Privacy Policy

Effective May 29, 2026

Note: This is a baseline policy maintained by Briefli. It is being finalized with outside legal counsel and may be revised. Material changes will be communicated to account holders by email.

1. Who we are (data controller)

Briefli is operated by Timberline Coffee School Ltd. (“Briefli”, “we”, “us”). We are the data controller for personal data collected through briefli.io. You can reach our privacy contact at privacy@briefli.io.

2. What we collect

  • Account information — name, email address, and (if you choose email/password sign-in) a hashed password. Google Sign-In also exposes your Google profile name and email.
  • Interview content — the questions Briefli asks and your free-text answers during an interview session.
  • Prompt history — the generated prompts saved to your account so you can retrieve them later.
  • Payment information — handled by Stripe. We receive subscription status, billing name, the last four digits of your card, and transaction IDs. We do not store full card numbers or CVV.
  • Usage data — pages visited, features used, and session timestamps via PostHog (anonymized) and standard server logs.
  • Device and technical data — IP address, browser type, operating system, and referring URL.
  • Communications — if you contact support, we retain the messages.

3. Why we use it (purposes & legal bases)

  • To deliver the Service (create your account, run the interview, generate and store prompts, process payments) — legal basis: performance of a contract (GDPR Art. 6(1)(b)).
  • To secure the Service (fraud and abuse prevention, error monitoring, server logs) — legal basis: legitimate interests (GDPR Art. 6(1)(f)).
  • To improve the Service (product analytics on usage patterns, not on your interview content) — legal basis: legitimate interests (GDPR Art. 6(1)(f)). We do not use your interview content or generated prompts to train AI models.
  • To send transactional emails (receipts, password resets, account notices) — legal basis: performance of a contract.
  • To send marketing emails, only if you have opted in — legal basis: consent (GDPR Art. 6(1)(a)). You can withdraw at any time using the unsubscribe link.
  • To comply with legal obligations — legal basis: legal obligation (GDPR Art. 6(1)(c)).

4. Who processes your data (subprocessors)

We use the following service providers to operate Briefli. Each is bound by a Data Processing Agreement (or equivalent contractual terms) that restricts their use of your data to the services they provide to us.

  • Anthropic (PBC) — AI provider that processes your interview inputs to generate prompts. Anthropic’s standard API terms prohibit using inputs to train its models. Region: United States. Transfer mechanism: EU Standard Contractual Clauses.
  • Supabase, Inc. — database, authentication, and storage. Region: United States. Transfer mechanism: EU Standard Contractual Clauses.
  • Vercel, Inc. — hosting, edge functions, and content delivery. Region: United States and global edge. Transfer mechanism: EU Standard Contractual Clauses.
  • Stripe, Inc. — payment processing. Region: United States. Transfer mechanism: EU Standard Contractual Clauses.
  • Google LLC — Google Sign-In OAuth (only if you choose to sign in with Google). Region: United States. Transfer mechanism: EU Standard Contractual Clauses.
  • PostHog Inc. — product analytics on usage patterns. We do not send your interview content to PostHog. Region: United States / EU. Transfer mechanism: EU Standard Contractual Clauses.
  • Meta Platforms, Inc. — Meta Pixel for marketing-page conversion measurement (loads on marketing pages only, not inside the authenticated app). Region: United States. Transfer mechanism: EU Standard Contractual Clauses.

We do not sell your personal data. We do not share interview content or prompt history with anyone except these subprocessors, or when required by law (see Section 8).

5. How long we keep it (retention)

  • Account data — for as long as your account is active, plus up to 12 months after closure for legal and audit purposes.
  • Interview content and prompt history — for as long as your account is active. You can delete individual prompts at any time, and account deletion removes them within 30 days.
  • Payment records — retained as required by tax and accounting law, typically 7 years.
  • Server logs and security data — typically 90 days, longer if required to investigate a security incident.
  • Support communications — up to 24 months after the ticket is closed.

6. Your rights

Depending on where you live, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Delete your personal data (right to erasure).
  • Restrict or object to certain processing.
  • Export your data in a portable format.
  • Withdraw consent for any processing based on consent (e.g., marketing emails).
  • Lodge a complaint with your local data protection authority. EU/EEA residents can find theirs at edpb.europa.eu. UK residents: the ICO (ico.org.uk).

To exercise any of these rights, email privacy@briefli.io. We respond within 30 days.

7. International transfers

Most of our subprocessors are based in the United States. When we transfer personal data outside the EU/EEA or UK, we rely on EU Standard Contractual Clauses (and the UK addendum where applicable) with each subprocessor, along with appropriate supplementary measures such as encryption in transit and at rest.

8. Disclosures required by law

We may disclose personal data if we are required to do so by law, a court order, or a binding governmental request, or to protect the rights, property, or safety of Briefli, our users, or the public.

9. Cookies

We use cookies that are strictly necessary to keep you signed in and to remember your preferences. We use analytics cookies (PostHog) to understand product usage. On marketing pages we may use a Meta Pixel cookie for conversion measurement. We do not use third-party advertising cookies for ad targeting inside the authenticated app.

10. Security

We use industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, server-side rendering with strict Content Security Policy, and regular review of security advisories. No system is 100% secure and we cannot guarantee absolute security.

11. Children

Briefli is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have, please contact us and we will delete it promptly.

12. Changes to this Policy

We may update this Privacy Policy. If we make material changes, we will notify account holders by email at least 14 days before the changes take effect.

13. Contact

Briefli (a service of Timberline Coffee School Ltd.)
Email: privacy@briefli.io