Privacy Policy
Effective · Last updated 2026-05-11
Status: Operating entity confirmed (Chykalophia Group, LLC). Specific clauses still awaiting counsel review before V1 production cutover. The structure below follows current B2B SaaS practice (GDPR Art. 13 disclosures, CCPA/CPRA notice-at-collection, sub-processor transparency, sensitive-personal-information rules, US state-law overlays).
Plain-language summary#
We collect what we need to run the product, nothing else. We don't sell your data. We don't train AI models on your data. You can export or delete what's yours at any time. Concrete detail follows below; the email privacy@sendbriefs.com reaches a human who can answer specific questions inside one business day.
1. Who we are#
SendBriefs is a product operated by Chykalophia Group, LLC, an Illinois limited liability company (referred to in this policy as "Chykalophia," "we," "us," or "our"). Chykalophia plays two distinct roles with respect to personal data, and the distinction matters for your rights under GDPR and similar laws:
- Controller — for data we collect through sendbriefs.com (the "marketing site"), AND for account-administration metadata on the platform (workspace name, billing contact, payment information, support tickets, audit logs, usage telemetry). For these categories, Chykalophia decides the purpose and means of processing and is the controller.
- Processor — for Customer Data you upload into app.sendbriefs.com (the "platform") — including client information, integration data, and brief content — Chykalophia processes on your documented instructions and you remain the controller.
This dual role is consistent with EDPB Guidelines 07/2020 on the concepts of controller and processor.
Registered office: Chykalophia Group, LLC · 929 Michigan Ave, Apt 3 · Evanston, IL 60202 · United States.
Data protection contact: privacy@sendbriefs.com. We aim to acknowledge data-rights requests within 5 business days and resolve them within the statutory window applicable to your jurisdiction (one month under GDPR Art. 12(3), extensible by two further months for complex or numerous requests with notice; 45 days under CCPA/CPRA, extensible by 45 more with notice).
2. Information we collect#
2.1 When you visit the marketing site#
- Standard server logs — IP address, user agent, request timestamps, referring URL, approximate geolocation derived from IP. Used for security monitoring, fraud detection, and aggregate traffic analysis. Retained 30 days.
- Marketing-analytics events (consent-gated) — page views, click events, scroll depth, form interactions. We use privacy-respecting providers (see "Sub-processors" in §10). If you decline analytics via the consent banner, we collect only the minimum technical telemetry required for site security.
- Form submissions — when you complete a contact form, request a demo, sign up for the Friday Brief newsletter, or apply to the Founders Circle, we collect the fields you provide (typically: name, work email, agency name, role, optional message). Used only to fulfill your request and, where you've consented, to send marketing email you can opt out of in one click.
2.2 When you use the platform#
- Account information — name, work email, password hash, role, workspace memberships, MFA factors, OAuth identities (if you sign in via SSO).
- Workspace and client metadata — workspace name, client names, billing contacts, integration credentials, brand kits.
- Brief content — what you type into the editor, including any personal data you choose to include in your reports.
- Integration data — data we pull from third-party tools on your behalf (HubSpot, Stripe, GA4, GSC, Linear, Meta Ads, Google Ads, generic webhook payloads). The scope is whatever the connector requests and you authorize at the time of connection.
- Usage telemetry — feature usage, error reports, performance metrics, audit-log entries. Tied to your workspace, not to individual end-readers of briefs.
2.3 Sensitive personal information#
Under CCPA/CPRA, "sensitive personal information" includes precise geolocation, biometric data, genetic data, health information, union membership, racial/ethnic origin, religious beliefs, sexual orientation, the contents of private messages, government identifiers, and account log-in credentials. We do not intentionally collect any of this, with one exception: your login credentials (account email plus password or MFA factor) fall within the CPRA definition. We use them solely to authenticate you and secure your account, which is a permitted purpose that does not give rise to a "Limit the Use of My Sensitive Personal Information" right. Your account email is the only identifier we require, and we ask you to keep brief content limited to ordinary business data: please do not upload special-category data into briefs (medical records, biometric identifiers, etc.). If you do, you remain the controller of that data (see §1 and §7) and bear the controller's obligations for it, including having a lawful basis to process it.
2.4 What we do not collect#
- We do not buy personal data from data brokers.
- We do not track you across other websites.
- We do not use third-party cookies, pixel networks, or cross-site device fingerprinting. (Consent-gated marketing-site analytics may derive a per-visitor identifier from request attributes; see §5.)
- We do not collect or infer political views, religious beliefs, sexual orientation, health conditions, or any other special-category data.
3. How we use it (purposes + legal basis)#
| Purpose | Legal basis (GDPR Art. 6) | CCPA category |
|---|---|---|
| Provide the contracted service | Contract — Art. 6(1)(b) | Performing the contract |
| Bill, invoice, and report tax | Contract + legal obligation — Art. 6(1)(b)+(c) | Compliance with law |
| Send transactional email (receipts, security alerts, brief delivery confirmations) | Contract — Art. 6(1)(b) | Performing the contract |
| Detect and prevent abuse, fraud, security incidents | Legitimate interest — Art. 6(1)(f) | Security / fraud prevention |
| Improve the product based on aggregated, anonymized usage trends | Legitimate interest — Art. 6(1)(f) | Internal operations |
| Send marketing email (Friday Brief) | Consent — Art. 6(1)(a) | Opt-in only |
| Marketing-site analytics (PostHog, Plausible, Vercel Analytics) | Consent — Art. 6(1)(a) | Cookie banner |
| Respond to customer support | Contract — Art. 6(1)(b) | Performing the contract |
| Comply with legal process or court order | Legal obligation — Art. 6(1)(c) | Compliance with law |
We do not use your data for:
- AI / machine-learning model training of any kind, by us or by any third party. Brief content is never sent to an external LLM provider as part of the core product. If we add an AI feature in the future, it will be opt-in per workspace and announced at least 30 days in advance.
- Profiling that produces legal or similarly significant effects on you (per GDPR Art. 22).
- Selling, renting, or licensing to third parties for their own marketing.
- Combining with data from other customers for any purpose other than aggregate, anonymized service-improvement statistics that cannot be reverse-engineered to a workspace.
4. CCPA / CPRA notice-at-collection#
If you are a California resident (or otherwise covered by the California Consumer Privacy Act as amended by the California Privacy Rights Act), the following notice is given to you at or before each of these collection points:
| Collection point | Categories collected (Cal. Civ. Code §1798.140) | Purpose |
|---|---|---|
| Marketing site (server logs, analytics) | Identifiers, Internet activity | Site security, aggregate analytics |
| Form submissions (contact, demo, newsletter) | Identifiers, professional/employment info | Respond to request |
| Account signup | Identifiers, commercial info, professional info | Deliver service |
| Platform usage telemetry | Identifiers, Internet activity, inferences | Operate & improve service |
| Billing | Identifiers, commercial info, financial info (via Stripe) | Process payment |
We retain each category only for as long as listed in §6 below. A right-to-know request covers the personal information collected in the 12 months preceding your request; under CPRA you may ask for an earlier period for data collected on or after 1 January 2022, and we will provide it unless doing so proves impossible or would involve disproportionate effort. A deletion request is honored from the date we verify it unless a statutory exception applies (e.g., we cannot delete records we are legally required to keep, such as tax invoices).
We have not sold or shared personal information as those terms are defined under CCPA/CPRA in the past 12 months and have no plans to. If we ever change this, we will update this policy at least 30 days in advance and provide a "Do Not Sell or Share My Personal Information" mechanism as required by Cal. Civ. Code §1798.135.
5. Cookies and similar technologies#
We use three categories of cookies:
- Strictly necessary — authentication, CSRF protection, consent state. Cannot be disabled via the banner because the site won't function without them.
- Functional / Comfort panel — your selected text size, density preference, reduce-motion preference, high-contrast theme. Cookie-set only when you change a default.
- Analytics (consent-gated) — Plausible (cookie-less), PostHog (consent-required), Vercel Analytics (anonymized fingerprint, consent-required).
Full inventory and opt-out controls are surfaced via the cookie banner at first visit and are accessible at any time through the Comfort panel.
The site honors the Global Privacy Control (GPC) browser signal, read from the `Sec-GPC: 1` request header (exposed to scripts as `navigator.globalPrivacyControl`). A GPC signal is treated as a do-not-sell-or-share opt-out for the duration of that browser session and persistently for identified accounts.
6. Data retention#
| Category | Retention period |
|---|---|
| Account data (active customer) | For the life of the active subscription |
| Account data (cancelled customer) | 90 days post-cancellation, then permanently deleted |
| Workspace + brief content | While workspace exists; permanently deleted from production within 30 days of workspace deletion, with any copies in encrypted backups aging out within the 35-day backup window (§11) |
| Billing records (invoices, tax) | 7 years (US tax compliance) |
| Server logs | 30 days, then deleted |
| Marketing analytics events | 13 months, then aggregated and de-identified |
| Encrypted backups | 35 rolling days, then overwritten |
| Audit log (security events, approvals) | 7 years from creation, with user identifiers anonymized after workspace deletion |
| Marketing email subscriber records | Until unsubscribe + 30 day grace period |
You can request earlier deletion at any time via privacy@sendbriefs.com. Legally required retention (e.g., tax records) is the only exception.
7. Your rights#
The rights below derive from a mix of GDPR, UK GDPR, CCPA/CPRA, and other US state privacy laws (VCDPA, CPA, CTDPA, etc.). We extend the rights to all users regardless of geography unless a right is specific to a jurisdiction.
- Access — receive a copy of the personal data we hold about you, including categories, sources, and recipients.
- Correction / rectification — fix anything inaccurate.
- Deletion — ask us to delete your data (subject to legal-retention exceptions).
- Portability — receive your data in a structured, machine-readable, commonly used format.
- Objection — object to processing based on legitimate interest. We will stop unless we have compelling legitimate grounds that override your interests.
- Restriction — limit how we process your data while a dispute is being resolved.
- Withdrawal of consent — for anything we do on the basis of consent (marketing email, marketing-site analytics), withdraw at any time without affecting prior processing.
- Non-discrimination — exercising any of these rights will never affect the price or quality of service we provide.
- Opt-out of automated decision-making — we don't currently use automated decision-making that produces legal or similarly significant effects on you. If we ever do, you will be informed and given the right to human review.
- Appeal — if we deny a rights request, you may appeal by emailing privacy@sendbriefs.com with subject "Privacy Rights Appeal." We will respond to appeals within 60 days.
How to exercise: email privacy@sendbriefs.com with subject "Privacy Rights Request" and tell us what you want. We may need to verify your identity (typically by confirming control of the email on file) before fulfilling the request. We do not require you to create an account to exercise rights.
If you are an end-user of one of our customers (for example, a person who receives a brief from an agency that uses SendBriefs to send it): the agency is the controller of that data, and rights flow through them. Contact the agency directly. We will help facilitate fulfillment on the agency's instructions.
Right to lodge a complaint: if you are in the EU/UK, you may complain to your data protection authority. If you are in California, you may file a complaint with the California Attorney General or the California Privacy Protection Agency.
8. Disclosures and sharing#
We disclose personal data only in these defined situations:
- Sub-processors (see §10 and the full list at /legal/subprocessors) acting on our instructions to provide the service.
- Business transfers — if Chykalophia Group, LLC is acquired, merged, or its assets sold, customer data may transfer to the successor. You will be notified at least 30 days before any such transfer and given the option to delete your data first.
- Legal compliance — when required by law, court order, or government request that we determine in good faith is valid and binding. We narrowly scope every response, insist on a judicial order or subpoena where the law permits us to, notify the affected user where we are not legally prohibited from doing so, and publish an annual transparency report once we have any reportable requests.
- Protection of rights, safety, or property — to investigate suspected fraud, terms violations, or threats to people or systems.
- With your explicit consent for anything not covered above.
We do not sell personal data, and we do not share it with third parties for cross-context behavioral advertising.
9. International data transfers#
We are based in the United States and our primary sub-processors are US-based. If you access SendBriefs from outside the US, your data will be transferred to and processed in the US, which may not have a level of data protection equivalent to your home jurisdiction.
For EU/UK customers, transfers rely on a combination of:
- The EU-US Data Privacy Framework (where the receiving sub-processor is self-certified).
- Standard Contractual Clauses under GDPR Art. 46 (Module 2 or 3 as applicable) for any sub-processor not Framework-certified.
- UK International Data Transfer Addendum for UK-origin transfers.
- A Transfer Impact Assessment kept on file and updated annually; available to enterprise customers on request via privacy@sendbriefs.com.
If a court invalidates a transfer mechanism we rely on (as happened with Privacy Shield in 2020), we will switch to the next-available mechanism without service interruption and notify affected customers.
10. Sub-processors#
We use third-party services to operate SendBriefs. Each sub-processor is bound by a Data Processing Agreement that mirrors our commitments to you. The complete, dated list is maintained at /legal/subprocessors.
We will provide notice by email to the billing contact on file at least 30 days before any new sub-processor begins processing Customer Data, and the dated sub-processor list will be updated on the same schedule. You have the right to object during that 30-day window. If you object and we cannot reasonably accommodate the objection (for example by routing your data through an alternative sub-processor), you may cancel your subscription with a prorated refund of any prepaid unused fees.
11. Security#
We implement administrative, technical, and physical safeguards designed to protect your data against unauthorized access, accidental loss, or alteration:
- In transit: TLS 1.2 or higher with strong cipher suites.
- At rest: AES-256 encryption.
- Tenant isolation: Postgres row-level security enforces workspace boundaries at the database layer. Cross-tenant access is architecturally prevented, not just procedurally policed.
- Access controls: Role-based permissions, required multi-factor authentication for administrative access to production systems, least-privilege defaults.
- Monitoring: Automated anomaly detection on authentication and data-access patterns, with alerts routed to our on-call engineer.
- Backups: Encrypted, scheduled backups retained on a rolling 35-day window, with point-in-time recovery available within the retention window. Backups containing data from deleted workspaces are overwritten within the rolling 35-day window; we do not restore individual deleted workspaces from backup.
- Audit: CASA (Cloud App Security Assessment) readiness work is in progress. SOC 2 Type II readiness via internal verification follows; a third-party SOC 2 Type II attestation report is scheduled after Series A funding. Status updates are published on /trust as milestones are reached.
- Vulnerability management: Coordinated disclosure program at security@sendbriefs.com with a 90-day window. Researcher credit on the Trust page on request.
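The tenant-isolation bullet above describes the control in one sentence. The following is an added example of what that pattern looks like in Postgres, written for this page rather than taken from the SendBriefs schema; the table, column, role and setting names (`briefs`, `workspace_id`, `app_rw`, `app.workspace_id`) and the seed rows are assumptions for illustration. It also shows the two ways such a policy is commonly defeated in practice: the table owner bypasses RLS unless `FORCE ROW LEVEL SECURITY` is set, and an unset tenant setting must fail closed to zero rows rather than open to all rows.

```sql
-- Added example (not SendBriefs' schema): workspace isolation with Postgres
-- row-level security. All names below are illustrative assumptions.

CREATE TABLE briefs (
    id            bigserial PRIMARY KEY,
    workspace_id  uuid   NOT NULL,
    title         text   NOT NULL,
    body          text   NOT NULL
);

-- Constructed seed data: two workspaces, one row each (inserted as the owner,
-- before RLS is enabled, so no policy is needed for seeding).
INSERT INTO briefs (workspace_id, title, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Acme weekly',  'Traffic up 4%'),
    ('22222222-2222-2222-2222-222222222222', 'Globex weekly', 'Spend flat');

-- Least-privilege application role: not the owner, no BYPASSRLS, no superuser.
-- A superuser or a BYPASSRLS role still sees every row regardless of policy,
-- so the application must never connect as one.
CREATE ROLE app_rw NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON briefs TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE briefs_id_seq TO app_rw;

ALTER TABLE briefs ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well. Without it, a migration
-- or admin connection running as the owner silently reads all tenants.
ALTER TABLE briefs FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL instead of raising when the setting
-- was never set; NULLIF turns an empty string into NULL too. Comparing a uuid
-- to NULL is never true, so a request that forgot to set its tenant gets zero
-- rows (fail closed). USING filters reads/updates/deletes; WITH CHECK rejects
-- inserts or updates that would move a row into another workspace.
CREATE POLICY briefs_tenant_isolation ON briefs
    FOR ALL TO app_rw
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Per-request use. SET LOCAL scopes the tenant id to this transaction, so it
-- cannot leak to the next request that checks the same pooled connection out.
SET ROLE app_rw;

BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
SELECT id, title FROM briefs;                -- only the Acme row
INSERT INTO briefs (workspace_id, title, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'x', 'y');
    -- ERROR: new row violates row-level security policy for table "briefs"
ROLLBACK;

-- Fail-closed check: no tenant set in this transaction.
BEGIN;
SELECT count(*) FROM briefs;                 -- 0, not 2
ROLLBACK;

RESET ROLE;
```

Verifying the control means running the last two transactions as `app_rw`, not as the owner or a superuser; a green result from an owner connection proves nothing once `FORCE` is absent. Pair the policy with a connection-pool hook that issues the `SET LOCAL` (or `RESET ALL` on check-in) so the setting can never outlive the request that set it.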
No system can be guaranteed perfectly secure. If we become aware of a personal data breach affecting Customer Data, we will notify the affected Customer without undue delay, as GDPR Art. 33(2) requires of a processor, and where feasible within 72 hours of confirmation so that you can meet your own 72-hour deadline for notifying the supervisory authority under Art. 33(1).
12. Children's data#
SendBriefs is a B2B product for professional use. It is not directed to children, and we do not knowingly collect personal data from individuals under 16 (or any higher minimum age set by applicable law in the user's jurisdiction — e.g., the COPPA threshold of 13 in the United States, GDPR Art. 8 default of 16 with member-state variations, and the California Age-Appropriate Design Code Act for users under 18 where it applies). If you become aware that a child has provided us personal data, contact privacy@sendbriefs.com and we will delete it within 30 days.
13. Marketing communications#
You may receive marketing email from us only if you have explicitly opted in (newsletter signup, demo request follow-up where you consented, etc.). Every marketing email contains a one-click unsubscribe link. Unsubscribing from marketing does not affect transactional emails required to operate your account (receipts, security alerts, brief-delivery confirmations).
We do not sell your email address. We do not share it with third parties for their marketing purposes.
14. Changes to this policy#
Material changes to this policy will be posted on this page at least 30 days before they take effect, and active customers will be notified by email at the billing address on file.
The "effective" date at the top of this page is updated on every change. Prior versions are archived in our git history and available on request from privacy@sendbriefs.com.
15. Contact#
| For | Contact |
|---|---|
| Privacy questions, data-rights requests, appeals | privacy@sendbriefs.com |
| Security disclosures | security@sendbriefs.com |
| General legal | legal@sendbriefs.com |
| Customer support | support@sendbriefs.com |
| Press / media | hello@sendbriefs.com |
Postal: Chykalophia Group, LLC · 929 Michigan Ave, Apt 3 · Evanston, IL 60202 · USA.
EU / UK representative: Not yet appointed. We are below the GDPR Art. 27(2) threshold (occasional processing, no large-scale special-category data). If we cross that threshold, an EU and UK representative will be appointed and listed here.