Privacy Policy

Last updated: May 5, 2026

Purpose

The purpose of this Privacy Policy is to establish a comprehensive framework for protecting the privacy of personal information collected, processed, and stored by Bramble. You may provide Personal Data through our Website and Platform.

This Policy ensures that Bramble respects individual privacy rights, and maintains the trust of customers, employees, and other data subjects through compliance with applicable privacy laws and regulations, including SOC2 requirements for confidentiality and privacy.

Scope

Bramble is an insurance compliance intelligence platform. We process commercial contracts and related documents to extract, verify, and monitor insurance and compliance obligations on behalf of our customers. We serve insurance brokers, their clients, and other commercial organizations with insurance compliance needs.

This Policy applies to all employees, contractors, consultants, and third-party vendors of Bramble who handle personal information.

This Policy applies only to the processing of Personal Data by us and does not address the privacy practices of other parties from which we are not responsible.

We do not knowingly process or request Personal Data from persons under the age of 18. If you are such a person, please do not use the Platform or send us your data. We delete all the Personal Data about which we learn to have been provided by a person under the age of 18 without the consent of a parent or legal guardian.

What data do we process?

Data encompasses all personal information collected, processed, stored, or transmitted by Bramble, including but not limited to: customer data, employee data, vendor data, and any other personally identifiable information, regardless of format or storage medium.

We may collect the following categories of information:

• Account Information: Name, email address, company name, job title, and phone number provided during registration.
• Compliance Documents: Commercial contracts and related documents uploaded or ingested for compliance analysis, including provisions related to insurance, indemnification, and operational requirements.
• Insurance Data: Certificates of Insurance (COI), insurance policies, endorsements, and related coverage details submitted or ingested for audit, verification, and monitoring purposes.
• Operational & Financial Data: Where provided through integrations or uploads, related operational and financial records used to contextualize compliance analysis.
• Usage & Technical Data: Log data, device information, browser type, IP address, pages visited, and interaction patterns. We and/or our authorized external service providers may automatically collect technical data when you visit or interact with our Website and Platform for statistical and analytical purposes. However, we do not use technical data to identify you as an individual outside of security and fraud-prevention purposes.
• Cookies & Similar Technologies: Information collected through cookies, pixels, and analytics tools.

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to fulfill our obligations under our service agreement with you or your organization.
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and ensuring platform security.
• Consent: Where required by applicable law, we obtain your consent for specific processing activities such as marketing communications.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations.

Specific purposes include:

We process your Personal Data for the purpose of:

• Service Provision: Provide, maintain, and improve our compliance intelligence services, including document analysis, extraction of insurance and compliance requirements, verification and auditing, ongoing monitoring, and related reporting workflows.
• Automated Analysis: Perform automated compliance analysis and generate reports for your organization.
• Communication & Support: Communicate with you about your account, updates, and support requests. This includes answering your queries about our services and resolving any problems and disputes related to the contract between us.
• Internal AI Model Training: We process your anonymised Personal Data that you have voluntarily provided to us when using the Platform for model training. You may opt-out at any time of your anonymised Personal Data being used to train our models.
• Marketing: We may offer services to you via e-mail if you have agreed to receive newsletters on our Website.

Third Parties

Your Personal Data is primarily processed by us. We do not share your Personal Data with any recipients unless one of the following circumstances occurs:

It is necessary in order for us to fulfill our obligations to you: In the event that our subcontractors with whom we work to operate our Platform need access to your Personal Data, we have taken appropriate contractual and organizational measures to ensure that your Personal Data is processed in accordance with all applicable laws and regulations.

We only use third party providers that maintain the same or above levels of data protection and security.

It is necessary for legal reasons: We may share your Personal Data with recipients outside of the Company if we believe in good faith that specific access to your Personal Data and the corresponding use is proportional and necessary to (i) comply with all applicable laws; (ii) detecting, preventing and resolving fraud and security or technical problems; and/or (iii) protect the interests, property or safety of the Company, our users or the public, in accordance with the law. If possible, we will inform you of such processing.

Integrated Systems: Where you or your organization choose to connect Bramble to third-party systems used in your business operations, we exchange data with those systems on your behalf and under your authorization. We process data received from these systems in accordance with this Policy.

Cross-Border Data Transfers

We may transfer your Personal Data to countries outside the European Union and the European Economic Area, where we cooperate with external subcontractors. We transfer your Personal Data only to a country that is considered to have an adequate level of Personal Data protection in accordance with the European Commission’s decisions, or there are appropriate measures to protect your Personal Data, such as standard contractual clauses and/or binding internal company rules. Regardless of the country in which your Personal Data is processed, the Company will take appropriate technical, legal, and organizational measures to ensure that the level of protection is the same as in the European Union and the European Economic Area. If you want to know more about the international transfer of your Personal Data and the relevant guarantees we have in place, you can contact us at info@bramble.solutions. If we participate in a merger, acquisition, or other reorganization, your data may be transferred as part of this transaction. We will inform you about each such transaction (for example, via a message to the e-mail address associated with your account) and explain your options in this situation.

Data Retention

We retain your information for as long as your account is active or as needed to provide our services. Upon termination of your account, we will delete or anonymize your data within 90 days, unless retention is required by law or for legitimate business purposes such as resolving disputes.

Data Security

We take all proportional and appropriate security measures to protect us and our customers from unauthorized access or unauthorized alteration, disclosure, or destruction of Personal Data. Measures include, where appropriate, encryption, firewalls, secure devices, and access rights systems.

Privacy compliance activities will be regularly monitored and audited to ensure compliance with this Policy and applicable regulations. This includes annual reviews of processing activities, data subject rights fulfillment, and privacy impact assessments.

Should a data breach occur despite security measures that are likely to adversely affect your privacy, we will notify you as soon as reasonably possible.

Privacy incidents and data breaches are handled according to established procedures:

• Immediate containment and assessment of privacy incidents
• Notification to supervisory authorities within required timeframes
• Communication to affected individuals when required
• Documentation of incident response and remedial actions
• Post-incident review and process improvement

Data Subject Rights

Bramble will respect and facilitate data subject rights as required by applicable privacy laws:

• Right of access to your Personal Data— you may at any time ask us to confirm whether or not your Personal Data is being processed, and if so, for what purposes, to what extent, to whom it is made available, for how long we will process it, whether you have the right to correct, delete, limit the processing or raise an objection from where we obtained Personal Data form and whether there is automatic decision-making based on the processing of your Personal Data, including possible profiling. You also have the right to obtain a copy of your Personal Data, the first provision being free of charge, and for the next provision, we may require a reasonable payment of administrative costs.
• Right to rectification— you may at any time request we correct or add to your Personal Data if it is inaccurate or incomplete.
• Right to erasure— you can also request the deletion of your Personal Data from our systems. We will comply with these requests unless we have a legitimate reason not to delete your Personal Data.
• Right to restrict processing— you can ask us to restrict certain processing of your Personal Data. If we restrict certain processing of your Personal Data, this may lead to limits on the use of our Platform and Website.
• Right to data portability— you have the right to receive your Personal Data from us in a structured, commonly used, and machine-readable format for the purpose of transferring Personal Data to another processor.

How to exercise your rights — you can exercise your rights listed above free of charge e-mail to info@bramble.solutions. Depending on your request, we may require verification of your identity.

Can you file a complaint?

If you believe that our processing of your Personal Data is not in accordance with applicable data protection laws, you may file a complaint with your local authorities.

Compliance

This policy is designed to help Bramble comply with any regulatory standards or requirements. This policy supports compliance with the following:

• SOC2

Bramble reserves the right to monitor and audit the use of its IT resources to ensure compliance with this Policy and applicable regulations. This includes but is not limited to network traffic analysis, system logs review, and periodic compliance assessments.

Enforcement

Any known violations of this policy should be reported to any/a Co-Founder. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Policy Review

This policy will be reviewed and updated at least annually, or more frequently as needed, to reflect changes in technology, regulations, or business practices. This document shall be stored in a secure and accessible location and made available to all employees of Bramble. It is to be referenced in conjunction with other established policies and procedures.