Privacy Policy
Last updated: 21 April 2026 (revised)
Who we are
Harrison Media Group Ltd (“Briefed”, “we”, “us”) is a company registered in England and Wales. We operate briefedmedia.com, id.briefedmedia.com, and related services.
Registered office: Ground Floor, 1 Spinningfields Square, Manchester, M3 3AP, United Kingdom.
Harrison Media Group Ltd is the data controller for the personal data described in this policy.
Scope of this policy
This policy covers personal data processed when you:
- Subscribe to our newsletter
- Create a Briefed account or sign in
- Purchase a paid plan or use a team account
- Interact with our websites, emails, or support channels
It applies across all Briefed properties. Where a specific product has additional disclosures, those will be shown in-product.
What we collect
Information you give us
- Contact details such as your email address, name, and avatar
- Account credentials you choose to set
- A short free-text description of what you do, if you provide it at signup (optional)
- Payment information, which is collected and held by our payment processor rather than by us
- Details of any organisation or team you participate in
- Referral code, if you were invited
- Messages you send us through support channels
Authentication signals
- Records of the sign-in methods you have enabled (for example passkeys, authenticator apps, social sign-in with Google, LinkedIn, or Apple)
- The technical material needed to verify those sign-in methods, stored in industry-standard protected form. We never hold plaintext passwords, passkey private keys, or authenticator-app secrets.
- Recovery codes you generate, held in a form that cannot be read back by us or by staff
Session and device context
- A session identifier while you are signed in
- The IP address and User-Agent your browser presents
- The approximate location (country, and where available the city) derived from your IP address. We do not use GPS or ask your browser for its location.
- Devices you choose to mark as trusted, so that you do not have to sign in on every visit. We record a friendly device name, the browser and approximate location associated with it, and when it was last used.
- A record of when you most recently proved your presence (for example by passkey or authenticator), used to decide whether sensitive actions need you to confirm again
- The organisation you are currently acting within, if you belong to a team
Activity and security records
- A log of sensitive actions on your account (sign-ins, sign-in attempts, credential changes, key creation, team invitations, administrator access, and similar events), each recorded with the relevant actor, IP, browser, and timestamp
- Records of blocked or abusive traffic aimed at your account or at our infrastructure more broadly
Things we collect automatically
- Email engagement data (opens, clicks) via our email provider
- Basic site analytics (page views, referral source) via our infrastructure provider
- IP address, User-Agent, and HTTP referrer for signup attempts, used for abuse prevention and anonymised audience analytics
How we use your data
- To deliver our newsletter and products
- To authenticate you and authorise access to your account and any organisation you belong to
- To process payments and manage subscriptions
- To personalise your experience based on your preferences
- To understand how our content performs and improve it
- To prevent fraud and abuse, detect security incidents, and keep your account safe
- To comply with our legal obligations
- To communicate with you about your account, your subscriptions, and material changes to our service
Lawful bases
We process your personal data under one or more of the following lawful bases under the UK GDPR:
- Contract. To provide the Briefed service you have signed up for, including authentication, billing, and delivery of the product.
- Legitimate interests. To keep our service secure, prevent abuse, understand our readership at an aggregate level, and improve our content. We balance these interests against your rights and freedoms.
- Legal obligation. To meet tax, accounting, and other statutory record-keeping duties, and to respond to lawful requests from authorities.
- Consent. Where we ask for it explicitly, for example for optional communications. You can withdraw consent at any time.
Security
We apply layered, industry-standard safeguards to protect your account and your data. These include encryption in transit and at rest, strict access controls for staff, monitoring for abusive or anomalous behaviour, and the use of reputable infrastructure providers.
As part of our abuse prevention, sign-in attempts originating from networks associated with malicious activity may be blocked or challenged. We record the outcome of these checks but do not publish the specific signals or thresholds we use, because doing so would materially weaken them.
When we detect a sign-in from a device you have not previously used on your account, we will email you with the relevant context and a quick way to lock your account if it was not you. You can also review and revoke active sessions and trusted devices at any time from your account security page.
Certain sensitive actions require you to prove your presence again, independently of your session being otherwise valid. This is designed to limit what a hijacked session or an absent-minded open tab can do.
We maintain an internal security-monitoring function that reviews aggregate, de-identified signals about abuse attempts and system behaviour. As part of this, we use our AI subprocessor (see below) to help our engineering team triage those signals. No user-identifiable content or personal data is sent to that subprocessor.
No system is perfectly secure. If we identify a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours and, where required, inform you directly.
Staff access to your account
Briefed staff with administrator privileges may temporarily sign in as you to investigate issues you have raised with support or to respond to a security incident. This is standard practice in SaaS products, and we want to be transparent about it.
Whenever an administrator does this:
- The action is recorded in both the administrator’s and your own activity feed
- A clear banner is shown across the product for the full duration, so that you can see it the next time you sign in
- The administrator’s access is time-limited and does not persist like a normal session
- The administrator must have recently re-proved their own identity, not just held a valid session
Administrators may not sign in as other administrators. We do not access your account for any purpose other than legitimate support, security investigation, or legal compliance.
International transfers
Our service runs on globally distributed infrastructure and some of our subprocessors are based outside the UK and EEA. Where personal data is transferred internationally, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK addendum, or an equivalent mechanism) to ensure your data continues to be protected to UK GDPR standards.
Your rights under the UK GDPR
You have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased (“right to be forgotten”)
- Restrict or object to our processing of your data
- Receive your data in a portable format
- Withdraw consent where we are relying on it
- Not be subject to a decision based solely on automated processing that has legal or similarly significant effects
Several of these rights are now self-serve from your account:
- Access and portability. You can download a structured export of the data we hold on you from your account activity page. The export includes your profile, your sign-in history, your devices and authentication factors, your API keys, your subscriptions, your team memberships and invitations you have sent, your support interactions, your two-factor authentication status, and your recent activity log.
- Device and session management. You can inspect and revoke every active session and every trusted device from your account security page.
- Account recovery. If you lose access to your authenticator, you can use a backup code at id.briefedmedia.com/recover to regain access without contacting support.
- “Wasn’t me” lockdown. The alert we email on new-device sign-in includes a single-click link to lock your account, usable even if you are not signed in.
- Deletion. See below.
For any request we cannot handle from within the product (including rectification beyond what the profile editor supports, restriction, objection, or questions about our processing), email privacy@briefedmedia.com. We aim to respond within one month, as required by law.
Deleting your account
You can schedule your account for deletion at any time from your account settings. For your safety we ask you to confirm with any credentials you have enabled before we accept the request.
When you schedule deletion, we immediately end all your active sessions and revoke every trusted device, and we email you a confirmation that includes a quick cancellation link. A 14-day grace period follows during which you can change your mind and fully restore the account.
After the grace period expires, we permanently delete your credentials, sessions, API keys, and team memberships, and we anonymise your user record so it can no longer be used to identify you. The anonymised stub is retained so that references to your past activity in our internal security logs remain consistent; it contains no personal data.
We retain billing and invoice records for seven years as required by UK tax and accounting law, even after your account is deleted. The law lets us keep those records as a narrow exception to your right to be forgotten, because another law tells us we must hold on to them.
Where data is retained in backups after deletion, it is purged according to the standard backup rotation and is not restored to production.
Data retention
We retain personal data only for as long as we need it for the purposes set out in this policy, and in line with our legal obligations.
- Newsletter subscription: for as long as you are subscribed, plus a suppression record after you unsubscribe so that we do not re-send to you
- Account profile: until you delete your account
- Active sessions: a 14-day rolling window that renews with activity and expires on inactivity
- Trusted devices: up to 12 months, or until you revoke them
- Activity log visible to you: the most recent 12 months
- Short-lived sign-in tokens (for example magic links): a few minutes; single-use and discarded on consumption
- Email verification tokens: 24 hours; single-use
- API keys: until you revoke them (we only ever hold a non-reversible form, never the key itself)
- Raw signup abuse-prevention records (IP, User-Agent, referrer): a short, fixed window, then deleted automatically
- Subscription and invoice history: seven years, as required by UK tax and accounting law
- Anonymised stub of a deleted user record: retained indefinitely to preserve the integrity of our internal security logs; contains no personal data
Aggregated, non-identifying statistics derived from these records (for example country-level signup counts or engagement ratios) may be retained indefinitely for audience analysis.
Internal security-audit records required as evidence of how an account or our systems have been accessed may be retained for longer than the user-visible window, but remain subject to the same access controls.
Audience analytics and sponsorship
We aggregate non-identifying signals (country, referrer domain, cohort retention, engagement ratios) into daily snapshots used for editorial decisions and, when shared with prospective sponsors, qualitative audience descriptions. Sponsor-facing materials never contain individual-level data and never expose raw IP addresses, User-Agents, or email addresses. We do not use third-party enrichment services and do not sell or share personal data with advertisers.
The lawful basis for processing IP address, User-Agent, and referrer at the signup form is our legitimate interest in preventing abuse and in understanding the coarse composition of our readership. You may object to this processing at any time by contacting privacy@briefedmedia.com.
Automated decision-making
We use automated systems to filter abusive or malicious traffic at sign-in and signup, because human review of every request is not practical and would itself increase risk. These systems may block, challenge, or flag requests for review.
These decisions do not have legal or similarly significant effects on you within the meaning of Article 22 of the UK GDPR. If you believe your access has been blocked in error, contact privacy@briefedmedia.com and a human will review the case.
Children
Briefed is intended for adult readers and professionals. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, contact privacy@briefedmedia.com and we will delete the account.
Changes to this policy
We will update this policy when our practices change or when we add or remove a subprocessor. The “last updated” date at the top of the page always reflects the latest revision. For material changes, we will notify you by email or in-product where practicable.
Complaints
If you believe we have handled your personal data in a way that breaches the law, we would prefer you raise it with us first so we can try to put it right. Email privacy@briefedmedia.com.
You also have the right to complain directly to the UK Information Commissioner’s Office at ico.org.uk, or to a supervisory authority in your country of residence.
Contact
For privacy enquiries: privacy@briefedmedia.com
By post: Harrison Media Group Ltd, Ground Floor, 1 Spinningfields Square, Manchester, M3 3AP, United Kingdom.