Privacy Policy

Your privacy powers our platform. Here's the short, clear version of what we collect, why, and how we protect it.

Last Updated on September 25, 2025

Bridge Privacy Policy

Only Founders, Inc. d/b/a "Bridge" ("Bridge," "we," "us," "our")

380 C Street, Hayward, CA 94541, USA

Contact: nate@bridgenow.co

1) Scope

This Privacy Policy explains how we collect, use, disclose, and retain personal data when you use Bridge websites and services that link to this Policy (the "Services"). By using the Services, you agree to this Policy.

2) Roles & responsibility (controller vs. processor)

Controller (most of the time). We act as an independent controller for account data, profiles, usage logs, product communications, payments and payouts administration, safety/abuse prevention, and analytics.

Processor / joint controller (some research). When a Provider commissions interviews/calls/surveys and we process Expert deliverables to fulfill that engagement, we may act as a processor (or joint controller) for that narrow purpose under our Data Processing Addendum (DPA) (available on request).

If anything here conflicts with a signed DPA, the DPA governs for processor-mode activities.

3) What we collect

Account & Auth. Name, email, password hash, role (Expert/Provider), and optional SSO identifiers (e.g., LinkedIn, Google if enabled).

Profile. Title, company, bio, skills/domain expertise, location region, LinkedIn URL, profile photo.

Verification. Phone number for OTP; LinkedIn URL for profile verification; payout/KYC data handled by our payments partner (we don't store full card/bank numbers).

Transactions. Bookings, invoices, payout status, tax/VAT IDs (where applicable).

Usage & Device. IP address, approximate location, device/browser type, timestamps, feature interactions, logs.

Session Content (optional). Call recordings, transcripts, notes, surveys, attachments you submit.

Marketing (optional). UTM parameters, email engagement if you opt in.

Sources. You; your device; Providers; public sources; integrated services you connect (e.g., LinkedIn OAuth); optional business enrichment.

We do not intentionally collect sensitive categories such as precise geolocation, health data, or government IDs unless required for compliance by a payments/KYC provider.

4) Why we use data (and legal bases for EEA/UK)

Provide the Services. Account creation, authentication, matching, scheduling, payments/payouts, and support. (Contract; Legitimate interests.)

Safety & integrity. Prevent abuse, fraud, spam; secure accounts and infrastructure. (Legitimate interests; Legal obligation.)

Automated matching (AI). We use LLM-assisted ranking to help Providers discover relevant Experts. Providers make final selections. You may opt out of AI ranking (manual matching may be slower). (Legitimate interests; opt-out available.)

Communications. Transactional emails/SMS (e.g., OTP, receipts, policy updates) and product updates if you subscribe. (Contract; Consent.)

Improvement & analytics. Diagnose performance, enhance accuracy, and improve workflows. We train internal models on aggregate/de-identified data only. We do not use your personal data to train third-party foundation models. (Legitimate interests.)

Compliance. Tax, accounting, auditing, lawful requests, and enforcing terms. (Legal obligation.)

5) "Notice at Collection" (CPRA)

Category | Examples | Purpose(s) | Retention
Identifiers | Name, email, phone (OTP), SSO IDs | Auth, account, security, communications | Account lifetime + 24 months inactivity, then delete/anonymize
Commercial info | Bookings, invoices, payout records | Provide Services, accounting | 7 years (tax/audit)
Internet/activity | IP, device/browser, logs, usage | Security, analytics, improvement | ≤ 30 days for logs; analytics per Section 13
Professional info | Title, company, expertise | Matching, profiles, discovery | Account lifetime + 24 months inactivity
Audio/visual | Call recordings, transcripts | Research engagements (optional) | 36 months or earlier on request
Inferences (limited) | Match scores/tags | Suggest relevant matches | Account lifetime or until opt-out

We do not sell personal information. We may "share" personal information for cross-context behavioral advertising only if you opt in to non-essential cookies/pixels; you can opt out at any time (see Section 11).

6) Phone numbers, messaging & OTP

We process your phone number and messaging metadata (timestamps, country/carrier codes, delivery status, error codes) for authentication, fraud prevention, and account-security notifications.

Processor: Twilio (USA/EU regions as configured). We share only what's needed to send and deliver the message.

Content: OTP codes and brief transactional text (e.g., "Bridge code 123-456"). We don't use phone numbers for marketing without your separate opt-in.

Retention: We keep phone numbers for your active account and minimal messaging metadata for a limited period to investigate abuse/disputes, then delete or de-identify. (Twilio retains its own logs per its policy.)

Your controls: You can opt out by replying STOP (or disable phone verification where supported). You can also email us to delete your number; note this may disable SMS login.

Legal bases (EEA/UK): contract (account security) and legitimate interests (fraud/abuse prevention).

International transfers: safeguarded by vendor transfer mechanisms (see "International transfers").

7) Cookies & similar tech

Essential (auth, security, payments) — always on.

Analytics (e.g., privacy-centric tools; or Google Analytics if enabled) — to measure usage and improve performance.

Marketing pixels — load only if you opt in; we honor your choices.

Manage preferences anytime via "Cookie Settings" in the footer. We currently do not respond to DNT signals but respect your in-product cookie choices.

8) Recordings, transcripts, and content

Recording a session requires the consent of all participants. You may request deletion of a specific recording/transcript (subject to legal/audit constraints and any Provider's lawful needs). If you do not want to be recorded, decline recording or leave the session.

9) How we disclose information (processors & recipients)

We disclose personal data to service providers under contracts with confidentiality, security, and use restrictions. Typical processors include:

Payments & Payouts: Stripe (incl. Connect/KYC)

Hosting/Infra: Vercel (on AWS)

Auth & Database: Supabase

Email: Resend

SMS/voice verification & transactional messaging: Twilio Inc.

Scheduling: Cal.com

Search: Algolia

Business Enrichment (optional): Clearbit

Analytics: Privacy-centric analytics; Google Analytics only with consent

Single Sign-On: LinkedIn; Google (if enabled)

Legal & safety. We may disclose data to comply with law, protect rights/safety, or in a merger/acquisition.

Sub-processors page. We maintain a current list at https://www.bridgenow.co/subprocessors.

Google OAuth – Product-Specific Disclosures

Scopes we request

We use Google Sign-In for authentication only and request these scopes:

  • openid – verify your Google account
  • email – read your Google email address
  • profile – read your display name and profile photo URL (if available)

Data accessed (from Google)

Google Account ID, email address, display name, and profile photo URL. We do not access Gmail, Calendar, Drive, or other Google content.

How we use it (Data Usage)

Solely to authenticate you, prefill your Bridge profile (name/avatar), and protect your account (fraud/abuse prevention). We do not use Google user data for advertising or to train third-party foundation models. Our use complies with the Google API Services User Data Policy (Limited Use).

Sharing (Data Sharing)

We do not sell Google user data. We share it only with service providers under contract (e.g., hosting, authentication, and databases) to operate Bridge and only according to our documented instructions.

Storage & protection (Data Storage & Protection)

We store only the minimal tokens necessary for sign-in, encrypted at rest, with least-privilege access and rotation. We do not request offline access (no refresh tokens) for Google Sign-In. If a future feature requires offline access, we will update this section before launch.

Retention & deletion (Data Retention & Deletion)

Google-derived identifiers (Account ID, email, name, avatar URL) are retained for the life of your account and deleted or de-identified when your account is deleted, subject to legal/audit holds. You can revoke Bridge’s access anytime at https://myaccount.google.com/permissions.

To delete your Bridge account or request deletion of Google-derived data, email nate@bridgenow.co with subject “Delete My Account.”

LinkedIn OAuth – Sign-In, Profile Prefill, and Expert Verification

Scopes we request

We use LinkedIn OAuth for sign-in and verification and request the minimum necessary scopes, currently:

  • r_liteprofile – basic profile (name, profile photo URL)
  • r_emailaddress – email address

Data accessed

LinkedIn member ID, basic profile (display name, profile photo URL), and email address. We may store your public LinkedIn profile URL if you choose to link it to your Bridge profile.

How we use it (Data Usage)

To authenticate you, prefill your Bridge profile, verify expert identity/credentials, and prevent fraud/abuse. If you choose to publish an expert profile, your LinkedIn URL may be displayed on your public profile.

Sharing (Data Sharing)

We do not sell LinkedIn data. We share it only with service providers under contract to operate Bridge and only according to our documented instructions.

Storage & protection

Minimal tokens/identifiers only, encrypted at rest, and least-privilege access. We do not request offline access (no long-lived refresh tokens) for LinkedIn Sign-In.

Retention & deletion

LinkedIn-derived identifiers follow the same retention as your account and are deleted or de-identified when your account is deleted, subject to legal/audit holds. You can revoke Bridge’s access in your LinkedIn account settings (Permitted Services). For deletion requests, email nate@bridgenow.co.

Twilio / SMS & Phone Communications

What we collect

Your phone number and limited messaging metadata (e.g., verification attempt timestamps, delivery status, carrier info) necessary to send/receive messages and prevent abuse. One-time verification codes are ephemeral and retained only for the time needed to complete verification.

How we use it (Data Usage)

  • Account security: one-time passcodes (OTP) and identity verification
  • Transactional notifications: booking confirmations, reminders, and updates related to sessions you schedule or join

We do not use SMS for marketing without your explicit opt-in.

Sharing (Data Sharing)

We use Twilio and similar messaging providers as processors to deliver SMS/voice. We do not sell your phone number or SMS metadata.

Storage & protection

Numbers and minimal logs are stored securely with encryption at rest and least-privilege access. Verification codes expire quickly and are not stored after validation.

Opt-in / Opt-out

By providing your number, you agree to receive transactional texts from Bridge. Msg & Data rates may apply.

Reply STOP to opt out of non-essential texts; reply HELP for help. Opting out of security texts (e.g., OTP) may limit access to certain features. Carriers are not liable for delayed or undelivered messages. Message frequency varies by activity.

Retention & deletion

We retain your phone number for the life of your account and delete or de-identify it upon account deletion, subject to legal/audit holds. You can request deletion by emailing nate@bridgenow.co.

10) International transfers

Where required, we rely on Standard Contractual Clauses (SCCs) and vendor technical/organizational measures for cross-border transfers.

11) Your choices

AI matching opt-out. Ask us to exclude your profile from LLM-assisted ranking.

Email preferences. Unsubscribe links are included in non-essential emails.

Cookie controls. Use "Cookie Settings" in the footer to turn analytics/marketing on/off.

"Do Not Sell or Share." Use the footer link to opt out of cross-context behavioral advertising (if any non-essential pixels are enabled).

12) Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict/object to certain processing, and port your data.

California (CPRA) & other U.S. states. You may request to know, access, correct, delete, and opt out of sale/share/targeted advertising. We will not discriminate against you for exercising your rights. If we deny your request, you may appeal by replying to our decision email; we'll respond within 45 days.

EEA/UK/Switzerland. You have rights to access, rectification, erasure, restriction/objection, and portability; you may lodge a complaint with your local supervisory authority.

How to exercise rights. Email nate@bridgenow.co with the subject "Privacy Request." We must verify your identity (e.g., email confirmation, logged-in request). You may use an authorized agent per applicable law.

Response times. We aim to respond within 30 days (extendable once if reasonably necessary).

13) Retention

We keep data only as long as needed for the purposes described, then delete or de-identify it.

Account & profile: Active account + 24 months of inactivity

Financial records (invoices, payouts): 7 years (tax/audit)

Recordings & transcripts: 36 months or earlier upon approved request

Security logs & backups: ≤ 30 days (longer if investigating abuse)

Marketing contacts: Until you unsubscribe or 24 months of no engagement

14) Security

We use industry-standard safeguards: encryption in transit and at rest; least-privilege access; MFA for admin access; audit logging; and periodic security testing and reviews. No method of transmission or storage is 100% secure.

15) Children

The Services are not directed to children under 16 (or the age required by your jurisdiction). Do not use the Services if you are under the applicable age.

16) Third-party sites

The Services may link to third-party sites or services. Their privacy practices are governed by their own policies.

17) Changes to this Policy

We will post updates here and notify account holders of material changes at least 14 days before they take effect. Continued use after the effective date means you accept the changes.

18) Contact

Questions, requests, or complaints: nate@bridgenow.co

Postal: Only Founders, Inc., 380 C Street, Hayward, CA 94541, USA

© 2025 Only Founders, Inc. d/b/a Bridge. All rights reserved.
