Our legal pages are published in English while we prepare the full translations.

Privacy Policy

Last updated:

Draft notice. Operator details are pending. Some fields below reference [Operator details pending] until completed in lib/legal/config.ts.

This Privacy Policy describes how ReqBrief (“we”, “us”) handles your personal data when you use the ReqBrief service available at https://reqbrief.com. We aim to be transparent: this page lists every category of data we touch and every third party we share it with.

1. Who runs this service

ReqBrief is operated by [Operator name pending]. For full contact details see the Imprint.

2. What data we collect

2.1 Account data

When you sign up we collect your email address, a hashed password (if you set one), and any display name you choose. We need this to identify your account and let you log back in.

2.2 Project and interview data

When you create projects we store the project name, company name, contact name, type, and the context you provide. When your clients answer interview questions, we store the full transcript of the conversation.

2.3 Uploaded files

You and your interview participants may upload PDFs and images. PDF text is extracted and stored in our database; images are stored as base64-encoded content. We don't use third-party object storage for file content.

2.4 Generated briefs

The structured briefs the AI produces are stored against your project so you can re-read or download them.

2.5 Technical / log data

Our hosting provider and edge proxy log standard request metadata (IP address, user-agent, URL, timestamp, response status) for security, abuse detection, and debugging.

2.6 Rate-limit data

Our rate-limit service stores short-lived counters keyed by IP address and session identifier (typical TTL: 1 hour).

3. Why we use it (legal basis)

If you're in the EU/UK, we rely on the following GDPR legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) — for delivering the core service: account creation, interviews, brief generation, sending you the brief by email.
  • Legitimate interests (Art. 6(1)(f) GDPR) — for security logging, abuse prevention, rate limiting, and bot detection. Our interest is keeping the service available and protecting against fraud and AI-cost abuse; this is balanced against your privacy by minimising the data we keep.
  • Legal obligation (Art. 6(1)(c) GDPR) — where we're required to retain or disclose data by applicable law.

4. Who we share it with

We do not sell your personal data. We share data only with the third-party services we use to operate ReqBrief (“subprocessors”). Each subprocessor only receives the data it needs to perform its function.

| Provider | Purpose | Region | Privacy policy |
|---|---|---|---|
| Supabase | Database (Postgres), authentication, file content storage | EU or US region depending on project (see Supabase project settings) | View |
| OpenRouter | Routes AI inference requests to the underlying model provider (currently Anthropic Claude Haiku 4.5) | United States | View |
| Anthropic (via OpenRouter) | Generates interview questions and structured briefs | United States | View |
| Vercel | Application hosting, edge proxy, request logs | Global edge network | View |
| Resend | Transactional email delivery (brief-ready notifications, contact form) | United States | View |
| Cloudflare Turnstile | Bot detection on auth and contact forms (CAPTCHA replacement) | Global | View |
| Upstash | Rate limiting (Redis) on AI routes, uploads, and the contact form | Selected during database provisioning (US/EU) | View |

5. Where data is stored

Your account, project, session, and brief data live in our Supabase Postgres database. File content is stored in the same database (not in third-party blob storage). Email delivery is handled by Resend in the United States. AI inference goes via OpenRouter to Anthropic, both in the United States.

6. How long we keep it

  • Account data — until you delete your account.
  • Project, session, brief, file data — until you delete the project (soft-deleted projects can be restored within 8 seconds via the undo toast; after that they may be permanently removed).
  • Server / proxy logs — retained by our hosting provider per their schedule (typically 30 days for request logs).
  • Rate-limit counters — typically 1 hour (sliding window).
  • Transactional email metadata — retained by Resend per their schedule.

When you delete your account we cascade-delete projects, sessions, messages, briefs, and uploaded files, and then remove your authentication record.

7. Your rights

If you're in the EU/UK, you have the following rights under the GDPR / UK-GDPR:

  • Access (Art. 15) — request a copy of your data.
  • Rectification (Art. 16) — correct inaccurate data via the account settings.
  • Erasure (Art. 17) — delete your account from the account settings; cascades to all owned data.
  • Restriction of processing (Art. 18) — contact us.
  • Data portability (Art. 20) — request a machine-readable export by emailing us.
  • Object (Art. 21) — to legitimate-interest processing.
  • Complaint — lodge a complaint with your local supervisory authority.

To exercise any of these rights, email contact@reqbrief.com or use the contact form on our homepage.

8. Cookies and similar tech

We use a small number of strictly necessary cookies for authentication and locale preference. We do not use advertising or analytics cookies. Because all cookies are strictly necessary for the service to function, we do not display a cookie consent banner — no consent is required under ePrivacy for cookies in this category.

Cloudflare Turnstile may set short-lived tokens to verify your browser; these are scoped to challenge verification and are not used for advertising or tracking.

9. Children

ReqBrief is intended for use by professional users (typically agencies, freelancers, and their clients) aged 18 or older. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will delete it.

10. International transfers

Some of our subprocessors (notably OpenRouter, Anthropic, Resend, and Cloudflare in some regions) are based in the United States. Where personal data is transferred outside the EU/UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework where applicable, as published by each provider.

11. Updates to this policy

We may update this Privacy Policy as we add features or change subprocessors. When we do, we'll update the “Last updated” date at the top of this page. Material changes affecting how we process your data will also be announced in-app or by email.

12. Contact

Questions about this policy or how we handle your data? Email contact@reqbrief.com or use the contact form on our homepage.

This page is a template and is not legal advice. If you operate ReqBrief in a regulated market, have a qualified lawyer review it before publication.