Makerbrief is operated by Patricia Taveira Saraiva. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our web application at makerbrief.com (“the Service”). We are committed to protecting your privacy and complying with applicable data protection law, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
Please read this policy carefully. By using the Service, you acknowledge that you have read and understood it.
1. Who We Are (Data Controller)
The data controller for the purposes of the UK GDPR is:
Patricia Taveira Saraiva (sole trader)
Registered address: Office 18104, 182-184 High Street North, East Ham, London, E6 2JA, United Kingdom
Email: hello@makerbrief.com
Our supervisory authority is the Information Commissioner's Office (ICO), Wycliffe House, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Website: ico.org.uk
We are registered with the Information Commissioner's Office (ICO) under registration reference ZC111055.
2. What Personal Data We Collect
2.1 Account Data
When you create an account, we collect your full name, email address, and authentication credentials (email and password, or your Google account details if you choose Google OAuth sign-in).
2.2 Business Data
The core purpose of Makerbrief is to help you manage brand deals. The business data you add to the Service may include brand names, contact names and contact details, deal values, payment amounts, invoice and due dates, deliverable notes, revision logs, renewal reminder dates, and any free-text notes you choose to add. This data is provided entirely by you and relates to your professional activities.
2.3 Billing Data
When you subscribe to a paid plan, our payment processor Stripe creates a customer record. We store your Stripe customer ID, subscription status, plan type, and trial start and end dates. We do not store your payment card number or card details — these are held exclusively by Stripe.
2.4 Usage and Technical Data
We collect technical data to operate and improve the Service, including your IP address, browser type, session data, and pages visited. This data is collected through standard server request logs as part of normal hosting operations.
We also use Sentry for application error monitoring and performance tracking. Sentry may collect browser type, device information, error context (including stack traces), and the pages you were on when an error occurred. Sentry is configured to minimise the capture of personal data.
3. How We Use Your Data and Our Legal Basis (GDPR)
We process your personal data only where we have a valid legal basis under the GDPR.
3.1 Performance of a Contract (Art. 6(1)(b))
We process your account data and business data because it is necessary to provide you with the Service you have signed up for. Without this processing, we cannot create your account or make the deal-management features available to you. We process billing data on the same basis, as it is necessary to manage your subscription.
3.2 Legal Obligation (Art. 6(1)(c))
We retain billing records for seven years to comply with financial record-keeping obligations under applicable law.
3.3 Legitimate Interest (Art. 6(1)(f))
We process usage and technical data to understand how the product is used and to improve it. We do not use this data to build individual profiles. We also use Sentry to detect and diagnose application errors and performance issues, which helps us maintain a reliable, secure service. We have assessed that these legitimate interests do not override your rights and freedoms.
3.4 Consent (Art. 6(1)(a))
If you opt in to receive marketing emails from us, we process your email address for that purpose on the basis of your consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by emailing hello@makerbrief.com.
4. How Long We Keep Your Data (Retention)
- Account and business data: deleted within 30 days of account cancellation or a written deletion request sent to hello@makerbrief.com.
- Billing records: retained for 7 years to meet financial record-keeping obligations.
- Usage and technical data: retained in accordance with Vercel's standard server log retention policy.
- Error monitoring data (Sentry): retained for 90 days in accordance with Sentry's default retention policy.
- Backups: may persist for up to 30 additional days after a deletion request is processed, after which they are purged from backup systems.
5. Who We Share Your Data With (Sub-processors)
We do not sell your personal data. We share data only with the following trusted sub-processors who help us deliver the Service. All US-based processors transfer data to the US under Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required by GDPR.
Supabase (Supabase Inc., USA)
Supabase provides our database, authentication, and backend infrastructure. All user account data and business data is stored on Supabase infrastructure, which is hosted on Amazon Web Services (AWS). Data is transferred to the US under Standard Contractual Clauses.
Stripe (Stripe, Inc., USA)
Stripe handles all payment processing and subscription management. Stripe receives your billing information and payment card details. Stripe is certified as PCI DSS compliant. Data is transferred to the US under Standard Contractual Clauses.
Vercel (Vercel Inc., USA)
Vercel provides web hosting and content delivery (CDN) for the Service. Vercel processes IP addresses and server request logs as part of normal hosting operations. Data is transferred to the US under Standard Contractual Clauses.
Google (Google LLC, USA)
If you choose to sign in with Google OAuth, Google processes your name and email address to authenticate you. We do not receive your Google password. Data is transferred to the US under Standard Contractual Clauses.
Resend (Resend Inc., USA)
Resend is our transactional email provider. Resend processes your name and email address to deliver system emails such as trial expiry notices and account notifications. Data is transferred to the US under Standard Contractual Clauses.
Sentry (Sentry, Inc., USA — data stored in EU)
Sentry provides application error monitoring and performance tracking. Sentry may process technical data including browser information, device type, and error context when errors occur while you use the Service. Sentry is configured to minimise capture of personal data. Data is stored within the EU on AWS infrastructure in Germany (eu-central-1) and does not leave the EEA.
6. Your Rights
Depending on your location, you have the following rights regarding your personal data:
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may ask us to correct inaccurate or incomplete data.
- Right to erasure: you may ask us to delete your personal data (subject to legal retention obligations).
- Right to data portability: you may request your data in a structured, machine-readable format.
- Right to object: you may object to processing based on legitimate interest.
- Right to restrict processing: you may ask us to limit how we use your data in certain circumstances.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email hello@makerbrief.com. We will respond within 30 days. You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are located in the EU, you may contact your local data protection supervisory authority.
7. UK GDPR
Makerbrief is operated from the United Kingdom. The UK GDPR is the primary data protection framework governing how we process your personal data. Your rights under the UK GDPR are as described in Section 6. Our supervisory authority is the Information Commissioner's Office (ICO), Wycliffe House, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk. Where we process the personal data of individuals in the EU, we also comply with the EU GDPR. You may contact us at hello@makerbrief.com to exercise your rights under either framework.
8. California Residents — CCPA/CPRA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know: you may request information about the categories and specific pieces of personal information we have collected about you, and how it is used and shared.
- Right to delete: you may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct: you may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioural advertising.
- Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, email hello@makerbrief.com. We will respond within 45 days as required by law.
9. Canadian Residents — PIPEDA
If you are located in Canada, your personal information is handled in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access personal information we hold about you and to challenge its accuracy. To make a PIPEDA access or correction request, contact hello@makerbrief.com.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. All data in transit is encrypted using TLS. Data at rest is encrypted by our infrastructure providers. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
11. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact hello@makerbrief.com and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice within the Service. The effective date at the top of this document will be updated accordingly. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
13. Contact Us
For any privacy-related questions or to exercise your rights, contact Patricia Taveira Saraiva at hello@makerbrief.com.