Rebridge
FeaturesPricingContact
LoginStart Free Trial
Legal

Privacy Policy

Last updated: March 29, 2026

1. Introduction

Rebridge ("we," "us," or "our") operates the Rebridge platform from Florida, United States. This Privacy Policy describes how we collect, use, store, share, and protect your personal and business information when you use the Rebridge platform ("Service") at rebridge.ai.

By using Rebridge, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information we collect

We collect the following categories of information:

  • Account information: name, email address, company name, phone number (optional), and password (hashed, never stored in plaintext).
  • Lightspeed POS data: product catalog (descriptions, SKUs, UPCs, pricing), vendor records, category structure, and purchase order data. This data is synced via Lightspeed's authorized OAuth API with your explicit consent.
  • Invoice data: PDF invoices you upload and their parsed content, including vendor names, line items, quantities, sizes, and pricing.
  • Usage and analytics data: feature usage patterns, processing metrics, error logs, and performance data used to maintain and improve the platform.
  • Payment information: billing is processed by Stripe. We store your Stripe customer ID but do not store credit card numbers, CVVs, or full card details on our servers.

3. How we use your data

  • Core service delivery: catalog data is used to match invoice line items to your existing products, enabling automated purchase order creation in your Lightspeed POS.
  • Catalog intelligence: we build a statistical profile of your catalog's naming conventions, size systems, and color formats to improve matching accuracy. This profile is unique to your account.
  • Global vendor intelligence: anonymized, vendor-level knowledge (e.g., vendor invoice format patterns, color code mappings such as "BWH" = "Black/White") may be aggregated across tenants to improve parsing accuracy for all users. This data is structural vendor knowledge only — no individual business data, pricing, inventory levels, or customer information is ever shared or made identifiable.
  • AI processing: invoice content is parsed using Anthropic's Claude AI. Your catalog data is not sent to AI services.
  • We do not sell, rent, or trade your personal or business data. We do not use your data for advertising.

4. Data storage and security

  • All data is stored in encrypted PostgreSQL databases hosted by Supabase (AWS US-East-1 region).
  • Lightspeed OAuth tokens are encrypted at rest at the application layer.
  • PDF uploads are stored in Vercel Blob Storage with encryption at rest.
  • All data transmission uses TLS 1.2 or higher encryption.
  • All data is strictly isolated per tenant. There is no cross-tenant data access. Multi-tenancy is enforced at the database query layer with tenant-scoped access controls.
  • Access to production systems is restricted to authorized personnel only, with audit logging.

5. Data retention

  • Active accounts: your data is retained for as long as your account is active and you maintain a subscription.
  • After cancellation: upon account cancellation, your data is retained for 30 days to allow for reactivation. After 30 days, all personal data, invoice data, catalog snapshots, and uploaded PDFs are permanently deleted.
  • Lightspeed tokens: OAuth tokens are revoked immediately upon account disconnection or cancellation.
  • Global vendor intelligence: anonymized vendor-level data (invoice format patterns, color code mappings) contributed during your usage is retained in the global knowledge base and is not deleted upon cancellation, as it contains no personally identifiable or business-specific information.
  • Backups: encrypted database backups are retained for 7 days and are automatically purged thereafter.

6. AI processing and sub-processors

  • Invoice content is sent to Anthropic (Claude AI) for parsing and extraction. We use Anthropic's API tier which does not train on customer data.
  • Your catalog data is not sent to AI services. Only uploaded invoice content is transmitted for parsing.
  • Payment processing is handled by Stripe.
  • Error monitoring is handled by Sentry.
  • Background job processing is handled by Inngest.
  • Application hosting and edge functions are provided by Vercel.
  • No other third parties receive your business data.

7. Your rights

Regardless of your location, you have the following rights regarding your data:

  • Access: you may request a copy of all personal and business data we hold about you.
  • Correction: you may request correction of inaccurate data.
  • Deletion: you may request deletion of your data at any time by contacting us or closing your account. We will process deletion requests within 30 days.
  • Data portability: you may request an export of your data in a machine-readable format (JSON or CSV).
  • Withdrawal of consent: you may disconnect your Lightspeed account at any time, which immediately revokes our API access. You may delete uploaded invoices individually from your dashboard.
  • Objection: you may object to specific data processing activities by contacting us.

To exercise any of these rights, contact us at support@rebridge.ai. We will respond to all requests within 30 days.

8. GDPR compliance (EEA, UK, and Switzerland)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

  • Legal basis: we process your data on the basis of contractual necessity (to provide the Service), legitimate interest (to improve the platform), and consent (where required, such as connecting your Lightspeed account).
  • Data transfers: your data is stored and processed in the United States. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission for data transfers outside the EEA.
  • Data protection contact: for GDPR-related inquiries, contact support@rebridge.ai.
  • Supervisory authority: you have the right to lodge a complaint with your local data protection authority.

9. CCPA compliance (California)

If you are a California resident, the following additional provisions apply under the California Consumer Privacy Act (CCPA):

  • Right to know: you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete: you have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to opt-out: we do not sell personal information. No opt-out is necessary.
  • Non-discrimination: we will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact support@rebridge.ai.

10. PIPEDA compliance (Canada)

If you are located in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access, correct, and request deletion of your personal information. Contact support@rebridge.ai to exercise these rights.

11. Australian Privacy Act compliance

If you are located in Australia, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988. You have the right to access and correct your personal information. If you believe we have breached the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

12. Data breach notification

In the event of a data breach that affects your personal information, we will notify affected users and applicable regulatory authorities within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the data affected, steps we are taking to address it, and recommendations for affected users. We maintain an incident response plan and conduct regular security assessments to minimize breach risk.

13. Cookies and tracking

Rebridge uses essential cookies only — specifically a session cookie for authentication and a CSRF token for security. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Error monitoring via Sentry may collect technical data (browser type, IP address, error stack traces) for debugging purposes only.

14. Children's privacy

Rebridge is a B2B service designed for business use. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Governing jurisdiction

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law principles.

17. Contact

For privacy-related questions, data requests, or complaints: