Privacy policy

BriefBuilt Privacy Policy

Last updated: 16 July 2026

BriefBuilt, established at Schoorlaan 23, 2265 VS Leidschendam, the Netherlands, is the controller for the processing described here. The Chamber of Commerce and VAT identifiers will be added as soon as issued and before paid ordering is enabled. Privacy contact: support@briefbuilt.com. BriefBuilt handles privacy requests by email and aims to acknowledge them within five working days.

1. Scope and roles

This policy covers briefbuilt.com, orders, support, newsletters and the private project workspace. We are controller for our own sales, communication, security and administration. When we handle personal data from a client’s Shopify store or supplied files solely to build that client’s store, we generally act as processor for that client under our Data Processing Addendum.

2. Data, purpose, legal basis and retention

  • Website and security data: IP address, device/browser data, timestamps and security events. Purpose: deliver and secure the site, prevent fraud and diagnose faults. Basis: legitimate interests and, where applicable, consent for optional analytics/marketing. These data are retained under the relevant provider settings and deleted or anonymised when no longer needed for security, fault investigation or legal obligations.
  • Contact and pre-contract requests: name, business email, company and message. Purpose: answer requests and prepare a possible agreement. Basis: steps at your request before contract and legitimate interests. Enquiries are reviewed and deleted when they are no longer needed for follow-up, an agreement or a legal claim.
  • Orders and invoices: business/contact details, order, payment status, tax and transaction data. Purpose: perform the agreement, invoice, prevent fraud and meet tax/accounting duties. Basis: contract and legal obligation. Financial administration is retained for seven years after the relevant financial year.
  • Project brief and files: brand, business, product and store information, feedback, uploaded files, project events and access data. Purpose: deliver, secure and support the purchased service. Basis: contract. At project closeout we restrict further use and manually return or delete operational files and access credentials when they are no longer required, subject to the Customer’s choice, an agreed support period, a dispute or a legal duty. A limited project record and final correspondence may be kept only as long as reasonably needed to establish or defend legal claims.
  • AI assistance: the draft field and limited accepted brief context submitted when you actively request an AI suggestion. Purpose: create the requested suggestion. Basis: contract. OpenAI API storage is disabled in our request (`store: false`); accepted output may remain in the project record under the project retention schedule. Do not enter unnecessary personal or confidential data.
  • Support communication: messages and resolution details. Purpose: support the agreement and manage claims. Basis: contract and legitimate interests. Retained with the relevant enquiry or project only while needed for support, administration or a legal claim.
  • Newsletter: email address, subscription source/version and unsubscribe status. Purpose: send Shopify Storefront Notes. Basis: consent. We keep evidence needed to demonstrate consent while subscribed and afterwards only as long as reasonably necessary for compliance. After unsubscribe, the address may be kept on a suppression list solely to prevent accidental re-subscription.

3. Required and optional data

Fields marked required are needed to answer the request or perform the agreement. Without them we may not be able to accept or deliver the project. Newsletter subscription and optional AI assistance are voluntary and do not affect the core service.

4. Recipients and processors

Depending on the interaction, data may be processed by:

  • Shopify for storefront, checkout, orders, forms, customer privacy controls and the embedded app. See the Shopify Consumer Privacy Policy and Shopify Privacy Portal;
  • Fly.io for hosting the private project application and encrypted project storage;
  • Resend for transactional project emails;
  • GitHub for private build automation and short-lived build artifacts;
  • OpenAI only when AI assistance or an ordered AI service is used;
  • professional advisers, payment providers and public authorities where necessary or legally required.

We do not sell personal data. Provider names can change; we update this policy when a change materially affects the processing.

5. International transfers

Some providers or subprocessors may process data outside the EEA. Where no adequacy decision applies, we rely on approved safeguards such as the European Commission’s Standard Contractual Clauses and, where required, supplementary measures. You may ask support@briefbuilt.com for information about the relevant safeguard.

6. Cookies and similar technologies

Necessary technologies support checkout, security, privacy choices, chat and core site functions. Optional analytics or marketing technologies are used only where permitted and, where required, after consent. Details, providers, purposes and durations are in the Cookie Policy. You can change your choice through “Cookie preferences” in the footer.

7. Marketing

We send promotional email only with valid consent or where a legal existing-customer exception applies. Every message identifies BriefBuilt and includes a free, easy unsubscribe method. Withdrawing consent does not affect earlier lawful processing.

8. Security

We use access controls, private project links, encryption for Shopify Theme Access credentials, restricted file permissions, signed callbacks and reasonable organisational safeguards. No method is completely secure. Do not send passwords, payment-card data, special-category data or unrelated customer databases through forms or uploads.

9. Automated decisions

BriefBuilt does not make decisions with legal or similarly significant effects solely by automated means. AI suggestions do not become part of the approved brief until the customer actively accepts or edits them.

10. Your rights

Subject to the AVG/GDPR and applicable exceptions, you may request access, correction, deletion, restriction, portability or object to processing. You may withdraw consent at any time. Email support@briefbuilt.com. We may ask for proportionate identity verification and normally respond within one month. You may complain to the Dutch Data Protection Authority or your local EEA authority.

11. Children

The service is B2B and not directed to children. Do not submit children’s personal data unless necessary for a lawful client project and covered by written instructions and safeguards.

12. Changes

We may update this policy when our processing or the law changes. We publish the current version and date here and provide additional notice where required.