1. Who We Are

RiskBrief ("we", "us", "our") operates the intelligence platform at risk-brief.com. We are the data controller for personal data collected through this service.

For data protection queries, contact us at: intel@risk-brief.com

2. What Data We Collect

Account Data

• Email address (used to create and manage your account)
• Hashed password (we never store your password in plain text)
• Account plan and credit balance
• Stripe customer ID (for payment management — we do not store card details)
• Subscription status and renewal dates

Usage Data

• Destinations and mission profiles you submit for dossier generation
• Generated intelligence dossiers stored in your archive
• Dossier generation timestamps and monthly usage counts

Contact Data

• Name, email, organisation and message if you submit a contact form

Technical Data

• Session tokens stored in your browser's sessionStorage (cleared when you close the tab)
• Cookie consent preference stored in localStorage

3. What We Do NOT Collect

• We do not use advertising or tracking cookies
• We do not use analytics platforms (Google Analytics, Meta Pixel, etc.)
• We do not sell, rent or share your data with third parties for marketing
• We do not collect location data, device fingerprints, or browsing history

4. How We Use Your Data

• Account management — to authenticate you, manage your subscription and credits
• Service delivery — to generate your intelligence dossiers and store them in your archive
• Payment processing — we pass your email to Stripe to process payments; Stripe handles all card data
• Transactional emails — to send you account confirmation, payment receipts and service notices via Resend
• Support — to respond to contact form enquiries
• Legal compliance — to comply with applicable law and prevent fraud

5. Legal Basis for Processing

• Contract performance — processing necessary to provide the service you've paid for
• Legitimate interests — security, fraud prevention, service improvement
• Legal obligation — compliance with applicable UK law
• Consent — where you have explicitly provided it (e.g. cookie consent)

6. Third-Party Services

We share minimal data with the following trusted third parties, each with their own privacy policies:

• Stripe (stripe.com) — payment processing. Your email is shared to create a Stripe customer record. Card data is handled entirely by Stripe.
• Resend (resend.com) — transactional email delivery
• Anthropic (anthropic.com) — AI model provider. Your destination and mission text is sent to Anthropic's API to generate dossiers. Anthropic's API terms apply.

7. Data Retention

• Account data is retained for as long as your account is active
• Dossiers are stored in your archive and retained until you delete them or close your account
• Contact form submissions are retained for 12 months
• Monthly usage records are retained for 13 months
• On account deletion, all personal data and dossiers are permanently removed

8. Your Rights Under UK GDPR

You have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion of your data ("right to be forgotten")
• Restriction — ask us to limit how we use your data
• Portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at intel@risk-brief.com. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including password hashing (bcrypt), encrypted HTTPS connections, and access controls on our database. No internet transmission is 100% secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or to exercise your rights:
Email: intel@risk-brief.com