Privacy Policy

Effective Date: October 17, 2025

Last Updated: October 17, 2025

This Privacy Policy describes how Mocksi Inc. ("Brief," "we," "us," or "our") collects, uses, and shares information when you use our Brief service (the "Service"). Brief is context infrastructure for development teams that integrates with your development tools and uses AI to provide business intelligence to your workflow.

By using Brief, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Data Controller & Contact Information

Data Controller: Mocksi Inc.
Contact: privacy@briefhq.ai
Data Protection Officer: Andrew Dillon, CEO (privacy@briefhq.ai)

2. Notice at Collection

Under California and other state privacy laws, we must disclose what personal information we collect, why we collect it, and how long we keep it.

| Category of Personal Information | Examples | Source | Business Purpose | Retention Period | Do We Sell or Share? |
| --- | --- | --- | --- | --- | --- |
| Identifiers | Email address, name, account ID, IP address | You, your organization | Account creation, authentication, service delivery, support | Active account + 30 days after deletion | No |
| Commercial Information | Subscription plan, payment status, billing history | You, Stripe | Billing, subscription management | Active account + 7 years (tax/accounting) | No |
| Internet/Network Activity | Usage analytics, feature interactions, document views, search queries, log data | Automatic collection, PostHog | Service improvement, analytics, debugging | 24 months | No* |
| Professional Information | Organization name, team roles, workspace membership | You, your organization | Workspace management, collaboration features | Active account + 30 days after deletion | No |
| User-Generated Content | Documents, decisions, product graph data, any content in open text fields | You | Service delivery, AI processing, context intelligence | Active account + 30 days after deletion | No |
| Integration Data | GitHub repos/code, Linear issues, Notion pages, Slack messages, and data from other connected tools | Third-party integrations you authorize | Context synthesis, AI intelligence, service delivery | Cached up to 90 days; deleted within 30 days of integration disconnect | No |
| Geolocation Data (Approximate) | City/region derived from IP address | Automatic collection | Service delivery, analytics | 24 months | No |
| Sensitive Personal Information | None collected directly; may be in user-generated content or integration data if you choose to input it | You (if provided) | Only as necessary for service delivery | Same as category above | No |

*PostHog Analytics: We use PostHog for product analytics. PostHog data is not sold but may be used for analytics purposes. We do not share this data for cross-context behavioral advertising.

Important: We provide open text fields where you may input any content. You are solely responsible for any sensitive, confidential, or personal information you choose to provide through these fields.

3. Information We Collect

3.1 Information You Provide Directly

Account Information: When you create a Brief account, we collect:

  • Email address
  • Name
  • Organization affiliation

User-Generated Content: When you use Brief, you may provide:

  • Documents (user research notes, planning documents, project documentation)
  • Decision logs (including rationale, tags, and lifecycle conditions)
  • Product graph data (company information, customers, service definitions, competitive advantages, business model, goals, team information, velocity preferences, metrics)
  • Folder structures and document organization
  • Any other content you choose to input into Brief

Important Note: While we only require email and name, Brief contains open text fields where you may input additional information. You are responsible for any information you choose to provide through these fields, including any personal data or sensitive information.

3.2 Information from Third-Party Integrations

Brief integrates with third-party services you authorize. When you connect an integration, we access and store data according to the permissions you grant:

Currently Available Integrations:

  • GitHub: Repository data (names, descriptions, code content, commits, branches, pull requests, issues, comments, labels, contributors), user profiles, organization data, team memberships
  • Linear: Team data, issue information (titles, descriptions, states, assignees), project data, comments
  • Notion: Pages, databases, workspace content
  • Slack: Messages, channels, user information

Planned Integrations (as we expand the Service):

  • Project Management: Jira, Asana, ClickUp, Monday, Airtable, Motion
  • Documentation: Confluence, Google Docs
  • Meeting Tools: Fireflies, Fathom, Google Calendar
  • Analytics: PostHog, Mixpanel
  • CRM & Support: Salesforce, HubSpot, Attio, Close, Zendesk, Freshdesk
  • Google Workspace: Gmail, Google Drive, Google Sheets
  • Communication: Microsoft Teams, Discord
  • Code Repositories: GitLab
  • Sales Tools: Gong, Pipedrive
  • Other Services: As needed to support your workflow

Each integration is authorized through OAuth or API key authentication. You control which integrations to connect and can revoke access at any time. We access only the data necessary to provide Brief's context intelligence features.

3.3 Usage Information

We automatically collect certain information when you use Brief:

  • Usage analytics (how you interact with Brief, including document views, search queries, tool usage)
  • Device information (browser type, operating system)
  • Log data (IP address, access times, pages viewed)
  • Approximate geolocation (city/region derived from IP address)

We use PostHog for analytics to understand how the Service is used and to improve it.

3.4 Payment Information

Payment processing is handled by Stripe. We do not store your credit card information or other payment details. Stripe's privacy policy governs their handling of your payment information. We receive and store subscription status, plan information, and billing history from Stripe.

4. How We Use Your Information

We use the information we collect for the following purposes, based on the legal grounds described below:

4.1 To Provide the Service (Legal Basis: Contract Performance)

  • Deliver Brief's core functionality as context infrastructure for your development team
  • Feed business context to AI development tools via Model Context Protocol (MCP)
  • Synthesize information across documents, decisions, and external integrations
  • Answer contextual questions (e.g., "Why did we choose PostgreSQL?" or "What's our 6-month goal?")
  • Surface relevant past decisions to prevent rework
  • Facilitate team onboarding with historical context
  • Process billing and manage subscriptions
  • Provide customer support

4.2 AI Processing (Legal Basis: Contract Performance)

  • Process your data using AI language models to provide intelligent responses and recommendations
  • Generate context-aware suggestions based on your product graph, decisions, and integrated data
  • Maintain alignment between development work and strategic objectives

4.3 To Improve and Maintain the Service (Legal Basis: Legitimate Interests)

  • Monitor and analyze usage patterns to improve Brief's features and performance
  • Debug technical issues and ensure service reliability
  • Ensure security and prevent abuse
  • Conduct product analytics via PostHog

4.4 To Communicate with You (Legal Basis: Contract Performance / Legitimate Interests / Consent)

  • Send service-related announcements and updates (contract performance)
  • Respond to your inquiries and support requests (contract performance)
  • Send renewal and billing notices (contract performance / legal obligation)
  • Send marketing communications (consent - you may opt out at any time)

4.5 Legal Compliance (Legal Basis: Legal Obligation / Legitimate Interests)

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Protect our rights and the rights of our users
  • Respond to legal requests and prevent harm

5. AI Model Providers and Data Processing

Brief uses artificial intelligence to process your data and provide intelligent context. Here's what you need to know:

5.1 AI Providers We Use

Brief uses multiple AI language model providers, including but not limited to:

  • Anthropic (Claude): For natural language processing and context generation
  • OpenAI (GPT models): For natural language processing and context generation
  • Other AI model providers as needed to deliver the Service

For detailed information about our AI systems, see our AI System Card below.

5.2 What Data is Sent to AI Providers

When you use Brief's AI features, we send the following to AI providers' APIs:

  • Your queries and prompts
  • Document content you've created in Brief
  • Decision logs and product graph data
  • Code snippets, issue descriptions, and other data from connected integrations
  • Any other content necessary to answer your questions or provide context

5.3 Training Data Policy

We do NOT use your data to train AI models. We use enterprise API tiers with zero data retention policies where available. Your data is processed by AI providers solely to deliver responses to you and is not stored or used for training by these providers under their standard API terms.

5.4 Data Residency and Transfers

Data sent to AI providers may be processed in various locations, including the United States. For transfers to countries outside your jurisdiction:

  • For EU/UK users: We rely on Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum where applicable
  • For other users: We use providers with enterprise-grade security and data protection practices

See Section 12 for more information on international transfers.

5.5 Your Control

All AI processing is in service of delivering Brief's functionality to you. By using Brief, you consent to this AI processing. You control what information you input into Brief and can choose not to use AI features if you prefer.

6. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

6.1 With Your Consent

When you authorize integrations, you explicitly consent to Brief accessing and processing data from those services.

6.2 Service Providers and Subprocessors

We share information with third-party service providers and subprocessors who perform services on our behalf. These parties are contractually obligated to use your information only to provide services to us and to protect your information.

Current Subprocessors:

| Subprocessor | Service Provided | Data Processed | Location |
| --- | --- | --- | --- |
| Anthropic | AI language model processing | User queries, documents, code, integration data | United States |
| OpenAI | AI language model processing | User queries, documents, code, integration data | United States |
| Stripe | Payment processing | Email, name, billing information, payment methods | United States |
| PostHog | Product analytics | Usage data, feature interactions, anonymized user identifiers | United States / EU |
| Render | Cloud hosting and infrastructure | All user data | United States |
| Supabase | Database services | All user data | United States |
| Lemlist | Email delivery | Email addresses, names, transactional and marketing emails | United States / EU |

We maintain an up-to-date list of subprocessors and will provide 30 days' advance notice before adding new subprocessors that process personal data. You may object to new subprocessors by contacting privacy@briefhq.ai.

6.3 MCP Protocol

Brief exposes your data via Model Context Protocol (MCP) to AI development tools you use (such as Claude Desktop, Cursor, or other MCP-compatible tools). This is a core feature of the Service. The data shared is limited to what you request through your local AI tools.

6.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government agencies).

6.5 Business Transfers

If Brief is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6.6 Protection of Rights

We may disclose information when we believe it is necessary to:

  • Enforce our Terms of Service
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others
  • Prevent fraud or abuse of the Service

7. Third-Party Services and Integrations

When you connect third-party integrations to Brief, those services' privacy policies and terms of service govern their collection and use of your information. We are not responsible for the privacy practices of these third-party services.

Each integration you authorize is subject to:

  • That service's terms of service
  • That service's privacy policy
  • The specific permissions you grant during OAuth authorization or API key setup

You can review and revoke integration permissions at any time through your Brief account settings.

8. Cookies, Tracking Technologies, and Do Not Track

8.1 Cookies and Similar Technologies

We use cookies and similar tracking technologies to:

  • Maintain your session and keep you logged in
  • Remember your preferences
  • Analyze usage patterns via PostHog
  • Ensure security and prevent fraud

You can control cookies through your browser settings. Disabling cookies may limit some functionality of the Service.

8.2 PostHog Analytics

We use PostHog for product analytics. PostHog may use cookies and similar technologies to track your usage of the Service. PostHog data is used solely for product improvement and is not shared for advertising purposes.

8.3 Do Not Track and Global Privacy Control

Do Not Track (DNT): We do not currently respond to browser Do Not Track signals.

Global Privacy Control (GPC): We recognize and honor Global Privacy Control signals as an opt-out of the "sale" or "sharing" of personal information for users in jurisdictions where this applies (e.g., California). If we detect a GPC signal from your browser, we will not share your data for analytics or advertising purposes beyond what is necessary to provide the Service.

9. Data Security

We take the security of your information seriously and implement appropriate technical and organizational measures:

9.1 Security Measures

Encryption:

  • Data in transit is encrypted using HTTPS/TLS
  • Data at rest is encrypted in our databases

Access Controls:

  • Role-based access controls
  • Authentication requirements for all accounts
  • Secure OAuth token storage for integrations
  • Secure API key management
  • Principle of least privilege

Internal Access: Only the CEO (Andrew Dillon) has access to user data, and such access is used solely for customer support purposes when explicitly requested by users.

Vendor Due Diligence: We vet all subprocessors for security and privacy compliance before engagement.

Vulnerability Reporting: If you discover a security vulnerability, please report it to security@briefhq.ai. We will respond promptly to security reports.

9.2 Breach Notification

In the event of a data breach that affects your personal information, we will notify you without undue delay as required by applicable law. Notifications will be sent to the email address associated with your account and may also be posted on our website or within the Service.

9.3 Limitations

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

10. Data Retention

We retain your information for as long as your account is active or as needed to provide you the Service, and for specific periods based on legal, business, or operational needs.

10.1 Retention Periods by Category

| Data Category | Retention Period |
| --- | --- |
| Account information (email, name) | Active account + 30 days after deletion |
| User-generated content (documents, decisions) | Active account + 30 days after deletion |
| Product graph data | Active account + 30 days after deletion |
| Integration data (cached) | Up to 90 days while integration is active; deleted within 30 days of integration disconnect |
| Usage analytics and logs | 24 months |
| Billing records (invoices, payment history) | 7 years (tax and accounting compliance) |
| Support communications | 3 years |
| Backup data | Up to 90 days |

10.2 Deletion Requests

You may request deletion of your account and associated data at any time by contacting privacy@briefhq.ai. We will delete your data within 30 days of your request, except where we are required to retain certain information for legal compliance, dispute resolution, or enforcement of our agreements.

10.3 Post-Deletion

After account deletion:

  • Your data is removed from active systems within 30 days
  • Backup copies may persist for up to 90 days
  • Billing records are retained for 7 years for tax compliance
  • Aggregated, anonymized data may be retained indefinitely

11. Your Rights and Choices

11.1 General Rights

Access and Correction: You can access and update your account information through your Brief account settings at any time.

Data Portability: You can export your documents and decisions from Brief at any time through your account dashboard.

Deletion: You can delete documents, decisions, and your entire account. Contact privacy@briefhq.ai to request account deletion.

Integration Control: You can connect or disconnect integrations at any time through your account settings. Disconnecting an integration revokes Brief's access to that service.

Marketing Communications: You can opt out of marketing emails by following the unsubscribe link in those emails or by contacting privacy@briefhq.ai.

11.2 California Privacy Rights (CPRA/CCPA)

If you are a California resident, you have the following rights under the California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA):

Right to Know: You can request:

  • Categories of personal information we have collected about you
  • Categories of sources from which we collected your personal information
  • Our business or commercial purpose for collecting or selling personal information
  • Categories of third parties with whom we share personal information
  • Specific pieces of personal information we have collected about you

Right to Delete: You can request deletion of your personal information, subject to certain exceptions.

Right to Correct: You can request correction of inaccurate personal information we maintain about you.

Right to Opt-Out of Sale or Sharing: We do not sell personal information. If our practices change, we will provide a "Do Not Sell or Share My Personal Information" link and honor your opt-out request.

Right to Limit Use of Sensitive Personal Information: If we use or disclose sensitive personal information for purposes beyond providing the Service, you have the right to limit such use. Currently, we only use sensitive personal information (if any) to provide the Service.

Right to Non-Discrimination: We will not discriminate against you for exercising your CPRA/CCPA rights.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority.

Response Timing: We will respond to verifiable requests within 45 days. If we need more time (up to 90 days total), we will inform you of the reason and extension period.

Verification: To protect your privacy, we will verify your identity before responding to requests. Verification may require matching information you provide with information we have on file.

To Exercise Your Rights: Contact privacy@briefhq.ai with your request.

11.3 Other U.S. State Privacy Rights

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you have similar rights to those described for California residents, including:

Right to Access: Request access to your personal information.

Right to Delete: Request deletion of your personal information.

Right to Correct: Request correction of inaccurate personal information.

Right to Opt-Out: Opt out of:

  • Targeted advertising (we do not currently engage in targeted advertising)
  • Sale of personal information (we do not sell personal information)
  • Profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling)

Right to Appeal: If we deny your request, you may appeal by contacting privacy@briefhq.ai. We will respond to your appeal within 60 days. If we deny your appeal, we will provide information about how to contact your state attorney general to submit a complaint.

To Exercise Your Rights: Contact privacy@briefhq.ai with your request.

11.4 European Union and United Kingdom Rights (GDPR/UK GDPR)

If you are in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:

Right of Access: You can request a copy of your personal data.

Right to Rectification: You can request correction of inaccurate personal data.

Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data in certain circumstances.

Right to Restrict Processing: You can request that we limit how we use your personal data.

Right to Data Portability: You can request a copy of your personal data in a structured, machine-readable format.

Right to Object: You can object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time.

Right to Lodge a Complaint: You can lodge a complaint with your local data protection authority:

  • EU: Contact your national supervisory authority (list available at https://edpb.europa.eu/about-edpb/board/members_en)
  • UK: Contact the Information Commissioner's Office (ICO) at https://ico.org.uk/

Response Timing: We will respond to requests within one month. If we need more time (up to three months total), we will inform you of the reason and extension period.

To Exercise Your Rights: Contact privacy@briefhq.ai with your request.

12. International Data Transfers

Brief is operated from the United States. If you are located outside the United States, please be aware that information we collect will be transferred to, stored, and processed in the United States.

12.1 Legal Basis for Transfers

For EU/UK Users: We transfer personal data from the EU and UK to the United States and other countries based on:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (2021/914) for transfers from the EU
  • UK International Data Transfer Addendum: We use the UK Addendum to the SCCs for transfers from the UK
  • Your Consent: By using Brief, you consent to the transfer of your information to the United States and other countries where our subprocessors operate

12.2 Adequacy and Safeguards

Where we transfer data to countries without an adequacy decision from the European Commission or UK, we implement appropriate safeguards such as SCCs and conduct transfer impact assessments.

12.3 Subprocessor Locations

Our subprocessors process data in the following locations:

  • United States: Anthropic, OpenAI, Stripe, cloud hosting
  • EU/US: PostHog (with EU data residency options)

By using Brief, you consent to these transfers.

13. Children's Privacy

Brief is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us at privacy@briefhq.ai, and we will take steps to delete such information promptly.

14. AI System Card

This section provides transparency into Brief's use of artificial intelligence systems.

14.1 AI Providers and Models

Providers Used:

  • Anthropic: Claude language models (including Claude 3 family and successors)
  • OpenAI: GPT language models (including GPT-4 and successors)
  • Other providers: We may use additional AI providers as technology evolves

14.2 Inputs Shared with AI Systems

When you use Brief's AI features, the following data may be sent to AI providers:

  • Your natural language queries and prompts
  • Documents you've created in Brief (research notes, planning docs, etc.)
  • Decision logs and rationale you've recorded
  • Product graph data (goals, customers, competitive advantages, etc.)
  • Code snippets, commit messages, and repository metadata from GitHub
  • Issue titles, descriptions, and comments from Linear and other PM tools
  • Meeting notes and transcripts from connected tools (if you connect them)
  • Any other content necessary to generate contextual responses

14.3 Data Retention by AI Providers

Zero-Retention Policy: We use enterprise API tiers that do not retain your data for training or other purposes. Data sent to AI providers is processed solely to generate responses and is not stored beyond the duration of the API request.

Exception: Some AI providers may retain data for a limited period (typically 30 days or less) solely for abuse monitoring and service improvement, not for training. Consult provider-specific policies:

  • Anthropic: https://www.anthropic.com/legal/privacy
  • OpenAI: https://openai.com/enterprise-privacy

14.4 Safety Measures and Limitations

Safety Measures:

  • We use AI providers with robust content filtering and abuse prevention
  • We do not use AI outputs for automated decision-making with legal or similarly significant effects
  • Users can report problematic AI outputs to support@briefhq.ai

Limitations:

  • AI-generated content may contain errors, inaccuracies, or hallucinations
  • Users must review and verify AI outputs before relying on them
  • AI cannot provide professional advice (legal, financial, medical, etc.)
  • AI responses are probabilistic and not deterministic

14.5 User Controls

You Control:

  • What data you input into Brief (you can choose to exclude sensitive information)
  • Whether to use AI features (you can use Brief without AI processing)
  • Which integrations to connect (limiting what data is available for AI context)

Opt-Out: If you prefer not to have your data processed by AI, contact privacy@briefhq.ai to discuss alternative service configurations.

14.6 EU AI Act Compliance

Current Status: Brief's AI systems are classified as General Purpose AI (GPAI) under the EU AI Act. We are monitoring regulatory developments and will implement required transparency and risk management measures as the Act's provisions come into force (2025-2027 timeline).

Transparency: We commit to maintaining this AI System Card with up-to-date information about our AI systems, providers, and practices.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notice of Changes: We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page and updating the "Last Updated" date
  • Sending an email notification to the address associated with your account
  • Providing prominent notice through the Service

Your Acceptance: Your continued use of Brief after such changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the modified Privacy Policy, you must stop using the Service.

Review: We encourage you to review this Privacy Policy periodically.

16. Contact Us & Data Protection Officer

If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your privacy rights, please contact us:

Email: privacy@briefhq.ai
Security Issues: security@briefhq.ai
Data Protection Officer: Andrew Dillon, CEO (privacy@briefhq.ai)

Company: Mocksi Inc.
Location: San Francisco, California, United States

17. Data Processing Addendum

For enterprise customers who require a Data Processing Addendum (DPA) for GDPR, CCPA, or other compliance purposes, please contact privacy@briefhq.ai. We will work with you to execute an appropriate DPA.

18. Accessibility

We are committed to making our Privacy Policy accessible to everyone. If you have difficulty accessing this Privacy Policy or need it in an alternative format, please contact privacy@briefhq.ai.


Mocksi Inc. doing business as Brief
San Francisco, California, United States

Version: 2.0 (2025-Compliant)