Policy Agreement

Overview

This Policy Agreement summarizes the key commitments between you ("Customer" or "Architect") and Spacious Enterprises LLC ("Spacious") when you use Brick-by-Brick.ai ("the Service"). By clicking "I Agree" or creating an account, you accept the full Terms of Service, Privacy Policy, Sub-Processor List, and English Language Policy, which are incorporated by reference.

This document highlights the most important points. The referenced documents contain the full legal terms.

1. The Service

Brick-by-Brick.ai is a Knowledge Architecture Builder. It produces your company's Knowledge Architecture — a structured, interconnected representation of your company's knowledge across 11 dimensions and 50 categories. The Service researches your company from public sources, optionally collects data from connectors you authorize, structures the findings, guides you through a 3-4 hour confirmation session (including a dedicated Temporal Memory Pass that captures institutional knowledge), and delivers three files: an Interactive HTML Package, a Machine-Readable JSON Export, and a Knowledge Architecture Guide.

2. Your Data — Zero Customer Data Holding (Hybrid Retention Model)

Spacious Enterprises operates under a Zero Customer Data Holding policy. Your Knowledge Architecture is delivered as files you download and own permanently. Build data is deleted from our infrastructure on the hybrid retention schedule described below, through an automated deletion process with read-back verification and a 7-year compliance audit trail.

Hybrid retention schedule:

• Build data is retained for the longer of (a) 48 hours from session start, or (b) 24 hours after delivery — whichever applies later.
• This guarantees a minimum 24-hour download window after your build completes, regardless of when during the 48-hour session the build finishes.
• Maximum total retention: 72 hours from session start.
• Incomplete builds that do not reach delivery are deleted at the 48-hour session expiration mark.

Data protection during the build:

• All build data (data points, analytical tables, interdependency graph, gap analysis, source status records) is permanently deleted from Spacious infrastructure on the hybrid retention schedule above
• Files uploaded during the build are processed in-memory and immediately discarded — never written to disk, stored in a database, or retained in any form
• OAuth tokens for connected business tools are encrypted at rest using AES-256-GCM and revoked with providers when build data is deleted
• Deletion is automated with read-back verification; a 7-year compliance audit trail records every deletion event (without retaining any company intelligence content)

Clarification on Zero Customer Data Holding: "Zero Customer Data Holding" refers to data stored on Spacious Enterprises infrastructure. During the build process, company data is processed by Anthropic's Claude API (routed via Cloudflare's AI Gateway service) and by Cloudflare's infrastructure. Anthropic may retain API data for up to 30 days for trust and safety purposes per their data processing terms. Anthropic does not use API data for model training. For the full list of sub-processors, see our Sub-Processor List.

3. Source Transparency

Before any build proceeds to the data confirmation phase, you are presented with a Source Readiness Gate showing the status of every source the system attempted to read — every URL you provided, every connector you authorized, every document you uploaded.

Each source resolves to one of five states with a plain-language explanation:

• COLLECTED — Essential data successfully retrieved
• PARTIAL — Essential data retrieved; some optional enrichment data was unavailable
• EMPTY — Source authorized but contained no data (a legitimate state, not a failure)
• LIMITED — Some essential data retrieved but below threshold; we will ask you about the missing data during the confirmation conversation
• BLOCKED — Essential data unavailable due to authentication, permission, or service issue, with explanation provided

You can click any source for detailed information about what was expected, what was retrieved, what was missing, and any recovery action available.

We make no claim that data was collected from sources where collection was incomplete or unsuccessful — those gaps are surfaced explicitly. You can proceed, re-authorize sources, or address blocked connectors before the build advances to the data confirmation phase.

4. Data Accountability — No Silent Losses

Brick-by-Brick operates on a "no silent losses" principle. Every data point the system collects, processes, or renders is accounted for at every stage:

• Every pre-collected data point is presented to you for confirmation during Phase 4a of the build — no silent exclusions
• Every confirmed data point appears in the delivered Knowledge Architecture files with source attribution
• Every gap (category without sufficient data) is explicitly labeled in the Gap Report rather than hidden
• Every node and edge in the Interdependency Graph is accounted for in the rendering verification report embedded in the delivered HTML Package
• Every source you provide is tracked through the Source Readiness Gate described in Section 3

This commitment is enforced through automated verification at multiple layers of the system, not solely through process or policy.

5. Deliverables

Upon completion of the Build, you receive three deliverable files that you download and own permanently:

• Interactive HTML Package — browse your entire Knowledge Architecture in any browser, offline. Seven sections including executive briefing, dimensions, interactive Interdependency Graph, analytical tables, Gap Report, health metrics, and metadata.
• Machine-Readable JSON Export — structured data that powers MAIA Decision OS decision rehearsals and integrates with your existing systems
• Knowledge Architecture Guide — how to use your KA, connect it to MAIA Decision OS, and keep it current through Scope Assessments and tiered updates

All build data is deleted from our systems per the hybrid retention schedule in Section 2. The files are yours permanently.

6. Data Source Connections (Optional)

You may optionally connect up to 26 data source connectors (including Salesforce, HubSpot, Google Drive, Slack, Gmail, Jira, QuickBooks, Microsoft 365, and others) to enrich your Knowledge Architecture. By connecting a data source:

• You grant Brick-by-Brick read-only access to the specified data. Write access is limited to cloud storage delivery, restricted to a Brick-by-Brick/{Company} folder.
• You confirm you have authority to grant such access
• All OAuth tokens are encrypted at rest using AES-256-GCM encryption
• Tokens are revoked with the provider when build data is deleted
• Data from these sources is processed during the Build and delivered as part of your Knowledge Architecture files
• We do not retain copies of connector data after delivery
• You can revoke access at any time

Metadata-only access for communication connectors: For Gmail, Outlook, Slack, and Microsoft Teams connectors, we extract metadata only — never message content, subject lines, or calendar event descriptions. This is enforced at the OAuth scope layer, at the agent prompt layer, and through automated verification that rejects any agent output containing message content.

Aggregate-only access for HR connectors: For HR connectors (such as BambooHR), we extract aggregate organizational structure only — never individual employee names, emails, or other personally identifying information.

For a complete list of connectors, data categories each accesses, and their current deployment status, see our Data Connector Intelligence Manifest.

7. AI Processing & Security

The Service uses AI language models (provided by Anthropic) to research, structure, and analyze company knowledge. Important things to know:

• AI-generated content may contain inaccuracies — the Confirmation Session is where you verify and correct
• Data processed through Anthropic's API is not used to train AI models. Anthropic may retain data for up to 30 days for trust and safety purposes.
• LLM API requests are routed through Cloudflare's AI Gateway service for observability and rate-limit resilience. For certain analytical agents that normally use Claude Opus, if Anthropic's rate limits are temporarily exceeded during high-concurrency periods, the AI Gateway may automatically fall back to Claude Sonnet to ensure build completion.
• Company data provided during the build is processed within structural boundaries that separate data from system instructions. AI agents treat all company-provided content as data, not as commands.
• All user input is validated for length and content type. File uploads are validated by file type signature (magic bytes), not just file extension.
• The AI does not provide advice or make recommendations — it structures and surfaces information
• You are responsible for reviewing and validating all information in your Knowledge Architecture

7a. Security Infrastructure

The Service implements the following security measures:

• Authentication: Passkey/WebAuthn biometric authentication as the primary method. Email and password (bcrypt-hashed) as a fallback for users without passkey-capable devices. Sessions managed via encrypted httpOnly cookies with 2-hour expiry.
• Encryption: All connections use HTTPS/TLS. OAuth tokens encrypted at rest (AES-256-GCM). Build session data encrypted in transit.
• Access control: All API endpoints require authentication and build ownership verification.
• Security headers: HSTS, Content Security Policy, clickjacking prevention, and additional security headers on all responses.
• Rate limiting: All endpoints are rate-limited to prevent abuse.
• Prompt injection protection: Potential injection patterns are flagged in the Knowledge Architecture export metadata for downstream consumers.
• Deletion verification: Read-back verification confirms build data deletion; a 7-year compliance audit trail records every deletion event.

8. Payment

• Initial Build — $499 USD: A complete Knowledge Architecture for one company
• Scope Assessment — $59: Upload your existing Knowledge Architecture for comparison against fresh data; produces a Change Report. Fee credited toward any Update tier.
• Tier 1 Update (Minor, under 15% change) — $99: Changes auto-applied. New Package delivered.
• Tier 2 Update (Moderate, 15–40% change) — $249: Targeted re-confirmation for affected dimensions. New Package delivered.
• Tier 3 Update (Full Rebuild, over 40% change) — $479: Complete re-collection and full confirmation. Discounted from $499 for returning Architects.

Payment is processed through Stripe. Refunds are available if the Service fails to deliver due to a technical failure on our part. Refunds are not available for dissatisfaction with content, failure to complete the Confirmation Session, or Customer-side disconnections.

9. One Build, One Company

Each Build is for one company. The company you identify during Onboarding is locked for the duration of that Build — it cannot be changed. One payment covers one Build for one company. Attempting to build a Knowledge Architecture for a different company than the one identified constitutes misuse and may result in Build termination without refund.

10. What We Collect About You

While we don't store your company data, we do collect:

• Account information (email, name, company name)
• Payment confirmation (via Stripe — we never see your card number)
• Build metadata (timestamps, completion status, aggregate statistics, source status counts) — retained for 1 year
• Basic usage data (pages visited, session duration) — retained for 90 days

Full details are in the Privacy Policy.

11. Intellectual Property

• You own your Knowledge Architecture and all company-specific data in it
• Spacious owns the Service, the 11-dimension framework, the 9-phase build methodology, the 28-agent architecture, the RVV governance framework, and all underlying technology
• Industry Knowledge Architectures (shared industry-level reference data) are owned by Spacious

12. Limitation of Liability

Spacious's total liability is limited to the amount you paid for the specific Build. We are not liable for indirect, consequential, or punitive damages, or for decisions made based on your Knowledge Architecture. Full details are in the Terms of Service.

13. Language

All Brick-by-Brick platform content — including the build session interface, pre-collected intelligence, Knowledge Architecture deliverables, and compliance disclosures — is provided exclusively in English. The Architect is solely responsible for possessing sufficient English proficiency to understand, confirm, correct, and act upon all content presented during and after the build session.

For the complete governing framework on language of service, see the English Language Policy.

14. Regional Compliance

Brick-by-Brick honors data protection rights under applicable law, including the EU/UK GDPR and the California CCPA/CPRA. For details on the rights available to you, the legal basis on which we process personal information, and how to exercise your rights, see Privacy Policy §9.

15. You Can Leave Anytime

• Close your account at any time
• Your Knowledge Architecture files are yours permanently — account closure does not affect files you've downloaded
• Revoke any data source connection at any time
• Request data deletion by contacting the email address below

Contact

Spacious Enterprises LLC
Email: [email protected]
Privacy: [email protected]
Legal: [email protected]
Website: brick-by-brick.ai