Privacy Policy

1. Introduction and Scope

Bravio provides a specialized Business-to-Business (B2B) Software-as-a-Service platform for clinical engineering and biomedical service organizations ("Tenants"). This Privacy Policy applies to all information collected through the Service, including information inputted by Tenant administrators, technicians, and other authorized users.

This Policy does not apply to the practices of third-party services that may be integrated with or linked from the Platform. Each third-party service has its own privacy policy, and we encourage you to review those policies separately.

2. Information We Collect

2.1 Account and Registration Information
When a Tenant registers for the Service, we collect: organization name, administrator name and email address, billing information, and account credentials.

2.2 User Information
For users operating within a Tenant's account, we collect: full name, email address, role (e.g., Technician, Administrator), and profile information.

2.3 Operational and Business Data
In the course of using the Service, Tenants and their Users input and generate: facility names, addresses, and contact information; asset details including equipment models, serial numbers, and service histories; work order notes, technician assignments, labor records, and parts usage; service reports, estimates, and invoices; preventive maintenance schedules; and automated notification logs (SMS and email records).

2.4 Google Account Data
When a User connects a Google account for authentication or Google Calendar synchronization, we receive: the User's Google email address, basic profile information (name and profile picture), and access to the User's primary Google Calendar (read and write permissions for syncing work orders).

2.5 Technical and Usage Data
We automatically collect certain technical data when you access the Service, including: IP addresses, browser type and version, device identifiers, operating system, pages visited, features used, and timestamps. This data is used for security monitoring, platform improvement, and troubleshooting.

2.6 Communications
We retain records of automated communications dispatched through the Platform (e.g., SMS and email notifications sent to facilities regarding service events) for operational and audit purposes.

3. How We Use Your Information

We use collected information solely for the following purposes:

• Service Delivery: To provide, operate, and maintain the Platform and its features, including asset management, work order processing, scheduling, invoicing, and communications.
• Authentication: To verify user identity and manage access to the Platform.
• Google Calendar Sync: To synchronize work orders with Users' Google Calendars where that feature is enabled.
• Automated Notifications: To dispatch transactional SMS and email notifications via our third-party providers on behalf of Tenants.
• Security and Fraud Prevention: To monitor for suspicious activity, protect against unauthorized access, and maintain the integrity of the Platform.
• Platform Improvement: To analyze aggregated, anonymized usage patterns to improve features and user experience. We do not use individual Tenant Data for this purpose without de-identification.
• Customer Support: To respond to support requests and resolve technical issues.
• Legal Compliance: To comply with applicable laws, regulations, court orders, or legal processes.

We do not use your data for advertising, marketing to third parties, or any purpose not listed above. We do not sell your data. Ever.

4. Google API Data — Limited Use Disclosure

Bravio FSM's access to and use of information received from Google APIs strictly adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically:

• We use Google account data (email, profile) solely to manage user authentication and account identity within the Platform.
• We use Google Calendar access solely to synchronize Bravio work orders with the User's primary Google Calendar.
• We do not share, transfer, sell, or disclose Google user data to any third party, except to our hosting infrastructure providers (Vercel and Supabase) solely as necessary to operate the Platform.
• We do not use Google user data for advertising or to train machine learning models.
• We do not allow humans to read Google user data unless you have given us explicit permission, it is necessary for security purposes, or we are required to do so by law.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal or business data. We may share data only in the following limited circumstances:

5.1 Authorized Third-Party Service Providers
We engage trusted third-party vendors to help deliver the Service. These providers are permitted to access data only to the extent necessary to perform specific functions and are bound by confidentiality obligations. Current providers include:

• Resend — for dispatching system-generated emails and service reports.
• Twilio — for delivering SMS notifications to facilities.
• Vercel — for application hosting and delivery.
• Supabase — for database hosting and storage.

We periodically review our service providers and will update this list as providers change. By using the Service, you consent to data being processed by these providers as necessary to deliver the Service.

5.2 Legal Requirements
We may disclose your data if required to do so by law, regulation, court order, or lawful request from a government or law enforcement authority. We will make reasonable efforts to notify you of such disclosure requests where legally permissible.

5.3 Business Transfers
In the event of a merger, acquisition, sale of assets, or reorganization, your data may be transferred to a successor entity. We will provide notice prior to data being transferred and becoming subject to a different privacy policy.

5.4 Protection of Rights
We may disclose data where we believe in good faith that doing so is necessary to protect the rights, property, or safety of Bravio, our customers, or the public.

6. Multi-Tenant Data Isolation

The Service uses a strict multi-tenant architecture. Each Tenant's data is logically segregated so that it cannot be accessed by any other Tenant. Bravio employs technical controls including row-level security, access control policies, and encrypted database configurations to enforce this isolation. While no system is perfectly secure, we take data isolation seriously and apply industry-standard practices to prevent cross-tenant data exposure.

7. Data Security

7.1 We implement commercially reasonable administrative, technical, and physical safeguards to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), encryption at rest, access controls, authentication protocols, and regular security monitoring.

7.3 Security Incident Notification. In the event of a confirmed data breach that affects your Tenant Data, we will notify you in accordance with applicable law and our security incident response procedures. Notification will be provided to the Tenant Administrator's registered email address.

8. Data Retention

8.1 Active Account Data: We retain your Tenant Data for the duration of your active Subscription, plus thirty (30) days following expiration or termination to facilitate data export.

8.2 Deleted Data: When you or your Tenant Administrators delete data within the Platform (e.g., individual records or assets), that data may persist in encrypted backups for up to ninety (90) days before permanent deletion.

8.3 Technical Logs: System access logs and audit trails may be retained for up to twelve (12) months for security and troubleshooting purposes.

8.4 Legal Hold: Notwithstanding the above, we may retain data for longer periods where required by law, regulation, or in connection with ongoing legal proceedings.

9. Tenant Administrator Responsibilities

Bravio provides data management tools to Tenant Administrators, who are responsible for:

• Managing and revoking user access within their organization.
• Ensuring that all data entered into the Platform is done with appropriate legal authorization.
• Responding to data subject access or deletion requests from individuals (e.g., facility staff or technicians) whose information is stored in the Platform.
• Ensuring that the organization's use of the Platform complies with applicable privacy laws, including HIPAA, GDPR, and any other applicable regulation.

Bravio is a data processor acting on behalf of the Tenant (data controller) with respect to personal data inputted into the Service. The Tenant bears primary responsibility for the lawfulness of data processing within the Platform.

10. Individual Data Rights

Where applicable under laws such as GDPR or CCPA, individuals whose personal data is stored within a Tenant's environment may have rights including access, correction, deletion, and data portability. Individuals wishing to exercise these rights should contact their organization's Tenant Administrator directly. Bravio will assist Tenant Administrators in responding to such requests where technically feasible and legally required.

For requests directed at Bravio directly (relating to information Bravio holds about Tenant organizations), please contact us at legal@hellobravio.com.

11. Cookies and Tracking Technologies

The Platform may use essential cookies and similar technologies to maintain session state, authentication, and user preferences. We do not use third-party advertising cookies, behavioral tracking cookies, or tracking pixels for marketing purposes. You may configure your browser to reject cookies, but doing so may affect the functionality of the Service.

12. Children's Privacy

The Service is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe that a minor's information has been entered into the Service, please contact us immediately at legal@hellobravio.com and we will take appropriate steps to remove such information.

13. International Data Transfers

The Service is hosted and operated from infrastructure that may be located in the United States or other countries. If you access the Service from outside those jurisdictions, your data may be transferred to and processed in a country with different data protection laws than your own. By using the Service, you consent to such transfers. We implement appropriate safeguards for international transfers where required by applicable law.

14. Limitation of Liability for Privacy Incidents

15. Changes to This Policy

We reserve the right to update or modify this Privacy Policy at any time. We will notify Tenant Administrators of material changes via email or an in-application notification. Your continued use of the Service after such notification constitutes acceptance of the revised Policy. We encourage you to review this Policy periodically.

16. Contact Us

For questions, concerns, or requests relating to this Privacy Policy or Bravio's data practices, please contact:

• Email: legal@hellobravio.com
• Website: hellobravio.com

Last Updated: February 24, 2026