Privacy Policy | Brief - Executive Intelligence

This Privacy Notice applies to the processing of personal information by Brief Productivity Solutions, Inc. (“Brief,” “we,” “us,” or “our”) including on our website available at https://trybrief.ai and our other online or offline offerings that link to, or are otherwise subject to, this Privacy Notice (collectively, the “Services”).

1. UPDATES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Privacy Notice on our website, and we may also send other communications.

2. PERSONAL INFORMATION WE COLLECT

We collect personal information that you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources, as described below.

A. Personal Information You Provide to Us Directly

We may collect personal information that you provide to us.

Account Information. We may collect personal information in connection with the creation or administration of your account. This personal information may include, but is not limited to, your name, email address, phone number, and other information you store with your account.
Transactions. We may collect personal information and details associated with your transactions with the Services, including payment information. Any payments made via our Services are processed by third-party payment processors. We do not directly collect or store any payment card information entered through our Services, but we may receive information associated with your payment card information (e.g., your billing details).
Your Communications with Us. We, and our service providers, may collect the information you communicate to us, such as through email or our web chat tool.
Surveys. We may contact you to participate in surveys. If you decide to participate, we may collect personal information from you in connection with the surveys.
Interactive Features. We and others who use our Services may collect personal information that you submit or make available through our interactive features (e.g., messaging features, commenting functionalities, forums, blogs, and social media pages). Any information you provide using the public sharing features of the Services will be considered “public.”
Conferences, Trade Shows, and Other Events. We may collect personal information from individuals when we attend or host conferences, trade shows, and other events.
Business Development and Strategic Partnerships. We may collect personal information from individuals and third parties to assess and pursue potential business opportunities.
Job Applications. If you apply for a job with us, we will collect any personal information you provide in connection with your application, such as your contact information and resume or CV.

B. Personal Information Collected Automatically

We may collect personal information automatically when you use the Services.

Device Information. We may collect personal information about your device, such as your Internet protocol (IP) address, user settings, cookie identifiers, other unique identifiers, browser or device information, Internet service provider, and location information (including, as applicable, an approximate location derived from the IP address and precise geo-location information).
Usage Information. We may collect personal information about your use of the Services, such as the pages that you visit, items that you search for, the types of content you interact with, information about the links you click, the frequency and duration of your activities, and other information about how you use the Services.
Cookie Notice (and Other Technologies). We, as well as third parties, may use cookies, pixel tags, and other technologies (“Technologies”) to automatically collect personal information through your use of the Services.
- Cookies. Cookies are small text files stored in device browsers.
- Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects personal information about use of or engagement with the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in emails to understand whether messages have been opened, acted on, or forwarded.

See “Your Privacy Choices” below to understand your choices regarding these Technologies.

C. Personal Information Collected from Third Parties

We may collect personal information from third parties. These third parties may include, but are not limited to, the examples described below.

Third-Party Services. If you access the Services, or integrate with the Services, using a third- party website, application, service, products, or technology (each a “Third-Party Service”), we may collect personal information from that Third-Party Service that you have made available via your privacy settings.

These Third-Party Services may include, but are not limited to, Microsoft 365, Google Workspace, video conferencing services such as Microsoft Teams or Zoom, Slack and other messaging platforms, and CRM services.

The personal information collected may include, but is not limited to, contact information, contents of communications, meeting recordings or transcripts, calendar event details, and other information about individuals available in the relevant Third-Party Service.
Users of the Services. Users of the Services may upload or otherwise provide personal information about others.

3. HOW WE USE PERSONAL INFORMATION

We use personal information for a variety of business purposes, including to provide the Services, to improve the Services, and to provide you with marketing materials, as described below.

A. Provide the Services

We use personal information to provide the Services, such as:

Developing and maintaining a knowledge graph and individual profiles for our customers;
Deriving insights and other information about individuals for our customers;
Taking actions on behalf of authorized users including, but not limited to, automated actions through the use of AI agents;
Providing access to certain areas, functionalities, and features of the Services;
Communicating with you;
Answering requests;
Sharing personal information with third parties as needed to provide the Services; and
Processing your financial information and other payment methods.

B. Improve the Services and Develop New Products and Services

Enhancing the Services
Training and refining personalization models that improve each individual user's experience of the Services, including the per-user knowledge graph and World Model of Work described in Section 8 (Google User Data). Brief uses data obtained through Google APIs only to refine personalization that serves the individual user whose data was used. Brief does not use data obtained through Google APIs to develop, improve, train, or fine-tune any generalized AI or machine-learning model that would serve users beyond the user whose data was used.

C. Operate Our Business

We use personal information to operate our business, such as:

Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
Carrying out analytics;
Creating de-identified and/or aggregated information;
Processing applications if you apply for a job we post on our Services;
Allowing you to register for events;
Enforcing our agreements and policies; and
Carrying out activities that are required to comply with our legal obligations.

D. Marketing

We may use personal information in connection with our marketing activities including to tailor and provide you with marketing communications, promotions, and offers that may interest you. Please note that we do not use personal information uploaded by our customers about third parties for our marketing purposes.

We may use personal information: (i) for other purposes that are clearly disclosed to you at the time you provide the personal information, (ii) with your consent, or (iii) as otherwise directed by you.

We share personal information with third parties for a variety of business purposes, including to provide the Services, to protect us or others, or in connection with a major business transaction such as a merger, sale, or asset transfer, as described below.

A. Disclosures to Provide the Services

We may share any of the personal information we collect with the categories of third parties described below.

Service Providers: Brief uses the following categories of service providers, each bound by contractual data-handling obligations:
- Cloud infrastructure and hosting: Google Cloud Platform (compute, storage, PostgreSQL via AlloyDB, Pub/Sub).
- AI / machine learning inference: Google Cloud Vertex AI (Gemini models). Brief does not use any other AI/ML provider in the data path. Google's commitment regarding Vertex AI Generative AI data governance, published at cloud.google.com/vertex-ai/generative-ai/docs/data-governance, states: "Google won't use your data to train or fine-tune any AI/ML models without your prior permission or instruction." Brief has not granted any such permission.
- Billing and payments: Stripe, Inc.
- Customer support and analytics: 1) Linear Orbit, Inc., 2) Anthropic PBC and 3) Posthog, Inc.
Advertising Partners: Device data described in Section 2.B may be shared with advertising partners for interest-based advertising on Brief's marketing pages. Brief does not share, sell, or transfer any data obtained through Google APIs — including Gmail, Calendar, Contacts, Chat, Tasks, or directory data — for advertising purposes of any kind. Customer-uploaded third-party data is also excluded from advertising use.
Other Users You Share or Interact With. The Services may allow Brief users to share personal information or interact with other users of the Services.
Third-Party Services You Share or Interact With. The Services may link to or allow you to interface with, interact with, share information with, direct us to share information with, access, and/or use a Third-Party Service.
Any personal information shared with a Third-Party Service will be subject to the Third-Party Service’s privacy policy. We are not responsible for the processing of personal information by Third-Party Services.
Brief Customers (Authorized Users Only). In cases where you use our Services as an employee, contractor, or other authorized user of a Brief customer, we may share any information associated with your use of the Services with the Brief customer, including, but not limited to, account information, usage information, files, and the contents of the communications associated with your account. Your personal information may also be subject to the Brief customer’s privacy policy. We are not responsible for the Brief customer’s processing of your personal information.
Affiliates. We may share your personal information with our corporate affiliates.

B. Disclosures to Protect Us or Others

We may share your personal information and related information with external parties if we, in good faith, believe doing so is required or appropriate to comply with law enforcement requests, national security requests, or other government requests; comply with legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual unauthorized or illegal activity.

C. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, transition of service to another provider, or other similar corporate transaction, your personal information may be shared, sold, or transferred as part of such a transaction.

5. YOUR PRIVACY CHOICES

The privacy choices you may have about your personal information are described below.

Email Communications. If you receive an unwanted email from us, you can use the unsubscribe functionality found at the bottom of the email to opt out of receiving future emails. Note that you will not be able to opt out of certain communications (e.g., communications regarding the Services or updates to this Privacy Notice).
Text Messages. If you receive an unwanted text message from us, you may opt out of receiving future text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us as set forth in “Contact Us” below.
“Do Not Track.” Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
Cookies. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, the Services may not work properly. The online advertising industry also provides mechanisms that may allow you to opt out of receiving targeted ads from organizations that participate in self-regulatory programs. To learn more, visit the Network Advertising Initiative and the Digital Advertising Alliance. Please note you must separately opt out in each browser and on each device.

6. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live.

7. CHILDREN’S PERSONAL INFORMATION

The Services are not directed to children under 18, and we do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has uploaded personal information to the Services in violation of applicable law, you may contact us as described in “Contact Us” below.

8. GOOGLE USER DATA

Brief connects to users' Google accounts to provide its Executive Intelligence platform. Brief's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements applicable to Gmail and Google Workspace data.

A. Google OAuth Scopes Brief Requests

Brief uses incremental authorization. When a user first connects their Google account, Brief requests only a minimal set of six scopes needed for sign-in and the core briefing: the OpenID Connect identity scopes (openid, email, profile), read-only Gmail, read-only Calendar, and read-only Contacts. Every other scope is requested later, one feature at a time, and only when the user chooses to enable that feature. Each scope is requested only because the corresponding user-facing feature requires it. The table below lists every scope Brief can request and when it is requested.

Scope	Requested	Purpose in Brief
openid, email, profile	At sign-in	Authenticate the user and populate the user's identity within Brief.
https://www.googleapis.com/auth/gmail.readonly	At sign-in	Read the user's Gmail messages to surface action items, pending decisions, and meeting prep context in the daily briefing.
https://www.googleapis.com/auth/calendar.readonly	At sign-in	Read the user's calendar events to populate meeting context (attendees, times, conference links, prep notes) in the daily briefing.
https://www.googleapis.com/auth/contacts.readonly	At sign-in	Read the user's contacts to resolve names against email senders, recipients, and Chat participants so the briefing shows human-readable names.
https://www.googleapis.com/auth/gmail.compose	When the user enables Compose Email	Create email drafts in the user's Gmail Drafts folder for the user to review and send manually. Brief does not send email autonomously.
https://www.googleapis.com/auth/calendar	When the user enables Calendar writes	Create new events when the user takes a scheduling action, and provision a dedicated secondary "Brief AI" calendar onto which Brief writes shadow events that surface Brief's briefing detail (prep notes, attendee context) directly inside the user's Google Calendar app.
https://www.googleapis.com/auth/contacts	When the user enables Contacts write-back	Write notes back to the user's contacts and create contacts when the user takes a contact-management action.
https://www.googleapis.com/auth/tasks	When the user enables Tasks	Read the user's Google Tasks to surface them in the daily briefing, and write back when the user creates or completes tasks through Brief.
https://www.googleapis.com/auth/chat.messages	When the user enables Chat	Read messages from Google Chat spaces and direct messages the user is a member of to surface action items in the daily briefing, and post messages back to Chat as part of action workflows initiated by the user.
https://www.googleapis.com/auth/chat.spaces.readonly	When the user enables Chat	Enumerate the user's Chat spaces during sync setup.
https://www.googleapis.com/auth/chat.memberships.readonly	When the user enables Chat	Resolve sender display names in Chat messages.
https://www.googleapis.com/auth/directory.readonly	When the user enables Contacts or Chat	For Google Workspace accounts, resolve sender display names for users outside the immediate space members list. Gracefully degrades for personal Gmail accounts.

B. Limited Use Commitment for Gmail and Google Workspace Data

Brief's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Use for user-facing features only. Brief uses Google user data exclusively to provide and improve the user-facing features that are prominently displayed in Brief's interface — the daily briefing, person briefings, meeting prep, email draft creation, calendar event creation, and contact and task management.
No transfer except to provide features, comply with law, or for security. Brief transfers Google user data only to (i) Google Cloud Vertex AI for inference, which remains within Google's infrastructure, or (ii) as required to comply with applicable law or valid legal process, or (iii) as necessary to investigate a security incident or abuse of Brief's service. Brief does not sell Google user data or transfer it to any third party for the third party's own purposes.
No advertising use. Brief does not use Google user data to serve advertisements, and does not transfer Google user data to advertising platforms.
No human reading of Google user data, except in the following narrow circumstances:
- With the user's explicit, contemporaneous consent (for example, when the user opens a support ticket and asks Brief personnel to investigate a specific message).
- As necessary for security investigations, abuse prevention, or to comply with applicable law.
- When the data has been aggregated and anonymized for internal operations consistent with applicable privacy law.
Per-user personalization only; no generalized model training. Brief uses Google user data to refine personalization that serves the individual user whose data was used — including building each user's private knowledge graph and World Model of Work, and personalizing that user's daily briefing, person briefings, and meeting prep. Consistent with Google's Limited Use policy, Brief does not use Google user data to develop, improve, train, or fine-tune any generalized AI or machine-learning model that would serve users beyond the user whose data was used to refine the model. Brief does not transfer Google user data to any third party for that third party's own model training.

C. Google Cloud Vertex AI Gemini as Sole AI Processor

Brief sends Google user data to Google Cloud Vertex AI Gemini to perform summarization and extraction in the daily briefing pipeline. Because Vertex AI runs on Google's own infrastructure, Google user data sent for inference does not leave Google Cloud. Per Google's published commitment at cloud.google.com/vertex-ai/generative-ai/docs/data-governance, Google does not use customer prompts or outputs to train its foundation models without prior permission. Brief has not granted any such permission. Brief uses no other AI or machine-learning provider in the Google data path.

D. Encryption

Brief encrypts Google user data and OAuth tokens at rest using two layers:

Storage-layer encryption. Brief's PostgreSQL database runs on Google Cloud AlloyDB, which encrypts all data at rest using a Customer-Managed Encryption Key (CMEK) stored in Google Cloud KMS. The key is controlled by Brief, not by Google's default key infrastructure, and is rotated every 90 days.
Application-layer encryption. Sensitive user data fields — including message bodies, task descriptions, and similar content — are additionally encrypted in the application layer using per-user Data Encryption Keys (DEKs). Each user's DEK is wrapped by a separate Key Encryption Key in the same Google Cloud KMS keyring, providing defense in depth so that storage-layer access alone is insufficient to read sensitive user content.

Data in transit between Brief's services, between Brief and Google's APIs, and between Brief and Google Cloud Vertex AI is encrypted with TLS 1.2 or higher.

9. DATA RETENTION

Brief retains Google user data only as long as the user maintains an active Google integration with Brief. Specifically:

Ingested user data (Gmail messages, calendar events, contacts, Chat messages, tasks): retained while the Google integration remains connected. When the user disconnects the Google integration or deletes their Brief account, this data is purged from Brief's primary database as part of the disconnect or deletion transaction (see Section 10).
OAuth tokens: retained while the integration remains connected; deleted immediately on disconnect or account deletion.
LLM audit and usage records (records of which prompts ran against Vertex AI, used for cost and quality monitoring): retained for 90 days on a rolling basis.
News enrichment data (third-party news article content used to enrich person briefings): retained for 30 days on a rolling basis.
Database backups: Brief's production database (Google Cloud AlloyDB) retains two backup layers: continuous backup with a 14-day point-in-time recovery window, and weekly automated backups taken every Sunday with the 14 most recent retained (approximately 14 weeks of historical snapshots). Deleted data persists in those backup layers until they roll off automatically. Brief does not selectively restore deleted user data from backups; backups are used only for disaster recovery and are restored as a whole instance.

10. HOW TO DELETE YOUR DATA

Users have two paths to delete data Brief has collected.

A. Disconnect a single Google account

From Brief's connected-accounts settings, the user clicks "Disconnect" on any connected Google account. This action:

Deletes Brief's encrypted copy of the OAuth tokens for that account.
Calls Google's token revocation endpoint to invalidate the refresh token at Google.
Deletes the integration_connections record, which cascades through the database to purge all Google user data sourced from that connection — Gmail messages, calendar events, contacts, Chat messages, tasks, and associated metadata.
Purges Brief's stored Gmail and Calendar push-notification subscription records for that connection. Brief does not renew these subscriptions, so they lapse at Google, and any notification received after disconnect is ignored because the underlying connection has been deleted.

B. Delete the entire Brief account

From Brief's account settings, the user clicks "Delete Account." This action:

Cancels any active subscription with Stripe.
Deletes the user's record from Brief's database, which cascades through every foreign key referencing that user — purging every row of user data Brief holds, across all integrations.
Clears the session and refresh cookies in the browser.
Asynchronously deletes any files Brief stored in Google Cloud Storage on the user's behalf (attachments, photos, other user objects), typically within minutes.

C. Backup retention

As noted in Section 9, deleted data persists in AlloyDB automated backups for the backup retention window. Backups are not selectively restored.

D. Written deletion requests

Users may also submit a written deletion request by email to contact@trybrief.ai. Brief will process the request within 30 days unless a shorter window is required by applicable law.

E. Revoking Brief's Google access directly at Google

Independent of any action in Brief, users may revoke Brief's access to their Google account at any time at https://myaccount.google.com/permissions. This is the canonical Google-controlled mechanism for revoking third-party application access.

11. CONTACT US

If you have any questions about our privacy practices or this Privacy Notice, please contact us at: contact@trybrief.ai.