Privacy Policy

Effective date: 15 June 2026
Last updated: 15 June 2026

This Privacy Policy explains how briff (briff.ai), operated by [OPERATOR] ("we," "us," or "our"), collects, uses, and shares personal data. It is incorporated into our Terms of Service.


1. Who We Are

briff is a research service operated by [OPERATOR] that produces customer-discovery briefs for founders and product teams. For any privacy question or to exercise your rights, contact us at privacy@briff.ai.

2. What briff Does

You describe a target customer or idea. We research that customer's publicly available discussions across the web and synthesize a written brief. Producing this brief necessarily involves processing two kinds of personal data: your account and input data, and the public statements of third parties whose posts inform the brief (see Section 9).

3. Information We Collect

What we do not collect:

  • We do not collect your payment-card numbers. Payments are handled by our Merchant of Record (Polar.sh); we receive only limited transaction metadata.
  • We do not collect precise device location, contact lists, or address books.
  • We do not sell personal data, and we do not use your inputs or briefs to train AI models.

Account data. When you create an account, our authentication provider (Clerk) collects your email address and authentication metadata. We use this to identify you, deliver briefs, and communicate about your account.

Inputs you submit. Idea descriptions, target-customer descriptions, prompts, and any materials you provide. We process these to research and generate your brief and to operate the free triage.

Generated content. The briefs and triage outputs we produce for you, including any third-party public information they contain (see Section 9). We store briefs so you can access them in your dashboard. Unpaid triage outputs may be published to our public library as described in Section 4.

Transaction data. When you buy credits, the Merchant of Record shares with us limited information such as your name or email, country, plan purchased, and payment status — not your card details.

Technical and usage data. Server access logs (IP address, user agent, timestamps, requested routes) and progress events generated while a brief is being produced.

Analytics. Aggregate usage measurement. ([Confirm analytics provider, e.g. Vercel Analytics / Plausible / GA4, or state "none" if not used.])

4. How We Use Information

We use personal data to:

  • Provide the Service: run idea triage, research public sources, generate and deliver briefs, and host them in your dashboard.
  • Operate accounts, process credits, and prevent fraud and abuse.
  • Communicate with you about your briefs, account, and purchases (transactional email via Resend).
  • Maintain security, debug, and improve reliability.
  • Comply with legal obligations.

Public brief library. If you submit a free triage but do not complete a paid brief order within 7 days, we may publish that triage in our public library at briff.ai/library. When we do, we publish the persona or idea text you submitted but scrub personal context such as your email address and company name. This is opt-out: completing a paid order keeps your triage private, and the checkout flow makes this explicit before you commit. You can also ask us to remove a published triage at privacy@briff.ai.

AI processing. We use AI models from Anthropic (Claude) to synthesize briefs and to perform idea triage. These calls are made through provider APIs. We do not use your inputs or generated briefs to train AI models, and our model providers do not train their models on data submitted through their business APIs. We rely on those providers' enterprise/API data-handling terms.

Legal bases (GDPR/UK GDPR). Where these laws apply, we process: account, input, and transaction data to perform our contract with you (Art. 6(1)(b)); logs, security, and analytics under our legitimate interests in operating and securing the Service (Art. 6(1)(f)); third-party public data within briefs under our and our customers' legitimate interests in market and customer research (Art. 6(1)(f)), balanced against the rights of the individuals concerned; and any optional marketing on consent (Art. 6(1)(a)).

5. Cookies

We use a small number of cookies, primarily for authentication and security. We do not use advertising or cross-site tracking cookies.

Cookie | Purpose | Duration | How to opt out
Session / auth cookies (Clerk) | Keep you signed in; protect against CSRF | Session to ~30 days | Sign out; clear browser data
[analytics cookie, if any] | Aggregate usage measurement | [duration] | Block third-party cookies; provider opt-out

We honor browser Global Privacy Control / Do Not Track signals where required by law.

6. Third-Party Processors

We share personal data with the following subprocessors only as needed to operate the Service:

Provider | Purpose | Privacy policy
Vercel | Frontend and API hosting | https://vercel.com/legal/privacy-policy
Upstash | Job queue and progress events (Redis) | https://upstash.com/trust/privacy.pdf
Neon | Application database (Postgres) | https://neon.tech/privacy-policy
Clerk | Authentication and account data | https://clerk.com/legal/privacy
Cloudflare R2 | Storage of generated briefs (HTML, PDF) | https://www.cloudflare.com/privacypolicy/
Resend | Transactional email delivery | https://resend.com/legal/privacy-policy
Polar.sh | Payments (Merchant of Record), billing, tax | https://polar.sh/legal/privacy
Anthropic | AI models for triage and brief synthesis | https://www.anthropic.com/legal/privacy

Verify each URL and the list itself before publication; subprocessors can change. Consider maintaining a versioned subprocessor list and notifying customers of changes.

7. Data Retention

We retain data only as long as needed for the purposes above:

  • Inputs and generated briefs: retained in your account so you can access them, until you delete them or close your account, after which they are deleted within 30 days (backups purge on their normal cycle).
  • Unpaid triage published to the public library: retained in the public library (with personal context scrubbed) until you request removal at privacy@briff.ai.
  • Progress-event streams for an in-flight brief: short-lived, deleted on completion with a fallback expiry of 24 hours.
  • Account data: retained until account deletion; then deleted within 30 days.
  • Server access logs: retained up to 30 days for security and debugging.
  • Transaction records: retained as required for tax, accounting, and legal compliance (typically up to 7 years), held by us and/or the Merchant of Record.

8. Your Rights

GDPR / UK GDPR (EEA, UK). You have the right to access, rectify, erase, restrict, or port your personal data, to object to processing based on legitimate interests, and to withdraw consent. You may also lodge a complaint with your local supervisory authority.

CCPA/CPRA (California). You have the right to know, access, delete, and correct personal information, and to opt out of "sale" or "sharing." We do not sell or share personal information as those terms are defined.

Everyone. You can exercise these rights, regardless of location, by emailing privacy@briff.ai. We will respond within the timeframe required by applicable law. We may need to verify your identity before acting.

9. Third-Party Personal Data in Briefs

A defining feature of briff is that briefs draw on publicly available statements made by individuals on public platforms (such as Reddit, Hacker News, and Indie Hackers), and may name and quote those individuals as reachable prospective customers.

  • We process this public data to perform market and customer research for our customers, relying on legitimate interests where GDPR applies.
  • If you are an individual whose public statements appear in a brief and you wish to object or request erasure of your data from our systems, contact privacy@briff.ai. We will assess and honor valid requests as required by law.
  • For customers: you are an independent controller of any personal data contained in a brief once it is delivered to you. You must handle it lawfully — including honoring opt-outs, anti-spam, and privacy obligations — when you contact or process information about the individuals named (see Terms, Section 9).

10. International Transfers

We and our subprocessors may process data in countries other than yours, including the United States. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and equivalent mechanisms offered by our subprocessors.

11. Security

We use technical and organizational measures to protect personal data, including scoped access tokens, signed job payloads, presigned time-limited storage URLs, encryption in transit, and least-privilege credentials. No system is perfectly secure; we cannot guarantee absolute security.

12. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact privacy@briff.ai and we will delete it.

13. Changes to This Policy

We may update this Policy from time to time. We will revise the "Last updated" date and, for material changes, notify account holders where appropriate. Continued use after changes take effect constitutes acceptance.

14. Contact

For privacy questions or to exercise your rights: privacy@briff.ai. For other legal matters: legal@briff.ai. Operator: [OPERATOR].