LEGAL

Privacy Policy

Effective May 7, 2026

This Privacy Policy explains how Norsha Dynamics LLC, a Texas limited liability company doing business as Brensa Systems ("Brensa," "we," "us," or "our"), collects, uses, shares, retains, and protects personal information in connection with:

  • the public website at brensasystems.com and any subdomain we operate (the "Site");
  • our sales, demo, and onboarding interactions with prospective and active clients;
  • our business-to-business local business growth services (the "Services"), which include local business websites, Google Business Profile optimization, local SEO, static ad creative, UGC video ads, cinematic video ads, creative systems, AI phone receptionists, AI direct-message responders, lead reactivation, AI lead qualification, Cal.com booking integration, hot-lead SMS routing, custom call flows, failed-payment recovery, churn-save automation, review and testimonial automation, and AI tier-1 customer support; and
  • the personal information of our clients' end customers ("End-Customer Data") that flows through our infrastructure when we provide the Services.

Brensa is headquartered in Plano, Texas. We do not knowingly market to, or accept clients from, the European Economic Area or the United Kingdom at this time, but we have drafted this Policy to remain GDPR-aware so that our practices translate cleanly if we expand.

You can reach us at legal@brensasystems.com or 469-608-9691 for any privacy question, request, or complaint.

We separate this Policy by data category because the rules and our role differ.

(a) Site Visitors. People who browse brensasystems.com, request information, fill out a contact form, or correspond with us by email or phone. We are the controller for this data.

(b) Prospective and Active Client Personnel. Owners, operators, and staff at the businesses that engage Brensa (or are evaluating Brensa). We are the controller for this data.

(c) End Customers of Our Clients. Consumers and businesses who interact with our clients through the Services we operate — for example, a homeowner who calls a roofing company whose phones we run, a customer who DMs an HVAC company on Instagram, or a patron who receives an outbound reactivation call. For this data, our client is the controller and Brensa is the processor (called a "service provider" or "contractor" under California law). Our handling of this data is governed by our Data Processing Addendum and the client's Master Services Agreement.

3.1 Site Visitor Data

  • Identifiers and contact data you give us: name, business name, work email, phone number, and any free-text you write into a form, scheduled-call note, or email.
  • Device and usage data: IP address, browser type, device type, referring URL, pages viewed, time on page, and similar log data.
  • Cookies and similar technologies: strictly necessary cookies only (for example, to keep a form session alive). Brensa Systems does not currently use third-party web analytics, advertising trackers, or behavioral tracking technologies on this website. If we add analytics in the future (for example, a privacy-respecting tool such as Plausible), this policy will be updated and the change will be reflected in the "Last updated" date.

3.2 Prospective and Active Client Personnel Data

  • Business contact information (name, title, business email, phone, company, mailing address).
  • Authentication data we issue (Brensa portal credentials, if applicable).
  • Records of demos, calls, voice memos, scoping questionnaires, written proposals, and onboarding materials.
  • Billing and payment data processed through Stripe (last-four card digits, brand, expiry, country, and Stripe-issued tokens — Brensa does not store full card numbers).
  • Communications: emails, SMS, voice calls, and Slack/Notion threads with you or your team.

3.3 End-Customer Data Processed for Clients

We process whatever the Service requires. By service line, this typically includes:

  • AI Phone Receptionist: caller phone number, name, call audio recording, AI transcript, BANT qualification fields, call disposition, appointment data, and any CRM fields the client maps. Multi-language English/Spanish baseline. Every call is recorded and transcribed.
  • AI DM Responder (Instagram, Facebook, web chat): Meta-platform user ID, display name, message content, timestamps, and conversation state. Operates within Meta's 24-hour standard messaging window.
  • AI Outbound Sales Caller: contact list provided by the client, call recording, transcript, disposition, do-not-call flags, and timestamps. Throughput is 200–500 dials per agent per day.
  • Lead Reactivation Engine: dormant-lead lists (6–12 months dormant, never older than 24 months, never previously opted-out), plus voice/SMS/email engagement events.
  • AI Lead Qualification, Hot-Lead SMS Routing, Cal.com Booking, Custom Call Flows: lead identifiers, BANT scoring features, owner-routing SMS metadata, booking data, and routing logs.
  • Failed Payment Recovery: Stripe webhook events, customer email, last-four card data, retry status, AI-personalized email content, escalation call logs, and card-update flow data.
  • Churn Save Automation: cancellation-intent signals, save-flow interactions, discount/pause grants.
  • Review and Testimonial Automation: customer name, contact channel, transaction data needed to time the request, review platform routing, and a private feedback intercept channel for negative sentiment (we do not write or generate fake reviews and do not pay for reviews).
  • AI Tier-1 Customer Support: ticket text, knowledge-base content, conversation transcript, escalation context.

3.4 What We Do Not Collect

  • We do not knowingly target or collect personal information from anyone under 13. The Services are sold to businesses and not directed at children.
  • We do not sell personal information for monetary or other valuable consideration.
  • We do not engage in cross-context behavioral advertising.
  • We do not use End-Customer Data to train any general-purpose AI model. Our model providers (OpenAI, Anthropic) operate under API terms that exclude our API traffic from their model training by default.

We use personal information to:

  • operate, secure, and improve the Site;
  • respond to inquiries and schedule demos;
  • propose, scope, and deliver the Services;
  • bill and collect through Stripe and recover failed payments;
  • communicate operationally (uptime notices, change logs, maintenance windows, security incidents);
  • meet legal, tax, accounting, and audit obligations;
  • defend ourselves in disputes; and
  • with respect to End-Customer Data, only to perform the Services on the documented instructions of the client (the controller).

We rely on the following lawful bases (terminology used for GDPR-aware operation): performance of a contract; legitimate interests (running, securing, and improving our business in a way that does not override the rights of data subjects); compliance with a legal obligation; and, where required, consent.

  • AI self-disclosure on calls. Every Brensa-operated voice agent identifies itself as an AI within the first 15 seconds of the call, in English or Spanish to match the caller. We adopt this 15-second standard as our internal floor on every call regardless of which state the caller is in. We believe this exceeds what current Texas, Utah, and California AI-disclosure laws require for our use case, and we apply it universally for transparency.
  • Call recording disclosure on every call. Independently of any consent the client warrants it has obtained, our voice agent plays a recording disclosure at the start of every call. This belt-and-suspenders approach is designed to satisfy the strictest U.S. all-party-consent recording laws (see Section 9).
  • Models we use. We name our model providers (Anthropic Claude, OpenAI GPT). Our infrastructure code, prompt configurations, and model selections are documented for each client and are exportable on request — that is the substance of our Transparency Guarantee.
  • No deceptive AI claims. We do not represent the AI as a human if asked. We do not generate fake reviews, fake testimonials, or fabricated content, and our review-automation product is configured to comply with the Federal Trade Commission's rule on consumer reviews and testimonials (16 C.F.R. Part 465).

We use only a small number of strictly necessary cookies to operate the Site (for example, to keep a form session alive). We do not currently run third-party web analytics, advertising trackers, or behavioral tracking technologies on this website. We honor Global Privacy Control (GPC) signals as opt-out-of-sale and opt-out-of-targeted-advertising signals where applicable under state law. Because we do not engage in cross-context behavioral advertising or sale of personal information, the practical effect of GPC on our processing is limited, but we still record and respect the signal. If we add privacy-respecting analytics in the future, this policy will be updated and the change will be reflected in the "Last updated" date.

We work with the following providers to operate the Site, our internal business, and the Services. These are disclosed on our Site and incorporated into our Data Processing Addendum.

Brensa subprocessors (Brensa-controlled):

  • Vercel — hosting of the Site and Brensa-built application surfaces.
  • Twilio — telephony, voice transport, and SMS.
  • Vapi — voice agent orchestration platform.
  • Anthropic — Claude family models (LLM inference).
  • OpenAI — GPT family models (LLM inference).
  • Cal.com — appointment booking.
  • Stripe — Brensa's billing and the failed-payment-recovery integration we run for clients.
  • Meta (Graph API) — Instagram and Facebook DM ingestion and outbound messaging.
  • Google Workspace — internal email and document storage.
  • Notion and Linear — internal documentation and task tracking.

Client-side integrations (controlled by the client; disclosed for transparency): HubSpot, Salesforce, JobNimbus, ServiceTitan, Mindbody, Clio, Lawmatics, Airtable, and any webhook/REST destination the client designates. These are not Brensa subprocessors in the strict sense — the client is the customer of record and controller for those tools — but we list them so you can see the full data path.

We perform vendor due diligence before engagement, require written contractual data-protection terms, and maintain the right to remove or replace any subprocessor that ceases to meet our standards. A current list of subprocessors is available on request by emailing legal@brensasystems.com, and we will give clients no less than thirty (30) days' advance notice before adding or replacing a subprocessor that handles End-Customer Data, with a right to object as set out in the DPA.

We share personal information only with: (a) the subprocessors listed above, under written contracts; (b) the client whose data we process (we return End-Customer Data and analytics to the client); (c) professional advisors (lawyers, accountants, insurers) under duty of confidence; (d) acquirers in a merger, acquisition, or asset sale, subject to this Policy; and (e) governmental authorities when legally required, with notice to the affected client where lawfully permitted.

We do not sell personal information, do not rent or lease contact lists, and do not participate in cross-context behavioral advertising.

Federal law generally requires only one-party consent to record a phone call (18 U.S.C. § 2511(2)(d)). However, several states require all-party (sometimes called "two-party") consent. As of this Policy's effective date, the states most commonly identified as requiring all-party consent for telephone communications, with the relevant statutes, are:

  • California — Cal. Penal Code §§ 631, 632, 632.7
  • Connecticut — Conn. Gen. Stat. § 52-570d (civil) and § 53a-187 (criminal)
  • Delaware — 11 Del. Code § 1335
  • Florida — Fla. Stat. § 934.03
  • Illinois — 720 ILCS 5/14-1 et seq.
  • Maryland — Md. Code Ann., Cts. & Jud. Proc. § 10-402
  • Massachusetts — Mass. Gen. Laws ch. 272, § 99
  • Michigan — Mich. Comp. Laws § 750.539c (interpreted by Sullivan v. Gray as effectively one-party for participants, but still treat as all-party to be safe)
  • Montana — Mont. Code Ann. § 45-8-213
  • Nevada — Nev. Rev. Stat. § 200.620 (interpreted by Nevada Supreme Court as all-party for telephone communications)
  • New Hampshire — N.H. Rev. Stat. Ann. § 570-A:2
  • Oregon — Or. Rev. Stat. § 165.540 (in-person all-party; electronic typically one-party — treat conservatively)
  • Pennsylvania — 18 Pa. Cons. Stat. §§ 5703–5704
  • Washington — Wash. Rev. Code § 9.73.030

When a call crosses state lines, the stricter standard typically applies (see Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95 (2006)). Brensa's policy on every voice call we operate, regardless of jurisdiction:

  1. The voice agent plays a recording disclosure within the opening seconds; and
  2. The client warrants in the DPA that it has obtained any consent required from contacts on its outbound list.
  • Site visitor logs and analytics: up to 14 months, then aggregated or deleted.
  • Marketing and prospect data: until you opt out or up to 24 months from last engagement, whichever is sooner.
  • Active client business records: for the duration of the engagement plus seven (7) years to meet tax, accounting, and limitations-period needs.
  • End-Customer Data (call recordings, transcripts, AI logs, CRM writes): for the duration of the engagement plus the period the client instructs in the MSA/DPA. Default is 12 months for recordings/transcripts unless the client directs otherwise. On termination, End-Customer Data is returned or deleted as the client elects (see DPA Section 12).
  • Backup retention: up to 35 days after primary deletion to allow for disaster recovery, after which backup data is overwritten.

We maintain administrative, technical, and physical safeguards designed to protect personal information, including: TLS 1.2+ encryption in transit; AES-256 encryption at rest in our managed databases and object storage; role-based access controls with least-privilege; mandatory multi-factor authentication for all administrators; environment isolation between production and non-production; centralized logging and alerting; secret management; vendor security review before onboarding; an internal incident response plan; and quarterly review of access lists. No system is perfectly secure; we commit to act in good faith and with reasonable care.

If we become aware of a Personal Data Breach (as defined in our DPA) affecting End-Customer Data we process, we will notify the affected client without undue delay and in any case within seventy-two (72) hours of becoming aware. For data where Brensa is the controller (Site visitors, client personnel), we will notify affected individuals consistent with applicable law, including Tex. Bus. & Com. Code § 521.053 (Texas breach notification), and any other state notification statutes that apply based on residency.

Brensa honors the privacy rights granted by the laws that apply to you. In every case, you can reach us at legal@brensasystems.com to exercise any right.

13.1 Texas residents — Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541, effective July 1, 2024)

If you are a Texas resident interacting with us in an individual or household context, you have the right to:

  • confirm whether we process your personal data and access that data (§ 541.051(a)(1));
  • correct inaccuracies (§ 541.051(a)(2));
  • delete personal data (§ 541.051(a)(3));
  • obtain a portable copy of personal data you provided (§ 541.051(a)(4)); and
  • opt out of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (§ 541.051(a)(5)). We do none of these activities for Texas residents but the right is preserved.

You also have the right to appeal a refusal of a request (§ 541.053). The TDPSA does not provide a private right of action; enforcement is exclusive to the Texas Attorney General (§ 541.156). Brensa qualifies for SBA-defined small-business status today; we still honor the rights above as a matter of policy.

13.2 California residents — CCPA/CPRA (Cal. Civ. Code §§ 1798.100 et seq.)

If you are a California resident, you have:

  • the right to know (§§ 1798.100, 1798.110, 1798.115);
  • the right to delete (§ 1798.105);
  • the right to correct (§ 1798.106);
  • the right to opt out of sale or sharing for cross-context behavioral advertising (§ 1798.120) — Brensa does not engage in either, but the right exists;
  • the right to limit use of sensitive personal information (§ 1798.121);
  • the right to non-discrimination (§ 1798.125); and
  • the right to data portability (§ 1798.130).

The CCPA's HR and B2B partial exemptions in former § 1798.145(m) and (n) sunset on January 1, 2023, so business-contact information is now subject to the full set of CCPA rights. Where Brensa processes personal information for a client, Brensa acts as a "service provider" or "contractor" under § 1798.140(j) and (ag) and our DPA contains the contractual provisions required by those subsections.

13.3 EEA/UK residents — GDPR

To the extent the GDPR or UK GDPR applies, you have rights of access, rectification, erasure, restriction, portability, and objection, plus the right to lodge a complaint with a supervisory authority. The lawful bases on which we rely are listed in Section 4. For international transfers we rely on the EU Commission's Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum where applicable.

13.4 How we verify and respond

We respond within 45 days of a verifiable request (TDPSA and CCPA), extendable once by another 45 days where reasonably necessary. We will not retaliate against anyone for exercising privacy rights. To verify, we will match information you provide against records we already hold. An authorized agent may submit a request with your written, signed permission and proof of identity.

The Site and the Services are intended for businesses and adult professionals. We do not knowingly collect personal information from anyone under 13, and we do not direct any service to children. If we learn we have collected such data, we will delete it. Where a covered service incidentally captures data about a minor (for example, a homeowner's family member calling a roofing line), we treat that data as standard End-Customer Data subject to client instructions and applicable law.

Brensa is U.S.-based. If you access the Site from outside the United States, you understand that personal information will be processed in the United States, which may not provide the same level of legal protection as your home jurisdiction.

We will post updates here and revise the "Last updated" date. For material changes affecting how we process personal information, we will give notice by email to active clients and a banner on the Site for at least 30 days.

Norsha Dynamics LLC d/b/a Brensa Systems Plano, Texas Email: legal@brensasystems.com (privacy and legal); hello@brensasystems.com (general) Phone: 469-608-9691 Website: brensasystems.com

Last updated May 7, 2026