Privacy Policy
Last updated: 25 April 2026
We collect the minimum information needed to operate BriefMe Pro and we never sell it. This policy explains what we store, why, who has access to it, and how to exercise your rights under GDPR, UK GDPR, and CCPA/CPRA.
1. Who is responsible
The data controller is Anjishnu Mukhopadhyay (the “Provider”). Privacy contact: privacy@briefme.pro.
2. What we collect
| Data | Why | Retention |
|---|---|---|
| Email, display name | Account, login, transactional email | Until account deletion |
| Password hash (PBKDF2-SHA256) | Authentication | Until account deletion |
| IP address, user-agent (login & security events) | Brute-force protection, fraud detection | 90 days |
| Stripe / Razorpay customer ID | Subscription billing | Until account deletion + 7 yr (tax) |
| Interactions (thumbs-up / thumbs-down reactions on stories) | Per-user personalisation | Until account deletion |
| Google / Apple subject ID | OAuth sign-in | Until account deletion |
We do not store credit-card numbers, CVCs, or bank credentials. Those are handled exclusively by Stripe and Razorpay.
3. What we do not collect
- No advertising or analytics cookies. Only an essential session cookie and a refresh-token cookie.
- No third-party tracking scripts (Google Analytics, Facebook Pixel, etc.).
- No location data beyond IP-derived country for fraud signals.
- No content of stories you read — only your reactions to them, when you choose to give one.
4. How we use it
- To operate the Service (auth, sessions, billing, email verification, password reset).
- To personalise your story feed based on the regions/topics you react to.
- To detect abuse (rate-limit failed logins, lock compromised accounts).
- To comply with legal and tax obligations.
5. Sub-processors
The following third parties process limited data on our behalf:
- Stripe, Inc. — payments (USA).
- Razorpay Software Pvt Ltd — payments (India).
- Resend, Inc. — transactional email (USA).
- Groq, Inc. — LLM inference for scenario text. Only the public event data and the user’s region/category preferences are sent — never email, name, IP, or any account identifier.
- Google LLC / Apple Inc. — sign-in (only when you click the OAuth button).
- Railway Corp. — hosting (USA).
- Sentry — error monitoring with PII scrubbing enabled (when configured).
6. International transfers
Data is processed in the USA, the EU, and India depending on the sub-processor. Transfers from the EU/UK rely on the EU Standard Contractual Clauses or equivalent safeguards published by the relevant sub-processor.
7. Your rights
You can exercise the following at any time, free of charge:
- Access & portability — Account → Export Data downloads a JSON file containing everything we hold about you.
- Erasure — Account → Danger Zone deletes your account. Personal fields are anonymised within 30 days; full row-level deletion completes within 90 days. Tax-relevant payment records are retained for 7 years per applicable law.
- Correction — update your profile from Account, or email privacy@briefme.pro.
- Object / restrict — email us; we’ll respond within 30 days.
- Lodge a complaint — with your local data-protection authority. EU residents: any DPA in your country. UK: ICO.
8. Security
Data in transit is protected by TLS 1.2+. Passwords are hashed with PBKDF2-HMAC-SHA256 (260 000 iterations, 32-byte salt). Sessions use signed JWTs with rotating refresh tokens. The database runs in WAL mode behind authenticated network access. We do not claim perfect security — if you believe you have found a vulnerability, please email security@briefme.pro.
9. Cookies
We set two cookies, both essential:
- ooe_session — signed JWT, HttpOnly, SameSite=Lax. Expires in 7 or 90 days depending on “remember this device”.
- ooe_refresh — opaque refresh token, HttpOnly, SameSite=Lax. Expires in 14 or 90 days.
No analytics or advertising cookies are set.
10. Children
The Service is not directed to children under 16 (under 13 in the US). We do not knowingly collect data from children. If you believe a child has registered, email privacy@briefme.pro and we will delete the account.
11. Changes
Material changes to this policy will be announced by email at least 14 days before they take effect. The current version is always available at this URL.
12. Contact
All privacy requests: privacy@briefme.pro. We aim to respond within 7 working days; legal SLA is 30 days.