of redacted issue text and console / network context. Image attachments are not sent to the LLM.
  • Cloudflare, Inc. (R2), global edge network — attachment object storage.
  • Paddle.com Market Ltd, United Kingdom — Merchant of Record for subscription billing, tax collection, and dunning.
  • Resend, Inc., United States — transactional email delivery.
  • Functional Software, Inc. (Sentry), United States — backend error telemetry. Raw authentication tokens are never logged.
  • Vercel, Inc., United States — marketing site and dashboard hosting.
  • Fly.io, Neon, Upstash — API runtime, Postgres database, and Redis cache. Default regions are in the United States; a South African region option for the API tier is on our roadmap and is not yet available.

A current list of sub-processors and a Data Processing Agreement (DPA) are available on request to privacy@tatlacas.com. We will give workspace owners advance notice of new sub-processors where required by law or by their contract.

8. International transfers (POPIA s.72)

Personal information processed by Brevwick is transferred to the United States by Anthropic, Google (Firebase), Sentry, Resend, and Vercel; to the United Kingdom and European Union by Paddle; and may be processed at Cloudflare’s globally distributed edge. These jurisdictions may not have data-protection laws equivalent to South Africa’s POPIA or the EU GDPR. Transfers are made on the basis of one or more of (i) the recipient’s binding corporate rules or standard contractual clauses, (ii) the data subject’s consent at the point of submission, (iii) necessity for the performance of a contract, or (iv) Brevwick’s reasonable contractual safeguards with the recipient. Customers requiring South African-only LLM processing should contact us; this option is on our roadmap and is not currently available.

9. Retention

  • Attachments. Hard-deleted from Postgres and Cloudflare R2 by an automated purge job 90 days after upload. Workspace administrators can extend an individual issue’s attachment retention to a maximum of 365 days.
  • Issues and feedback events. Retained indefinitely while the workspace is active. Workspace administrators can delete individual issues, and deleting a workspace cascades to all of its issues, attachments, and feedback events.
  • Authentication records. Held by Firebase under Google’s policies. Brevwick ID tokens have a one-hour time-to-live.
  • Operational logs. Retained at the hosting layer for 30 days.
  • Workspace invitations. Tokens expire 7 days after issue. Audit rows are retained for accountability.
  • Rate-limit counters. Per-minute, per-hour, and per-day counters in Redis auto-expire on rollover.
  • Billing records. Retained for the period required by South African tax law (currently five years).

10. Your rights (POPIA, GDPR, and equivalents)

Subject to applicable law, you have the right to access, correct, delete, restrict, or object to the processing of your personal information; to receive your information in a portable format; and to withdraw consent where processing relies on it. POPIA and the GDPR also entitle you to lodge a complaint with the South African Information Regulator or your local supervisory authority.

To exercise a right, email privacy@tatlacas.com. We will respond within 30 days. If your request concerns data submitted through another company’s app, please contact that company first — they are the controller of that data and we are unable to act unilaterally.

11. Security

We protect personal information with TLS in transit and encryption at rest at the storage layer. Authentication is delegated to Firebase and we never see your password. ID tokens are short-lived; project API keys are HMAC-SHA256-hashed at rest. PII redaction is applied both in the SDK on the user’s device and again on our servers before any LLM processing. Raw bearer tokens are never logged. No system is perfectly secure; if a breach affecting your personal information occurs, we will notify you and the relevant supervisory authority as required by law.

12. Cookies and analytics

Our marketing site uses no advertising or cross-site tracking cookies. If a privacy-respecting analytics provider such as Plausible is enabled, it operates without cookies and without persistent identifiers. The Brevwick dashboard sets a session cookie required for authenticated access; this is strictly necessary for the Service and is not used for tracking.

13. Children

Brevwick is not directed to children under 16. We do not knowingly collect their personal information. Customers embedding the Brevwick SDK in services directed to children must comply with applicable children’s privacy laws (including POPIA s.34 and, where relevant, COPPA) and must not pass children’s personal information through userContext.

14. Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page with a revised effective date and, where required, communicated to workspace owners by email.

15. Contact

tatlacas (Pty) Ltd, 6 Grandeur Crescent, Grandeur Estate, Brackenfell, 7560, Cape Town, South Africa.

See also our Terms of Service and our contact page.