Privacy Policy

1. Who this policy covers

This policy applies to visitors to briefton.com, waitlist sign-ups, authenticated users of the Briefton application, and individuals whose data appears in a customer's connected HubSpot account or meeting materials processed through Briefton.

If you interact with a sales team that uses Briefton, that team's employer controls most CRM-related processing. Direct requests about deal or contact records may need to be sent to that employer first; we will assist them as required by law.

2. Data we collect

We collect the following categories of information:

• Account data: name, work email, authentication identifiers, team membership, role (rep, manager, owner), timezone, and working-hours preferences.
• Contact & delivery data: WhatsApp phone number (E.164), WhatsApp opt-in timestamp, and message delivery metadata.
• CRM data (via HubSpot): deals, contacts, companies, pipeline stages, activity signals, and OAuth tokens needed to sync — stored in your team's Briefton workspace and written back only as configured.
• Conversation data: meeting or call transcripts you or your team submit, Scribe-generated summaries, and action items linked to deals.
• Coaching data (rep-private): observations generated for an individual rep. These are not visible to managers by product design and are enforced with database row-level security.
• Manager-visible aggregates: team-level patterns and metrics that do not expose individual coaching content.
• Support & WhatsApp inbound: messages you send to Briefton support or Chief, plus diagnostic context needed to triage issues.
• Billing data: subscription status, seat counts, and Stripe customer identifiers. Payment card details are handled by Stripe, not stored by us.
• Marketing & waitlist: email address, optional company name, signup source, and best-effort country from CDN headers.
• Technical logs: IP address, user agent, request timestamps, error reports (if error monitoring is enabled), and cron health metadata.

3. Where data comes from

We receive data directly from you (signup forms, Desk settings, WhatsApp replies), from your organization's HubSpot connection, from integrations you enable (for example meeting recordings forwarded to Scribe), and automatically from how you use the service (brief delivery, login sessions).

4. How and why we use data

We use personal data to:

• Provide the service: generate and deliver briefs, sync CRM fields, run meeting summaries, and show team dashboards.
• Operate dual-loyalty boundaries: keep rep coaching private while surfacing team-visible deal and pattern data.
• Authenticate users, enforce team permissions, and prevent abuse (including rate limits on public signup).
• Bill subscribers and manage trials through Stripe.
• Respond to support requests and improve reliability.
• Send transactional email (magic links, operational notices) and, if you join the waitlist, occasional product email you can opt out of.
• Comply with law and protect the security of the platform.

5. Legal bases (EEA / UK)

Where GDPR applies, we rely on: (a) performance of a contract — to provide Briefton to paying teams and registered users; (b) legitimate interests — to secure the service, prevent fraud, and improve operations, balanced against your rights; (c) consent — for WhatsApp brief delivery (collected at Desk or onboarding) and optional marketing; (d) legal obligation — where retention or disclosure is required by law.

Customers are responsible for choosing an appropriate legal basis for CRM and prospect data they connect from HubSpot.

6. Dual loyalty & manager visibility

Briefton is built so reps receive private coaching while managers see deal-level and aggregate team insight. Conversation transcripts and detailed summaries are not shown to managers unless a rep explicitly shares a conversation.

Managers can see deals, signals, brief delivery status, inbound-fit queues, and Almanac aggregate patterns for their team. They cannot access another rep's coaching observations through the product interface or our standard APIs.

7. Sharing & subprocessors

We do not sell personal data. We share data with service providers that help us run Briefton, under contracts that require appropriate safeguards:

• Supabase — application database and authentication (region depends on deployment configuration).
• Vercel — application hosting and background workflows.
• Stripe — subscription billing and payment processing.
• Twilio — WhatsApp message delivery and inbound webhooks.
• OpenAI — speech transcription (Whisper) where enabled.
• Anthropic / OpenAI — large-language-model inference for briefs, coaching, summaries, and support triage.
• Resend — transactional email.
• HubSpot — your organization's CRM (data flows under your HubSpot connection and permissions).
• Sentry (optional) — error monitoring when configured in production.
• Upstash (optional) — distributed rate limiting for public signup endpoints.

8. International transfers

We and our subprocessors may process data in the European Economic Area, the United States, and other countries where they operate. Where required, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses or equivalent safeguards offered by subprocessors.

Enterprise customers on Charter plans may request a data processing agreement and region-specific arrangements.

9. Retention

We keep data for as long as your team maintains an active account and as needed to provide the service. CRM-linked records follow your team's use of the product and HubSpot sync settings.

Waitlist entries are kept until you unsubscribe or ask us to delete them. Billing records may be retained as required for tax and accounting law.

When a user deletes their account from Desk settings, we terminate team memberships, anonymize the profile, and remove authentication access. Historical brief or deal records tied to team operations may remain until the team admin requests team-level deletion.

10. Security

We use industry-standard measures including encryption in transit (TLS), encrypted storage for sensitive OAuth tokens, row-level security in Postgres, signed webhooks, and least-privilege service credentials.

No method of transmission or storage is completely secure. Report concerns to hello@briefton.com.

11. Your rights

Depending on your location, you may have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. You may also withdraw consent where processing is consent-based (for example WhatsApp opt-in).

Signed-in users can export a JSON copy of their profile, briefs, coaching notes, and related records from Desk → Your data, and request account deletion there.

EEA/UK residents may lodge a complaint with their local supervisory authority. Our lead supervisory contact for privacy questions is hello@briefton.com.

12. WhatsApp & communications compliance

Briefton sends operational sales briefs to phone numbers your team registers. Each rep must opt in before WhatsApp delivery is enabled.

Customers are responsible for ensuring they have a lawful basis and any required consents to message their reps and to process prospect or customer data in connected CRM systems, including compliance with WhatsApp Business Policy, TCPA (where applicable), and local electronic communications rules.

13. Cookies & similar technologies

We use strictly necessary cookies and local storage to keep you signed in and protect against cross-site request forgery. We do not use third-party advertising cookies on the application.

Marketing pages may use basic analytics consistent with our hosting provider. We will update this section if that changes.

14. Children

Briefton is a business service not directed at children under 16. We do not knowingly collect data from children.

15. Changes

We may update this policy as the product or law evolves. Material changes will be posted on this page with a revised date. Continued use after changes take effect constitutes acceptance where permitted by law.

16. Contact

Briefton OY · Privacy · hello@briefton.com · Helsinki / Tallinn