Privacy Policy

Last Updated: October 17, 2025

Brick Directory (“we”, “us”, or “our”) operates brick.directory and chat.brick.directory (the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Services.

Data Controller: Vladimir Orany Email: privacy@brick.directory Location: Czech Republic

1. Information We Collect

1.1 Information You Provide

• Account Information: When you sign in with an external identity provider (Google or Facebook), we collect your name, email address, and profile picture from that provider. We do not create or store passwords - authentication is handled entirely by the external provider.
• Chat Messages: Conversations you have with our AI assistant are stored to provide and improve the service.
• MCP Server Usage: If you use our Model Context Protocol (MCP) server, we may log API requests for diagnostic purposes.

1.2 Automatically Collected Information

• Usage Data: We collect information about how you interact with our Services, including pages viewed, features used, and time spent.
• External Link Tracking: We track when you click external links from our Services. This includes the entity type (set, part, minifig), entity ID, link type, and timestamp. For authenticated users, we also record your user ID to improve personalized recommendations.
• Device Information: We collect device type, operating system, browser type, and IP address.
• Browser Storage: We use localStorage and sessionStorage (not cookies) to maintain sessions and improve user experience. Third-party services (Google OAuth, Sentry, AWS CloudFront) may set their own cookies. See our Cookie Policy for details.

1.3 Third-Party Data

• Rebrickable Data: We display LEGO set, part, and pricing information from Rebrickable.com. We do not control Rebrickable’s data collection practices.
• Rebrickable Authentication (Optional): If you choose to connect your Rebrickable account for advanced features (collection management, build analysis), you provide your Rebrickable username and password directly to Rebrickable.com via client-side authentication in your browser. We never receive or store your Rebrickable password. We only store the user token returned by Rebrickable to enable these features. You can disconnect your Rebrickable account at any time in Settings.
• Brickset Authentication (Optional): If you choose to connect your Brickset account for collection and wishlist management, we collect and store your Brickset API key and user hash (both encrypted with AES-256). How password is handled: Your Brickset password is sent through our backend proxy to Brickset.com only once to obtain a user hash. The password is immediately discarded after this single exchange and is never stored in our system. The user hash allows us to manage your collection without requiring your password. You can disconnect your Brickset account and delete these credentials at any time in Settings.
• BrickLink Pricing: Market pricing data is sourced from BrickLink.com.
• Brickset Public Data: We integrate with Brickset.com to provide user reviews, building instructions, additional images, and detailed set information. When you request this information, we send only the LEGO set number to Brickset’s API. No personal identifying information is transmitted to Brickset for public data requests.

2. How We Use Your Information

We use the collected information to:

• Provide Services: Operate and maintain the chat interface and MCP server
• Improve Services: Analyze usage patterns to enhance features and user experience, including analyzing external link click patterns to improve content recommendations
• Communicate: Send service-related notifications and respond to inquiries
• Security: Detect and prevent fraud, abuse, and security incidents
• Legal Compliance: Comply with legal obligations and enforce our Terms of Service

3. Data Sharing and Disclosure

We do NOT sell your personal information. We may share your information in the following circumstances:

3.1 Service Providers

We use trusted third-party service providers to help operate our Services:

• AWS (Amazon Web Services): Hosts our backend infrastructure and database
• OpenAI: Powers our AI chat assistant
• Rebrickable API: Provides LEGO data for our services. If you connect your Rebrickable account, we store your Rebrickable user token (not your password) to enable collection management and build analysis features.
• Sentry: Error monitoring and performance tracking. Sentry captures error reports and may record session replays (including user interactions, mouse movements, and page elements) to help us diagnose technical issues. Session replays are privacy-enhanced with automatic PII masking.
• Grafana Cloud: Metrics monitoring and performance tracking. Receives aggregated metrics about MCP tool usage (tool names, execution times, success/error counts) - no personal information or message content.

These providers only access data necessary to perform their functions and are contractually obligated to protect it.

3.2 External Website Navigation

When you click external links from our Services:

• We track the click event for analytics purposes (see Section 1.2)
• You are redirected to the external website where their privacy policies apply
• We do not control or take responsibility for the privacy practices of these external websites

3.3 Administrator Access to User Data

Authorized administrators have access to an administrative backoffice interface that allows them to:

• View user profiles including names, email addresses, authentication provider, and activity timestamps
• Browse conversation histories and messages
• Review user feedback submitted about AI responses
• Access system metrics and performance data

Purpose of Admin Access:

• Provide customer support and resolve technical issues
• Monitor system health and performance
• Analyze usage patterns to improve service quality
• Investigate abuse, fraud, or security incidents
• Ensure compliance with our Terms of Service

Data Protection Measures:

• Admin access is restricted to authorized personnel only
• Administrators are bound by confidentiality agreements
• Access is granted on a need-to-know basis
• Regular security training for all administrators

Your Rights: You may request information about who has accessed your data and for what purpose by contacting privacy@brick.directory.

3.4 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights, safety, or property.

3.5 Business Transfers

If Brick Directory is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

4. Data Retention

We retain your information for as long as your account is active or as needed to provide Services. You may request deletion of your account and data at any time by contacting us at privacy@brick.directory.

Retention Periods:

• Account Data: Until account deletion is requested
• Chat Messages: Retained for 2 years from last account activity, or until deletion is requested
• External Link Clicks: Retained for up to 2 years for analytics and service improvement
• Usage Logs: Retained for up to 90 days for diagnostic purposes

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest (AWS encryption)
• Access Controls: Limited access to personal data on a need-to-know basis
• Authentication: Delegated to trusted OAuth providers (Google, Facebook) - we never store passwords
• Session Management: Secure token-based authentication
• Monitoring: Regular security audits and monitoring for suspicious activity

However, no internet transmission is 100% secure. We cannot guarantee absolute security.

6. Your Rights

Depending on your location, you may have the following rights:

6.1 GDPR Rights (EU/EEA/UK)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data (note: email address comes from your identity provider)
• Erasure: Request deletion of your data (“right to be forgotten”)
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to certain types of processing
• Withdraw Consent: Withdraw consent for data processing at any time

6.2 CCPA Rights (California)

• Know: Know what personal information is collected, used, and shared
• Delete: Request deletion of your personal information
• Opt-Out: Opt-out of the sale of personal information (we do not sell data)
• Non-Discrimination: Not be discriminated against for exercising your rights

To exercise these rights, contact us at privacy@brick.directory.

7. Children’s Privacy

Our Services are not intended for users under 13 years of age. We do not knowingly collect information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

9. Browser Storage and Tracking

We use browser storage technologies for:

• Authentication: Maintaining your logged-in session via localStorage/sessionStorage
• Preferences: Remembering your settings and preferences

Third-Party Cookies: While we don’t set cookies directly, third-party services we use (Google OAuth, Facebook OAuth, Sentry, AWS CloudFront) may set their own cookies for authentication, error tracking, and content delivery.

You can control storage and cookies through your browser settings. See our Cookie Policy for details.

10. Third-Party Links

Our Services may contain links to third-party websites (e.g., Rebrickable, BrickLink, Brickset). We are not responsible for their privacy practices. We encourage you to review their privacy policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the updated policy on this page
• Updating the “Last Updated” date
• Sending an email notification (for material changes)

Your continued use of the Services after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

• Email: privacy@brick.directory
• Website: brick.directory/docs/contact.html

Data Protection Officer (for GDPR inquiries): privacy@brick.directory

---

Summary (Plain Language)

What we collect: Your name, email, and profile picture (from Google or Facebook sign-in), chat messages, and usage data.

Passwords: We don’t store passwords - you sign in with Google or Facebook.

How we use it: To provide the service, improve it, and keep it secure.

Who we share with: Only trusted service providers (AWS, OpenAI, Rebrickable, Brickset) - never sold.

Your rights: You can request access, correction, or deletion of your data anytime.

Security: We encrypt your data and follow industry best practices.

Questions? Email privacy@brick.directory