Privacy Policy

Effective Date: October 1, 2025

The Brief is committed to protecting your privacy. This Privacy Policy (“Policy”) explains how we collect, use, share, and protect personal data when you use our Services.

We provide key information upfront, with region-specific information at the end for additional details. Please read this Policy carefully to understand how we handle your personal data and your rights. By using our Services, you agree to the practices described in this Policy. Capitalized terms not defined in this Policy have the meanings set forth in our Terms of Use.

SUMMARY:

  1. SCOPE
    1. This Policy applies to any information relating to an identified or identifiable natural person, or as otherwise defined under applicable privacy laws. This includes data that directly identifies you (e.g., your name) or can indirectly identify you when combined with other information (e.g., IP address) processed by us (“Personal Data”). This includes Personal Data processed when you use The Brief’s website(s), online software-as-a-service platform, The Brief AI, APIs, applications, and related add-ons (collectively, the “Services”).
    2. This Policy does not apply to any third-party websites, services or applications, even if they are accessible through our Services.
  2. PERSONAL DATA WE PROCESS
    1. Categories of Personal Data.
      1. Personal Data you provide to us:
        1. Contact Information: Name, email address, phone number, mailing or billing address, job title, and social media profile (if you choose to provide them).
        2. Account Credentials: Username and encrypted password. We use strong encryption (pbkdf2-sha256 algorithm) to store passwords, and we never store passwords in plain text.
        3. Transaction Data: Payment information and transaction history. Please note: We use third-party payment processors to handle your payment information securely. We do not store your full payment card numbers on our systems.
        4. Support and Communications: Records of your communications with us (emails, chat, support tickets, survey responses) and any information you choose to provide when contacting us or giving feedback.
        5. Content You Provide: If you voluntarily share content (e.g., comments on our blog, user-generated content or any content to post, upload or otherwise provide on our Services, surveys, registration for sweepstakes or contests), we will process that content as needed to operate the Services.
        6. Sensitive Personal Data: We generally do not seek to collect sensitive data as defined under relevant laws (such as data about race, health, biometrics, or sexual orientation) unless required for specific Services or if you choose to provide them. If we need to process sensitive data, we will do so in accordance with applicable laws.
      2. Personal Data collected automatically:
        1. Account Usage Data: Information about how you interact with our Services, such as logins, account settings, design edits, uploads/downloads, and support interactions. This may include timestamps of logins or purchases.
        2. Device and Technical Data: IP address, operating system, browser type, device identifiers, and geo-location data (if enabled on your device). Our servers automatically log standard data from your browser or device.
        3. Website Usage (Log Data): Pages visited, time spent, links clicked, and referring webpage. We gather this through server logs and third-party analytics.
        4. Cookie Data: Data collected through cookies and similar tracking technologies, as detailed in the Cookies and Tracking Technologies section.
      3. Personal Data from other sources:
        1. Our Customers: If you use our Services on behalf of, or in collaboration with, an entity (e.g., your employer), that entity may provide us with information about you so that we can provision your account.
        2. Third Party Services and Organizations: We may obtain information about you from other sources, including from third party services and organizations. For example, if you access our Services through a third-party service, we may collect information about you from that third-party service.
  3. HOW WE USE YOUR PERSONAL DATA AND OUR LEGAL BASES FOR PROCESSING
    1. We use your Personal Data for the following purposes:
      1. To Provide and Maintain the Services: We use data to create and manage your account, authenticate you, provide customer support, and operate the core functionality of our platform.
      2. To Improve and Develop Services: We use data (especially aggregated or de-identified data) to debug issues, run analytics, conduct research, and develop new features. We use usage data to understand how our Services are used and make improvements. We may also use your content to provide, improve and customize the Services including to train AI features in order to improve our Service. Learn more about how you can manage content used to train AI features here.
      3. To Personalize Your Experience: We may tailor the content and advertisements you see on our Services to your interests.
      4. To Send Services Communications: We send transactional emails for account-related or service-related purposes (e.g., password resets, billing notices, security alerts). These are not marketing communications, and you cannot opt out of these essential messages.
      5. For Marketing: If you sign up, we may send newsletters, product updates, and special offers. Where required, we will obtain your consent before sending marketing emails or texts. You can opt out at any time as described in Section 6 (User Rights and Choices).
      6. For Legal Compliance: To comply with legal obligations, such as financial record-keeping, responding to lawful requests by public authorities, or meeting data protection laws’ requirements.
      7. For Security and Fraud Prevention: To monitor, prevent, and detect fraud, abuse, illegal uses, and violations of our Terms of Use and Business Subscription Terms of Service. This includes using data to protect our platform, users, and others.
      8. For Corporate Transactions: In the event of a merger, acquisition, financing, or sale of assets, data may be transferred to a successor or affiliate as part of that transaction (with appropriate protections and notices, as required by law).
    2. Legal Bases for Processing (for Users in the EEA, UK, Brazil, and jurisdictions with similar legal requirements). Depending on the context, one or more of the following bases will apply:
      1. Performance of a Contract: Processing is necessary to perform our contract with you or to take steps at your request before entering into a contract (e.g., providing the Services you signed up for).
      2. Legitimate Interests: We may process Personal Data to further our legitimate interests, in a manner that is not overridden by your rights, for example, to improve and develop the Services or ensure security. We will only rely on this basis after considering the potential impact on you and your rights. You have the right to object to processing based on legitimate interests.
      3. Consent: In cases where we ask for your consent (e.g., for certain marketing emails, or placing non-essential cookies), we may process Personal Data based on your consent. You have the right to withdraw consent at any time, which will not affect processing already carried out but will stop future processing.
      4. Legal Obligation: We may process Personal Data to comply with laws that apply to us (for example, tax laws, employment laws, or responding to government authorities). This can include providing certain data in response to lawful government requests or fulfilling obligations under relevant laws.
      5. Vital Interests: In rare cases, we may process data to protect someone’s life or vital interests (for instance, warning of a security breach).
      6. Public Interest: If we ever process data in the public interest (as defined by law), we will document and inform you of this, as required by the applicable law.
  4. HOW WE SHARE YOUR PERSONAL DATA
    1. We do not sell Personal Data to third parties for monetary consideration. However, we may share Personal Data with certain trusted entities, as outlined below:
      1. Service Providers (Sub-Processors): We use third-party companies to support our Services – such as cloud hosting, data storage, analytics providers, email and marketing platforms, customer support software, AI software providers to support the Brief AI features, and payment processors. These providers act as our data processors (sub-processors), processing Personal Data on our behalf for the purposes described in this Policy. Please refer to our Data Processing Addendum, which includes a list of our sub-processors, for more information.
      2. Affiliates: If The Brief, Inc. has affiliates, subsidiaries, or related entities, we may share Personal Data within our corporate family, but only as needed and subject to this Policy’s protections.
      3. Business Partners: If we collaborate with partners, for example on co-sponsored events, promotions, or integrated services, we will let you know at the time of Personal Data collection if any data will be shared, and you will have the choice to participate.
      4. Legal Requirements and Protection: We may disclose Personal Data when we believe in good faith that such disclosure is necessary to comply with a legal obligation, enforce our terms and policies, or protect the rights, property, or safety of The Brief, our users, or others. This includes: responding to lawful requests by public authorities (e.g., to meet national security or law enforcement requirements), addressing fraud or security issues, and using data in legal proceedings or investigations.
      5. Corporate Transactions: In the context of an actual or potential merger, acquisition, financing, sale of assets, bankruptcy, or receivership, user data may be transferred to a successor or affiliate as part of that transaction. If such a transfer occurs, we will ensure the recipient is bound by privacy obligations at least as strict as this Policy and applicable law, and we will notify you of any change in data control where required.
      6. Third-Party Links: Our Services may include links to third-party websites or services not operated by The Brief. Clicking those links may allow third parties to collect or share data about you. This Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party sites or services before providing your information to them. Note: For integrated third-party features (like social media “Like” buttons or single sign-on via Google or Meta), those third parties may collect data directly from you pursuant to their own policies.
  5. COOKIES AND TRACKING TECHNOLOGIES
    We use cookies and similar tracking technologies (such as web beacons and pixels) to help operate our site and Services, remember your preferences, analyze usage, improve performance, deliver relevant advertising and enable social media features. Some cookies are essential to make the site work, while others support functionality, analytics, marketing, or social sharing. Certain cookies may also result in the sharing of personal information with third parties (such as advertisers, analytics providers or social media platforms), and you may have rights to opt out of this under applicable privacy laws. You can manage your preferences through our cookie banner or by clicking “Cookie Management” at the bottom of any page. For more detailed information about the specific cookies and trackers we use, their purposes, and how to control them, please see our Cookie Policy (which is part of this Policy).
  6. USER RIGHTS AND CHOICES
    1. You have various rights and choices regarding your Personal Data. Depending on your location and applicable law, your rights may include:
      1. Access and Portability: You can request a copy of the Personal Data we hold about you, and information on how we use it. This typically includes the categories of data, the purposes of processing, and the parties with whom it is shared. We will provide this in a readily usable format.
      2. Correction (Rectification): If any of your Personal Data held by us is inaccurate, outdated, or incomplete, you have the right to request that we correct or update it. You can initiate this by contacting us at privacy@thebrief.ai or by using any other contact method provided in this Policy. In many cases, you can also directly review and update certain information—such as your name, email address, or account preferences—by logging into your account and accessing your account settings. We will respond to correction requests in accordance with applicable data protection laws, and may require verification of your identity before making changes.
      3. Deletion (Right to Erasure): Depending on where you reside, you may have the right to request that we delete your Personal Data, and we will do so unless an exemption applies. For example, we may need to retain certain data for legal obligations or legitimate interests (see Data Retention section). If you close your account, we will delete, deidentify or anonymize your data within a reasonable period, except as required to retain for legal reasons.
      4. Objection and Restriction: If we process your data based on legitimate interests, you can object to that processing, depending on where you reside. You can also request that we restrict processing in certain circumstances (for example, while we verify a correction request or if you contest the lawfulness of processing). Under certain U.S. state laws, you may object to certain targeted advertising uses (see Opt-Out of Targeted Ads below).
      5. Withdraw Consent: Where we rely on your consent (e.g., for marketing or certain data uses), you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal but will stop further processing of the relevant data. For example, you can unsubscribe from marketing emails using the “unsubscribe” link, or adjust cookie settings to withdraw consent for analytics/ads cookies.
      6. Do Not Sell or Share My Personal Information (Opt-Out of Sale/Sharing for Targeted Advertising): Under certain U.S. state laws, you have the right to opt out of the “sale” or “sharing” of your personal information. “Sale” is broadly defined to include certain data sharing with third parties for valuable consideration, and “sharing” includes disclosing data for targeted advertising purposes. You may also have the right to opt out of processing that involves profiling that produces legal or similarly significant effects. How to Exercise: We provide a cookies management link on our website footer for residents in relevant jurisdictions which includes a “Do Not Sell or Share My Personal Information” button. For other states, we treat this mechanism as an opt-out of targeted advertising as well. Additionally, you can use browser-based opt-out signals such as the Global Privacy Control (GPC); we will honor such signals as a valid opt-out request for that browser/device, across the US, in line with the applicable laws and as required by California law. Once you opt out, we will not share your personal data with third-party advertising partners except as allowed for certain business purposes (e.g., service providers acting on our behalf). Note: You may still see generic ads not based on your personal data.
      7. Opt-Out of Marketing Communications: You can opt out of receiving marketing emails from us at any time by: (i) Clicking the “unsubscribe” link included at the bottom of any of our marketing emails, or (ii) Updating your email communication preferences directly in your account settings. Please note: Even if you opt out of marketing communications, we may still send you transactional or service-related messages, such as billing notifications, password resets, or updates about your account. Push Notifications: If our app sends push notifications, you can disable these at any time in your device settings. Transactional or service-related communications (e.g., account alerts, password resets, etc.) cannot be opted out of, as they are necessary for service delivery.
      8. Automated Decision-Making: We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant impacts on individuals—such as decisions that affect your legal rights, eligibility for services, or financial status. If our practices change in the future, and where required by applicable laws, you will be informed and granted relevant rights as required by law.
      9. Appeals (for U.S. State Laws): If we decline to act on a rights request (e.g., we cannot fulfill it due to an exemption), we will explain our reasoning. In some jurisdictions, you may have the right to appeal our decision within a reasonable time. We will inform you how to appeal in our response, and how you may contact your state’s Attorney General if you have concerns.
      10. Non-Discrimination: We will not deny goods or services, charge different prices, or provide a different level of quality if you exercise any of your privacy rights. If any program requires personal data (like a rewards program), we will provide a fair explanation and obtain consent if required by law (for example, financial incentives disclosures under CCPA).
    2. How to Exercise Your Rights:
      1. Contact via Email: The easiest way is to email us at privacy@thebrief.ai. Please state your identity and specify which right you want to exercise. We may need to verify your identity (for instance, via your account email or additional info) to process certain requests.
      2. Authorized Agents: Depending on where you reside, you may have the right to designate an authorized agent to make requests on your behalf. We will require proof of the agent’s authority and verification of your identity.
      3. Response Time: We aim to respond to all valid requests within the timeframe required by law depending on where you reside. We will notify you if we need more time.
      4. Complaints: If you have concerns about how we handle your Personal Data, we encourage you to contact us first at privacy@thebrief.ai, so we can address and resolve the issue promptly. If you are located in the European Union (EU) or European Economic Area (EEA), you have the right under the GDPR to file a complaint with the data protection supervisory authority in your country of residence, your place of work or the location where the alleged infringement occurred. You can find a list of EU/EEA supervisory authorities on the website of the European Data Protection Board (EDPB). If you are located in the United Kingdom, you can submit a complaint to the Information Commissioner’s Office (ICO) via https://ico.org.uk/make-a-complaint/. If you are a user in Brazil, you can contact the Autoridade Nacional de Proteção de Dados (ANPD), the Brazilian data protection authority, via their website: https://www.gov.br/anpd.
  7. DATA RETENTION
    We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Policy, and to comply with legal or business requirements.
    1. Retention Criteria: When determining retention periods, we consider factors such as: the duration of our relationship with you, the nature of the data, the purpose of processing, and legal requirements. Specifically:
      1. Active Account Data: Information associated with your account is kept while your account is active. If you delete your account or it becomes inactive, we will either delete the data or anonymize it within a set timeframe, unless we need to retain it longer, considering the criteria below.
      2. Legal Obligations: Certain Personal Data must be retained to comply with law. For example, transaction records may be kept for accounting/tax statutory retention periods, typically seven (7) years in some jurisdictions. If a legal claim is anticipated, we may retain data relevant to that claim.
      3. Backups: Even after deletion, some data may persist in secure backups for a limited period but will be removed during the next backup rotation or retention cycle.
      4. Marketing Data: If you unsubscribe from marketing, we will stop sending and generally delete or anonymize your contact data for marketing purposes. However, we may keep minimal information (e.g., email) to honor your opt-out (to ensure we don’t accidentally re-add you).
      5. Anonymized or De-Identified Data: We may retain and use information that has been aggregated, anonymized or de-identified (so it is no longer Personal Data under applicable law) for analysis, improvements, and reporting – this is not subject to deletion requests since it no longer identifies any individual.
    2. Retention Periods by Data Type.
      1. We retain personal data only as long as necessary for the purposes described in this Policy. Typical retention periods include:
        1. Account and usage logs: Retained for up to ninety (90) days after the user’s last activity to support security, analytics, and customer service.
        2. Marketing leads: Retained for up to three (3) years after the last engagement (e.g., email open, form submission), unless you opt out earlier.
        3. Financial and tax records: Retained as required by applicable law.
        4. Support communications: Stored for up to three (3) years, depending on the nature of the inquiry and applicable laws.
        5. Interaction data: Retained for up to ninety (90) days, unless otherwise specified by tool configuration or legal obligation.
      2. Once the retention period expires, we will securely delete, de-identify or anonymize your Personal Data. If deletion is not possible (for example, archived in backups), we will securely store it and isolate it from further processing until deletion is feasible.
  8. DATA SECURITY MEASURES
    Your privacy and data security are of paramount importance to us. We implement technical and organizational measures to protect your Personal Data from unauthorized access, alteration, disclosure, or destruction, including:
    1. Encryption in Transit and At Rest: We use industry-standard encryption protocols. For example, our website and apps enforce HTTPS/TLS for data in transit, and we encrypt sensitive data at rest in our databases (or with our cloud providers). Passwords are stored using one-way hashing (pbkdf2-sha256). For data transmissions, unless you specifically opt for an unencrypted channel, we always use encryption.
    2. Access Controls: Access to Personal Data is limited to authorized personnel who require it for their job. We employ role-based access, unique user IDs, and least-privilege principles. Administrative access to systems requires strong authentication (password and multi-factor authentication).
    3. Network Security: Our servers are hosted in secure data centers with firewalls, intrusion detection systems, and continuous monitoring. We isolate our environment in a Virtual Private Cloud (VPC) with strict network access controls.
    4. Security Assessments: We undergo regular security audits and assessments, including ISO 27001 certification of our information security management system. Periodic penetration testing and code reviews are conducted to find and fix vulnerabilities.
    5. Employee Training and Policies: Our staff receive training on data protection and must adhere to our internal security and privacy policies. We have an appointed Data Protection Officer (DPO) (if required by law) or a security team responsible for oversight.
    6. Incident Response: In the event of a Personal Data breach that poses a risk to your rights and freedoms, we will: (i) if required by the applicable law, notify the relevant supervisory authority without undue delay; and (ii) provide you with notification directly if the breach is likely to result in a high risk to your rights and freedoms, including: the nature of the breach, contact details for our DPO or other contact point, likely consequences of the breach, and measures taken or proposed to address the breach and mitigate possible adverse effects.
    7. Data Minimization: We adhere to the principles of data minimization and purpose limitation in our data collection and processing activities.
    8. Important: No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your Personal Data, we cannot guarantee absolute security. You also play a role: keep your account credentials confidential and alert us immediately if you suspect any unauthorized use of your account.
  9. CHILDREN’S PRIVACY
    Our Services are not directed to children under the age of 18 (or the minimum age required by applicable law, which may be higher in certain jurisdictions). We do not knowingly collect Personal Data from children under 18. If you are under 18, please do not use our Services or provide any Personal Data. If we learn that we have inadvertently collected Personal Data from an individual under the legally required minimum age without proper consent where required by applicable laws, we will delete that data as soon as possible. Parents or guardians who believe we might have information about a child can contact us to request deletion.
  10. INTERNATIONAL DATA TRANSFERS
    1. The Brief is a global service. Your Personal Data may be transferred to, and stored or processed in, countries other than your own. We primarily store data in the United States. By using our Services or providing us with your information, you acknowledge that your data may be transferred to our facilities and to those third parties with whom we share it (as described above), across international borders.
    2. EEA/UK/Switzerland Users: If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we comply with GDPR Chapter V (and equivalent UK law) regarding cross-border data transfers:
      1. Adequacy: Where possible, we rely on countries or recipients that have been deemed to provide an “adequate” level of protection by the European Commission (GDPR Article 45), for instance, if we transfer data to a service provider in a country with an adequacy decision.
      2. Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (e.g., the U.S.), we use the European Commission’s Standard Contractual Clauses as a lawful transfer mechanism. We have implemented the modernized SCCs (as of 2021) with our processors and partners where required. You can view or download our current SCCs, which are incorporated into the Data Processing Addendum.
      3. Additional Safeguards: In some cases, we implement supplementary measures on top of SCCs, such as encryption of data in transit and at rest, and careful review of government access laws in the importing country, following the recommendations of the EU “Schrems II” decision.
      4. Binding Corporate Rules (BCRs): At this time, we do not rely on BCRs, but if we adopt BCRs for intra-group transfers in the future, we will reflect that here.
      5. Explicit Consent for Transfers: In exceptional situations, we may ask for your consent to transfer data internationally (GDPR Art. 49(1)(a)). If we do, you will be informed of possible risks due to the absence of adequate safeguards.
    3. Brazil Users (LGPD): For transfers out of Brazil, we ensure compliance with LGPD Chapter V. This may involve using Brazil’s standard contractual clauses or other valid transfer mechanisms recognized by the Brazilian data protection authority (ANPD). If required, we will obtain your consent for certain international transfers in line with LGPD requirements, or operate under other legal bases permitted by LGPD for cross-border data flow.
    4. India Users (DPDP Act): The DPDP Act 2023 imposes conditions on international transfers (which will be detailed by the Government of India’s policies/rules). We will only transfer personal data outside India in accordance with those conditions, such as to whitelisted countries or with approved contract terms once available. Until specific rules are notified, we treat transfers from India with similar safeguards as GDPR (SCCs, etc.) to ensure high protection.
    5. Other Regions: For other jurisdictions with data transfer laws (e.g., Canada’s PIPEDA, Australia’s Privacy Act, etc.), we comply by taking reasonable steps to ensure any overseas recipient handles Personal Data in a manner consistent with this Policy and applicable law.
    6. Regardless of where your data is processed, we will protect it as described in this Policy and in accordance with applicable law. You have the right to contact us for more information about the safeguards we have in place for international transfers (see Contact Information below).
  11. CHANGES TO THIS POLICY
    We may update this Policy from time to time to reflect changes in our practices, legal updates, or for operational reasons. If we make changes, we will update the Effective Date at the top of this Policy. Your continued use of our Services after any changes to this Policy signifies your understanding and acknowledgement of the updated terms, to the extent permitted by law. If you do not agree with the changes, you should stop using the Services and close your account if applicable. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.
  12. CONTACT INFORMATION
    1. If you have any questions, concerns, or if you wish to submit a request to exercise your rights as detailed in this Policy, you can contact us using the details below:
      1. Address: The Brief, Inc., 490 Post St., Ste 500, PMB 2080 San Francisco, CA 94102, US
      2. Email: privacy@thebrief.ai
      3. Data Protection Officer (DPO): If you are from the United Kingdom or the European Economic Area, you may also contact our Data Protection Officer at dpo@thebrief.ai.
      4. EU/UK Representative: Creatopy SRL, Trade Center Building, 28E Nufarului St, 4th floor, Oradea, Bihor County, RO 410583.
    2. We will respond to your inquiries as soon as reasonably possible, and within any timeframes required by law. If you feel that we have not addressed your concerns satisfactorily, you may have the right to contact your local data protection authority or regulator.
      1. For EEA users, a list of data protection authorities is available on the European Data Protection Board website.
      2. UK users can contact the Information Commissioner’s Office (ICO) via https://ico.org.uk.
      3. Brazilian users may reach out to the Autoridade Nacional de Proteção de Dados (ANPD) through https://www.gov.br/anpd.
      4. Indian users may contact the Data Protection Board of India (once established under the Digital Personal Data Protection Act (DPDP Act)) or the relevant Ministry when further guidance is issued.
  13. REGIONAL PRIVACY SUPPLEMENTS
    To address specific regional requirements and rights, please refer to the below information. In case of any conflict between the foregoing and the regional information below, the supplement for your region will prevail for matters specific to that region.
    1. EEA/UK Privacy Supplement (GDPR Compliance)
      1. This supplement provides additional information required by the GDPR and local laws in European countries, including the United Kingdom.
      2. Controller Contact: The Brief Inc. is the data controller for Personal Data processed under this Policy, reachable at privacy@thebrief.ai.
      3. Legal Bases & Detailed Purposes: We have outlined in Section 3 our legal bases under GDPR. You can find more details there. We will not process your data in new ways incompatible with those purposes without informing you and, if required, obtaining your consent.
      4. Individual Rights under GDPR: In addition to the rights described in this Policy:
        1. You have the right to object to processing of your Personal Data where we are relying on legitimate interests (including profiling). If you object, we will stop processing unless we have compelling legitimate grounds or need to continue for legal claims.
        2. You have the right to object to direct marketing at any time. We will honor this (and as noted, we only send marketing with consent in the first place).
        3. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not currently engage in such processing and will update this Policy if that changes.
        4. We will inform you if we intend to further process your Personal Data for a purpose other than that for which it was collected, and provide any relevant further information.
        5. Data Transfers: As noted in this Policy, we use Standard Contractual Clauses or other safeguards for transfers outside the EEA. You can request a copy of the SCCs via our contact email.
        6. Right to lodge a Complaint: If you believe our processing of your Personal Data infringes GDPR, you have the right to lodge a complaint with an EU Data Protection Authority. For example, in Romania we fall under the jurisdiction of the ANSPDCP (Romanian DPA), and elsewhere, you can contact the authority in your country. Our lead supervisory authority (if applicable) will be indicated here. Our lead supervisory authority is the Romanian Data Protection Authority (ANSPDCP), as our main EU office is based in Romania. Representative: Creatopy SRL, Trade Center Building, 28E Nufarului St, Oradea, Bihor County, RO 410583.
        7. EEA Data Subject Requests: We may ask for additional information to confirm your identity when you exercise your GDPR rights, and we will respond within one month unless the request is complex (in which case we can extend by two further months with notice).
        8. User Experience & Support Interactions. To improve our services, we may process limited interaction data as follows: (i) Analytics: With your consent, we use user experience analytics tools (e.g., heatmaps, session replays) to understand general navigation patterns. These tools are configured to mask or exclude personal data and do not support live monitoring; (ii) Live Chat: Chat conversations may be monitored or stored for support and quality assurance purposes. Processing is based on our legitimate interest or your consent, where required; (iii) Calls & Screen Sharing: Support sessions via video or screen sharing may be recorded only with your explicit consent. Participation is optional.
        9. All data is handled securely, accessed only by authorized staff, and retained for limited periods. EU/EEA users have rights under GDPR, including access, rectification, and objection.
      5. United States Privacy Supplement (US State Laws)
        1. This supplement addresses rights and disclosures under key U.S. state privacy laws (California, Virginia, Colorado, Connecticut, Utah, and others as they come into effect in 2025 and beyond).
        2. Categories of Personal Information (California Notice): In the past 12 months, we have collected the following categories of personal information (as defined by the CCPA/CPRA):
          1. Identifiers (real name, postal address, email, phone number, IP address, account name).
          2. Customer Records (payment information, billing address).
          3. Commercial Information (purchase history with us, subscription details).
          4. Internet or Network Activity (browsing history on our site, interactions with our app).
          5. Geolocation Data (approximate location from IP or device, if enabled).
          6. Professional or Employment Information (if you provide a business title or company).
          7. Inferences (profiled preferences for ads or product interests – used internally). We do not collect sensitive personal information as defined in CCPA as amended by the CPRA except possibly account passwords or precise geolocation in app usage, and we do not use or disclose sensitive data for purposes other than those allowed by law (e.g., security, authentication).
        3. Purposes and Sources: We collect these categories of information from the sources and for the purposes described in this Policy (e.g., directly from users, through cookies, through service providers).
        4. Improving Support While Respecting Your Privacy: To make your experience even better, some interactions may be monitored or saved to help us improve service quality: (i) We may use User Experience Analytics technologies to better understand how visitors engage with our website. These tools help us identify usability issues and improve site functionality by analyzing general interaction patterns such as page navigation, clicks, and scrolling behavior. These technologies are configured to exclude or mask fields that may contain personal or sensitive information. They do not support live monitoring, and are only activated where legally required after you have given your consent. (ii) Chat Support: Conversations through live chat may be monitored and saved for quality assurance and to help us assist you more effectively. By using our chat features, you acknowledge and accept this practice. (iii) Calls & Screen Sharing: During support or onboarding sessions conducted via video call or screen sharing (e.g., Zoom), we may occasionally ask for permission to record the session. Your participation in any recording is entirely optional—we will always request your explicit consent in advance, and you are free to decline or leave the session at any time.
        5. Selling or Sharing: We do not sell personal information for money. We may “share” personal information with third parties for targeted advertising. Specifically, we may share Identifiers and Internet Activity (through cookies or pixels) with advertising networks to better reach you with relevant ads (if you have not opted out). Under Virginia/Colorado laws, this is considered processing for targeted advertising, which you have the right to opt out of. As noted above, our services are not directed to users under 18.
        6. In the last 12 months, we have shared the following categories for cross-context behavioral advertising: Identifiers (online identifiers like cookie IDs) and Internet/Network Activity, with advertising partners like Google or Meta. We have not knowingly sold or shared the personal information of minors under 16.
        7. Consumer Rights (Multi-State): You have the rights as outlined in this Policy: to access, delete, correct, opt out of sale/sharing/targeted advertising, and not be discriminated against for exercising these rights. California users also have the right to request information about financial incentives if we offer any (we currently do not offer programs that provide different prices or services in exchange for personal information beyond standard loyalty/referral programs; if we do, we will provide required notice and obtain opt-in consent).
        8. Exercising Your Rights: California residents can use the methods in this Policy. We will confirm receipt of requests within 10 days and respond within 45 days (with extensions if necessary). For deletion requests, note that certain data may be retained as permitted by law (e.g., to complete transactions or for legal compliance). For opt-out requests, we will comply as soon as feasibly possible, and at most within 15 business days for California.
        9. Appeals (VA/CO/CT): If we decline your request, our response will include instructions for how to appeal our decision within those states’ required timeline (usually within 45 days of our decision). If the appeal is denied, you may contact your state Attorney General.
        10. Authorized Agent (CA): As noted, agents can submit requests on behalf of a consumer, but we will need proof of authorization and may require the consumer to verify identity directly.
        11. Notice of Collection: This Policy serves as our notice at collection under CCPA. We have provided the categories, purposes, and whether we sell/share data.
        12. Employee and B2B Data (CA): If you are a California-based employee, job applicant, contractor, or business contact, we may collect and use your personal information in accordance with the California Consumer Privacy Act (CCPA). To understand your rights or request the applicable privacy notice, please contact us at privacy@thebrief.ai.
        13. Shine the Light (CA Civil Code §1798.83): We do not share personal information with third parties for their direct marketing purposes without consent.
        14. California Minors (Online Content Removal): If you are a California resident under 18 and have an account, you can request removal of content you publicly posted on our Services by contacting us. We will then anonymize or remove content as required by CA law (note: this doesn’t ensure complete removal, especially if reposted by others).
        15. Other State Laws: We also comply with the laws of other states such as Nevada (where you can opt out of sale under NRS 603A by emailing us, though we do not sell info) and with the new laws in the states listed in the introduction as they come into effect. We are monitoring emerging laws to ensure this Policy remains compliant.
      6. Brazil Privacy Supplement (LGPD Compliance)
        1. In compliance with Brazil’s Lei Geral de Proteção de Dados (LGPD), this supplement outlines rights and information for users in Brazil:
          1. Controller Information: For Brazilian users, The Brief, Inc. is the controller of your personal data. We may also have a local representative or affiliate in Brazil; if so, contact details will be provided here. Our primary contact for LGPD matters is privacy@thebrief.ai.
          2. Legal Bases under LGPD: LGPD provides several legal bases similar to GDPR (consent, contract, legal obligation, legitimate interest, etc.). The purposes and corresponding legal bases for processing your data are as described in Section 3. For instance:
            1. We rely on consent (Art. 7(I)) for sending marketing communications or using certain cookies (when required).
            2. We rely on contractual necessity (Art. 7(V)) to provide the Services you signed up for.
            3. We rely on legitimate interest (Art. 7(IX)) for improving our Services, preventing fraud, etc., but we ensure these do not override your fundamental rights.
            4. We may process data for legal obligations (Art. 7(II)) such as complying with tax law, and in certain cases for judicial procedures (Art. 7(VI)) if needed.
            5. If applicable, we might process data for the protection of credit (Art. 7(X)) though unlikely in our context.
            6. Vital interests and health bases likely do not apply to our normal operations, except in emergencies.
          3. Your Rights under LGPD: Brazilian data subjects have the following rights (per Art. 18 of LGPD):
            1. Confirmation and Access: Right to confirmation of the existence of processing and access to your data.
            2. Correction: Right to request correction of incomplete, inaccurate, or out-of-date data.
            3. Anonymization, Blocking, Elimination: Right to request anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with LGPD.
            4. Portability: Right to data portability to another service or product provider, by means of an express request, in accordance with ANPD regulations (subject to commercial and industrial secrecy).
            5. Deletion of Consent-Based Data: Right to deletion of personal data processed with your consent, except where retention is required by law.
            6. Info on Sharing: Right to information about public and private entities with which we have shared data.
            7. Info on Consent Option: Right to information about the possibility of denying consent and the consequences of such denial. (We provide this whenever we ask for consent — e.g., if you don’t consent to marketing emails, you simply won’t receive them, with no impact on core services).
            8. Withdrawal of Consent: Right to revoke consent at any time. Once consent is withdrawn, we will cease processing the data for that purpose.
            9. Review of Automated Decisions: We do not currently engage in any automated decision-making that produces legal or similarly significant effects. If we ever engage in such activities in the future, you would have the right to request a review of decisions that affect your interests.
            10. You may exercise these rights by contacting us at privacy@thebrief.ai. We will respond in accordance with LGPD and ANPD regulations, usually within 15 days of a verified request.
            11. Data Transfers: As described in this Policy, when transferring data outside Brazil, we use mechanisms like Standard Contractual Clauses or other ANPD-approved methods. By using our services, you understand that your data may be transferred internationally. We ensure that the receiving country or entity provides an adequate level of protection as required by LGPD (Art. 33 and 34).
            12. Enforcement and Contact: If you believe we have violated LGPD, you may file a complaint with Brazil’s National Data Protection Authority (ANPD). We encourage you to contact us first so we can address your concern.
            13. Children’s Data (Brazil): We do not process personal data of children under 12 without specific parental consent (per LGPD’s definition and requirements for children’s data). As noted in Section 8, our services are not intended for those under 18 generally, which covers compliance in Brazil for minors.
            14. User Experience Analytics: We may use User Experience Analytics technologies to better understand how users interact with our website. These tools help us improve site usability by analyzing general interaction data, such as page navigation and clicks. The technologies are configured to mask or exclude fields that may contain personal or sensitive data. In compliance with the Lei Geral de Proteção de Dados (LGPD), these tools are only activated with your consent, and are never used for live monitoring.
            15. Data Protection Officer (Encarregado): Under LGPD, we have designated a person (or team) as our Encarregado (DPO). You can reach them at dpo@thebrief.ai for any LGPD-related inquiries.
      7. India Privacy Supplement (DPDP Act Compliance)
        1. This supplement outlines how we comply with India’s Digital Personal Data Protection Act, 2023 (DPDP Act) for users in India:
          1. Data Fiduciary: The Brief, Inc. acts as a “Data Fiduciary” for the personal data we process under this Policy, meaning we determine the purpose and means of processing your personal data.
          2. Consent and Notice: The DPDP Act emphasizes consent and notice:
            1. We will provide a clear and easily understandable notice, such as this Privacy Policy, at or before the time we collect your personal data. This notice will specify: (i) What categories of personal data are being collected (e.g., name, contact information, online identifiers, usage data). (ii) Why we are collecting it – including purposes like service provision, user account management, personalization, security, legal compliance, and marketing (if applicable).
            2. The notice will be provided in English, and in any of the Scheduled Languages of India (as listed in the Eighth Schedule of the Constitution), if reasonably necessary for better understanding by the Data Principal (e.g., where our services target users who primarily communicate in Hindi, Tamil, Bengali, etc.).
            3. We will only process your data for lawful purposes and in ways you would reasonably expect, consistent with the notice given.
            4. Consent: We will seek your consent before processing your personal data, unless another legal basis under DPDP Act applies (such as for performance of a contract, or compliance with law, etc., once such bases are clarified by the government). Consent will be: (i) Free, specific, informed, and unambiguous, signified by a clear affirmative action (similar to GDPR’s standard); (ii) We will inform you of how to withdraw consent as easily as it was given (e.g., by contacting privacy@thebrief.ai); (iii) If we introduce a consent manager (an intermediary) as per DPDP, we will comply with its framework.
          3. Data Principal Rights: Under the DPDP Act, Indian users (Data Principals) have rights such as:
            1. Right to Access: You can confirm if we are processing your data and request a summary of the data we have about you.
            2. Right to Correction and Erasure: You can request correction of inaccurate or misleading data, completion of incomplete data, and erasure of data that is no longer necessary for the purpose. If we correct or delete data that was shared with a third party, we will notify them if required.
            3. Right of Grievance Redressal: You can lodge a complaint at privacy@thebrief.ai regarding data processing.
            4. Right to Nominate (Posthumous Rights): You may have the right to nominate another individual to exercise your rights in the event of your death or incapacity (once the law provides the mechanism for this).
            5. Withdrawal of Consent: As mentioned, you can withdraw consent at any time; after withdrawal, we will stop processing your data for the purposes for which consent was obtained.
          4. We will respond to your requests within the timeframe specified by the DPDP Act or its rules (to be prescribed, currently expected to be within a reasonable time).
          5. Grievance Redressal: In accordance with Sec 14 of the DPDP Act, you can lodge a complaint at privacy@thebrief.ai. Please include “Grievance – India DPDP” in the subject line for clarity. We will acknowledge receipt of your grievance within 24 hours and endeavor to resolve it within 15 days or as prescribed. If you are not satisfied with our response, you may approach India’s Data Protection Board (once established) for further redressal, as per the rules that will be notified.
          6. Data Transfers: The Indian government will notify regions where data can be transferred. Until those are specified, we ensure a high standard of data protection for international transfers from India, similar to GDPR mechanisms (SCCs etc.), as explained in Section 10. We will update our practices to align with any specific whitelisting/blacklisting of countries or transfer conditions under DPDP rules.
          7. Data Security and Breach Notification: We implement security safeguards per Section 8 of this Policy. In case of a personal data breach likely to cause harm to Data Principals, we will notify the Data Protection Board of India and possibly affected individuals as required by the DPDP Act (once notification obligations are clarified).
          8. Children and Persons with Disabilities: The DPDP Act requires parental consent for processing data of children (under 18 in India), and places restrictions on tracking or targeted advertising directed at children. As noted, our Services are not intended for users under 18 globally, and definitely not for those under 18 in India without parental consent. We do not profile or track children specifically. For users with disabilities who may require guardians, we will work with verifiable guardianship consents in processing data, as needed.
          9. Fair and Reasonable Processing: Even where specific rights or bases differ, we commit to processing personal data in a fair and reasonable manner that respects your privacy, as required by the DPDP Act.