• Why Brieflodge
  • Templates
  • Changelog
  • Pricing
Start for freeSign In
Privacy Policy

How Brieflodge collects, uses, shares, and protects personal data.

Privacy Policy

Version 1.1 - 9 March 2026

This Privacy Policy explains how Brieflodge collects, uses, shares, stores, and otherwise processes personal data when you use our website, application, and related services.

Brieflodge is committed to handling personal data in line with the General Data Protection Regulation (GDPR) and applicable French and European data protection laws.

Quick summary

  • You remain in control of the customer content you store inside Brieflodge workspaces.
  • Brieflodge acts as a controller for account, billing, support, security, and website-related processing.
  • Brieflodge acts as a processor when customers use the Services to manage briefs, attachments, comments, and other workspace content on their own behalf.
  • We use a limited set of service providers to run the product, including infrastructure, email, analytics, collaboration, and payment vendors.
  • You can request access, correction, deletion, restriction, objection, or portability where applicable by contacting privacy@brieflodge.com.

1. Controller details

For the processing activities described in this Privacy Policy where Brieflodge acts as a controller, the data controller is:

Brieflodge
Paris, France
Email: privacy@brieflodge.com

Brieflodge has not designated a data protection officer at this time. Privacy requests and questions should be sent to the email address above.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data that Brieflodge processes as a controller in connection with:

  • account registration and administration;
  • subscription, billing, and payment management;
  • workspace and user administration;
  • product analytics, security, and service monitoring;
  • support, contact, and transactional communications;
  • operation of our marketing website and product environment.

When our customers use Brieflodge to store or manage briefs, files, comments, collaborator information, or other personal data for their own business purposes, Brieflodge generally acts as a processor on behalf of that customer. Those processing activities are described at a high level here and are governed contractually through our Data Processing Agreement.

This Privacy Policy does not apply to third-party websites, services, or integrations that are subject to their own privacy terms.

3. Categories of personal data we process

Depending on how you use Brieflodge, we may process the following categories of personal data.

Category Details Typical context
Account and profile data Name, email address, authentication identifiers, workspace membership, settings, and preferences When you register, sign in, join a workspace, or manage your profile
Billing and subscription data Subscription plan, billing status, invoices, business details, VAT-related data where provided, and payment references When you subscribe to a paid plan or manage billing
Customer content and collaboration data Briefs, comments, suggestions, tasks, attachments, workspace activity, invitations, and related content When customers and invited users collaborate inside the Services
Usage, device, and security data IP address, browser or device details, session information, sign-in events, usage events, and diagnostics When you access the website or product and when we secure and improve the Services
Communications data Messages, support requests, replies, and troubleshooting context When you contact us or receive service-related communications
Cookie and consent data Consent preferences and related browser identifiers When you interact with cookie controls and analytics choices

Brieflodge does not store full payment card numbers. Card processing is handled by Stripe.

4. How we collect personal data

We collect personal data:

  • directly from you when you create an account, update profile or billing information, invite users, contact us, or use the Services;
  • automatically when you access the website or product, including through essential technical logs and, where permitted, analytics tooling;
  • from workspace administrators or other authorised users who invite you into a workspace or assign you access;
  • from payment or infrastructure providers where needed to confirm transactions, prevent fraud, or operate the Services.

5. Why we use personal data

We use personal data to:

  • create and manage accounts and workspaces;
  • authenticate users and secure the Services;
  • provide collaboration, storage, workflow, and realtime-editing functionality;
  • process subscriptions, payments, taxes, and invoices;
  • send account, billing, security, and other transactional communications;
  • provide support and respond to requests;
  • understand product usage and improve features where analytics consent has been given;
  • prevent abuse, detect incidents, investigate misuse, enforce our Terms, and comply with legal obligations.

6. Legal bases

Where Brieflodge acts as a controller, we rely on one or more of the following legal bases under GDPR.

Processing activity Legal basis
Account creation, sign-in, workspace administration, and delivery of core product features Performance of a contract
Billing, invoicing, taxes, accounting records, and legal reporting Legal obligation and performance of a contract
Support, security monitoring, fraud prevention, abuse handling, and service reliability Legitimate interests
Optional analytics and non-essential cookies Consent
Product, billing, and operational notices Performance of a contract or legitimate interests, depending on the notice

Where we rely on legitimate interests, we do so only where those interests are not overridden by your rights and freedoms.

7. Controller and processor roles

Brieflodge acts as a controller for account, subscription, support, website, security, analytics-configuration, and service administration data.

Brieflodge acts as a processor where customers use the Services to manage their own briefs, workflows, collaborator data, uploaded files, and other personal data inside workspaces. In those cases, the customer determines the purposes of the processing and Brieflodge processes data on the customer's instructions as set out in the Services and our Data Processing Agreement.

If you are a respondent, collaborator, or third party whose data was added to Brieflodge by one of our customers, that customer is usually the controller for that processing and should be your first contact for data-rights requests relating to that content.

8. Sharing and subprocessors

We share personal data only where necessary to operate the Services, comply with law, or protect rights and security. We do not sell personal data.

The following providers are used in connection with Brieflodge's current product and operations:

Provider Service category Country May process brief / project submission Typical purpose
Cloudflare Hosting, storage, and security infrastructure πŸ‡ͺπŸ‡Ί Yes Hosting, file delivery, presigned storage, bot protection, Turnstile, and Cloudflare R2-backed file storage
Supabase Backend platform πŸ‡ͺπŸ‡Ί Yes Authentication, database, permissions, and core application data. Brieflodge stores application content in Supabase within the EU.
Directus Content management πŸ‡ͺπŸ‡Ί No Public site and legal-content management
Resend Email delivery πŸ‡ΊπŸ‡Έ Yes Transactional emails and service notifications that may contain brief or project context selected by users
Stripe Payments πŸ‡ΊπŸ‡Έ No Subscription billing, invoices, and payment processing
PostHog Analytics and error monitoring πŸ‡ͺπŸ‡Ί No Product analytics, diagnostics, and service improvement where configured
Unsplash Optional media provider πŸ‡¨πŸ‡¦ No Image discovery workflows initiated by users

We may also disclose personal data where necessary to comply with law, enforce our agreements, protect Brieflodge, our users, or the public, or support a corporate reorganisation, financing, merger, sale, or asset transfer.

9. International transfers

Brieflodge aims to structure its services with European data protection requirements in mind. Some providers may process data in the EEA or outside the EEA.

Where personal data is transferred outside the EEA, we take steps to ensure an appropriate level of protection, including contractual safeguards such as standard contractual clauses, transfer assessments where relevant, and vendor due diligence.

10. Retention and deletion

Brieflodge keeps personal data only for as long as necessary for the purposes described in this Privacy Policy, subject to legal, security, contractual, and operational requirements.

The following retention and deletion periods are currently supported by the product:

Data or record type Current retention behaviour
In-app notifications Expire after 7 days by default
Dismissed notifications Expire within 24 hours
Archived briefs Automatically deleted after 90 days
Soft-deleted task comments Permanently deleted after 30 days
Invitations Expire after 7 days
Queued brief invitations Removed after 30 days
OTP nonces Expired records removed after 1 day
Brief version history Retained for up to 90 days where the relevant feature is enabled
Brief activity history Retained for up to 365 days where the relevant feature is enabled
Personal account deletion Starts immediate app-side deletion of account data and associated stored files, subject to technical cleanup and legal exceptions

Some records are retained outside the direct control of the application:

  • Stripe may retain billing and payment records to meet tax, accounting, fraud-prevention, and legal obligations;
  • PostHog may retain analytics and error-event data according to its configured retention settings;
  • email-delivery providers may retain delivery logs for security and reliability purposes;
  • infrastructure backups and provider-managed system logs may be retained according to provider policies.

11. Direct marketing and product communications

We may send service, billing, legal, transactional, and security-related communications where necessary for the Services.

Where allowed by law, we may also send product updates or marketing communications related to Brieflodge. You can opt out of non-essential promotional emails at any time using the unsubscribe mechanism included in those messages or by contacting us.

12. Security

Brieflodge uses technical and organisational measures designed to protect personal data, including access controls, authentication safeguards, role-based permissions, storage segregation, vendor management, and service monitoring.

No system can be guaranteed to be perfectly secure. If Brieflodge becomes aware of a personal data breach affecting personal data we control, we will respond in accordance with applicable law.

13. Your rights

Depending on your location and the nature of the processing, you may have the right to:

  • access your personal data;
  • request correction of inaccurate data;
  • request deletion of data;
  • request restriction of processing;
  • object to certain processing;
  • receive a copy of certain data in a portable format;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with a supervisory authority.

To exercise your rights, contact privacy@brieflodge.com. We may request information reasonably necessary to verify your identity before responding.

If Brieflodge acts only as a processor for the data concerned, we may direct your request to the relevant customer controller.

14. Complaints

If you are located in France, you may lodge a complaint with the CNIL. If you are located elsewhere in the EEA, you may contact your local supervisory authority.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we do, we will publish the updated version and revise the date at the top of this page.

16. Contact

If you have questions or want to exercise your rights, contact privacy@brieflodge.com.

Made and hosted in the EU πŸ‡ͺπŸ‡Ί

Β© 2026 Brieflodge

About
  • Blog
  • Contact
Product
  • Templates
  • Cost of scope creep
  • Changelog
  • Pricing
Resources
  • Terms of Service
  • Privacy Policy
  • Data Processing Agreement
  • GDPR
  • Cookie Policy