Back to homeLegal

Privacy Policy

Last updated: 11 May 2026

1. Data Controller

Brieflet is operated by Brieflet. For questions about your data contact us.

2. Information We Collect

We collect the following personal data:

  • Account information: name, email address, and authentication details (via Clerk)
  • Company preferences: the companies you configure, industries, regions, key players, and sources you select
  • Timezone: when you sign up, we detect your IANA timezone identifier (e.g. Pacific/Auckland) from your browser using the standard Intl.DateTimeFormat Web API. This is used solely to schedule your daily briefing for delivery at your local 8:30am. No IP-based geolocation or location data is collected, and the value can be reviewed or changed at any time from your profile settings.
  • Payment information: processed and stored by Stripe — we do not store card details
  • Usage data: email delivery preferences, frequency settings, and the number of briefings sent
  • Consent records: timestamps and status of your consent to data processing

3. Lawful Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Consent (Art. 6(1)(a)): You provide explicit consent before we generate and send personalised briefings. You can withdraw consent at any time from your profile page.
  • Contract (Art. 6(1)(b)): Processing is necessary to deliver the service you subscribed to, including generating briefings and managing your account.
  • Legitimate interest (Art. 6(1)(f)): Delivering the service you signed up for. We may process data to improve our service, prevent abuse, and ensure security, where our interests do not override your rights.

4. How We Use Your Information

We use the information we collect to:

  • Deliver your personalised governance intelligence briefings
  • Process payments and manage your subscription
  • Send transactional emails such as account confirmations and receipts
  • Improve and personalise our service
  • Comply with legal obligations

5. Data Processors & Third Parties

We do not sell, trade, or rent your personal information to third parties. We share data only with the following processors, each bound by data processing agreements:

  • Convex (USA) — database and backend infrastructure
  • Clerk (USA) — authentication and identity management
  • Stripe (USA) — payment processing
  • SMTP2GO (New Zealand) — email delivery
  • OpenAI / Anthropic (USA) — AI-powered briefing generation

6. International Data Transfers

Some of our processors are based in the United States. Where personal data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure an adequate level of protection for your data.

7. Data Retention

We retain your personal data for as long as your account is active. Generated briefs are automatically and permanently deleted within 12 months. Records of news articles used to assemble briefs are not linked to your identity and are deleted within to 30 days. If you delete your account, your profile and briefings are permanently erased within 30 days. We may retain anonymised, aggregated data for analytics purposes.

8. Cookies

Brieflet uses only essential cookies for authentication and session management. We do not use advertising, analytics, or tracking cookies. You can disable cookies in your browser settings, but this may affect your ability to log in.

9. Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. All data is encrypted in transit (TLS) and at rest.

10. Your Rights (GDPR & NZ Privacy Act)

You have the following rights over your personal data:

  • Right of access: Request a copy of all data we hold about you. Use the "Export my data" button on your profile page.
  • Right to rectification: Update your information at any time from your profile page.
  • Right to erasure: Delete your account and all associated data via the "Delete my account" button on your profile page, or by contacting us.
  • Right to restrict processing: Ask us to limit how we use your data.
  • Right to data portability: Receive your data in a structured, machine-readable format (JSON).
  • Right to object: Object to processing based on legitimate interest.
  • Right to withdraw consent: Uncheck the consent box on your profile page at any time. This does not affect the lawfulness of processing carried out before withdrawal.
  • Right to unsubscribe: Every email includes an unsubscribe link to stop receiving briefings.

To exercise any of these rights, use the controls on your profile page or contact us. We will respond within 30 days.

11. Children’s Privacy

Brieflet is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our site. Continued use of Brieflet after changes take effect constitutes acceptance of the revised policy.

13. Contact & Complaints

If you have questions about this policy or wish to make a complaint, please contact us.

If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. If you are in New Zealand, you may contact the Office of the Privacy Commissioner at privacy.org.nz.

Privacy Policy — Brieflet