Privacy Policy
Effective Date: October 17, 2025
Last Updated: April 9, 2026
This Privacy Policy describes how Brief Labs Inc. ("Brief," "we," "us," or "our") collects, uses, and shares information when you use our Brief service (the "Service"). Brief is a product intelligence platform for development and go-to-market teams. It integrates with your development tools, CRM, meeting tools, analytics, and other business systems, and uses AI — including autonomous background agents — to provide context intelligence, revenue insights, competitive analysis, and strategic alignment to your workflow.
By using Brief, you agree to the collection and use of information in accordance with this Privacy Policy.
1. Data Controller & Contact Information
Data Controller: Brief Labs Inc.
Contact: privacy@briefhq.ai
Data Protection Officer: Andrew Dillon, CEO (privacy@briefhq.ai)
2. Notice at Collection
Under California and other state privacy laws, we must disclose what personal information we collect, why we collect it, and how long we keep it.
| Category of Personal Information | Examples | Source | Business Purpose | Retention Period | Do We Sell or Share? |
|---|---|---|---|---|---|
| Identifiers | Email address, name, account ID, IP address | You, your organization | Account creation, authentication, service delivery, support | Active account + 30 days after deletion | No |
| Commercial Information | Subscription plan, payment status, billing history | You, Stripe | Billing, subscription management | Active account + 7 years (tax/accounting) | No |
| Internet/Network Activity | Usage analytics, feature interactions, document views, search queries, log data | Automatic collection, PostHog | Service improvement, analytics, debugging | 24 months | No* |
| Professional Information | Organization name, team roles, workspace membership | You, your organization | Workspace management, collaboration features | Active account + 30 days after deletion | No |
| User-Generated Content | Documents, decisions, product graph data, any content in open text fields | You | Service delivery, AI processing, context intelligence | Active account + 30 days after deletion | No |
| Integration Data | GitHub repos/code, Linear issues, Jira issues, Asana tasks, Confluence pages, Notion pages, Slack messages, Google Workspace files, HubSpot CRM data (contacts, companies, deals), meeting transcripts (Fathom, Fireflies, Granola), analytics data (PostHog), and data from other connected tools | Third-party integrations you authorize | Context synthesis, AI intelligence, service delivery | Cached up to 90 days; deleted within 30 days of integration disconnect (14 days for Slack — see Section 3.2.1) | No |
| Agent-Generated Data | Entity links, confidence scores, suggested decisions, research signals, persona profiles, deal pipeline data, competitive intelligence, vector embeddings, agent trajectory logs | Automated AI agent processing of your data | Context intelligence, entity resolution, strategic analysis | Active account + 30 days after deletion | No |
| Voice Data | Voice input transcribed to text, stored as conversation messages | You (if you use voice features) | Service delivery, voice-to-text processing via ElevenLabs | Transcribed text: Active account + 30 days after deletion. Audio: processed by ElevenLabs in real-time, not stored by Brief. | No |
| Geolocation Data (Approximate) | City/region derived from IP address | Automatic collection | Service delivery, analytics | 24 months | No |
| Sensitive Personal Information | None collected directly; may be in user-generated content or integration data if you choose to input it | You (if provided) | Only as necessary for service delivery | Same as category above | No |
*PostHog Analytics: We use PostHog for product analytics. PostHog data is not sold but may be used for analytics purposes. We do not share this data for cross-context behavioral advertising.
Important: We provide open text fields where you may input any content. You are solely responsible for any sensitive, confidential, or personal information you choose to provide through these fields.
3. Information We Collect
3.1 Information You Provide Directly
Account Information: When you create a Brief account, we collect:
- Email address
- Name
- Organization affiliation
User-Generated Content: When you use Brief, you may provide:
- Documents (user research notes, planning documents, project documentation)
- Decision logs (including rationale, tags, and lifecycle conditions)
- Product graph data (company information, customers, service definitions, competitive advantages, business model, goals, team information, velocity preferences, metrics)
- GTM context data (competitors, deals/pipeline, positioning, target audiences, differentiators)
- User personas (segment information, needs, pain points)
- Research signals (customer requests, validation signals, churn risk indicators)
- Folder structures and document organization
- Any other content you choose to input into Brief
Important Note: While we only require email and name, Brief contains open text fields where you may input additional information. You are responsible for any information you choose to provide through these fields, including any personal data or sensitive information.
3.2 Information from Third-Party Integrations
Brief integrates with third-party services you authorize. When you connect an integration, we access and store data according to the permissions you grant:
Currently Available Integrations:
- GitHub: Repository data (names, descriptions, code content, commits, branches, pull requests, issues, comments, labels, contributors), user profiles, organization data, team memberships
- Linear: Team data, issue information (titles, descriptions, states, assignees), project data, comments
- Jira: Issues, epics, sprints, projects, comments, assignees
- Asana: Tasks, projects, workspaces, assignees
- Notion: Pages, databases, workspace content
- Confluence: Documentation pages, spaces, content
- Slack: Messages, channels, threads, user information, @mentions
- Google Workspace: Google Drive (files, folders), Google Docs (documents), Google Sheets (spreadsheets), Google Slides (presentations), Google Forms
- HubSpot: Contacts (names, emails, phone numbers, job titles, lifecycle stages), companies, deals (pipeline stages, values, close dates), notes
- Fathom: Meeting recordings, transcripts, summaries, highlights
- Fireflies: Meeting transcripts, notes, action items
- Granola: Meeting notes and conversation data
- PostHog: Product analytics events, feature flags, user behavior data, insights
- Stripe: Billing events, subscription status, invoice data (as an integration beyond payment processing)
- Supabase: Database access via SQL queries (for connected Supabase projects)
- Langfuse: LLM observability traces, prompts, user intent data
- Helicone: LLM request logs, sessions, usage metrics
Planned Integrations (as we expand the Service):
- Project Management: ClickUp, Monday, Airtable, Motion
- Meeting Tools: Google Calendar
- Analytics: Mixpanel
- CRM & Support: Salesforce, Attio, Close, Zendesk, Freshdesk
- Google Workspace: Gmail
- Communication: Microsoft Teams, Discord
- Code Repositories: GitLab
- Sales Tools: Gong, Pipedrive
- Other Services: As needed to support your workflow
Each integration is authorized through OAuth or API key authentication. You control which integrations to connect and can revoke access at any time. We access only the data necessary to provide Brief's context intelligence features.
3.2.1 Slack Integration — Data Practices
When you install the Brief Slack app, you authorize Brief to access your Slack workspace. This section details exactly what Slack data Brief accesses, how it is used, and how long it is retained.
Data We Access from Slack:
- Messages: Channel messages, thread replies, and direct messages sent to the Brief bot. Brief reads messages from channels the bot has been added to and from channels you designate as "customer" channels for research signal extraction.
- Channels: Channel names, IDs, topics, purposes, privacy status, and member counts — used to let you select which channels Brief monitors.
- Users: User names, display names, email addresses, titles, and timezone — used for identity resolution (matching Slack users to Brief accounts) and for displaying user context in AI responses.
- Files: File attachments shared in direct messages with the Brief bot (PDF, TXT, CSV, Markdown, DOCX, XLS/XLSX up to 10MB, and images). Files are downloaded transiently for AI processing and are not stored in Brief's database.
- Search results: When an AI agent searches Slack on your behalf, message search results are retrieved via the Slack Search API using the installing user's token.
How Slack Data Is Used:
- Responding to @mentions and direct messages with contextual AI answers
- Extracting research signals (feature requests, pain points, sentiment) from designated customer channels — only AI-generated summaries are stored, not raw Slack messages
- Capturing decisions via the /decide slash command
- Providing Slack context to AI agents when you ask questions about your team's communications
- URL unfurling to display Brief content previews in Slack
Slack Data Retention:
- OAuth tokens (encrypted): retained while integration is active; deleted within 14 days of app uninstallation or integration disconnect
- Raw Slack messages and file contents: processed transiently in memory; not persisted to Brief's database
- Extracted research signals (AI-generated summaries): retained per standard data retention (active account + 30 days after deletion)
- Decisions captured via /decide: retained per standard data retention (active account + 30 days after deletion)
- DM session metadata: retained while integration is active; deleted within 14 days of app uninstallation
Slack App Removal: When you uninstall the Brief Slack app or disconnect the Slack integration, we will delete all Slack-specific data (tokens, session metadata, cached channel/user data) within 14 days. Research signals and decisions that were extracted from Slack and stored in your Brief account are retained under the standard retention policy above, as they are part of your Brief workspace data — you can delete these individually or by deleting your account.
Slack OAuth Scopes: Brief requests only the permissions necessary to deliver its features. A full list of requested Slack OAuth scopes is available upon request at privacy@briefhq.ai.
3.3 Usage Information
We automatically collect certain information when you use Brief:
- Usage analytics (how you interact with Brief, including document views, search queries, tool usage)
- Device information (browser type, operating system)
- Log data (IP address, access times, pages viewed)
- Approximate geolocation (city/region derived from IP address)
We use PostHog for analytics to understand how the Service is used and to improve it.
3.4 Payment Information
Payment processing is handled by Stripe. We do not store your credit card information or other payment details. Stripe's privacy policy governs their handling of your payment information. We receive and store subscription status, plan information, and billing history from Stripe.
4. How We Use Your Information
We use the information we collect for the following purposes, based on the legal grounds described below:
4.1 To Provide the Service (Legal Basis: Contract Performance)
- Deliver Brief's core functionality as context infrastructure for your development team
- Feed business context to AI development tools via Model Context Protocol (MCP)
- Synthesize information across documents, decisions, and external integrations
- Answer contextual questions (e.g., "Why did we choose PostgreSQL?" or "What's our 6-month goal?")
- Surface relevant past decisions to prevent rework
- Facilitate team onboarding with historical context
- Process billing and manage subscriptions
- Provide customer support
4.2 AI Processing (Legal Basis: Contract Performance)
- Process your data using AI language models to provide intelligent responses and recommendations
- Generate context-aware suggestions based on your product graph, decisions, and integrated data
- Maintain alignment between development work and strategic objectives
4.3 To Improve and Maintain the Service (Legal Basis: Legitimate Interests)
- Monitor and analyze usage patterns to improve Brief's features and performance
- Debug technical issues and ensure service reliability
- Ensure security and prevent abuse
- Conduct product analytics via PostHog
4.4 To Communicate with You (Legal Basis: Contract Performance / Legitimate Interests / Consent)
- Send service-related announcements and updates (contract performance)
- Respond to your inquiries and support requests (contract performance)
- Send renewal and billing notices (contract performance / legal obligation)
- Send marketing communications (consent - you may opt out at any time)
4.5 Legal Compliance (Legal Basis: Legal Obligation / Legitimate Interests)
- Comply with legal obligations
- Enforce our Terms of Service
- Protect our rights and the rights of our users
- Respond to legal requests and prevent harm
5. AI Model Providers and Data Processing
Brief uses artificial intelligence to process your data and provide intelligent context. Here's what you need to know:
5.1 AI Providers We Use
Brief uses multiple AI language model providers, including but not limited to:
- Anthropic (Claude): For natural language processing and context generation
- OpenAI (GPT models): For natural language processing and context generation
- Other AI model providers as needed to deliver the Service
For detailed information about our AI systems, see our AI System Card below.
5.2 What Data is Sent to AI Providers
When you use Brief's AI features — including interactive chat and autonomous background agents — we send the following to AI providers' APIs:
- Your queries and prompts
- Document content you've created in Brief
- Decision logs, product graph data, and GTM context (competitors, deals, positioning)
- Full product context (company information, goals, competitive advantages, customer details)
- Code snippets, issue descriptions, and other data from connected integrations
- Meeting transcripts and summaries from connected meeting tools
- CRM data (contact information, deal details, pipeline stages) from connected CRM tools
- User behavior analytics from connected analytics tools
- Conversation history (which may be summarized/compacted for long conversations)
- Tool call results from any connected integration
- Any other content necessary to answer your questions or provide context
5.3 Autonomous AI Agents
Brief runs autonomous background AI agents that process your data on schedules or in response to events, without requiring a per-request prompt from you. These agents:
- Sync and analyze data from connected integrations (e.g., syncing deals from HubSpot, extracting decisions from Slack)
- Generate entity suggestions, research signals, persona profiles, and competitive intelligence
- Create vector embeddings for semantic search and entity linking across all data sources
- Log actions in trajectory tables for debugging and quality assurance; this data is subject to the same retention and deletion policies as other user data in your account
By connecting integrations and using Brief, you consent to this automated AI processing. You control which integrations are connected and can disconnect them at any time to stop agent processing of that data source.
5.4 Training Data Policy
We do NOT use your data to train third-party AI models. We use enterprise API tiers with zero data retention policies where available. Your data is processed by AI providers solely to deliver responses to you and is not stored or used for training by these providers under their standard API terms. We may use customer-isolated interaction traces to improve Brief's own specialized models. See Section 5.4 for details.
Specialized Model Training: We use customer-isolated interaction data to train specialized models that improve Brief's functionality for your organization. This data is never shared across customers or used to train models serving other customers.
5.5 Data Residency and Transfers
Data sent to AI providers may be processed in various locations, including the United States. For transfers to countries outside your jurisdiction:
- For EU/UK users: We rely on Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum where applicable
- For other users: We use providers with enterprise-grade security and data protection practices
See Section 12 for more information on international transfers.
5.6 Your Control
All AI processing is in service of delivering Brief's functionality to you. By using Brief, you consent to this AI processing. You control what information you input into Brief and can choose not to use AI features if you prefer.
6. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
6.1 With Your Consent
When you authorize integrations, you explicitly consent to Brief accessing and processing data from those services.
6.2 Service Providers and Subprocessors
We share information with third-party service providers and subprocessors who perform services on our behalf. These parties are contractually obligated to use your information only to provide services to us and to protect your information.
Current Subprocessors:
| Subprocessor | Service Provided | Data Processed | Location |
|---|---|---|---|
| Anthropic | AI language model processing | User queries, documents, code, integration data, product context | United States |
| OpenAI | AI language model processing | User queries, documents, code, integration data, product context | United States |
| ElevenLabs | Voice AI processing | Voice input data | United States |
| Clerk | Authentication and identity management | Email, name, user profiles, session data, organization membership | United States |
| Stripe | Payment processing | Email, name, billing information, payment methods | United States |
| PostHog | Product analytics | Usage data, feature interactions, anonymized user identifiers | United States / EU |
| Render | Cloud hosting and infrastructure | All user data | United States |
| Supabase | Database services | All user data | United States |
| Inngest | Background job orchestration | Event payloads, job metadata, user/org context | United States |
| Sentry | Error tracking and monitoring | Error context, stack traces (PII is scrubbed before transmission) | United States |
| Postmark | Email delivery | Email addresses, names, transactional emails | United States |
| Firecrawl | Web content scraping | URLs and scraped webpage content | United States |
| Helicone | LLM observability and analytics | LLM prompts, responses, usage metrics | United States |
| Cascade | LLM tracing and evaluations | LLM interactions, evaluation data | United States |
| Maniac.ai | Specialized model training | Customer-isolated AI interaction data for training Brief's own models | United States |
We maintain an up-to-date list of subprocessors and will provide 30 days' advance notice before adding new subprocessors that process personal data. You may object to new subprocessors by contacting privacy@briefhq.ai.
6.3 MCP Protocol and External AI Tool Access
Brief exposes your data via Model Context Protocol (MCP) to AI development tools you use (such as Claude Code, Cursor, ChatGPT, Copilot, or other MCP-compatible tools). This is a core feature of the Service.
How MCP Data Flows:
- Request: Your local AI tool (the "MCP client") sends a tool call request to Brief's MCP server, authenticated with your Brief API key or session token.
- Processing: Brief's server retrieves the requested data from your workspace — documents, decisions, product context, integration data, or search results — scoped to your organization's permissions.
- Response: Brief returns structured tool results to the MCP client. These results may include document content, decision summaries, product graph data, entity information, and data from connected integrations (e.g., Linear issues, GitHub PRs, Slack messages, HubSpot deals).
- LLM Processing: The MCP client (your AI tool) includes Brief's tool results in its prompt context and sends them to its configured LLM provider (e.g., Anthropic, OpenAI). Brief does not control which LLM provider the MCP client uses.
What Appears in Tool Results: Tool results contain the specific data you or your AI tool requested — for example, a decision's title and rationale, a document's content, a list of recent Linear issues, or a summary of customer signals. Tool results do not include data from other organizations or other users' private data.
Brief also supports user-configured custom MCP servers ("Bring Your Own MCP"), allowing you to connect additional data sources. Data from custom MCP servers is processed according to the same policies as other integration data.
MCP access supports both user-scoped authentication (data limited to the requesting user's permissions) and system-scoped authentication (for administrative or automated workflows).
6.4 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government agencies).
6.5 Business Transfers
If Brief is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
6.6 Protection of Rights
We may disclose information when we believe it is necessary to:
- Enforce our Terms of Service
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or others
- Prevent fraud or abuse of the Service
7. Third-Party Services and Integrations
When you connect third-party integrations to Brief, those services' privacy policies and terms of service govern their collection and use of your information. We are not responsible for the privacy practices of these third-party services.
Each integration you authorize is subject to:
- That service's terms of service
- That service's privacy policy
- The specific permissions you grant during OAuth authorization or API key setup
You can review and revoke integration permissions at any time through your Brief account settings.
8. Cookies, Tracking Technologies, and Do Not Track
8.1 Cookies and Similar Technologies
We use cookies and similar tracking technologies to:
- Maintain your session and keep you logged in
- Remember your preferences
- Analyze usage patterns via PostHog
- Ensure security and prevent fraud
You can control cookies through your browser settings. Disabling cookies may limit some functionality of the Service.
8.2 PostHog Analytics
We use PostHog for product analytics. PostHog may use cookies and similar technologies to track your usage of the Service. PostHog data is used solely for product improvement and is not shared for advertising purposes.
8.3 Do Not Track and Global Privacy Control
Do Not Track (DNT): We do not currently respond to browser Do Not Track signals.
Global Privacy Control (GPC): We recognize and honor Global Privacy Control signals as an opt-out of the "sale" or "sharing" of personal information for users in jurisdictions where this applies (e.g., California). If we detect a GPC signal from your browser, we will not share your data for analytics or advertising purposes beyond what is necessary to provide the Service.
9. Data Security
We take the security of your information seriously and implement appropriate technical and organizational measures:
9.1 Security Measures
Encryption:
- Data in transit is encrypted using HTTPS/TLS (HSTS enforced in production)
- Data at rest is encrypted in our databases
- Secrets and OAuth tokens are encrypted using AES-256 symmetric encryption via PostgreSQL pgcrypto
Access Controls:
- Authentication via Clerk with JWT-based session management
- Row-Level Security (RLS) policies on all sensitive database tables, enforcing organization-level tenant isolation
- All queries scoped by organization ID extracted from authenticated JWT claims
- Integration-level resource scoping (control which repos, channels, spaces, etc. are accessible)
- Encrypted OAuth token storage with distributed locking for token refresh operations
- Secure API key management with scoped permissions (read/write)
- Principle of least privilege
Application Security:
- SSRF protection with DNS pinning to prevent server-side request forgery and DNS rebinding attacks
- Webhook signature verification (HMAC SHA256) with timing-safe comparison and replay attack protection
- Security headers: Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Input validation via Zod schema validation; parameterized queries via ORM to prevent SQL injection
Internal Access: Only the CEO (Andrew Dillon) has administrative access to user data, and such access is used solely for customer support purposes when explicitly requested by users.
Vendor Due Diligence: We vet all subprocessors for security and privacy compliance before engagement.
Vulnerability Reporting: If you discover a security vulnerability, please report it to security@briefhq.ai. We will respond promptly to security reports.
9.2 Breach Notification
In the event of a data breach that affects your personal information, we will notify you without undue delay as required by applicable law. Notifications will be sent to the email address associated with your account and may also be posted on our website or within the Service.
9.3 Limitations
While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.
10. Data Retention
We retain your information for as long as your account is active or as needed to provide you the Service, and for specific periods based on legal, business, or operational needs.
10.1 Retention Periods by Category
| Data Category | Retention Period |
|---|---|
| Account information (email, name) | Active account + 30 days after deletion |
| User-generated content (documents, decisions) | Active account + 30 days after deletion |
| Product graph data | Active account + 30 days after deletion |
| Integration data (cached) | Up to 90 days while integration is active; deleted within 30 days of integration disconnect |
| Usage analytics and logs | 24 months |
| Billing records (invoices, payment history) | 7 years (tax and accounting compliance) |
| Agent-generated data (trajectories, entity links, embeddings) | Active account + 30 days after deletion |
| Meeting transcripts (from connected tools) | Cached up to 90 days; deleted within 30 days of integration disconnect |
| CRM/deal data (from connected CRM tools) | Cached up to 90 days; deleted within 30 days of integration disconnect |
| LLM observability logs (Helicone, Langfuse, Cascade) | 24 months |
| Conversation history and summaries | Active account + 30 days after deletion |
| Webhook event logs | 24 months |
| Support communications | 3 years |
| Backup data | Up to 90 days |
10.2 Deletion Requests
You may request deletion of your account and associated data at any time by contacting privacy@briefhq.ai. We will delete your data within 30 days of your request, except where we are required to retain certain information for legal compliance, dispute resolution, or enforcement of our agreements.
10.3 Post-Deletion
After account deletion:
- Your data is removed from active systems within 30 days
- Backup copies may persist for up to 90 days
- Billing records are retained for 7 years for tax compliance
- Aggregated, anonymized data may be retained indefinitely
11. Your Rights and Choices
11.1 General Rights
Access and Correction: You can access and update your account information through your Brief account settings at any time.
Data Portability: You can export your documents and decisions from Brief at any time through your account dashboard.
Deletion: You can delete documents, decisions, and your entire account. Contact privacy@briefhq.ai to request account deletion.
Integration Control: You can connect or disconnect integrations at any time through your account settings. Disconnecting an integration revokes Brief's access to that service.
Marketing Communications: You can opt out of marketing emails by following the unsubscribe link in those emails or by contacting privacy@briefhq.ai.
11.2 California Privacy Rights (CPRA/CCPA)
If you are a California resident, you have the following rights under the California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA):
Right to Know: You can request:
- Categories of personal information we have collected about you
- Categories of sources from which we collected your personal information
- Our business or commercial purpose for collecting or selling personal information
- Categories of third parties with whom we share personal information
- Specific pieces of personal information we have collected about you
Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
Right to Correct: You can request correction of inaccurate personal information we maintain about you.
Right to Opt-Out of Sale or Sharing: We do not sell personal information. If our practices change, we will provide a "Do Not Sell or Share My Personal Information" link and honor your opt-out request.
Right to Limit Use of Sensitive Personal Information: If we use or disclose sensitive personal information for purposes beyond providing the Service, you have the right to limit such use. Currently, we only use sensitive personal information (if any) to provide the Service.
Right to Non-Discrimination: We will not discriminate against you for exercising your CPRA/CCPA rights.
Authorized Agents: You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority.
Response Timing: We will respond to verifiable requests within 45 days. If we need more time (up to 90 days total), we will inform you of the reason and extension period.
Verification: To protect your privacy, we will verify your identity before responding to requests. Verification may require matching information you provide with information we have on file.
To Exercise Your Rights: Contact privacy@briefhq.ai with your request.
11.3 Other U.S. State Privacy Rights
If you are a resident of Virginia, Colorado, Connecticut, or Utah, you have similar rights to those described for California residents, including:
Right to Access: Request access to your personal information.
Right to Delete: Request deletion of your personal information.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out: Opt out of:
- Targeted advertising (we do not currently engage in targeted advertising)
- Sale of personal information (we do not sell personal information)
- Profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling)
Right to Appeal: If we deny your request, you may appeal by contacting privacy@briefhq.ai. We will respond to your appeal within 60 days. If we deny your appeal, we will provide information about how to contact your state attorney general to submit a complaint.
To Exercise Your Rights: Contact privacy@briefhq.ai with your request.
11.4 European Union and United Kingdom Rights (GDPR/UK GDPR)
If you are in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
Right of Access: You can request a copy of your personal data.
Right to Rectification: You can request correction of inaccurate personal data.
Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data in certain circumstances.
Right to Restrict Processing: You can request that we limit how we use your personal data.
Right to Data Portability: You can request a copy of your personal data in a structured, machine-readable format.
Right to Object: You can object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time.
Right to Lodge a Complaint: You can lodge a complaint with your local data protection authority:
- EU: Contact your national supervisory authority (list available at https://edpb.europa.eu/about-edpb/board/members_en)
- UK: Contact the Information Commissioner's Office (ICO) at https://ico.org.uk/
Response Timing: We will respond to requests within one month. If we need more time (up to three months total), we will inform you of the reason and extension period.
To Exercise Your Rights: Contact privacy@briefhq.ai with your request.
12. International Data Transfers
Brief is operated from the United States. If you are located outside the United States, please be aware that information we collect will be transferred to, stored, and processed in the United States.
12.1 Legal Basis for Transfers
For EU/UK Users: We transfer personal data from the EU and UK to the United States and other countries based on:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (2021/914) for transfers from the EU
- UK International Data Transfer Addendum: We use the UK Addendum to the SCCs for transfers from the UK
- Your Consent: By using Brief, you consent to the transfer of your information to the United States and other countries where our subprocessors operate
12.2 Adequacy and Safeguards
Where we transfer data to countries without an adequacy decision from the European Commission or UK, we implement appropriate safeguards such as SCCs and conduct transfer impact assessments.
12.3 Subprocessor Locations
Our subprocessors process data in the following locations:
- United States: Anthropic, OpenAI, ElevenLabs, Clerk, Stripe, Render, Supabase, Inngest, Sentry, Postmark, Firecrawl, Helicone, Cascade, Maniac.ai
- EU/US: PostHog (with EU data residency options)
By using Brief, you consent to these transfers.
13. Children's Privacy
Brief is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us at privacy@briefhq.ai, and we will take steps to delete such information promptly.
14. AI System Card
This section provides transparency into Brief's use of artificial intelligence systems.
14.1 AI Providers and Models
Providers Used:
- Anthropic: Claude language models (including Claude 4 family and successors)
- OpenAI: GPT language models (including GPT-5 family and successors)
- ElevenLabs: Voice AI models for voice input processing
- Other providers: We may use additional AI providers as technology evolves
14.2 Inputs Shared with AI Systems
When you use Brief's AI features — including interactive chat and autonomous background agents — the following data may be sent to AI providers:
- Your natural language queries and prompts
- Documents you've created in Brief (research notes, planning docs, etc.)
- Decision logs and rationale you've recorded
- Product graph data (goals, customers, competitive advantages, etc.)
- GTM context (competitors, deals/pipeline, positioning, differentiators)
- Code snippets, commit messages, and repository metadata from GitHub
- Issue titles, descriptions, and comments from Linear, Jira, Asana, and other PM tools
- Documentation from Confluence, Notion, and Google Workspace
- Meeting transcripts and summaries from Fathom, Fireflies, and Granola
- CRM data including contact information, deal details, and pipeline stages from HubSpot
- Product analytics and user behavior data from PostHog
- Conversation history (which may be summarized for long conversations)
- Tool call results from any connected integration
- Voice input data (if you use voice features)
- Any other content necessary to generate contextual responses
14.3 Data Retention by AI Providers
Zero-Retention Policy: We use enterprise API tiers that do not retain your data for training third-party models. Data sent to AI providers is processed solely to generate responses and is not stored beyond the duration of the API request.
Customer-Isolated Model Improvement: We use customer-isolated interaction data to train specialized models that improve Brief's functionality. This data is never shared across customers or used to train models serving other customers. See Section 5.4 for details.
Exception — Abuse Monitoring Retention: Certain AI providers retain API inputs and outputs for a limited period solely for abuse monitoring and trust & safety purposes, not for model training:
- Anthropic (Claude): May retain API inputs and outputs for up to 30 days for abuse monitoring and safety evaluation. Brief uses Anthropic's enterprise API tier. See: Anthropic Privacy Policy
- OpenAI (GPT models): Retains API inputs and outputs for up to 30 days for abuse monitoring under their enterprise/API terms. OpenAI may review API traffic for trust & safety, which could include user queries and tool results containing workspace data (e.g., document excerpts, issue descriptions, contact names from integrations). Brief uses OpenAI's API tier with zero-retention for training. See: OpenAI Enterprise Privacy
During this abuse monitoring window, data sent to these providers may include any content from your Brief workspace that was part of the AI request — including queries, document content, decision logs, and data from connected integrations. This data is subject to each provider's enterprise data handling commitments and is not used for model training.
14.4 Safety Measures and Limitations
Safety Measures:
- We use AI providers with robust content filtering and abuse prevention
- We do not use AI outputs for automated decision-making with legal or similarly significant effects
- Users can report problematic AI outputs to support@briefhq.ai
Limitations:
- AI-generated content may contain errors, inaccuracies, or hallucinations
- Users must review and verify AI outputs before relying on them
- AI cannot provide professional advice (legal, financial, medical, etc.)
- AI responses are probabilistic and not deterministic
14.5 User Controls
You Control:
- What data you input into Brief (you can choose to exclude sensitive information)
- Whether to use AI features (you can use Brief without AI processing)
- Which integrations to connect (limiting what data is available for AI context)
Opt-Out: If you prefer not to have your data processed by AI, contact privacy@briefhq.ai to discuss alternative service configurations.
14.6 EU AI Act Compliance
Current Status: Brief's AI systems are classified as General Purpose AI (GPAI) under the EU AI Act. We are monitoring regulatory developments and will implement required transparency and risk management measures as the Act's provisions come into force (2025-2027 timeline).
Transparency: We commit to maintaining this AI System Card with up-to-date information about our AI systems, providers, and practices.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notice of Changes: We will notify you of any material changes by:
- Posting the new Privacy Policy on this page and updating the "Last Updated" date
- Sending an email notification to the address associated with your account
- Providing prominent notice through the Service
Your Acceptance: Your continued use of Brief after such changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the modified Privacy Policy, you must stop using the Service.
Review: We encourage you to review this Privacy Policy periodically.
16. Contact Us & Data Protection Officer
If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your privacy rights, please contact us:
Email: privacy@briefhq.ai
Security Issues: security@briefhq.ai
Data Protection Officer: Andrew Dillon, CEO (privacy@briefhq.ai)
Company: Brief Labs Inc.
Location: San Francisco, California, United States
17. Data Processing Addendum (DPA)
A Data Processing Addendum (DPA) is available on request for customers who require one for GDPR, CCPA, or other data protection compliance purposes. To request a DPA, contact privacy@briefhq.ai. We will execute an appropriate DPA covering the categories of data processed, subprocessors used, security measures, and data subject rights described in this Privacy Policy.
18. Accessibility
We are committed to making our Privacy Policy accessible to everyone. If you have difficulty accessing this Privacy Policy or need it in an alternative format, please contact privacy@briefhq.ai.
Brief Labs Inc.
San Francisco, California, United States
Version: 3.1 (2026-Compliant, Slack App Directory)