Privacy Policy

Dunamis Studios builds HubSpot marketplace applications. Each app reads the HubSpot CRM data your admin authorizes and uses it to provide that app’s functionality.

Apps that use AI (currently Debrief) send relevant records to Anthropic’s Claude API over an encrypted connection. Apps that do not use AI (currently Property Pulse) do not transmit data to Anthropic or any other AI provider.

Your data is not used to train any AI model. Data sent to Anthropic is deleted within seven (7) days. We do not sell personal data and we do not share it with advertising networks. The rest of this page explains exactly what we collect, why, for how long, and what rights you have.

References in this policy to “Dunamis Studios,” “Dunamis,” “we,” “us,” or “our” mean Joshua Robert Bradford, an individual resident of the State of Florida, United States, doing business under the name Dunamis Studios. See §14 Contact for postal address.

The table below lists every category of personal data Dunamis Studios collects, the source, the purpose, how long we keep it, and the relevant legal basis under GDPR. If a field is not in this table, we do not collect it.

Where GDPR or UK GDPR applies, the legal basis for each processing purpose is annotated inline in italics below.

• Providing Dunamis Studios apps to paying customers and our website to visitors. Art. 6(1)(b) Performance of a contract.
• Keeping the services secure, detecting abuse, maintaining server logs, and improving the products. Art. 6(1)(f) Legitimate interests — our interest in operating a secure, reliable service, balanced against reasonable expectations of users.
• Sending transactional emails (verification, receipts, service notices). Art. 6(1)(b) Contract.
• Sending marketing emails where you have opted in, and setting non-essential cookies where required. Art. 6(1)(a) Consent — you can withdraw at any time without affecting processing that already happened.
• Complying with tax, accounting, and legal requests. Art. 6(1)(c) Legal obligation.
• Responding to support inquiries you send us. Art. 6(1)(f) Legitimate interests — our interest in helping you and yours.

Where we rely on legitimate interests, you have the right to object (see §9).

Some Dunamis Studios applications use artificial intelligence. Currently:

• Debrief uses AI. Debrief transmits HubSpot CRM Data to Anthropic’s Claude API to generate handoff briefs and conversational handoff messages.
• Property Pulse does not use AI. Property Pulse does not transmit any Customer Data to Anthropic or to any other AI or machine-learning service provider.

For AI-enabled applications (currently Debrief):

What data is sent to AI. When a brief or message is requested, the app retrieves the relevant records from Customer’s HubSpot portal under the OAuth authorization the admin granted, and transmits them to Anthropic’s Claude API over an encrypted TLS 1.2+ connection.

Who generates the output. Output is generated by Anthropic PBC’s Claude large language model, accessed via the Anthropic API. Anthropic is our sub-processor under a written Data Processing Addendum incorporating the EU Standard Contractual Clauses (Modules 2 and 3), the UK International Data Transfer Addendum, and the Swiss Addendum.

What Anthropic does not do. Under Anthropic’s Commercial Terms of Service, Anthropic does not use API data to train its models. Anthropic retains API inputs and outputs for up to seven (7) days for abuse monitoring, after which they are deleted. Flagged content may be retained longer solely for Trust & Safety purposes. See Anthropic’s documentation at privacy.claude.com.

No automated decisions with legal effect. AI-generated output from Dunamis Studios apps is informational content intended to help a human on your team prepare for a conversation, review property changes, or otherwise make an informed decision. No Dunamis Studios app performs automated decision-making with legal or similarly significant effects within the meaning of Article 22 of the GDPR or Article 12.1 of Quebec’s Law 25, and no Dunamis Studios app is a “high-risk” AI system under the EU AI Act.

AI labeling and accuracy. Every piece of AI-generated content is clearly labeled as AI-generated in the application interface. Large language models can produce inaccurate, incomplete, or fabricated information. You are responsible for reviewing and verifying each output before acting on it.

Your controls. You can disable the AI feature in the relevant app’s workspace settings (for AI-enabled apps), delete any generated output at any time, and qualifying customers may request a zero-retention arrangement with Anthropic. We do not train AI or machine-learning models on your Customer Data for any purpose other than generating outputs for your own account.

Dunamis Studios relies on a short list of sub-processors to operate its applications and the dunamisstudios.net website. The live list — including legal name, purpose, processing location, transfer mechanism, and which Dunamis Studios applications use the sub-processor — is published at /legal/subprocessors.

We commit to thirty (30) days’ advance notice of any new sub-processor that will process Customer Personal Data. Customers may object on reasonable data-protection grounds; if the objection cannot be resolved, termination of the affected subscription or license is the remedy.

Honest asymmetry to disclose: Anthropic, our AI sub-processor (used by Debrief but not Property Pulse), commits to only fifteen (15) days’ notice of changes to its own sub-processors upstream of us. We pass those changes through to customers as soon as practicable, which may be shorter than our 30-day commitment if Anthropic notifies us late.

Dunamis Studios is based in the United States, and most of our sub-processors operate primarily in the United States. If you are in the European Economic Area, the United Kingdom, or Switzerland, personal data we process about you will be transferred to, and processed in, the United States.

We rely on the following transfer mechanisms:

• EU–US Data Privacy Framework, with the UK Extension and Swiss–US DPF where applicable, for sub-processors that are DPF-certified: Vercel, Upstash, Stripe, Resend, and HubSpot. The DPF remains valid following the CJEU’s September 2025 Latombe ruling.
• EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Modules 2 (Controller-to-Processor) and 3 (Processor-to-Processor), plus the UK International Data Transfer Addendum and the Swiss Addendum, for Anthropic (not DPF-certified, applicable to Debrief only) and as a fallback mechanism for all other sub-processors.

Supplementary measures consistent with EDPB recommendations: TLS 1.2 or later in transit, AES-256 at rest, data minimization, role-based access controls, and a documented transfer impact assessment refreshed annually. Copies of the SCCs are available on request at privacy@dunamisstudios.net.

United States (19 state comprehensive privacy laws). If you reside in California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia (and other states as new laws come into force), you have the rights your state grants, which generally include: access, deletion, correction, portability; opt-out of sale/sharing/targeted advertising/profiling; limit use of sensitive personal information; non-discrimination for exercising rights; and where adopted (including California under 2026 regulations), opt-out of automated decision-making. We honor Global Privacy Control (GPC) signals. We do not sell or share your personal information, and we do not use it for cross-context behavioral advertising.

European Economic Area / United Kingdom (GDPR / UK GDPR). You have the rights under Articles 15–22: access, rectification, erasure, restriction, portability, objection, and not to be subject to solely automated decision-making with legal or similarly significant effects. For Customer CRM Data, direct these requests to the Dunamis Studios customer whose portal contains the data (the controller); we will assist them. For data we collect directly as controller, contact us at privacy@dunamisstudios.net. You may also lodge a complaint with your supervisory authority.

Quebec (Law 25). We disclose that automated decision-making within the meaning of Article 12.1 is not used in any Dunamis Studios service. You may request information about cross-border transfers (see §7).

Australia (Privacy Act / APPs). Australian residents may request access and correction under APPs 12 and 13 via the same privacy email. Cross-border disclosures to the US are covered by APP 8 reasonable steps described in §10.

Brazil (LGPD). Brazilian data subjects may exercise rights under LGPD Articles 18 and 19 via the same channel.

How to exercise rights. Email privacy@dunamisstudios.net with enough detail to identify you and the request. We will acknowledge within 10 business days and respond substantively within 30 days (or the shorter period required by your jurisdiction, including 45 days under CCPA/CPRA with a 45-day extension available and 30 days under GDPR). We will verify your identity before disclosing or deleting data. You can also designate an authorized agent in jurisdictions that recognize one.

We apply technical and organizational measures appropriate to the risks of processing, including: TLS 1.2+ encryption in transit; AES-256 encryption at rest; encrypted OAuth tokens with per-portal isolation; role-based access controls with principle of least privilege; secrets management; audit logging; dependency vulnerability monitoring; and a documented incident-response procedure.

No system is perfectly secure. If a personal-data breach affects your data, we will notify affected controllers without undue delay and no later than is consistent with our obligations under GDPR Article 33(2) and applicable US state breach-notification laws. For Customer CRM Data, the customer whose portal is affected will be notified first so that the customer, as the controller, can notify its own data subjects on the required timeline.

dunamisstudios.net. The marketing website uses Vercel Analytics (cookieless by default but still receives minimal request metadata — IP, user agent, referrer — to count aggregate traffic) and HubSpot tracking (a portal-level tracking script that records pageviews and visitor behavior to support our own marketing analytics). We do not set advertising cookies and do not share site data with ad networks. Visitors from the EU, UK, or Switzerland are shown a consent banner for any non-essential cookies (including HubSpot’s tracking cookies); essential cookies used to operate the site (session, CSRF) are deployed without consent under the strictly-necessary exemption.

Dunamis Studios apps inside HubSpot. Each Dunamis Studios app runs as a HubSpot CRM card or UI extension inside your HubSpot portal and does not set its own cookies. Any cookies present in those frames are HubSpot’s.

Dunamis Studios apps are B2B products directed at business users. They are not directed at children under 16, and we do not knowingly collect personal data from children. Customers must not submit personal data of children to any Dunamis Studios app (see our Terms of Service). If you believe a child’s personal data has been submitted to us in error, contact privacy@dunamisstudios.net and we will delete it.

We may update this Privacy Policy as our practices change or as law requires. For material changes, we will email the administrative contact on each active account at least thirty (30) days before the change takes effect. The effective date at the top of this page reflects the current version, and prior versions are available on request.

Privacy inquiries, rights requests, and subpoenas:

• Email: privacy@dunamisstudios.net
• Postal address: Joshua Robert Bradford d/b/a Dunamis Studios, 2269 Twin Fox Trail, St. Augustine, FL 32086, United States.

For support or product questions unrelated to privacy, use support@dunamisstudios.net.