GDPR Compliance
Last updated: March 6, 2026
BriefBop is committed to protecting the rights and freedoms of individuals under the General Data Protection Regulation (GDPR). This page outlines our approach to GDPR compliance and your rights as a data subject.
1. Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to the processing of personal data of individuals in the European Economic Area (EEA). BriefBop processes personal data of EEA residents and is therefore subject to the GDPR.
We serve as both a data controller (for data we collect about our users) and a data processor (for data our customers process through the BriefBop platform). This page describes our practices and your rights under the GDPR.
Our GDPR Commitment
BriefBop has implemented organizational and technical measures to ensure compliance with the GDPR, including data protection by design and by default, staff training, data processing records, and impact assessments for high-risk processing activities.
2. Data Controller Information
For the purposes of the GDPR, the data controller for the personal data processed through the BriefBop platform is:
- Company Name: BriefBop, Inc.
- Controller Role: Data Controller for user account data; Data Processor for customer content processed through the platform.
- Privacy Team: privacy@briefbop.com
- DPO Contact: dpo@briefbop.com
- Supervisory Authority: You may contact your local supervisory authority if you have concerns about our data processing practices.
3. Legal Basis for Processing
Under the GDPR, we must have a valid legal basis for processing your personal data. The following table outlines the legal bases we rely on for different processing activities:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation & management | Performance of contract | Art. 6(1)(b) |
| Service delivery (multi-model AI proofing, copy/image generation, brand analysis) | Performance of contract | Art. 6(1)(b) |
| Billing & payment processing | Performance of contract / Legal obligation | Art. 6(1)(b), 6(1)(c) |
| Analytics & service improvement | Legitimate interest | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Security & fraud prevention | Legitimate interest | Art. 6(1)(f) |
| AI model improvement (opt-in) | Consent | Art. 6(1)(a) |
| Legal compliance & tax records | Legal obligation | Art. 6(1)(c) |
4. Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data. We are committed to honoring these rights and facilitating their exercise.
Right of Access (Art. 15)
You have the right to obtain confirmation of whether your personal data is being processed and, if so, to receive a copy of that data along with supplementary information about its processing. We will respond to access requests within 30 days and provide data in a commonly used electronic format.
Right to Rectification (Art. 16)
You have the right to request correction of inaccurate personal data or completion of incomplete data. You can update most account information directly through your BriefBop settings. For other corrections, contact our privacy team.
Right to Erasure (Art. 17)
Also known as the “right to be forgotten,” you may request deletion of your personal data when it is no longer necessary for the purpose it was collected, you withdraw consent, or you object to processing. We will delete your data within 30 days unless retention is required by law (e.g., billing records for tax compliance).
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV). You may also request that we transmit your data directly to another controller, where technically feasible. This right applies to data that you have provided to us, that we process on the basis of consent or contract, and that we process by automated means.
Right to Restriction of Processing (Art. 18)
You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data, when processing is unlawful but you do not want deletion, or when you have objected to processing and the objection is pending verification. During restriction, your data will be stored but not actively processed.
Right to Object (Art. 21)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. If you object to processing for direct marketing, we will stop immediately. For other objections, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests and rights.
How to Exercise Your Rights
To exercise any of these rights, send a request to privacy@briefbop.com or dpo@briefbop.com. We will verify your identity before processing any request and respond within 30 days. If a request is complex or we receive a high volume of requests, we may extend the response period by an additional 60 days, and we will notify you of any extension.
5. Data Protection Officer
BriefBop has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance efforts, serve as a point of contact for data subjects and supervisory authorities, and advise the organization on data protection obligations.
DPO Contact Information
- Title: Data Protection Officer
- Email: dpo@briefbop.com
- Response Time: Within 5 business days for general inquiries; within 30 days for data subject requests.
The DPO operates independently and reports directly to executive management. You may contact the DPO at any time regarding your data protection rights or concerns.
6. Cross-Border Data Transfers
As a global service, BriefBop may transfer personal data from the EEA to countries outside the EEA. We ensure that all cross-border transfers comply with GDPR requirements by implementing the following safeguards:
Standard Contractual Clauses (SCCs)
We use the European Commission-approved Standard Contractual Clauses (2021 version) for transfers to countries without an adequacy decision. These clauses are incorporated into our contracts with every sub-processor and partner located in such a country.
Adequacy Decisions
Where possible, we rely on European Commission adequacy decisions that recognize certain countries as providing an adequate level of data protection.
Transfer Impact Assessments
We conduct transfer impact assessments (TIAs) for all cross-border data transfers to evaluate whether the laws of the destination country provide equivalent protection and to implement supplementary measures where necessary.
Supplementary Measures
When required, we implement supplementary technical measures (such as encryption and pseudonymization), organizational measures (such as data minimization policies), and contractual measures to ensure an equivalent level of protection for transferred data.
7. Data Processing Agreements
When BriefBop acts as a data processor on behalf of our customers, we enter into Data Processing Agreements (DPAs) that comply with Article 28 of the GDPR. Our DPA covers:
- The subject matter, duration, nature, and purpose of the processing.
- The types of personal data processed and categories of data subjects.
- Our obligations and the controller's rights regarding the processing.
- Technical and organizational security measures we implement.
- Conditions for engaging sub-processors and our notification obligations.
- Obligations regarding data subject requests, data breach notification, and audits.
- Data return and deletion upon termination of the agreement.
Requesting a DPA
Enterprise and business customers can request our standard DPA by contacting legal@briefbop.com. We are happy to negotiate custom DPA terms for enterprise clients with specific requirements.
9. Data Breach Notification
In the event of a personal data breach, BriefBop follows a structured notification process in accordance with Articles 33 and 34 of the GDPR:
- Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons.
- Data Subject Notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, describing the nature of the breach, likely consequences, and measures taken.
- Customer Notification: When BriefBop acts as a data processor, we will notify the data controller (our customer) without undue delay after becoming aware of a breach involving their data.
- Breach Records: We maintain a register of all data breaches, regardless of whether they trigger notification obligations, documenting the facts, effects, and remedial actions taken.
10. Data Protection Impact Assessments
BriefBop conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects, as required by Article 35 of the GDPR. This includes:
- Systematic and extensive evaluation of personal data through automated processing, including AI-powered features.
- Processing of personal data on a large scale.
- Use of new technologies for processing personal data.
- Systematic monitoring of public areas (not currently applicable to BriefBop).
Our DPIAs assess the necessity and proportionality of processing, identify and mitigate risks, and are reviewed whenever there is a significant change to processing activities or technology. The DPO is consulted on all DPIAs.
11. Sub-Processors
BriefBop uses the following categories of sub-processors to deliver our Service. All sub-processors are bound by data processing agreements that comply with Article 28 of the GDPR.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase | Infrastructure, hosting, database, authentication | United States / EU |
| Anthropic (Claude) | AI model inference for language analysis, brand compliance, copy generation, and regulatory checking | United States |
| OpenAI (GPT-4o, GPT Image 1) | AI model inference for visual analysis, color detection, accessibility checking, image generation, and text embeddings for brand knowledge (embeddings are stored in Pinecone) | United States |
| Google AI (Gemini) | AI model inference for cultural sensitivity analysis and supplementary creative evaluation | United States |
| Pinecone | Vector database for brand knowledge embeddings (RAG pipeline for brand-aware AI analysis) | United States (AWS us-east-1) |
| Stripe | Subscription billing and payment processing | United States / EU |
| Email Service Provider | Transactional and marketing email delivery | United States |
| Analytics Provider | Product analytics and usage monitoring | United States / EU |
We will notify customers of any intended changes to our sub-processor list at least 30 days in advance, giving you the opportunity to object. You may subscribe to sub-processor change notifications by contacting privacy@briefbop.com.
12. Contact & Complaints
If you have questions, concerns, or complaints about our GDPR compliance or data processing practices, you may contact us through the following channels:
Privacy Team
- privacy@briefbop.com
- For general privacy inquiries and data subject requests.
Data Protection Officer
- dpo@briefbop.com
- For GDPR-specific questions, complaints, and escalations.
Right to Lodge a Complaint
If you are not satisfied with our response to your inquiry or believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.