Privacy Policy

BriefKlar is committed to protecting your personal data. This policy explains what we collect, why we collect it, how we use it, and what rights you have under the GDPR and BDSG.

Effective: 1 March 2026·Updated: 1 March 2026·Law: Federal Republic of Germany

Data Controller

BriefKlar operates as the data controller for all personal data processed through briefklar.app. We are established in Hamburg, Germany and are subject to the GDPR and BDSG.

Field	Detail
Controller	BriefKlar
Address	Hamburg, Germany
General email	contact@briefklar.app
Data protection email	privacy@briefklar.app
Website	briefklar.app
Supervisory authority	Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Authority website	datenschutz.hamburg.de

Personal Data We Collect

Account Data

◆Full name and email address (via Clerk authentication).
◆Preferred language and country settings.
◆Subscription tier (Free / Pro / Plus), billing status, billing interval.
◆Stripe Customer ID for subscription and payment management.

Document Data

◆Text content of uploaded letters, extracted via OCR or direct text input.
◆Uploaded files stored in encrypted private Supabase storage (letters-private bucket).
◆AI-generated analysis: authority, letter type, urgency, deadline, required actions, consequences.
◆AI-generated plain-language explanation and formal reply text.
◆Deadlines and calendar entries extracted from letter content.

Usage Data

◆Credit transaction history: credits debited, credited, purchased, referred, expired.
◆Feature usage: upload count, reply generation count, TTS/STT usage.
◆Session data: login timestamps, session duration.
◆IP address, browser type, device identifiers for security and rate limiting.

Payment Data

◆Payment data is processed exclusively by Stripe. BriefKlar does not store card numbers or credentials.
◆BriefKlar stores only Stripe Customer ID and Subscription ID.

Incognito Mode

◆When you use Incognito Mode (uncheck 'Save to history'), your document is processed and the result delivered, then permanently deleted within one hour.
◆No letter content is retained after deletion in incognito mode.

Legal Basis for Processing

Processing Purpose	Data Category	Legal Basis (GDPR)
Letter interpretation and reply service	Document content, analysis output	Art. 6(1)(b) — performance of contract
Account management via Clerk	Account data	Art. 6(1)(b) — performance of contract
Payment processing via Stripe	Stripe customer ID, billing data	Art. 6(1)(b) — performance of contract
Credit system management	Usage data, credit transactions	Art. 6(1)(b) — performance of contract
Security, fraud prevention, rate limiting	IP address, device data	Art. 6(1)(f) — legitimate interest
Compliance with German tax law (§ 147 AO)	Billing records	Art. 6(1)(c) — legal obligation

Third-Party Sub-Processors

BriefKlar uses the following sub-processors. Transfers outside the EEA use Standard Contractual Clauses (SCCs).

Processor	Purpose	Data Transferred	Location
Clerk	Authentication and session management	Email, name, session tokens	USA (SCCs)
Supabase	Database and file storage	All user data, letters, replies, files	EU (AWS Frankfurt)
Anthropic	Primary AI — letter analysis and reply	Letter text (transient)	USA (SCCs)
Groq / OpenAI	AI fallback, Whisper STT	Letter text / audio (transient)	USA (SCCs)
Stripe	Payment processing	Payment method data	USA (SCCs)
Vercel	Application hosting	Request logs, IP addresses	USA / EU

ℹLetter text sent to AI providers is transmitted transiently for analysis only. BriefKlar does not permit AI providers to use your content to train their models.

Data Retention

Data Category	Retention Period	Reason
Account data	Until account deletion, then 30 days in backup	Service provision
Free tier — no history	Not retained	Free tier design
Pro tier — document history	50 documents · 7 days from upload	Pro plan feature
Plus tier — document history	150 documents · 30 days from upload	Plus plan feature
Incognito mode documents	Deleted within 1 hour of result delivery	Privacy-by-design
Credit transaction audit log	3 years from transaction date	Financial record-keeping
Billing and payment records	7 years from transaction date	§ 147 AO German tax law
Server access logs	90 days	Security and debugging

Your Rights Under GDPR

Right	Article	How to Exercise
Right of Access	Art. 15	Request a copy of your data. Email privacy@briefklar.app.
Right to Rectification	Art. 16	Request correction of inaccurate data.
Right to Erasure	Art. 17	Request deletion. Via Settings → Delete Account, or email privacy@briefklar.app.
Right to Restriction	Art. 18	Request restriction of processing.
Right to Data Portability	Art. 20	Receive your data in JSON format.
Right to Object	Art. 21	Object to processing based on legitimate interest.
Right to Lodge a Complaint	Art. 77	Complain to Hamburg DPA — datenschutz.hamburg.de.

ℹBriefKlar implements a GDPR Article 17 data erasure endpoint at /api/user/delete-data that removes all files, letters, replies, and credit records. Requests are fulfilled within 30 days. Billing records are retained for 7 years as required by German tax law.

Data Security

◆All data in transit is encrypted using TLS 1.2 or higher. HTTPS enforced.
◆Document files are stored in private Supabase storage (letters-private) with signed URLs.
◆Row Level Security (RLS) on all database tables — users only access their own data.
◆Security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy.
◆Input sanitization before passing to AI providers.
◆Rate limits: uploads 10/hour, AI 20/hour, TTS/STT 30/minute, GDPR deletion 2/day.

Children's Privacy

BriefKlar is not directed at children under 18. We do not knowingly collect personal data from children. If you believe your child has provided data to BriefKlar, contact privacy@briefklar.app and we will delete it promptly.

Questions? privacy@briefklar.app

briefklar.app · Hamburg, Germany