Brutus Analytics

Privacy Policy

Last updated: June 22, 2026

This Privacy Policy explains how Brutus Analytics (“Brutus,” “we,” “us”) handles information when an organization uses our AI transformation platform. We have written this in plain language so administrators and employees can both understand it. If something here is unclear, please email support@brutusdiagnosticsolutions.com.

Who we are

Brutus Analytics is operated by Brutus Holdings Ltd Co, a US-based (Georgia) B2B software company whose platform helps organizations run their AI transformation. We provide a multi-tenant SaaS platform where an organization’s administrators can invite their employees, run short conversational AI check-ins, and turn the results into ranked automation opportunities, employee-ready playbooks, governance, and ROI measurement.

You can reach our team at support@brutusdiagnosticsolutions.com for any privacy question, data-subject request, or security concern.

What we collect

We collect three kinds of information. We try to keep each bucket as small as we can while still delivering the service.

Org-administered information

When an administrator at your organization sets up a workspace or invites employees, we receive contact and identity information for those employees — typically email address, full name, job role or title, team or department assignment, and any optional profile metadata the organization chooses to add. This information is supplied by the organization, not collected from the employee directly.

Check-in data

When an employee completes a check-in, we store the conversation text they write, the synthesized results derived from it, and basic metadata such as timestamps and time spent. This is the substance of the check-in and is owned by the organization that ran it.

Operational data

We log a limited amount of technical information needed to operate the service: IP address and user-agent on sign-in, session cookies used to keep an authenticated user signed in, audit logs of security-relevant actions such as invitations, role changes, and data exports, and aggregate performance and error telemetry. We do not use this data for advertising or profiling.

How we use it

We use the information described above for a small, defined set of purposes:

  • Running the service. Authenticating users, routing assessment invitations, presenting questions, and displaying results to the right administrators.
  • Reporting to the organization. Producing per-employee scorecards, per-team rollups, and org-wide views for the administrators who run the workspace.
  • AI-assisted interviewing, scoring & analysis. The assessment is a conversational interview that is conducted and scored by large-language-model APIs from Anthropic (Claude) and OpenAI. To do this we send the interview transcript — which includes the employee’s first name and the answers they give — to those providers. The cohort and executive analysis we produce for administrators may also include employees’ first names, teams, and short verbatim quotes used as supporting evidence. We do not send email addresses, internal account identifiers, or other contact details, and the providers process this content on API/enterprise terms under which it is not used to train their models.
  • Security and abuse prevention. Detecting and responding to suspicious activity, account takeover attempts, and policy violations.
  • Communication. Sending transactional email such as invitations, password resets, and product notifications. We do not send marketing email to employees enrolled by an organization.

We do not sell personal information, we do not rent it, and we do not share it with third parties for their own marketing.

Who sees what

The Brutus platform is multi-tenant, and tenant isolation is the single most important property we maintain.

  • Administrators at your organization see assessment data for their own organization — their employees, their teams, their results. They cannot see anything from any other customer.
  • Brutus operators (platform administrators) have a separate, audited access path used only for support, incident response, and platform maintenance. Operator access is granted on the principle of least privilege and is logged.
  • Other organizations never see your data. Tenant separation is enforced at the database layer via row-level security policies, not just at the application layer.
  • Sub-processors listed below see only the slice of data they need to deliver their specific service, and only on our instructions.

Sub-processors

We rely on a small set of well-known infrastructure providers to run the service. Each is bound by a data-processing agreement and standard security commitments.

  • Supabase — managed Postgres database and authentication, hosted in the US-East region.
  • Vercel — application hosting, edge serving, and build infrastructure for the web app.
  • Anthropic — large-language-model API (Claude) used to conduct and score the conversational interview and to produce the cohort analysis. Content is not used to train models.
  • OpenAI — large-language-model API used for an independent scoring cross-check and parts of the analysis. Content is not used to train models.
  • Resend — transactional email delivery for invitations and account notifications.
  • Cloudflare — DNS, edge security, and DDoS protection for our domains.
  • Sentry — application error monitoring, with personal data scrubbed from telemetry.

We update this list when sub-processors change. Customers under a written agreement may request advance notification of material changes.

Data retention

We retain account data and assessment data for as long as the organization remains an active customer. When an organization terminates its workspace, we delete its production data within a reasonable operational window. Backups containing the deleted data are purged within thirty (30) days of the termination.

Administrators can also request deletion of individual employee records during the life of the workspace by emailing support@brutusdiagnosticsolutions.com or, where available, using the in-product controls.

Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you and receive a copy in a portable format.
  • Correct information that is inaccurate or incomplete.
  • Request that we delete information we hold about you, subject to legal and contractual retention obligations.
  • Export your assessment responses and results.

Because Brutus is contracted by the organization that invited you, requests from individual employees are typically routed to that organization first. If you cannot reach your organization, or if your organization no longer exists, contact us directly at support@brutusdiagnosticsolutions.com and we will help.

Security

Security is foundational to the product, not bolted on. Our baseline practices include:

  • Encryption in transit for all traffic to and from the platform.
  • Encryption at rest for the production database and storage.
  • Row-level security policies in Postgres that enforce tenant-scoped access at the database, so a query that escapes the application layer still cannot read another tenant’s data.
  • Audit logs of security-relevant actions such as invitations, role changes, exports, and administrative access.
  • Least-privilege access for our own team, with operator access separated from customer-admin access.
  • Automated dependency scanning and prompt patching for known vulnerabilities.

No system is perfectly secure. If you become aware of a vulnerability or suspected incident, please email us at support@brutusdiagnosticsolutions.com and we will respond promptly.

Cookies

Brutus uses cookies only to keep authenticated users signed in and to remember a small number of UI preferences. We do not run third-party analytics that profile individual visitors, and we do not use advertising or cross-site tracking cookies. Your browser can be configured to refuse cookies, but if you do that, you will not be able to sign in to the platform.

Children

Brutus is a workplace tool. The platform is not directed to anyone under eighteen (18) years of age, and we do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently received information from a minor, please email us and we will remove it.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to the product, our sub-processors, or applicable law. When we make a material change, we will update the “last updated” date at the top of this page and, for changes that meaningfully affect how we handle personal information, notify the administrators of each active workspace by email.

June 2026: updated to reflect that assessments now run as conversational check-ins powered by our AI interview engine, rather than fixed question-and-answer exams.

June 22, 2026: clarified that the conversational interview is conducted and scored by Anthropic and OpenAI language-model APIs (and that the transcript, including first names, is sent to them), and added Anthropic and Sentry to the sub-processor list.

Contact

For any question about this policy, a data-subject request, or a concern about how your information has been handled, please email support@brutusdiagnosticsolutions.com. We aim to respond to every privacy request within ten (10) business days.