Privacy Policy
Effective Date: May 11, 2026
Last Updated: May 11, 2026
branchpoints, LLC ("branchpoints," "we," "us," or "our") provides a software platform for pharmaceutical marketing teams (the "Service"). This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information. It should be read together with our Terms of Service.
branchpoints contracts directly with enterprise customers. If you use the Service through your employer or another organization, that organization's order form, master services agreement, data processing agreement, security addendum, or other written agreement with us (collectively, the "Customer Agreement") may include commercial, data-handling, and security commitments for that customer. If a Customer Agreement conflicts with this Policy on those topics, the Customer Agreement controls for that customer. This Policy does not limit statutory privacy rights or notices required by applicable law.
Our Key Commitments
- We do not sell your personal information. We never have and never will.
- We do not use Your Data to train AI models. As between you and branchpoints, we do not claim ownership of Your Data, subject to our Terms of Service.
- We do not process Protected Health Information (PHI). The Service is not designed for PHI and should not be used to process it.
- We minimize what we collect. We collect what we need to operate the Service, support customers, maintain security, and run our business.
- We use approved providers. We route Your Data to AI providers only when their applicable data protection terms, business/API terms, or written commitments prohibit use of that data to train or improve general models.
- We are based in the United States. We currently operate the Service primarily from U.S.-hosted infrastructure, though some providers may process information in other jurisdictions under applicable data protection terms and transfer mechanisms.
Who This Policy Covers
This Policy applies to:
- Website visitors who browse branchpoints.ai or related marketing properties.
- Prospects and applicants who request access, complete waitlist or demo forms, communicate with us, or evaluate the Service.
- Authorized Users who receive access to the Service under an enterprise customer's account.
When our customer is an organization, that customer controls the personal information its Authorized Users submit through the Service. For that information, branchpoints acts as a processor or service provider for the customer.
1. Information We Collect
Website and business inquiries. We collect information you provide when you contact us, request a demo, join a waitlist, respond to a survey, or communicate with our team. This may include name, business email address, company, job title, and the content of your message.
Enterprise onboarding and Account access. When a customer is onboarded or an Authorized User receives access, we collect business identifiers such as name, email address, role, organization, account status, and access permissions. Authentication is handled by our identity provider; we receive standard profile information and do not store your password.
Your Data. Authorized Users provide inputs and receive or generate outputs through the Service. We refer to these collectively as "Your Data." Your Data does not include Resultant Data or any back-end or internal system outputs not generally available to users of the Service. As between you and branchpoints, we do not claim ownership of Your Data, subject to our Terms of Service. Section 3 explains how Your Data is handled.
Service telemetry and operational records. We collect information created when you visit our website or use the Service, such as IP address, browser and device type, operating system, pages viewed, referring URLs, timestamps, usage events, diagnostic data, performance data, security records, and records related to AI interactions where needed to operate, secure, troubleshoot, and improve the Service.
Third-party and public business sources. We may receive information from identity and authentication providers, business data providers, and publicly available professional or business sources to qualify inbound sales interest, operate the Service, and support customer-requested workflows.
Information we do not knowingly collect. We do not knowingly collect PHI, government-issued identifiers, payment card numbers, biometric data, or personal information from children. See Section 9.
2. How We Use Information
We use information for the following business and Service purposes:
- Service delivery: provide the Service, authenticate users, maintain tenant isolation, process Your Data as instructed, and support customer workflows.
- Enterprise onboarding and account administration: evaluate access requests, onboard customers, manage Accounts, communicate with customer administrators, and provide support.
- Security and reliability: monitor usage, detect abuse, troubleshoot errors, investigate incidents, maintain logs, and protect the Service.
- Customer and business communications: respond to inquiries, provide Service notices, send security or policy updates, and send optional branchpoints news where permitted.
- Business operations: maintain records, manage finances, administer contracts, evaluate product performance, and improve the Service.
- Legal and compliance: comply with legal obligations, enforce agreements, investigate fraud or misuse, and protect or assert legal rights.
We rely on our legitimate business interests and the performance of our contracts with customers for these uses. Where consent is required, such as for certain optional marketing communications, you may withdraw consent at any time.
3. Your Data and AI Processing
Because the Service uses AI-supported workflows, this section explains the lifecycle of Your Data in the Service.
What users submit and generate. Authorized Users submit Inputs and generate Outputs while using the Service. Customers control the Authorized Users, workflows, and content they choose to submit under their Account.
How branchpoints uses Your Data. We use Your Data to provide the Service to the customer that submitted it. This includes generating, organizing, refining, storing, retrieving, securing, troubleshooting, supporting, reporting on, and administering Service workflows.
What AI providers receive. To generate outputs, the Service transmits Your Data, along with relevant instructions, context, and configuration needed to provide the Service, to vetted third-party AI providers via business or API access. We do not transmit account credentials, authentication tokens, or billing information to AI providers.
No training on your content. We do not use Your Data to train or fine-tune AI models. We do not route Your Data to AI providers unless the provider's applicable data protection terms, business/API terms, or written commitments prohibit use of Your Data to train or improve general models.
Public-source research workflows. Some workflows use approved search or research providers to retrieve public scientific, professional, or business materials. Those providers may receive limited search query text needed to return the requested materials. These workflows are used to retrieve public materials; they are not used for PHI, patient-level research, or automated decisions about individuals.
Provider retention. Third-party AI providers may temporarily retain submitted inputs and generated outputs for abuse monitoring, security, debugging, or service operation for a limited period, typically 30 days or less, or may not retain them at all depending on the provider and workflow. Public-source research providers process limited search query text under their applicable terms and commitments. We do not send PHI, account credentials, authentication tokens, or billing information to these providers.
Operational records. We maintain operational records related to AI processing and provider responses for troubleshooting, abuse prevention, cost monitoring, quality review, compliance support, and enterprise reporting. Access is limited to authorized personnel and service providers who need it to operate or support the Service. To the extent these records contain Your Data, they follow the Your Data deletion rules in Section 5 unless retained for legal, security, fraud-prevention, billing, or contractual reasons, or unless they have been de-identified.
Controls and exclusions. We use technical and organizational controls designed to limit access to Your Data and restrict how providers and third-party tools are used in the Service. The Service is not designed, certified, or intended to store, process, or transmit PHI. Do not submit PHI to the Service. Customers that require HIPAA-regulated processing should contact us about alternative arrangements before submitting any PHI.
AI outputs require review. Outputs may contain factual errors, omissions, or biases and are not a substitute for human professional judgment, legal review, medical review, regulatory review, or promotional review. See our Terms of Service for the full disclaimer.
4. How We Share Information
We do not sell personal information and we do not share it for cross-context behavioral advertising. We disclose information only as described below.
Service providers and subprocessors. We use a limited set of vetted providers to host, secure, support, monitor, communicate about, bill for, and operate the Service. These providers include categories such as cloud hosting, database infrastructure, storage, AI providers, public-source research providers, authentication and identity, product telemetry and error monitoring, email and customer communications, and billing or business operations. Providers must protect the information they process for us and use it only to provide services to branchpoints. A list of named subprocessors is made available to enterprise customers through contracting or security review, typically under NDA. Customers with a Data Processing Agreement receive notice before we add a new subprocessor that handles Your Data, as described in the applicable DPA.
Corporate transactions. If branchpoints is involved in a merger, financing, acquisition, reorganization, diligence process, or sale of some or all assets, information may be disclosed to participants in that transaction. We will require the recipient to honor this Policy or provide notice where required by law.
Legal, safety, and enforcement. We may disclose information to comply with law, valid legal process, or lawful government requests; enforce our Terms of Service or Customer Agreements; protect branchpoints, customers, users, providers, or others; investigate fraud, abuse, or security incidents; or preserve, bring, or respond to legal claims. Where legally permitted, we will attempt to notify the affected customer before disclosing Your Data in response to legal process.
Customer-directed sharing. We share information with third parties when you or the customer asks us to do so, such as for an integration, export, support workflow, or other customer-directed transfer.
Aggregated or de-identified data. For research, marketing, analytics, or business purposes, we may share aggregated or de-identified information that cannot reasonably be used to identify you.
5. Data Retention
Retention follows the customer lifecycle, the reason information was collected, and applicable legal, security, and contractual requirements.
- Your Data is retained for the customer's active access period or as otherwise agreed in the Customer Agreement. On termination or written deletion request, we will delete Your Data from active production systems within 30 days through our administrative deletion process and provide written confirmation to the customer. Backup copies are purged or overwritten in the ordinary course within 90 days thereafter, unless retention is required for legal, security, fraud-prevention, billing, or contractual reasons.
- Account and profile information is retained while an account is active and for a reasonable period afterward to support customer administration, legal obligations, security obligations, and contractual records.
- Website, waitlist, and business contact information is retained while it remains useful for the purpose collected and, for prospects, consistent with reasonable sales and marketing practices.
- Operational, security, and observability records, including records related to AI processing, are retained for a reasonable period based on operational needs, customer agreements, legal obligations, security requirements, and compliance support. To the extent these records contain Your Data, they follow the Your Data deletion rules above unless retained for legal, security, fraud-prevention, billing, or contractual reasons, or unless they have been de-identified.
- Required records, including billing, tax, audit, legal-hold, and fraud-prevention records, are retained for the periods required or permitted by law.
For urgent deletion requests, contact privacy@branchpoints.ai. We will review the affected systems, legal requirements, and Customer Agreement before confirming an available timeline.
6. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including:
- encryption of data in transit and at rest through our hosting, database, and storage providers;
- tenant isolation, access controls, authentication requirements, and least-privilege service roles;
- safeguards for uploaded and generated media;
- audit logging, security monitoring, application security review, and incident response procedures; and
- vendor review and contractual commitments for service providers that process information for us.
Enterprise customers can request our current security overview and may receive additional security commitments under their Customer Agreement.
Security also depends on customer-side controls. You are responsible for keeping credentials safe, configuring customer-admin settings appropriately, and monitoring activity under your Account. Contact security@branchpoints.ai if you believe your account or our Service has been compromised.
If a security incident affects personal information we hold, we will notify affected customers and users without unreasonable delay and in accordance with applicable law and any contractual commitments.
7. Your Rights and Choices
Information controlled by your employer or organization. Our enterprise customers control Your Data submitted by their Authorized Users. If you are an Authorized User and want to access, correct, delete, or export Your Data associated with your use of the Service, contact your employer's Service administrator. We assist customers with those requests as provided in their contract.
Information branchpoints controls directly. If branchpoints holds personal information about you directly, such as website visitor, waitlist, prospect, or business contact information, you can email privacy@branchpoints.ai to request access, correction, deletion, or a portable copy. We will verify and respond as required by applicable law.
Marketing communications. You can opt out of marketing emails by using the unsubscribe link in the message or by emailing privacy@branchpoints.ai. We will still send transactional and service-related messages.
U.S. state privacy rights. branchpoints does not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws, including the California Consumer Privacy Act, as amended. Residents of California and other U.S. states that grant specific privacy rights may request access to, correction of, or deletion of personal information branchpoints holds about them, subject to verification and legally available exceptions. We will not discriminate against you for exercising these rights. To exercise them, email privacy@branchpoints.ai.
When branchpoints processes personal information on behalf of a customer, we act as that customer's service provider or processor and will direct verifiable consumer requests to the customer as required by law.
8. Cookies and Online Tracking
We use cookies, local storage, session storage, and similar technologies in four limited ways:
- Strictly necessary technologies for authentication, secure sessions, account access, payment or billing flows where applicable, abuse detection, and core Service functionality.
- Preference technologies to remember interface choices and support user experience within the Service.
- Limited analytics provided by our cloud hosting or deployment provider on public marketing pages to measure aggregate pageviews and site performance. These analytics do not involve advertising cookies, cross-site tracking pixels, or third-party behavioral advertising technologies.
- Provider technologies used by authentication, payment, hosting, security, and error-monitoring providers as needed to provide their services to us.
You can block or delete cookies and local storage through browser settings. Blocking technologies needed for authentication, security, or core Service functionality may prevent parts of the Service from working.
Some browsers transmit "Do Not Track" or opt-out preference signals such as Global Privacy Control. Because we do not sell personal information or share it for cross-context behavioral advertising, those signals do not require a change to our current practices. If our practices change, we will update this Policy and honor legally required opt-out preference signals.
9. Children
The Service is built for business professionals and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information to us, contact privacy@branchpoints.ai and we will delete it.
10. International Users
branchpoints is based in the United States, and the Service is operated primarily from U.S.-hosted infrastructure. If you access the Service from outside the U.S., your information may be transferred to, stored in, and processed in the U.S. and other countries where we or our service providers operate, subject to applicable contractual and transfer safeguards. We do not currently offer the Service to individual consumers outside the U.S.; enterprise customers outside the U.S. should contact us before onboarding so appropriate contractual and transfer arrangements can be discussed.
11. Changes to This Policy
We may revise this Policy to reflect changes in the Service, law, provider requirements, security practices, or our business. When we do, we will update the "Last Updated" date above. For material changes, we will provide notice by email or through the Service at least thirty (30) days before the changes take effect, unless a shorter period is required for legal, security, or operational reasons. Continued use of the Service after the effective date means the updated Policy applies.
12. Contact Us
Questions, requests, or concerns about this Policy or our privacy practices:
- Privacy: privacy@branchpoints.ai
- Security: security@branchpoints.ai
- Support: support@branchpoints.ai
- Legal: legal@branchpoints.ai
Mailing address:
branchpoints, LLC
Mailing address available upon request; legal notices should be sent as described in our Terms of Service.
legal@branchpoints.ai