Privacy Policy
Last updated: March 25, 2026
This Privacy Policy explains how Lampa Strategy LLC ("Lampa Strategy," "we," "us," or "our"), a Wyoming limited liability company, collects, uses, stores, and protects your information when you use our website (runbrio.com) and our report generation platform, Brio ("the Service").
Lampa Strategy's founder is based in Portugal, and we serve customers globally, including in the European Economic Area (EEA). We are committed to complying with applicable data protection regulations, including the General Data Protection Regulation (GDPR).
1. Information We Collect
1.1 Information You Provide
- Account information: Name, email address, and password (or OAuth credentials via Google or Microsoft) when you create an account
- Billing information: Subscription plan selection and billing details, processed and stored exclusively by Stripe, Inc. We do not store credit card numbers or payment details
- White-label configuration: Agency logos, brand colors, company name, and consultant profile information you upload for report customization
- URLs you submit: The website addresses you enter for report generation
1.2 Information We Collect Automatically
- Usage data: Report generation timestamps, URLs scanned, feature usage, and account activity
- Technical data: IP address, browser type, device information, and referral source when you visit runbrio.com or use the Service
- Cookie data: See Section 7 (Cookies) below
1.3 Information We Generate
- Reports: Digital strategy reports generated from publicly available data about the URLs you submit. Reports contain analysis of publicly accessible website performance, technology, SEO, security, content, and competitive positioning data
1.4 Information About Third-Party Websites
When you submit a URL, Brio scans publicly available information about that website. This includes publicly accessible page content, HTTP headers, DNS records, SSL certificates, technology indicators, and data from third-party APIs (such as Google PageSpeed Insights, Google CrUX, and DataForSEO).
Brio does not collect personal data about the visitors, customers, or employees of scanned websites. We do not access non-public content, bypass authentication, or scrape personal information.
2. How We Use Your Information
We use your information for the following purposes:
- To provide the Service: Generating reports, delivering PDFs, applying white-label branding, and managing your account
- To process payments: Communicating with Stripe to manage subscriptions, process charges, and handle overage billing
- To protect the Service: Detecting and preventing abuse, fraud, and unauthorized access
- To communicate with you: Sending account-related emails (verification, billing confirmations, usage alerts) and service announcements. We do not send marketing emails without your explicit consent
- To improve the Service: Analyzing usage patterns in aggregate to improve report quality, platform performance, and user experience. We do not sell or share your data with third parties for advertising purposes
Legal bases for processing (GDPR):
- Contract performance: Processing necessary to deliver the Service you've subscribed to (account management, report generation, billing)
- Legitimate interests: Fraud prevention, service security, and aggregate usage analytics to improve the product
- Consent: Marketing communications (if applicable), cookie usage for non-essential purposes
3. What We Store and Where
All data is stored in infrastructure provided by Supabase (database and authentication) and associated cloud hosting providers. Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.
| Data | Storage | Retention |
|---|---|---|
| Account credentials | Supabase Auth (passwords bcrypt-hashed) | Account lifetime |
| White-label configuration | Supabase Storage + PostgreSQL | Account lifetime |
| Generated reports (PDF + content) | Supabase Storage + PostgreSQL | Paid accounts: account lifetime. Free tier: 90 days |
| Raw scan data (API responses) | PostgreSQL | 30 days, then permanently deleted |
| Billing data | Stripe (not stored by Brio) | Managed by Stripe per their privacy policy |
| Usage logs | PostgreSQL | 12 months |
4. What We Do Not Store
- Credit card numbers or payment details (handled entirely by Stripe)
- Passwords in plaintext (bcrypt-hashed by Supabase Auth)
- Raw HTML from scanned websites beyond the processing window (structured data is extracted, raw content is discarded)
- Personal data about the visitors or customers of scanned websites
- Cookies or tracking data from scanned websites
5. Data Sharing
We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, solely to operate the Service:
- Stripe, Inc. — Payment processing. Subject to Stripe's privacy policy
- Supabase, Inc. — Database hosting, authentication, and file storage
- Cloud hosting providers — Infrastructure services (Vercel, Railway)
- Third-party data APIs — DataForSEO, Moz, Google APIs, and similar services receive the URLs you submit in order to return analytical data. These providers receive only the URL — not your identity or account information
We may disclose your information if required by law, legal process, or government request, or if necessary to protect Lampa Strategy's rights, property, or safety.
6. Data Security
We implement the following security measures:
- AES-256 encryption at rest for all stored data
- TLS 1.2+ encryption for all data in transit
- Row-Level Security (RLS) policies in our database ensuring strict tenant isolation — your reports and data are never accessible to other accounts
- Secure, HTTP-only cookies for session management
- API keys stored as hashed values (plaintext never retrievable after initial display)
- HTTPS enforced on all endpoints with HSTS headers
- Non-sequential UUIDs for all report and resource identifiers
No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. If we become aware of a data breach affecting your account, we will notify you within 72 hours in accordance with GDPR requirements.
7. Cookies
Essential cookies: We use cookies necessary for the Service to function, including authentication session cookies. These cannot be disabled.
Analytics cookies: We may use analytics tools to understand how visitors interact with runbrio.com. If we do, we will display a cookie consent banner allowing you to opt out of non-essential cookies before they are set.
We do not use cookies for advertising or cross-site tracking.
8. Your Rights
Regardless of your location, you may:
- Access your data — View your account information, reports, and configurations through your dashboard
- Export your data — Download your reports as PDF files at any time
- Delete your account — Use the "Delete my account and all data" option in account settings. Account deletion triggers permanent removal of all associated data (reports, configurations, logos, scan data) within 30 days
- Correct your data — Update your account information through your dashboard
Additional rights for EEA residents (GDPR):
- Right to erasure — Request deletion of your personal data by emailing support@runbrio.com or using the account deletion feature
- Right to restriction — Request that we limit processing of your personal data in certain circumstances
- Right to data portability — Request a copy of your personal data in a structured, commonly used format
- Right to object — Object to processing based on legitimate interests
- Right to withdraw consent — Where processing is based on consent, withdraw that consent at any time
To exercise any of these rights, contact us at support@runbrio.com. We will respond within 30 days.
If you are an EEA resident and believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, including the Portuguese data protection authority (Comissão Nacional de Proteção de Dados — CNPD).
9. International Data Transfers
Lampa Strategy's infrastructure may process data in locations outside the EEA. Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as appropriate.
10. Data Processing Addendum
EU-based agency clients may request a Data Processing Addendum (DPA) by contacting support@runbrio.com. For enterprise or high-volume clients, a formal DPA is included as part of the subscription agreement.
11. Scanned Website Data
Brio processes publicly available data about third-party websites when users submit URLs for report generation. This data is processed under our legitimate interest in providing the Service.
Website owners may:
- Prevent future scans by adding `User-agent: BrioBot` and `Disallow: /` to their robots.txt file
- Request domain-level exclusion by emailing support@runbrio.com
- Request removal of an existing report containing data about their website — we will comply within 72 hours
Brio does not collect, process, or store personal data about the individuals associated with scanned websites.
12. Children's Privacy
The Service is intended for business use by adults. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected information from a minor, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice within the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.
14. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at:
Lampa Strategy LLC
Email: support@runbrio.com
Website: https://runbrio.com
Data protection inquiries: support@runbrio.com