Book a demo

Tell us in a minute who you are. We'll be in touch within 24 hours.

Secure submission

We only use your details to schedule the demo.

Legal Last updated · v 1.0 · April 2026
Privacy policy

Privacy policy

How Vertical Real Estate B.V. (trading as BrickPilot) collects, uses, shares, and protects your personal data when you use the BrickPilot platform and website.

EU
EU-only hosting All processing stays in the European Union.
§
GDPR-first Privacy controls are part of the product design.
×
No training Your data never trains a foundation model.

01 Introduction

This Privacy Policy explains how Vertical Real Estate B.V., registered with the Dutch Chamber of Commerce (KvK) under number 99566346, located at Zanddwarsstraat 12, 1011 HP Amsterdam, the Netherlands (“Company”, “we”, “us”, or “our”), trading under the brand name BrickPilot, collects, uses, shares, and protects your personal data when you access or use our website and the BrickPilot platform (collectively, the “Service”).

This Privacy Policy should be read together with our Terms of Service, Cookie Policy, and, where applicable, the Data Processing Agreement (“DPA”). In the event of a conflict, the order of precedence set out in the Terms of Service applies.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, you should not use the Service.

02 Privacy contact

We have not appointed a Data Protection Officer as this is not required under Article 37 GDPR given the nature and scale of our processing activities. For all privacy-related questions, requests, or complaints, you can contact our designated privacy contact:

Laurens van Duin, Privacy Contact
Email: [email protected]

03 Personal data we collect

3.1 Data you provide to us

  • Account registration data: name, email address, company name, and authentication credentials (including via Google and Microsoft SSO).
  • Payment and billing data: payment method details and transaction history. We do not store your payment card details; these are processed by our payment provider Mollie.
  • Project data: documents, files, project descriptions, addresses, and other materials you upload or create through the Platform.
  • Communications: messages, support requests, and feedback you send to us.

3.2 Data collected automatically (Usage Data)

  • Device and browser information: IP address, browser type and version, operating system, device type, unique device identifiers.
  • Usage information: pages visited, time and date of visits, time spent on pages, referral URLs, click patterns, and feature usage.
  • Log data: server logs, error reports, and diagnostic data.

3.3 Data from third-party authentication

If you register or log in through Google or Microsoft, we may collect your name, email address, and profile picture as made available by those providers. The scope of data depends on your privacy settings with the relevant provider.

3.4 Public source data

The Platform retrieves data from public sources (Kadaster, BAG, DSO, PDOK) on your behalf. This data typically does not constitute personal data, but where it does (e.g. property ownership records), we process it solely to provide the Service on the basis of the performance of our contract with you.

04 How we use your personal data

We process your personal data for the following purposes and on the following legal bases:

Purpose Description Legal basis
Providing the Service Operate, maintain, and improve the Platform; manage your account; process AI-assisted project workflows, document analysis, and data retrieval from public sources. Performance of contract (Art. 6(1)(b) GDPR)
Public source data retrieval Retrieve and process data from public registries (Kadaster, BAG, DSO, PDOK) on your behalf, which may incidentally include personal data such as property ownership records. Performance of contract (Art. 6(1)(b) GDPR)
Payment processing Process subscription payments and one-time purchases via Mollie. Performance of contract (Art. 6(1)(b) GDPR)
Communication Contact you regarding account matters, security updates, service notifications, and support requests. Legitimate interest (Art. 6(1)(f) GDPR)
Marketing Send information about products, services, and events similar to those you have used. You can opt out at any time. Legitimate interest (Art. 6(1)(f) GDPR) with opt-out
Analytics and improvement Analyse usage trends, measure campaign effectiveness, and improve the Service and AI model performance. Legitimate interest (Art. 6(1)(f) GDPR)
Security and fraud prevention Monitor for and prevent unauthorised access, misuse, or security incidents. Legitimate interest / Legal obligation (Art. 6(1)(c)/(f) GDPR)
Business transfers Evaluate or conduct mergers, acquisitions, or asset sales where personal data may be among transferred assets. Legitimate interest (Art. 6(1)(f) GDPR)

05 Who we share your data with

  • Service Providers (Sub-Processors): third-party providers who process data on our behalf to deliver the Service, as listed in section 8 below.
  • Payment provider: Mollie processes your payment data. We do not store payment card details.
  • Affiliates: we may share data with affiliates who will honour this Privacy Policy.
  • Business transfers: in the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
  • Law enforcement and legal requirements: we may disclose data if required by law, to respond to valid requests by public authorities, to protect our rights, prevent wrongdoing, or protect user safety.
  • With your consent: we may disclose data for other purposes with your explicit consent.

06 Cookies and tracking technologies

We use cookies and similar tracking technologies on our Service. Our use of cookies, the types of cookies we use, and how you can manage your cookie preferences are described in our separate Cookie Policy, available on our website.

We only place non-essential cookies (such as analytics cookies) after obtaining your active consent via our cookie consent mechanism.

07 International data transfers

Your information, including personal data, is processed at our offices and by our Service Providers, some of which are located outside the European Economic Area (EEA), including in the United States.

Where personal data is transferred outside the EU/EEA to a country without an adequate level of data protection, transfers are protected by EU Standard Contractual Clauses (SCCs) or other approved safeguards under Chapter V GDPR, supplemented by additional measures where required.

You can request information about safeguards in place by contacting us at [email protected].

08 Service providers and sub-processors

The following third-party Service Providers may access your personal data to provide services on our behalf:

Provider Processing activities Location Transfer mechanism Category
Amazon Web Services (AWS) Cloud infrastructure, computing, storage, hosting; AI model inference via AWS Bedrock (Anthropic) EU / US AWS DPA; SCCs Infrastructure & AI
Vercel (Vercel, Inc.) Frontend hosting, serverless functions, edge network and CDN Global / US Vercel DPA; SCCs; DPF Infrastructure
Railway (Railway Corp.) Application hosting, backend services, logging, container orchestration US Railway DPA; SCCs Infrastructure
Storyblok (Storyblok GmbH) Content management system (CMS) for website and platform content EU Storyblok DPA CMS
OpenRouter (OpenRouter, Inc.) AI model routing and API gateway; forwarding prompts to Mistral and other AI providers for inference US OpenRouter DPA; SCCs AI Inference
Slack (Salesforce, Inc.) Internal team communication, including support request handling and project coordination where User data may be referenced US Slack DPA; SCCs; DPF Communication
GitHub (Microsoft) Source code hosting, version control, CI/CD pipelines US GitHub DPA; SCCs; DPF Development
Mollie B.V. Payment processing for subscriptions and purchases EU (NL) Mollie DPA Payments

Note regarding OpenRouter: OpenRouter routes inputs to downstream AI model providers (including Mistral). We require OpenRouter to contractually ensure equivalent data protection obligations from each downstream provider.

Note regarding AWS Bedrock: AI inference via Anthropic models is provided through AWS Bedrock. Data processed through Bedrock is subject to AWS’s data processing terms and does not leave the AWS infrastructure.

09 Data retention

  • Account data: retained for the duration of your active account and deleted two (2) years after deactivation or inactivity.
  • Project data: retained for the duration of your active account. Upon termination, project data is retained for ninety (90) days to allow export, after which it is securely deleted.
  • Legal compliance data: retained for one (1) year after the purpose of collection has been fulfilled, to comply with legal obligations and resolve disputes.
  • Usage data: retained for internal analysis purposes for a maximum of twenty-four (24) months, unless required for security or legal purposes.

10 Your rights

Under the GDPR and applicable data protection laws, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your data, subject to legal retention obligations.
  • Restriction: request restriction of processing in certain circumstances.
  • Data portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent: where processing is based on consent, withdraw at any time.

You can exercise these rights through your account settings or by contacting us at [email protected]. We will respond within one (1) month, unless complexity requires up to two additional months.

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your national supervisory authority.

11 Data Processing Agreement

If you upload personal data to the Platform in a professional capacity, we operate as a Data Processor and you as a Data Controller under the GDPR. The Data Processing Agreement, available as a separate document, sets out the details of this arrangement.

12 Children’s privacy

The Service is not directed at anyone under 18. We do not knowingly collect personal data from minors. If we become aware of such collection without parental consent, we will delete it promptly.

13 Security

We implement appropriate technical and organisational security measures to protect your data. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

14 Changes to this privacy policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new version and, where appropriate, by email. The version date at the top indicates when it was last revised.

15 Contact us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Vertical Real Estate B.V. (trading as BrickPilot)
Zanddwarsstraat 12, 1011 HP Amsterdam
The Netherlands
KvK: 99566346
Privacy contact: Laurens van Duin
Email: [email protected]