Privacy policy
Last updated: 5 July 2026
Brefi (“we”, “us”, “the service”) is operated by Haijahr Limited, a company registered in England and Wales. This policy explains what personal data we hold about you, why we hold it, who we share it with, and how to exercise your rights under UK GDPR and the Data Protection Act 2018.
§ I Who we are
Haijahr Limited is the data controller for personal data processed by Brefi. You can reach our data protection contact at privacy@brefi.co.uk.
§ II What we collect
- Account data: your name and email address, provided when you register.
- Filter configuration: CPV codes, keywords, regions, value ranges and other preferences you supply when configuring your morning brief. This configuration is shared with any teammates you invite to your account.
- Payment metadata: a Stripe customer ID and subscription status. We never see your card details — these are handled directly by Stripe.
- Service usage: which tender opportunities you have viewed or dismissed, so we can refine the brief and avoid sending repeat content.
- Authentication data: if you enable two-factor authentication, an encrypted TOTP secret or a short-lived hashed email code; plus single-use recovery codes that we hash before storing.
- Consent log: a timestamped record of when you accepted the terms of service, privacy policy and any marketing opt-ins, together with the IP and user-agent at the moment of consent.
- Operational logs: standard web server logs (IP address, user agent, timestamp) kept for 30 days for fraud prevention and debugging.
§ III Why we hold it
- To provide the service — your account data, filter configuration and Stripe customer ID are necessary to run Brefi. Lawful basis: performance of contract.
- To send the daily brief — your email address and digest preferences are processed each morning to deliver matches that fit your filters. Lawful basis: performance of contract.
- To prevent fraud and abuse — Cloudflare Turnstile and our log retention. Lawful basis: legitimate interests.
We do not use your data for advertising or sell it to third parties.
§ IV Who we share it with
Brefi relies on a small set of carefully chosen sub-processors, each of which is contractually bound to handle your data in compliance with UK GDPR:
- Stripe Payments UK Ltd — payment processing. Their privacy policy is at stripe.com/gb/privacy.
- Mailtrap (Railsware Products Inc) — transactional email delivery for your daily brief.
- DigitalOcean LLC — server hosting in their London region.
- Cloudflare Inc — bot prevention on the registration form via Turnstile.
No personal data is transferred outside the United Kingdom or the European Economic Area without appropriate safeguards (Standard Contractual Clauses where applicable).
§ V Cookies
Brefi groups cookies into three categories. You choose which non-essential categories to allow via the banner shown on first visit; your choice is stored in a first-party cookie_consent cookie for 180 days and logged against your account if you are signed in. You can change your mind at any time by clearing that cookie.
- Essential — a session cookie that keeps you signed in and a CSRF token that protects forms. These cannot be switched off because the service does not function without them. Stripe (during checkout) and Cloudflare (anti-bot on registration) also set short-lived cookies in this category for fraud prevention.
- Analytics — if you opt in, we load Plausible Analytics, which records anonymised page views without using personal identifiers or third-party tracking. We use this only to understand which parts of the site are useful.
- Marketing — currently unused. If we ever introduce remarketing or third-party advertising cookies, they would be gated behind this category and disabled by default.
§ VI How long we keep it
- Active accounts: while your subscription is active.
- Cancelled accounts: 90 days after cancellation, then deleted (we may retain anonymised usage metrics indefinitely).
- Accounts deleted via self-service from your account settings: immediate deletion of your account, filter profiles, matched opportunities, pipeline notes and consent log. Billing records linked to your Stripe customer ID are retained for the HMRC period below.
- Server logs: 30 days.
- Billing records: 7 years (HMRC requirement).
§ VII Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data deleted (subject to legal retention requirements above).
- Receive a portable copy of your data.
- Object to specific processing.
- Lodge a complaint with the Information Commissioner's Office.
Self-service tools. While signed in, you can exercise the most common rights yourself from the account page:
- Download my data — generates a JSON export of your account, filter profiles, matched opportunities, billing references and consent log (right to portability + right of access).
- Delete my account — confirms with your password, then permanently removes your account and associated data (right to erasure). Audit-required billing records are kept per the retention table above.
- Marketing preference — toggle on/off at any time; each change is added to your consent log.
- Two-factor authentication — enable via TOTP app or email codes; recovery codes are issued for account recovery.
For anything not covered by the self-service tools — for example, rectifying inaccurate data we hold or objecting to specific processing — email privacy@brefi.co.uk. We aim to respond within 14 days.
§ VIII Changes
We may update this policy. Material changes will be notified by email at least 14 days before they take effect. The current version is always available at brefi.co.uk/privacy.