Applies to: the Bright Brain duo-verse (an internal operations platform used by Bright Brain's staff to manage client work) and the third-party services it reads data from on Bright Brain's behalf.
Operator: Bright Brain Marketing Technologies LLP, Mumbai, India.
Contact: info@brightbraintech.com
This page describes how the duo-verse — Bright Brain's internal operations platform — accesses, stores, and uses data from third-party services.
The duo-verse is not a consumer-facing product. It is used exclusively by Bright Brain's own staff (~25 team members) to manage client work, produce internal performance reports, and draft client-facing deliverables that go through human review before delivery. No external party uses the duo-verse directly.
This page exists because Bright Brain integrates with several third-party platforms (Meta, Google, and others listed below) that ask service operators to publish a clear privacy statement covering how data accessed through their APIs is handled.
Even though the duo-verse has no end-user-facing surface, those obligations apply, and we want our integration partners — and our clients — to be able to read a clean summary of what we do.
Meta Marketing API (Facebook + Instagram advertising data)
Scopes: ads_read, business_management.
We read ad-campaign metadata, performance metrics (spend, impressions, clicks, conversions, audience breakdowns by age/gender/placement), and Business-Manager-level account roster information.
We access only the ad accounts that each client (or their agency partner) has explicitly granted to Bright Brain's Meta Business Manager via standard Business Manager partnerships.
We never modify, create, or delete campaigns, ad sets, ads, or audiences through this integration; it is read-only.
Google services via OAuth 2.0 per-user consent
Gmail (read + send-as), Google Calendar (read + write events), Google Drive (read + selective write), Google Search Console (read site performance), Google Analytics 4 (read property data), Google Tag Manager (read container state), Google Ads (read campaign data; writes are out of scope at v1 and gated on a separate consent step).
Each Bright Brain team member who connects their own Google account does so via the standard Google OAuth consent screen, which discloses the specific scopes requested.
Fathom (meeting recordings + transcripts)
Per-user OAuth consent.
We read the user's own Fathom-recorded meetings to help them summarise calls, extract action items, and produce client-meeting notes.
We never access another user's recordings without their consent.
Ahrefs (SEO performance data)
Single Bright Brain agency-wide subscription; we read keyword rankings, backlink data, SERP snapshots, and AI-citation data for clients we work with.
LLM APIs (Anthropic, OpenAI, Perplexity, Google Gemini)
Outbound API calls only; we send prompts and receive responses to power the duo-verse's reasoning.
Client data may be included in these prompts when the agent is reasoning about a client's situation.
Each provider's own data-handling terms apply to the inbound side; Bright Brain selects providers whose terms preclude using our prompts for model training where the option exists, and configures the APIs to opt out of training data use where the option is exposed.
Authentication credentials (OAuth refresh tokens, system-user access tokens, agency API keys) are encrypted at rest using Fernet (AES-128-CBC with HMAC-SHA256) with a key held in the duo-verse server's environment variables.
The duo-verse runs on AWS Lightsail in Mumbai, India.
Cached reads from third-party services (campaign metrics, meeting transcripts, SEO snapshots, etc.) are stored at the per-client level in the duo-verse's file system on the same server. Cache contents are used to reduce redundant API calls and to give Bright Brain staff faster access to client context. Caches are purged on client offboarding.
We do not maintain a long-term centralised database of third-party content. Cached data is operational — it exists for as long as the related client engagement is active and the data is useful for ongoing reporting.
Internal reporting: weekly and monthly performance summaries reviewed by Bright Brain's account managers.
Client-facing deliverables: draft reports, draft emails, draft strategy documents that are reviewed and edited by Bright Brain staff before being sent to clients.
Operations: anomaly detection, deadline tracking, capacity planning, team coordination.
Quality improvement: aggregate, anonymised usage telemetry (which agents are used most, which queries fail, where the system can be improved) — never client-identifying.
We do not resell or share data accessed through these integrations with any third party.
We do not use client data to train AI models.
We do not expose any third-party-sourced data outside Bright Brain's internal team without explicit client consent.
We do not store individual end-user-level data from advertising platforms: we read Meta's Aggregated Event Measurement and equivalent aggregations, and we do not access individual user-level conversion data.
To request deletion of data Bright Brain holds about you or your business, email info@brightbraintech.com.
We will remove the relevant cached data within 30 days of a verified request, except where retention is required by law (financial / regulatory records).
Clients: you may revoke Bright Brain's Business Manager partnership (Meta), Workspace OAuth grant (Google), or any equivalent third-party access at any time via the relevant platform's settings. Revocation immediately stops Bright Brain's ability to read further data from that source.
Team members: you may disconnect any of your own per-user connections (Google, Fathom) from the duo-verse's /settings/connections page at any time. Disconnection stops further reads against your account.
When this policy changes materially, we update the "Last updated" date at the top and — for changes that affect what data is accessed or how it's used — we notify affected clients directly via email before the change takes effect.