Privacy Policy
We collect as little as we can, never sell your data, disclose what we process through AI, and give you control over your workspace. This policy explains exactly what we do.
Pre-incorporation notice. GoBrief is currently operated by Brian Kaplan as a sole proprietor in Nashville, Tennessee, United States, pending formation of GoBrief LLC (a Tennessee limited liability company). On LLC formation, the entity becomes the successor-in-interest and operator under these documents. These policies have been reviewed internally against standard SaaS and privacy patterns and will receive outside-counsel review before customer-paid engagements scale. Any material updates will be versioned here and emailed to active customers 30 days in advance.
The short version
- We collect your name, email, and what you do in the app. Enough to run the service and bill you.
- We never sell your personal data. We do use subprocessors (listed at /subprocessors) to run the service.
- AI analysis of uploads happens via Anthropic + Cloudflare Workers AI. Neither trains on your data.
- You can export or delete your data. EU/UK/California residents have additional rights documented below.
1. Who we are
GoBrief is a creative-operations platform built in Nashville, Tennessee, United States. For privacy questions, email privacy@gobrief.co.
2. What we collect
Account info you give us: name, email address, organization name, and sign-in details (we don't store passwords; we use magic links and Google OAuth, and the profile data Google provides through OAuth counts as account info).
Workspace content: creative assets you and your partners upload, metadata (file names, sizes, types, timestamps), comments, review decisions, brief text, spec definitions, delivery receipts.
Partners you add: names, emails, organization names, roles you assign them. These people don't create GoBrief accounts, but we process their email addresses on your instruction to deliver links. By adding a partner, you represent and warrant that you have obtained any notices or consents required under applicable data-protection law (including GDPR Art. 6 lawful basis and, where required, prior-informed consent) for GoBrief to process that partner's personal data on your behalf.
Payment info: handled by Stripe. We receive plan + status info and the last 4 digits of the card used; we never see the full card number.
Usage data: log lines (IP address, user agent, pages visited, timestamps), aggregated stats, error traces.
Cookies: sign-in session cookies, CSRF tokens, referral-attribution cookies, plan-selection cookies. Full list at /cookies.
3. Why we collect it and our legal basis (GDPR Art. 6)
For users in the European Economic Area, United Kingdom, and Switzerland, we rely on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)): account creation, delivery of creative assets, billing, customer support, and the core platform features you signed up for.
- Legitimate interests (Art. 6(1)(f)): abuse and fraud prevention, security logging, service-quality improvement, internal analytics, and defending legal claims. Balancing tests are available on request.
- Consent (Art. 6(1)(a)): optional AI content analysis (recipients can opt out per-link; see §5), marketing or promotional email (we don't send these without opt-in), and any non-essential cookies.
- Legal obligation (Art. 6(1)(c)): tax records, responding to lawful process, and record-keeping required by law.
You can withdraw consent at any time by emailing privacy@gobrief.co. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4. Who we share it with
We use subprocessors listed at /subprocessors. In short: Cloudflare (hosting, database, storage, and AI), Stripe (billing), Resend (email delivery), Anthropic (AI analysis), and Google (OAuth when you sign in with Google; Google Analytics 4 for aggregate site-usage measurement with no advertising features enabled; cookie details and opt-out are in our Cookie Policy). We conduct due diligence on our subprocessors before engagement, enter into written data processing agreements with them that impose protections substantially similar to those in our own DPA, and will give you 30 days' notice of any new or replacement subprocessor via our Subprocessors page.
We do not sell your personal information. We don't share it with advertisers. We don't build advertising profiles.
We'll disclose data to law enforcement only where compelled by lawful process, and we'll push back on overbroad requests where we can. If this happens to you and the law doesn't prohibit it, we'll tell you.
Business transfers. If GoBrief is involved in a merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency, personal data may be transferred as part of that transaction. We'll ensure any successor is bound by terms no less protective than this policy, and we'll notify you by email and in-app at least 30 days before the transfer becomes effective so you can export or delete your data first.
5. AI processing
When you or a partner upload files, we run automated analysis so you know they match spec. Specifically:
- Images + PDFs: sent to Anthropic (Claude Sonnet 4.6 via API) for subject detection, quality analysis, composition notes, bleed-presence check. Anthropic doesn't train on your data and retains it for at most 30 days for abuse monitoring.
- Audio: sent to Cloudflare Workers AI Whisper for transcription and voice-vs-music classification. Cloudflare doesn't train on your data.
- Vector graphics, text, structured data: parsed locally in our Cloudflare Workers runtime; no third-party AI call.
Results are stored only in your workspace. You can opt specific content out by emailing privacy@gobrief.co; enterprise customers can disable AI analysis globally on their workspace.
6. How long we keep it
- Active workspace data: for as long as your account is active.
- Backups: 30 days rolling (daily snapshots stored in Cloudflare R2).
- Billing records: 7 years (US tax retention).
- Logs: 30 days for security and debugging; aggregated metrics retained longer for capacity planning.
- On account deletion: removed within 30 days, except where law or legal-hold flags require otherwise.
7. Your rights
Everyone: export your workspace data (email privacy@gobrief.co) or delete your account (from billing settings, or by emailing us).
EU / UK (GDPR): you have additional rights including access, rectification, erasure, restriction, portability, and objection. To exercise them, email privacy@gobrief.co. You can also complain to your national supervisory authority.
California (CCPA / CPRA): you have the right to know, delete, and correct personal information, plus opt out of sale or sharing. We don't sell or share your personal information for advertising purposes. To exercise CCPA rights, email privacy@gobrief.co.
Other US states (Virginia, Colorado, Connecticut, Utah, Texas): the protections described here extend to residents of those states as applicable.
8. International transfers
We're based in the US. If you're in the EU/UK/Switzerland, your data may be transferred to the US when we process it. We rely on the European Commission's Standard Contractual Clauses (Module Two, Controller-to-Processor, 2021) and, where applicable, the UK International Data Transfer Addendum and the EU-U.S. Data Privacy Framework. All our subprocessors have equivalent transfer mechanisms in place. Copies of the applicable clauses and our transfer impact assessments are available on request via privacy@gobrief.co.
9. How we protect your data (GDPR Art. 32)
We implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including:
- Encryption in transit: TLS 1.2+ for all traffic between browsers, our platform, and subprocessors.
- Encryption at rest: all customer content in Cloudflare R2 and D1 is encrypted at rest; OAuth tokens and other high-sensitivity secrets are additionally encrypted at the application layer using AES-256-GCM with keys derived from a rotating master secret.
- Access controls: least-privilege access for the GoBrief team, MFA required on all administrative accounts, scoped API credentials with audit logging.
- Network and platform security: Cloudflare WAF, bot management, rate limiting, dependency scanning, and regular security reviews of code changes.
- Backups and resilience: daily encrypted backups retained 30 days with documented restore procedures.
- Incident response: a documented security incident response plan, reviewed at least annually.
No system is perfectly secure, but we work hard to apply industry-standard controls and to improve them over time. More detail is at /security.
10. Data breach notification (GDPR Arts. 33 & 34)
If we become aware of a personal data breach affecting you, we will:
- Notify affected controllers (our customers) without undue delay and, where feasible, within 72 hours of becoming aware, so that you can meet your own GDPR Art. 33 notification obligation to supervisory authorities.
- Provide a description of the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we are taking or proposing to address it.
- Where a breach is likely to result in a high risk to rights and freedoms, communicate with affected individuals directly, in coordination with the controller, in clear and plain language.
- Cooperate with you and with supervisory authorities as reasonably required.
11. Children
GoBrief is not intended for children under 13 (or under 16 in the EU). We don't knowingly collect data from children. If you believe we have, email privacy@gobrief.co and we'll remove it.
12. Changes
We'll post changes here and email you about material updates at least 30 days before they take effect. Continued use after the effective date means you accept the changes.
13. Contact
Privacy: privacy@gobrief.co.
Data Protection Officer: dpo@gobrief.co.
Based in Nashville, Tennessee, United States.
Questions? Reach us at legal@gobrief.co for legal, privacy@gobrief.co for data questions, security@gobrief.co for vulnerability disclosure.