Privacy Policy
Version 1.1 - 9 March 2026
This Privacy Policy explains how Brieflodge collects, uses, shares, stores, and otherwise processes personal data when you use our website, application, and related services.
Brieflodge is committed to handling personal data in line with the General Data Protection Regulation (GDPR) and applicable French and European data protection laws.
Quick summary
- You remain in control of the customer content you store inside Brieflodge workspaces.
- Brieflodge acts as a controller for account, billing, support, security, and website-related processing.
- Brieflodge acts as a processor when customers use the Services to manage briefs, attachments, comments, and other workspace content on their own behalf.
- We use a limited set of service providers to run the product, including infrastructure, email, analytics, collaboration, and payment vendors.
- You can request access, correction, deletion, restriction, objection, or portability where applicable by contacting privacy@brieflodge.com.
1. Controller details
For the processing activities described in this Privacy Policy where Brieflodge acts as a controller, the data controller is:
Brieflodge
Paris, France
Email: privacy@brieflodge.com
Brieflodge has not designated a data protection officer at this time. Privacy requests and questions should be sent to the email address above.
2. Scope of this Privacy Policy
This Privacy Policy applies to personal data that Brieflodge processes as a controller in connection with:
- account registration and administration;
- subscription, billing, and payment management;
- workspace and user administration;
- product analytics, security, and service monitoring;
- support, contact, and transactional communications;
- operation of our marketing website and product environment.
When our customers use Brieflodge to store or manage briefs, files, comments, collaborator information, or other personal data for their own business purposes, Brieflodge generally acts as a processor on behalf of that customer. Those processing activities are described at a high level here and are governed contractually through our Data Processing Agreement.
This Privacy Policy does not apply to third-party websites, services, or integrations that are subject to their own privacy terms.
3. Categories of personal data we process
Depending on how you use Brieflodge, we may process the following categories of personal data.
| Category | Details | Typical context |
|---|---|---|
| Account and profile data | Name, email address, authentication identifiers, workspace membership, settings, and preferences | When you register, sign in, join a workspace, or manage your profile |
| Billing and subscription data | Subscription plan, billing status, invoices, business details, VAT-related data where provided, and payment references | When you subscribe to a paid plan or manage billing |
| Customer content and collaboration data | Briefs, comments, suggestions, tasks, attachments, workspace activity, invitations, and related content | When customers and invited users collaborate inside the Services |
| Usage, device, and security data | IP address, browser or device details, session information, sign-in events, usage events, and diagnostics | When you access the website or product and when we secure and improve the Services |
| Communications data | Messages, support requests, replies, and troubleshooting context | When you contact us or receive service-related communications |
| Cookie and consent data | Consent preferences and related browser identifiers | When you interact with cookie controls and analytics choices |
Brieflodge does not store full payment card numbers. Card processing is handled by Stripe.
4. How we collect personal data
We collect personal data:
- directly from you when you create an account, update profile or billing information, invite users, contact us, or use the Services;
- automatically when you access the website or product, including through essential technical logs and, where permitted, analytics tooling;
- from workspace administrators or other authorised users who invite you into a workspace or assign you access;
- from payment or infrastructure providers where needed to confirm transactions, prevent fraud, or operate the Services.
5. Why we use personal data
We use personal data to:
- create and manage accounts and workspaces;
- authenticate users and secure the Services;
- provide collaboration, storage, workflow, and realtime-editing functionality;
- process subscriptions, payments, taxes, and invoices;
- send account, billing, security, and other transactional communications;
- provide support and respond to requests;
- understand product usage and improve features where analytics consent has been given;
- prevent abuse, detect incidents, investigate misuse, enforce our Terms, and comply with legal obligations.
6. Legal bases
Where Brieflodge acts as a controller, we rely on one or more of the following legal bases under GDPR.
| Processing activity | Legal basis |
|---|---|
| Account creation, sign-in, workspace administration, and delivery of core product features | Performance of a contract |
| Billing, invoicing, taxes, accounting records, and legal reporting | Legal obligation and performance of a contract |
| Support, security monitoring, fraud prevention, abuse handling, and service reliability | Legitimate interests |
| Optional analytics and non-essential cookies | Consent |
| Product, billing, and operational notices | Performance of a contract or legitimate interests, depending on the notice |
Where we rely on legitimate interests, we do so only where those interests are not overridden by your rights and freedoms.
7. Controller and processor roles
Brieflodge acts as a controller for account, subscription, support, website, security, analytics-configuration, and service administration data.
Brieflodge acts as a processor where customers use the Services to manage their own briefs, workflows, collaborator data, uploaded files, and other personal data inside workspaces. In those cases, the customer determines the purposes of the processing and Brieflodge processes data on the customer's instructions as set out in the Services and our Data Processing Agreement.
If you are a respondent, collaborator, or third party whose data was added to Brieflodge by one of our customers, that customer is usually the controller for that processing and should be your first contact for data-rights requests relating to that content.
8. Sharing and subprocessors
We share personal data only where necessary to operate the Services, comply with law, or protect rights and security. We do not sell personal data.
The following providers are used in connection with Brieflodge's current product and operations:
| Provider | Service category | Country | May process brief / project submission | Typical purpose |
|---|---|---|---|---|
| Cloudflare | Hosting, storage, and security infrastructure | πͺπΊ | Yes | Hosting, file delivery, presigned storage, bot protection, Turnstile, and Cloudflare R2-backed file storage |
| Supabase | Backend platform | πͺπΊ | Yes | Authentication, database, permissions, and core application data. Brieflodge stores application content in Supabase within the EU. |
| Directus | Content management | πͺπΊ | No | Public site and legal-content management |
| Resend | Email delivery | πΊπΈ | Yes | Transactional emails and service notifications that may contain brief or project context selected by users |
| Stripe | Payments | πΊπΈ | No | Subscription billing, invoices, and payment processing |
| PostHog | Analytics and error monitoring | πͺπΊ | No | Product analytics, diagnostics, and service improvement where configured |
| Unsplash | Optional media provider | π¨π¦ | No | Image discovery workflows initiated by users |
We may also disclose personal data where necessary to comply with law, enforce our agreements, protect Brieflodge, our users, or the public, or support a corporate reorganisation, financing, merger, sale, or asset transfer.
9. International transfers
Brieflodge aims to structure its services with European data protection requirements in mind. Some providers may process data in the EEA or outside the EEA.
Where personal data is transferred outside the EEA, we take steps to ensure an appropriate level of protection, including contractual safeguards such as standard contractual clauses, transfer assessments where relevant, and vendor due diligence.
10. Retention and deletion
Brieflodge keeps personal data only for as long as necessary for the purposes described in this Privacy Policy, subject to legal, security, contractual, and operational requirements.
The following retention and deletion periods are currently supported by the product:
| Data or record type | Current retention behaviour |
|---|---|
| In-app notifications | Expire after 7 days by default |
| Dismissed notifications | Expire within 24 hours |
| Archived briefs | Automatically deleted after 90 days |
| Soft-deleted task comments | Permanently deleted after 30 days |
| Invitations | Expire after 7 days |
| Queued brief invitations | Removed after 30 days |
| OTP nonces | Expired records removed after 1 day |
| Brief version history | Retained for up to 90 days where the relevant feature is enabled |
| Brief activity history | Retained for up to 365 days where the relevant feature is enabled |
| Personal account deletion | Starts immediate app-side deletion of account data and associated stored files, subject to technical cleanup and legal exceptions |
Some records are retained outside the direct control of the application:
- Stripe may retain billing and payment records to meet tax, accounting, fraud-prevention, and legal obligations;
- PostHog may retain analytics and error-event data according to its configured retention settings;
- email-delivery providers may retain delivery logs for security and reliability purposes;
- infrastructure backups and provider-managed system logs may be retained according to provider policies.
11. Direct marketing and product communications
We may send service, billing, legal, transactional, and security-related communications where necessary for the Services.
Where allowed by law, we may also send product updates or marketing communications related to Brieflodge. You can opt out of non-essential promotional emails at any time using the unsubscribe mechanism included in those messages or by contacting us.
12. Security
Brieflodge uses technical and organisational measures designed to protect personal data, including access controls, authentication safeguards, role-based permissions, storage segregation, vendor management, and service monitoring.
No system can be guaranteed to be perfectly secure. If Brieflodge becomes aware of a personal data breach affecting personal data we control, we will respond in accordance with applicable law.
13. Your rights
Depending on your location and the nature of the processing, you may have the right to:
- access your personal data;
- request correction of inaccurate data;
- request deletion of data;
- request restriction of processing;
- object to certain processing;
- receive a copy of certain data in a portable format;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority.
To exercise your rights, contact privacy@brieflodge.com. We may request information reasonably necessary to verify your identity before responding.
If Brieflodge acts only as a processor for the data concerned, we may direct your request to the relevant customer controller.
14. Complaints
If you are located in France, you may lodge a complaint with the CNIL. If you are located elsewhere in the EEA, you may contact your local supervisory authority.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we do, we will publish the updated version and revise the date at the top of this page.
16. Contact
If you have questions or want to exercise your rights, contact privacy@brieflodge.com.