Brefi

Legal · Personal data

Privacy policy

Last updated: 21 May 2026

Brefi (“we”, “us”, “the service”) is operated by Haijahr Limited, a company registered in England and Wales. This policy explains what personal data we hold about you, why we hold it, who we share it with, and how to exercise your rights under UK GDPR and the Data Protection Act 2018.

§ I   Who we are

Haijahr Limited is the data controller for personal data processed by Brefi. You can reach our data protection contact at privacy@brefi.co.uk.

§ II   What we collect

  • Account data: your name and email address, provided when you register.
  • Filter configuration: CPV codes, keywords, regions, value ranges and other preferences you supply when configuring your morning brief.
  • Payment metadata: a Stripe customer ID and subscription status. We never see your card details — these are handled directly by Stripe.
  • Service usage: which tender opportunities you have viewed or dismissed, so we can refine the brief and avoid sending repeat content.
  • Operational logs: standard web server logs (IP address, user agent, timestamp) kept for 30 days for fraud prevention and debugging.

§ III   Why we hold it

  • To provide the service — your account data, filter configuration and Stripe customer ID are necessary to run Brefi. Lawful basis: performance of contract.
  • To send the daily brief — your email address and digest preferences are processed each morning to deliver matches that fit your filters. Lawful basis: performance of contract.
  • To prevent fraud and abuse — Cloudflare Turnstile and our log retention. Lawful basis: legitimate interests.

We do not use your data for advertising or sell it to third parties.

§ IV   Who we share it with

Brefi relies on a small set of carefully chosen sub-processors, each of which is contractually bound to handle your data in compliance with UK GDPR:

  • Stripe Payments UK Ltd — payment processing. Their privacy policy is at stripe.com/gb/privacy.
  • Mailtrap (Railsware Products Inc) — transactional email delivery for your daily brief.
  • DigitalOcean LLC — server hosting in their London region.
  • Cloudflare Inc — bot prevention on the registration form via Turnstile.

No personal data is transferred outside the United Kingdom or the European Economic Area without appropriate safeguards (Standard Contractual Clauses where applicable).

§ V   Cookies

Brefi uses only essential cookies — a session cookie for keeping you logged in, and a CSRF token for form security. We do not use analytics, advertising or tracking cookies. Stripe and Cloudflare set their own cookies on pages where they are loaded; these are used for fraud prevention and are required for the service to function.

§ VI   How long we keep it

  • Active accounts: while your subscription is active.
  • Cancelled accounts: 90 days after cancellation, then deleted (we may retain anonymised usage metrics indefinitely).
  • Server logs: 30 days.
  • Billing records: 7 years (HMRC requirement).

§ VII   Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data deleted (subject to legal retention requirements above).
  • Receive a portable copy of your data.
  • Object to specific processing.
  • Lodge a complaint with the Information Commissioner's Office.

To exercise any of these rights, email privacy@brefi.co.uk. We aim to respond within 14 days.

§ VIII   Changes

We may update this policy. Material changes will be notified by email at least 14 days before they take effect. The current version is always available at brefi.co.uk/privacy.