Privacy Policy

Last updated: 2026-04-25

Pre-launch notice. This Privacy Policy is a placeholder. It captures the actual data flows the service implements, but the legal language has not been reviewed. Replace before opening public signups.

1. Data controller

Brightbrief is a service of Avack Media. The data controller for the information described below is Avack Media (contact: arthur@vanacker.io).

2. What we collect and why

  • Account email -- to authenticate you and to deliver briefings. Lawful basis: contract performance (Art. 6(1)(b)).
  • Business profile (company name, markets, competitors, ICP, tracked topics) -- to generate briefings tailored to your business. Lawful basis: contract performance.
  • Briefings we generate for you -- stored so you can re-read them in the dashboard. Lawful basis: contract performance.
  • Payment metadata (Paddle customer id, subscription tier, billing status) -- to manage your subscription. Card numbers are never seen or stored by us; they live with Paddle. Lawful basis: contract performance.
  • Trial-eligibility hash -- when you sign up, we record a peppered SHA-256 hash of your normalised email address in a dedicated table to prevent the same address from claiming the free trial twice. The plaintext email is NEVER stored in this table; only an irreversible hash is. Lawful basis: legitimate interest (Art. 6(1)(f)) in fraud and abuse prevention. We retain these records for 24 months and then delete them.
  • Service logs (sweep timing, web-search counts, delivery status) -- to operate and debug the service. Lawful basis: legitimate interest in service operation.

3. Sub-processors

We share data with the following third parties to provide the service:

  • Supabase (database + authentication) -- EU/Frankfurt region.
  • Anthropic (LLM provider for briefing generation). Your business profile is sent as a system prompt with each briefing run. We rely on Anthropic's data processing agreement; refer to their privacy policy for their handling.
  • Resend (email delivery). Recipient addresses and briefing content pass through Resend.
  • Paddle (payments). Paddle is the merchant of record for paid subscriptions and handles cardholder data; we never see card numbers.
  • Railway (worker hosting) and Vercel (web hosting) -- compute providers.

4. Your rights (GDPR)

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request erasure of your data, subject to limited exceptions.
  • Object to processing based on legitimate interest.
  • Request data portability for data you have provided to us.
  • Lodge a complaint with your local supervisory authority (e.g. CNPD in Portugal, AP in the Netherlands, GBA/APD in Belgium).

Exercise these rights by emailing arthur@vanacker.io. We will respond within 30 days.

Note: a request to delete your trial-eligibility hash record may be declined under Art. 17(3)(b/e) where erasure would defeat our abuse-prevention purpose. We will respond explaining the basis.

5. Retention

  • Account data: while your account is active, plus 90 days after deletion for backups.
  • Briefings: while your account is active.
  • Trial-eligibility hashes: 24 months from grant.
  • Service logs: 90 days.

6. Cookies

We use only first-party cookies necessary for authentication (the Supabase session cookie). We do not use advertising or analytics cookies.

7. International transfers

Some sub-processors (notably Anthropic, Resend) may process data in the United States. We rely on Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

8. Changes

We will notify you of material changes by email at least 14 days before they take effect.