We collect only what we need to book your cleaning and communicate with you. We never sell your data. Card payments are handled by Stripe — we don't store your full card number. Chat messages with our AI concierge are PII-scrubbed before storage; IP addresses are hashed, not kept raw. Old data is automatically deleted on a monthly schedule, and you can ask us to delete your information at any time by emailing privacy@bristlehome.com.
Who We Are
This Privacy Policy explains how Bristlehome LLC ("Bristlehome," "we," "us," or "our"), a Connecticut limited liability company headquartered in Waterbury, Connecticut, collects, uses, and protects information about you when you use our website, book our services, or otherwise interact with us.
By using our website or booking a service, you agree to the practices described in this Policy.
Information We Collect
We collect information you provide directly when you book a service, request a quote, sign up for recurring cleaning, or contact us. This typically includes:
- Contact details: name, email address, phone number
- Service address: the property where you'd like us to clean
- Home details: bedrooms, bathrooms, square footage, access instructions, preferences
- Booking preferences: service type, frequency, date, time window, any special requests or add-ons
- Chat messages with our AI concierge: the text you send and receive when using the chat on our website. We scrub apparent payment card numbers, bank routing numbers, and similar sensitive identifiers from messages before storage, and never knowingly retain such data
- Concierge session identifiers: a random identifier stored in your browser for up to 24 hours so the concierge can maintain conversation context
- Hashed IP address: we compute a one-way hash of your IP address combined with a daily rotating salt for rate-limiting and abuse prevention. We do not retain raw IP addresses
- Technical metadata: approximate browser, device, and referring page, used for troubleshooting and product improvement
- Payment information: handled by our payment processor — see Section 4 below
- Communications: messages you send us (email, text, phone) and notes we make about your service
We also automatically collect limited technical information from your browser or device: IP address, browser type, pages viewed, referring URL, and timestamps. This helps us improve the site and detect abuse.
How We Use Your Information
We use your information only to operate our cleaning service and keep you informed. Specifically, we use it to:
- Schedule, perform, and follow up on cleaning visits
- Send appointment confirmations, reminders, and invoices
- Respond to questions, quote requests, and support messages
- Process payments through our payment processor
- Send occasional service-related emails (e.g., seasonal check-ins, policy updates)
- Detect and prevent fraud, abuse, or misuse of our service
- Comply with applicable laws, tax, and accounting obligations
We do not use your information for advertising purposes. We do not sell your personal information to anyone.
Payment Data
Bristlehome does not store full credit card numbers on our own systems. Payment card data is captured and tokenized directly by our payment processor, which is certified to the Payment Card Industry Data Security Standard (PCI DSS).
When you save a card on file for recurring service, we receive only a secure token and the last four digits of your card for your reference. The full card number and CVV are held by our payment processor under their own privacy and security policies.
How We Share Information
We share personal information only in the following limited situations:
- Our cleaners: the cleaner(s) assigned to your home receive your address, access instructions, and relevant preferences so they can perform the service
- Service providers (sub-processors): we rely on a small number of reputable vendors, each bound by contractual data protection obligations:
  - Stripe, Inc. — payment processing and card tokenization (PCI DSS certified)
  - Supabase, Inc. — managed database and server infrastructure (hosted in AWS us-west-2)
  - Anthropic, PBC — large-language-model provider powering the AI concierge
  - Resend — transactional email delivery (booking confirmations, receipts)
  - Vercel, Inc. — web hosting and content delivery
- Legal compliance: when required by law, subpoena, or valid government request; or to protect the safety, rights, or property of Bristlehome, our clients, or our cleaners
- Business transfers: if Bristlehome is acquired, merged, or sells assets, customer data may transfer to the new owner under terms at least as protective as this Policy
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
Cookies & Analytics
Our website uses a small number of cookies: strictly necessary cookies to keep your session working, and analytics cookies to help us understand which pages people visit and where the site needs improvement. We may use a privacy-respecting analytics provider.
You can disable cookies in your browser settings. Disabling strictly necessary cookies may prevent the booking form from functioning.
Data Retention
We keep your information only as long as we reasonably need it. An automated cleanup job runs on the first day of each month and removes data that has exceeded the periods below:
- Chat concierge sessions: 12 months after your last message
- Security event logs: 12 months
- Notification logs (email and SMS records): 6 months
- Inquiries that did not result in a paid booking: 24 months, after which the record is marked deleted
- Paid booking history & invoices: 7 years, for tax and accounting obligations
- Payment and webhook records: 7 years, as required for financial record retention
- Marketing communications: until you unsubscribe
When a retention period ends, we delete or anonymize the information unless a longer period is required by law. Every cleanup run is logged internally so we can verify the policy is being enforced. You can also ask us to delete your information earlier — see Section 8.
Your Privacy Rights
Depending on where you live, different privacy laws give you different rights. Regardless of jurisdiction, we honor the core rights below for every client who asks:
- Access: confirm whether we process your personal data and receive a copy of what we hold
- Correct: ask us to correct inaccurate or incomplete information
- Delete: ask us to delete your personal data (subject to records we are legally required to keep, such as paid invoices)
- Portability: receive your data in a common, machine-readable format
- Opt-out: opt out of any targeted advertising, profiling, or sale of your data. We do not sell personal data and we do not engage in behavioral advertising
These rights are specifically protected under the Connecticut Data Privacy Act (CTDPA) if you are a Connecticut resident. If you are a California resident, the California Consumer Privacy Act (CCPA) and CPRA give you substantially the same rights plus the right to limit the use of sensitive personal information. If you are in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) also applies; we rely primarily on contractual necessity and legitimate interest as lawful bases of processing.
How to exercise your rights: email privacy@bristlehome.com with your request. We will verify your identity using information you have previously given us and respond within thirty (30) days. Once verified, a deletion request is processed through our automated cleanup system, which cascades across our chat logs, session records, notification history, and lead records. Paid transaction records are retained where required by law, but we will remove all personally identifying contact information from the retained records.
If you are dissatisfied with our response, you may appeal by replying to our decision. For Connecticut residents, you may also contact the Connecticut Attorney General at portal.ct.gov/ag.
Data Security
We use reasonable administrative, technical, and physical safeguards to protect your information. These include, among others:
- TLS encryption in transit, with HTTP Strict Transport Security (HSTS) enforced for two years
- A Content Security Policy that restricts what other websites our pages will talk to
- PII scrubbing on chat messages before storage — we detect and redact apparent card numbers (Luhn-validated), bank routing numbers, and other sensitive identifiers
- Hashing of IP addresses with a rotating daily salt, so raw addresses are never retained
- Cryptographic signature verification on every payment webhook we receive from our payment processor, protecting against forged payment events
- Secrets and API keys stored in Supabase Vault (encrypted at rest), never in source code
- Limited internal access, strong passwords, and multi-factor authentication on administrative accounts
No system is perfectly secure. If we ever detect a breach that materially affects your personal information, we will notify you as required by Connecticut law.
Children's Privacy
Our services are directed at adults. We do not knowingly collect personal information from children under 13. If you believe a child has provided us information, please contact us and we will delete it.
Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top and, where appropriate, notify you by email. Continued use of our services after an update means you accept the revised Policy.
Contact Us
Questions, concerns, or requests about this Policy or your personal data:
- Email: privacy@bristlehome.com
- Mail: Bristlehome LLC, Attn: Privacy, Waterbury, Connecticut
- Phone: (860) 555-0110