Privacy Policy
Last updated: March 2026
1. Data Controller
BriefBot / Gabriel Marchesan Almeida / Wiener Str. 37, 76344 Eggenstein-Leopoldshafen, Germany / Email: contact@brief-bot.app
2. Data We Collect
| Data Category | Purpose | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Name, email address | Account creation via Google OAuth | §1(b) — Contract performance |
| Letter content (text/PDF) | AI analysis | §1(b) — Contract performance |
| Analysis history | Stored results for your reference | §1(b) — Contract performance |
| Consent records + audit log | GDPR compliance documentation | §1(c) — Legal obligation |
| Session tokens | Authentication | §1(b) — Contract performance |
| Contact form messages | Customer support | §1(b) — Contract performance |
| Analytics data (optional) | Product improvement | §1(a) — Consent |
| PDF documents (uploaded or camera-generated) | Document Vault — secure storage of original letters | §1(b) — Contract performance |
3. Data Retention
- Letter analyses: automatically deleted after 90 days
- Account data: retained while your account is active
- After account deletion: personal data anonymized within 30 days; analysis rows retained (anonymized) for 180 days for legal compliance
- Consent logs: retained for 3 years (legal obligation)
- Session tokens: deleted after 30 days
- Contact form messages: deleted after responding (max 90 days)
- PDF documents (Document Vault): stored compressed in Hetzner Object Storage (Germany/EU); deleted automatically after 90 days together with the analysis, or when the account is deleted
4. Sub-Processors
We use the following third-party services which process your data on our behalf. Data Processing Agreements (DPAs) are in place with each processor.
| Service | Purpose | Location | Privacy |
|---|---|---|---|
| Mistral AI (AI provider) | AI letter analysis — text and image analysis (primary provider) | France (EU) | |
| Vercel | Hosting and edge network | USA (SCC) | |
| Neon (PostgreSQL) | Database storage | EU | |
| RevenueCat | Payment processing, subscription management | USA (SCC) | |
| Resend | Transactional email | USA (SCC) | |
| Google | OAuth authentication only | USA (SCC) | |
| Hetzner | Document storage (Object Storage, S3-compatible) | Germany (EU) | |
International data transfers: Mistral AI and Hetzner are EU-based (France and Germany respectively) — AI processing and document storage stay within the EU with no international transfer required. Vercel, Stripe, Resend, and Google are based in the USA. USA transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c).
5. Your Rights (GDPR Art. 12–23)
- Art. 15 — Access: Export your data via Account > Privacy > Export Data
- Art. 16 — Rectification: Contact us to correct your data
- Art. 17 — Erasure: Delete your account via Account > Privacy > Delete Account
- Art. 18 — Restriction: Contact us to restrict processing
- Art. 20 — Portability: Export your data in machine-readable format
- Art. 21 — Object: Withdraw analytics consent at any time via cookie settings
- Art. 77 — Complaint: Lodge a complaint with the Bundesbeauftragte für Datenschutz und Informationsfreiheit (BfDI) or your local supervisory authority.
To exercise your rights, contact: contact@brief-bot.app. We respond within 30 days (GDPR Art. 12).
6. Cookies
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| next-auth.session-token | Essential | Authentication session | 30 days |
| briefbot-cookie-consent | Essential | Records your cookie preferences | 1 year |
| Analytics cookies | Optional (consent) | Usage analytics (only with consent) | 90 days |
Manage your preferences via the cookie banner or Cookie Settings.
7. Contact
Privacy inquiries: contact@brief-bot.app / Legal inquiries: contact@brief-bot.app
We do not currently have a designated Data Protection Officer (DPO) as we do not meet the thresholds of GDPR Art. 37. For DPO-related matters, contact the email above.
8. Changes to This Policy
We may update this policy. Material changes will be communicated via email or an in-app notice at least 14 days before taking effect.
9. Behavioural Analytics
To improve our service, BriefBot collects anonymised behavioural analytics data about how you interact with the application. This includes:
- Pages visited and time spent on each page
- Features used (e.g. camera scanner, chat, reminders, glossary)
- Buttons clicked and actions performed
- Session duration and frequency of use
- Upload types selected (text, PDF, image, camera)
This data is collected only when you have given consent at registration and is linked to your account. It is never shared with third parties and is retained for a maximum of 90 days, after which raw events are automatically deleted. Aggregated, anonymised insights are retained for service improvement purposes.
You may withdraw this consent at any time from Account → Privacy → Advanced Analytics. When disabled, no behavioural events will be collected.