Privacy policy.
This policy explains what personal data we collect when you use Briefly, why we collect it, who we share it with, how long we keep it, and your rights under the EU GDPR and equivalent laws.
1. Who we are
Briefly (“Briefly”, “we”, “us”) operates the briefly.app web platform. We are the data controller for the personal data described below. Our registered address is Athens, Greece. You can reach us at privacy@briefly.app.
2. What Briefly does
Briefly is a two-sided marketplace. Travellers describe a trip in natural language with help from our AI assistant and publish a structured brief. Verified travel agencies see the brief and submit proposals. The traveller picks one, and the booking is settled directly between the traveller and the agency off-platform (Briefly does not hold trip payments). Briefly invoices the agency a commission on each completed booking.
3. The data we collect
We collect the minimum data we need to make the marketplace function.
From every user
- Account data: email address, password (stored hashed, never in plaintext), display name, role (traveller / agency / admin), language preference.
- Session data: a strictly necessary authentication cookie issued by our auth provider (Supabase) so you stay signed in.
- Activity log: we store in-app notifications and a ledger of brief credits granted or spent so you can audit your own account.
From travellers specifically
- Trip briefs: the structured brief you publish (destination, dates, budget, party, vibe, accommodation preferences, flight preferences, notes, etc.) and the chat transcript that produced it.
- Profile preferences: defaults you save (typical party size, currency, bucket list, dietary needs, accessibility needs, passport country) if you choose to fill them in.
- Booking and review records: proposals accepted, payment-confirmation acknowledgements, and reviews you leave for agencies.
From agencies specifically
- Business profile: agency name, country, region, contact details, license number, service areas, languages, specialties.
- Payment methods you list: bank name, IBAN, BIC/SWIFT, account/routing numbers, payment instructions. These are visible only to travellers who have accepted your proposal in-app.
- Proposal content: the structured proposals you submit and the AI's ranking analysis of each.
- Booking history and commission invoices: bookings won and commission owed/paid.
What we do NOT collect
We do not collect government-issued IDs, payment card numbers (Stripe handles those), location data, browsing history outside Briefly, or biometric data. Traveller passport country, if entered, is a country name only — never a document image or number.
4. Why we use it (lawful bases under GDPR Art. 6)
- Contract (Art. 6(1)(b)): to provide the marketplace you signed up for — running auth, publishing briefs, routing proposals, processing payments via Stripe, sending transactional emails about your trips and proposals.
- Legitimate interests (Art. 6(1)(f)): AI ranking of proposals to help travellers compare them; anti-fraud and anti-spam pattern detection on proposal text; minimal server logs for security and debugging. Our interest in operating a trustworthy marketplace is balanced against your interest in privacy.
- Legal obligation (Art. 6(1)(c)): retaining commission invoice and booking records for tax and accounting purposes.
- Consent (Art. 6(1)(a)): we ask for consent before sending non-essential marketing emails. You can withdraw consent at any time in your Settings.
5. Who we share it with
We share data only to the minimum extent necessary to operate the service. We do not sell personal data to anyone, and we do not share data with advertising networks.
Other users on the platform
- Your published brief (without your email or contact details) is visible to verified agencies in our marketplace feed.
- Your name and a proposal you accepted are visible to the agency that submitted it. The agency's bank details become visible to you only after you accept their proposal.
- Reviews you write or receive are visible on the relevant profile pages.
Processors we rely on
- Supabase (EU region) — authentication, database, file storage. Acts as a data processor under our DPA.
- OpenAI — the AI chat that builds your brief and the AI that ranks proposals. We send the conversation content and the structured brief / proposal as prompts. We use the API with data-retention disabled where supported; we do not allow OpenAI to train models on your inputs.
- Stripe — payment processing for traveller pack purchases and agency subscriptions, plus commission invoicing data. We never see or store full payment card numbers; Stripe handles them under its own (PCI-DSS compliant) policy.
- Resend — transactional email delivery (new proposal, payment claimed, payment confirmed, brief expiring, etc.).
We do not transfer personal data outside the EEA except via providers that operate under Standard Contractual Clauses or an equivalent transfer mechanism (notably OpenAI, which is US-based, where data is transferred under the EU–US Data Privacy Framework).
6. How long we keep it
- Account profile data: while your account is active, then deleted on account closure (subject to the legal-obligation exceptions below).
- Brief content and proposals: kept while the brief or proposal is live, then archived for as long as your account is open so you can refer to past trips.
- Booking records, commission invoices, payment confirmations: retained for at least 7 years to meet Greek and EU accounting and tax obligations, even after account deletion.
- Notifications and chat transcripts: 24 months after the related brief closes, then deleted.
- Server logs: 30 days.
7. Your rights
You have the following rights at any time. Most are self-service in your account; for the rest, email privacy@briefly.app.
- Access (Art. 15): download every piece of data we hold about you as a JSON export from Settings → Your data.
- Rectification (Art. 16): edit your profile, brief, and preferences at any time.
- Erasure (Art. 17, “right to be forgotten”): delete your account from Settings → Danger zone. We complete deletion within 30 days, subject to the retention obligations in Section 6.
- Restriction (Art. 18) and objection (Art. 21): email us and we'll suspend processing for the specific purpose you object to.
- Portability (Art. 20): the same JSON export from Settings serves this right.
- Withdraw consent: any consent you gave for non-essential email can be withdrawn in Settings; this doesn't affect processing under contract or legitimate interest.
- Lodge a complaint: you can complain to the Hellenic Data Protection Authority (HDPA) at www.dpa.gr or any EU member-state supervisory authority of your habitual residence.
8. Cookies and similar technologies
Briefly uses one strictly necessary cookie set by our auth provider so you stay signed in. We do not use marketing, analytics, or third-party tracking cookies. If we add analytics in the future, we will request consent first.
We use localStorage to remember your cookie-consent choice and to save your in-progress trip-brief draft so it survives a refresh. These are not cookies and are not shared with anyone.
9. Security
Data is encrypted in transit (HTTPS only) and at rest (Supabase manages volume encryption). Passwords are hashed using industry-standard algorithms. Database access is locked down by Row-Level Security policies so users can only see their own data. We protect administrative operations behind a separate service-role key held only by our backend.
If we become aware of a personal-data breach that's likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay where the risk is high.
10. Children
Briefly is not intended for children under 16. If you believe a child has signed up, email privacy@briefly.app and we'll delete the account.
11. AI-specific notice
When you chat with our AI to build a trip brief, the text of your messages is sent to OpenAI's API to generate the assistant's reply. OpenAI processes this text under its API terms; we configure the API so that your inputs are not used to train OpenAI's models. The same applies to the AI ranking of proposals: brief and proposal text is sent to OpenAI to compute a score and reasoning.
The AI's output is advisory only. Travellers and agencies make their own decisions; Briefly does not guarantee that any AI score, ranking, or suggestion is accurate.
12. Changes to this policy
We will update this page when our practices change. Material changes will be flagged in-app or by email. The “Last updated” date at the top tells you when the page last changed.
13. Contact
For any privacy question or to exercise any right above, email privacy@briefly.app. We respond to GDPR requests within 30 days.