Brief · Legal

Privacy Policy

Last updated: 14 May 2026

What we collect, what we do with it, who else touches it, and what your rights are. CGA Creative LLC operates Brief at cgacreative.com/brief.

What we collect

When you sign up:

Your email address. Used to authenticate you (we use Supabase magic links) and to send essential service messages.
A Stripe customer ID. If you subscribe, Stripe creates a customer record. We store the customer ID linked to your email. We never see or store your full credit card number. Stripe handles that.

When you use Brief:

Your inputs. Concept text, scene descriptions, prompts, character bibles, style notes, anything you type into Brief.
Your outputs. Synthesized briefs, shot lists, rendered images, taste signals.
Usage data. Which features you use, how many renders, render timings, what kinds of prompts succeed and fail. We use this to keep the service running and to figure out what to build next.

What we don't collect:

Your real name, unless you put one in a prompt.
Your physical address. Stripe handles billing addresses for tax compliance; we don't store them.
Your phone number.
Browser fingerprints or detailed device profiles.
Information from other sites you visit or your social accounts.

How we use what we collect

To run Brief. Serve you the tool, render your shots, save your work, bill you if you're a paid subscriber.

To improve Brief. Anonymized aggregate analysis of what's working: which features get used, where renders fail, what kinds of prompts succeed. We don't analyze individual users' content unless we're investigating a safety issue or you ask for support.

To communicate with you. Subscription receipts, security alerts, occasional product updates that you can opt out of from your settings.

We don't sell your data. We don't share it with advertisers. We don't have advertisers.

Who else touches your data

Brief is built on third-party infrastructure. Your data passes through:

Supabase (database and authentication). Stores your account, your prompts, your outputs. supabase.com/privacy
Stripe (payments). Handles all credit card processing. They store payment info. stripe.com/privacy
Replicate (image-generation infrastructure). Receives your prompts to generate images. Their policy is that prompts and outputs are not used for training without explicit opt-in. replicate.com/privacy
Black Forest Labs (Flux model). Their model runs on Replicate. They do not directly receive identifying information from us. blackforestlabs.ai/privacy-policy
Anthropic (Claude model). Some Brief features use Claude to write briefs, shot lists, and analyses. Your concept text passes to Claude. Anthropic's API policy is that inputs and outputs are not used to train models. anthropic.com/privacy
Vercel (hosting). Serves the Brief website and runs serverless functions. vercel.com/legal/privacy-policy

We chose these vendors because they have established privacy practices. Your data passes through them and is subject to their policies. We recommend reading their privacy policies if you want to understand the full chain.

How long we keep it

Account data (email, subscription status): for as long as your account exists, plus 30 days after deletion for backup retention.
Prompts and outputs: for as long as your account exists. Deleting your account deletes them, with the same 30-day backup retention.
Stripe records: Stripe retains transaction records for at least 7 years for compliance with US tax law. We can delete our reference to your Stripe customer ID, but Stripe's records persist independently of us.
Usage logs: 90 days, then deleted.

Your rights

You can:

Access what we have. Email us and we'll send your account data.
Delete your account from settings, or by email. We delete everything except records we're required to keep for legal or tax reasons.
Export your briefs, prompts, and renders. Email us for an export bundle.
Opt out of non-essential email (product updates) from settings.

If you're in California (CCPA/CPRA) or the EU/UK (GDPR), you have additional rights. The same email request gets you those.

Cookies and tracking

We use the minimum cookies necessary to operate Brief:

Authentication cookies set by Supabase so you stay logged in.
Stripe Checkout cookies set during payment flows.

We don't use third-party analytics cookies. No Google Analytics. No Facebook Pixel. No advertising trackers. We use anonymous server-side logging to understand site usage.

Security

We use HTTPS everywhere. Authentication uses Supabase's industry-standard JWT-based system. Database access is restricted by row-level security policies so users can only access their own data. Payments are handled by Stripe under their PCI-DSS Level 1 certification.

We do our best, but no online service is 100 percent secure. If we detect a breach affecting your data, we'll tell you within 72 hours and tell you what we know.

Children

Brief is not for anyone under 18. We don't knowingly collect data from anyone under 18. If you believe we've collected data from a minor, email us and we'll delete it.

International users

Brief is operated from the United States. If you use it from another country, your data will be processed in the United States. If you're in the EU or UK, you consent to this transfer when you use Brief, and you have the GDPR rights described above.

Changes to this policy

If we change this policy in a material way, we'll email you and post a notice on the Brief site. If you keep using Brief after changes take effect, you accept them.

Contact

Privacy questions: erich@cgacreative.com

CGA Creative LLC
Pittsfield, Massachusetts, USA