Security
Last updated: June 1, 2026
1. Overview
Breeze is built with security and data privacy as core requirements. Every customer account is completely isolated from every other. Your documents, projects, reports, and team data are never accessible to other companies using Breeze, and we never use your data to improve or train any AI model.
This page describes the technical and organizational measures we take to protect your data, the sub-processors we rely on, and how you can request permanent deletion of all your company data at any time.
2. Per-company data isolation
Every piece of data in Breeze is scoped to a single company. This isolation is enforced at the database level on every query — it is not a UI restriction that can be bypassed. No company can read, modify, or delete another company's records, documents, or AI outputs.
- All database rows carry a
companyIdforeign key. - Every server-side API request verifies the authenticated session's
companyIdbefore returning or mutating any data. - Admin-only operations (settings, billing, team management, data deletion) are enforced server-side against the
AuthorizedUsertable — not just the client session.
3. AI processing — Google Gemini paid API
Breeze processes your documents and answers your questions using the Google Gemini paid API. Under Google's paid API terms, Google does not use your inputs or outputs to train its models.Your project documents are processed in Google's secure infrastructure and are not retained by Google beyond what is needed to fulfill the request.
Breeze itself does not retain your raw documents for reuse, resale, or AI training. Documents you upload are stored only to enable the service features you requested (reports, follow-up Q&A). You own your documents and all AI-generated outputs produced from them.
For full details, see Google's Gemini API Terms of Service.
4. Your documents are yours
- You retain full ownership of all documents you upload or email to Breeze.
- Breeze does not share, sell, or reuse your documents for any purpose other than delivering the service to you.
- AI-generated reports and answers produced from your documents belong to you and may be used freely for your business.
- We do not use any customer document content to improve Breeze features or train AI models.
5. Encryption & access controls
- All data in transit is encrypted via TLS (HTTPS).
- All data at rest is encrypted by our infrastructure providers (Vercel, Neon).
- Passwords are hashed with bcrypt and are never stored in plain text.
- Dashboard sessions are protected by signed JWT tokens issued by NextAuth.
- Admin-only routes and API endpoints are enforced server-side on every request.
6. Sub-processors
We rely on the following third-party sub-processors to deliver the Breeze service:
| Provider | Purpose | Data processed |
|---|---|---|
| Google Gemini | AI document processing & Q&A | Project documents, questions |
| Stripe | Subscription billing & payments | Payment information |
| Resend | Transactional email delivery | Email addresses, report content |
| Postmark | Inbound email receive & routing | Inbound email content & attachments |
| Vercel | Application hosting & file storage | All application data; uploaded files |
| Neon | PostgreSQL database hosting | All structured application data |
| Cloudflare | DNS proxy & email routing | Inbound email metadata |
7. Delete your data
Account admins can permanently delete all company data — including all documents, projects, reports, team members, and AI outputs — directly from the Settings page in the dashboard. This action is immediate and irreversible.
Deletion removes all data from Breeze's database and file storage. It does not affect data held by Stripe (billing history) or email providers (delivered emails), which are governed by their own retention policies.
8. Contact
For security or privacy questions, contact us at privacy@breeze.expert.