BreekBreek

    Privacy policy

    Last updated: May 18, 2026

    This policy describes how BREEK SAS ("Breek", "we") collects, uses and protects your personal data when you use the https://breek.ai website and the Breek application (https://app.breek.ai, https://plans.breek.ai).

    It complies with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act of 6 January 1978 as amended.

    1. Data controller

    BREEK SAS
    French SAS with share capital of €12,121.20
    RCS Paris: 989 143 011
    Registered office: 38 rue Jacques Louvel Tessier, 75010 Paris, France
    Publication director: Ted Bonnici, President
    Email: contact@breek.ai

    Breek has not appointed a Data Protection Officer (DPO) as its activities do not require one under Article 37 GDPR.

    2. Data we collect

    We collect only the data necessary to operate the platform and deliver our services.

    2.1 Account data

    • Email address
    • Name (optional, provided by Google sign-in or filled by the user)
    • Encrypted session identifiers

    2.2 Data uploaded by users (application)

    • Tender documents (DCE, drawings, technical specs, PDFs) you upload
    • Annotations, measurements, take-offs and requirements you enter
    • Project information (name, description, deadlines, status)

    2.3 Data provided via the website (forms, bookings, chat)

    • Business contact details submitted via the Calendly booking flow (name, email, phone, company, tender volume, source)
    • Messages exchanged via the chat widget

    2.4 Technical data

    • IP address (security and abuse prevention only)
    • Browser type and operating system
    • Anonymised session identifier (error correlation)
    • Activity logs (resource creation, modification, deletion)

    2.5 Data from third-party integrations

    When you use optional integrations (Google Drive, Google sign-in), we access certain data through the provider's APIs — see section 5.

    We do not collect:

    • payment card data (handled by our payment processor)
    • advertising cookies or third-party trackers for advertising purposes inside the app
    • precise geolocation data

    3. Purposes of processing

    1. Service delivery: authentication, hosting your documents and annotations, generating reports, AI analysis of tender documents
    2. Service improvement: anonymised error and performance analysis (PostHog, see section 6)
    3. Security: detecting and preventing abuse, security audits
    4. Sales communication and support: responding to your enquiries, scheduling demos, CRM follow-up
    5. Marketing measurement: measuring ad performance (Google Ads) via server-side hashed conversion events (see section 6)
    6. Legal obligations: invoicing, accounting retention

    We do not use your data for behavioural advertising, commercial profiling, or selling to third parties.

    4. Legal bases

    • Performance of a contract (Art. 6.1.b GDPR): delivering the service you subscribed to
    • Legitimate interest (Art. 6.1.f): security, fraud prevention, service improvement, B2B prospection
    • Consent (Art. 6.1.a): optional third-party integrations, non-strictly-necessary cookies
    • Legal obligation (Art. 6.1.c): accounting retention

    5. Google integrations

    5.1 Sign in with Google

    If you choose to sign in with Google, Google provides us with:

    • your email address
    • your display name
    • your profile picture (optional)

    We do not request any other access to your Google account for sign-in.

    5.2 "Open with Breek" from Google Drive

    The "Open with > Breek plans" integration lets you open a PDF stored in your Google Drive directly inside Breek to annotate it.

    What Breek accesses:

    • Only the file you explicitly selected via the Google Drive "Open with" button (OAuth scope https://www.googleapis.com/auth/drive.file)

    What Breek does NOT access:

    • No other file in your Google Drive
    • No Drive metadata (file lists, folder structure, sharing settings)
    • No other information from your Google account

    What Breek does with this file:

    • Downloads the PDF content into our secure infrastructure
    • Generates image tiles for interactive display
    • Stores it encrypted so you can come back and add annotations

    What Breek does NOT do:

    • Modify the original file in your Google Drive (the source file is never altered)
    • Share the file or its content with third parties
    • Use the content to train third-party AI models
    • Use Google data for advertising, commercial profiling, or sale to third parties

    5.3 Compliance with Google's Limited Use Policy

    Breek's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

    • We use Google data solely to provide or improve user-facing features visible in the Breek interface
    • We do not transfer this data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user's explicit consent
    • We do not use this data for advertising purposes
    • We do not allow humans to read this data, except: (a) with your explicit consent, (b) for security purposes (e.g. abuse investigation), (c) to comply with applicable law, or (d) for aggregated and anonymised support purposes

    5.4 Revoking Google access

    You can revoke Breek's access to your Google account at any time at https://myaccount.google.com/permissions. Revocation prevents any future access, without deleting files already uploaded to Breek (use account deletion in section 9 for that).

    6. Cookies, trackers and audience measurement

    On the breek.ai website we use:

    • Strictly necessary cookies: session, security, load balancing — no consent required.
    • Google Tag Manager / Google Ads: measuring the performance of our advertising campaigns. Conversion events (CTA click, confirmed booking, meaningful page read) are sent to Google Ads. For a confirmed booking, user data (email, first name, last name) is SHA-256-hashed server-side before transmission, in line with Google Enhanced Conversions.
    • PostHog (product analytics and error correlation), hosted in the EU, no third-party cookies, no transfer outside the EU.

    No third-party profiling advertising cookies are set. You may refuse or withdraw consent at any time via the cookie banner.

    7. Recipients and sub-processors

    Your data is only accessible to:

    • authorised Breek SAS staff, strictly within their duties;
    • our technical sub-processors, bound by an Article 28 GDPR-compliant agreement.
    Sub-processorPurposeLocation
    Scaleway SASApplication and data hostingFrance (EU)
    OVH Groupe SADNS management, infrastructure hostingFrance (EU)
    SupabaseManaged database, authentication, serverless functionsEU (Frankfurt region)
    Google Cloud — Vertex AI (Gemini)AI processing of tender documentsEU regions
    PostHogProduct analytics and error correlationEU
    CalendlySales meeting bookingUSA (Standard Contractual Clauses)
    AttioSales CRM (prospect management)UK / EU (adequacy decision)
    Google AdsAdvertising performance measurementUSA (Standard Contractual Clauses)
    SlackSupport chat widget on the websiteUSA (Standard Contractual Clauses)

    We do not sell, rent or share your data for commercial purposes.

    8. Retention periods

    CategoryDuration
    Active account dataDuration of your subscription
    Documents and annotationsDuration of your subscription, then 30 days after deletion
    Technical logs90 days
    Billing data10 years (legal accounting requirement)
    Sales prospects (CRM)3 years after last contact
    Marketing audience measurement13 months

    You may request earlier deletion at any time (see section 9).

    9. Your rights

    Under the GDPR you have the following rights:

    • Access: obtain a copy of the data we hold about you
    • Rectification: correct inaccurate data
    • Erasure ("right to be forgotten"): delete your account and all your data
    • Restriction: suspend certain processing
    • Portability: receive your data in a structured format
    • Objection: object to certain processing, including prospection
    • Withdraw consent at any time
    • Set instructions for the handling of your data after death

    To exercise these rights, email contact@breek.ai with proof of identity. We reply within 30 days.

    You may also lodge a complaint with the French data protection authority, CNIL.

    10. Security

    We implement appropriate technical and organisational measures to protect your data:

    • End-to-end TLS encryption for all communications
    • Encryption at rest for stored documents
    • Secure session-based authentication
    • Regular security audits
    • Access restricted to staff strictly needed (least-privilege)
    • Regular backups

    In case of a breach affecting your rights and freedoms, we will notify you and the CNIL within 72 hours, in accordance with Article 33 GDPR.

    11. Transfers outside the European Union

    Your data is hosted in the European Union. Some sub-processors (Calendly, Google Ads, Slack) are headquartered in the United States. Such transfers are governed by the European Commission's Standard Contractual Clauses and, where applicable, by the sub-processor's certification to the EU-US Data Privacy Framework.

    Google Cloud Platform APIs used for AI processing are configured on European regions.

    12. Changes to this policy

    We may update this policy to reflect legal or technical changes. Material changes will be notified by email to active users at least 30 days before they take effect. The last-updated date is shown at the top of this page.

    13. Contact

    Email: contact@breek.ai
    Address: BREEK SAS, 38 rue Jacques Louvel Tessier, 75010 Paris, France