• Why Brieflodge
  • Templates
  • Changelog
  • Pricing
Start for freeSign In
GDPR

How Brieflodge approaches GDPR responsibilities, customer roles, and data protection practices.

GDPR and Brieflodge

Version 1.1 - 9 March 2026

This page explains, at a practical level, how Brieflodge approaches GDPR-related responsibilities when you use the Services.

This page is provided for general information only and does not constitute legal advice. You should assess your own compliance obligations with your legal adviser.

Quick summary

  • Brieflodge is based in France and operates with GDPR obligations in mind.
  • Brieflodge acts as a controller for account, billing, support, security, and website operations.
  • Brieflodge acts as a processor for customer-submitted content stored and managed in workspaces.
  • We make available a Privacy Policy, Cookie Policy, and Data Processing Agreement.
  • Customers remain responsible for the lawful basis, notices, and configuration of the personal data they choose to process through the Services.

1. What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union framework governing how personal data is collected, used, stored, shared, and protected. It gives individuals rights over their personal data and sets obligations for controllers and processors.

2. Is Brieflodge GDPR aligned?

Brieflodge is based in France and operates its Services with GDPR requirements in mind. In particular:

  • we provide role-based access and workspace controls;
  • we use contractual, privacy, and cookie documentation designed for European legal requirements;
  • we support customer control over data stored in briefs and workspaces;
  • we provide a Privacy Policy, a Cookie Policy, and a Data Processing Agreement;
  • we structure non-essential analytics around user consent.

3. Controller and processor roles

GDPR responsibilities depend on the role Brieflodge plays in a given processing activity.

Brieflodge as controller

Brieflodge acts as a controller for:

  • account creation and administration;
  • subscription billing and payment records;
  • customer support and service communications;
  • website and product security operations;
  • analytics and monitoring configuration where Brieflodge determines the purpose of the processing.

Brieflodge as processor

Brieflodge acts as a processor where customers use the Services to manage their own briefs, attachments, comments, collaborator data, and related content. In those cases, the customer decides the purposes of the processing and Brieflodge provides the technical platform.

4. What customers remain responsible for

If you use Brieflodge for your organisation, you remain responsible for:

  • determining your lawful basis for processing personal data;
  • providing required notices to your own users, clients, prospects, or respondents;
  • configuring access, retention, and deletion settings in a way that matches your legal obligations;
  • responding to data subject requests relating to the content you control.

5. Data Processing Agreement

Where Brieflodge processes personal data on behalf of a customer, our Data Processing Agreement applies.

6. Customer controls and deletion

Customers can manage access to workspaces, remove members, archive or delete briefs, and delete personal accounts through the product.

Current product-supported deletion and retention behaviours include:

Data or record type Current retention behaviour
Notifications Expire after 7 days by default, or 24 hours if dismissed
Invitations Expire after 7 days
Queued brief invitations Purged after 30 days
Soft-deleted task comments Permanently deleted after 30 days
Archived briefs Automatically purged after 90 days
OTP nonces Deleted after 1 day once expired
Brief version history Retained up to 90 days where the relevant feature is enabled
Brief activity history Retained up to 365 days where the relevant feature is enabled
Personal account deletion Starts immediate app-side deletion of account data and related stored files

Some records remain subject to third-party or legal-retention requirements, such as billing records handled by Stripe, provider-managed logs, backups, and analytics-event retention configured through PostHog.

7. Subprocessors and service providers

Brieflodge uses the following services in connection with its current product stack:

Provider Service category Country May process brief / project submission Typical use
Cloudflare Hosting, security, and storage infrastructure πŸ‡ͺπŸ‡Ί Yes Hosting, R2 object storage, Turnstile, and related infrastructure services
Supabase Backend platform πŸ‡ͺπŸ‡Ί Yes Authentication, database, and permissions. Brieflodge stores application content in Supabase within the EU.
Directus Content management πŸ‡ͺπŸ‡Ί No Public content and legal-page administration
Resend Email delivery πŸ‡ΊπŸ‡Έ Yes Transactional emails and notifications that may include brief or project context selected by users
Stripe Payments πŸ‡ΊπŸ‡Έ No Subscription billing and payment processing
PostHog Analytics and monitoring πŸ‡ͺπŸ‡Ί No Product analytics and diagnostics
Unsplash Optional media provider πŸ‡¨πŸ‡¦ No User-initiated image discovery workflows

These services may involve processing in the EEA and, depending on the provider configuration, in other jurisdictions. Where required, Brieflodge relies on contractual safeguards and vendor due diligence for transfers.

8. International transfers

If personal data is transferred outside the EEA, Brieflodge uses appropriate safeguards such as standard contractual clauses or equivalent lawful transfer mechanisms.

9. Data subject rights

Depending on the context, data subjects may have rights of access, correction, deletion, restriction, objection, portability, and complaint.

Where Brieflodge acts as a processor, requests should generally be directed first to the relevant customer controller. Brieflodge will assist customers where appropriate under the DPA.

10. Security and incident response

Brieflodge uses technical and organisational measures designed to protect personal data and operates incident-response processes intended to support breach assessment, containment, and legally required notifications.

11. Contact

For GDPR-related questions, contact privacy@brieflodge.com.

If you are in France, you may also contact the CNIL. If you are elsewhere in the EEA, you may contact your local supervisory authority.

Made and hosted in the EU πŸ‡ͺπŸ‡Ί

Β© 2026 Brieflodge

About
  • Blog
  • Contact
Product
  • Templates
  • Cost of scope creep
  • Changelog
  • Pricing
Resources
  • Terms of Service
  • Privacy Policy
  • Data Processing Agreement
  • GDPR
  • Cookie Policy