Data Processing
This page explains how BRBR GROUP LLC (“Notivo”, “we”, “our” or “us”) processes personal data on behalf of its customers, lists the sub-processors we use to deliver the Service, and tells you how to request our Data Processing Agreement (DPA). It works alongside our Privacy Policy, which describes our broader privacy practices.
1. Overview
When you use Notivo, we process personal data in two distinct ways. Some data is processed on your behalf: the notes and content you create about the people you manage. Other data we process for our own purposes: the account and usage data needed to run, secure and improve the Service. This page sets out those roles, names our sub-processors, and explains how customers can request a signed Data Processing Agreement. For full detail on what we collect and why, see our Privacy Policy.
2. Controller and processor roles
Whether Notivo is a controller or a processor depends on which data is involved:
- Content you create about Subjects. When you write notes, observations and related entries about the people you manage (“Subjects”), you (or your organization) act as the controller of that content, and Notivo acts as a processor handling it on your behalf and on your instructions.
- Your account and usage data. For the personal data we need to provide, secure and improve the Service, such as your account details, authentication data, and usage and diagnostic data, Notivo acts as the controller.
This mirrors the framing in our Privacy Policy. You remain responsible for recording information about Subjects lawfully, fairly and for legitimate management purposes.
3. Requesting a DPA
Customers who need a signed Data Processing Agreement (for example, to satisfy Article 28 of the GDPR) can request one by emailing hello@notivo.com. Our DPA incorporates the EU Standard Contractual Clauses to cover international transfers of personal data, and governs how we process content on your organization’s behalf.
4. Sub-processors
We engage the trusted third-party providers below to help us deliver the Service. Each is bound by contractual terms requiring appropriate confidentiality and security safeguards.
| Sub-processor | Purpose | Location | Data processed |
|---|---|---|---|
| Google LLC (Google Cloud / Firebase) | Cloud infrastructure, database, authentication, file storage, serverless functions | USA & global regions | All Service data |
| Google LLC (Vertex AI / Gemini) | Automatic AI insights and on-demand assistant. On paid plans with AI insights enabled, the title and text of each saved note is processed automatically to derive private insights (themes, sentiment, follow-ups); the on-demand assistant processes relevant notes on request. Not used for model training. Black Box notes are excluded. Consent-gated. | USA | Note title & content (excluding Black Box) |
| Google LLC (Google Analytics) | Marketing-site analytics & advertising measurement (only with your consent) | USA | Usage/analytics data, ad identifiers (e.g. gclid) |
| Vercel Inc. | Marketing website hosting (notivo.com) | USA | Site requests and logs |
| Stripe, Inc. | Subscription billing & payment processing | USA | Billing and payment data |
| Resend (Resend, Inc.) | Transactional & notification email delivery | USA | Email address, message content |
| Functional Software, Inc. (Sentry) | Error & performance monitoring | USA | Diagnostic / technical data |
| Meta Platforms, Inc. (WhatsApp Business Platform) | WhatsApp message capture, where you enable it | USA / EU | WhatsApp phone number & the message content you send to Notivo |
WhatsApp capture is optional and only engages a provider above when you choose to send messages to Notivo over WhatsApp. We keep this list current; see section 7 on changes to sub-processors.
5. Security measures
We apply technical and organizational measures designed to protect the personal data we process, including encryption in transit, access controls, scoped per-user data isolation, authenticated access, and monitoring of our systems. No method of transmission or storage is perfectly secure, but we work to protect your information and to limit access to it.
6. International transfers
We are based in the United States and use providers located in the United States and other countries. Where we transfer personal data of individuals in the European Economic Area, the United Kingdom or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, together with any additional measures required to protect that data.
7. Changes to sub-processors
We keep this list current and will provide a way to be notified of material additions to our sub-processors before they take effect. If you object to a new sub-processor, you can raise your objection with us at hello@notivo.com, and we will work with you in good faith to address it.
8. Contact
Questions about this page, our sub-processors or our Data Processing Agreement? Email us at hello@notivo.com.