Privacy Policy: How We Protect Your Data
Learn how CmdBrief collects, uses, and protects your personal data. GDPR and CCPA compliant privacy practices.
1. Introduction
CmdBrief ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit cmdbrief.com.
2. Data Controller
For GDPR purposes, the data controller is:
Email: [email protected]
3. Information We Collect
Personal Data You Provide
- Beta Waitlist: Email, optional name, role, current tools, workflow notes, platform, source, beta contact consent, optional product update consent, and invite status
- Consent Records: Cookie preference choices, consent version, timestamp, browser GPC status, and a local consent identifier
- Account and Invite Data: Email, device identifier and label, account and subscription status, invite campaign delivery and redemption records, and security records such as hashed authentication tokens
- Billing and Payment-Risk Data: Stripe customer, subscription, Price, Charge, dispute, and event identifiers; subscription status and renewal time; fraud-warning, refund, dispute reason and outcome codes; Terms version; and security timestamps. CmdBrief does not receive or store full card numbers or card security codes.
Automatically Collected Information
- Usage Data: Page views, content groups, form starts, clicks, referrers, and similar site events when analytics consent is enabled
- IP Address: Processed by analytics providers with IP anonymization or privacy-preserving settings where available
4. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Managing CmdBrief private beta access, invite prioritization, install instructions, and beta contact requests | Consent (Art. 6(1)(a)) |
| Creating and securing invited accounts, authenticating devices, and providing subscription access | Contract performance and legitimate interest in service security (Art. 6(1)(b), Art. 6(1)(f)) |
| Processing recurring payments, calculating tax, preventing fraud, reviewing refunds or disputes, suspending access during payment review, and maintaining financial evidence | Contract performance, legal obligation, and legitimate interests in fraud prevention and legal claims (Art. 6(1)(b), Art. 6(1)(c), Art. 6(1)(f)) |
| Sending optional product updates when you separately opt in | Consent (Art. 6(1)(a)) |
| Recording cookie and privacy choices, including GPC status | Legal obligation and legitimate interest (Art. 6(1)(c), Art. 6(1)(f)) |
| Analyzing site usage through Google Analytics and PostHog after analytics consent | Consent (Art. 6(1)(a)) |
6. International Transfers
Your information may be transferred to countries outside your residence when service providers process data. PostHog is configured for EU Cloud, while providers such as Google Analytics may process data internationally under safeguards including Standard Contractual Clauses (SCCs).
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Private beta waitlist and beta contact consent | Until the beta program ends, you opt out, or deletion is requested |
| Account, device, invite redemption, and subscription records | While the account is active and afterward only as needed for security, legal, and accounting obligations |
| Raw Stripe webhook payloads used for short-term security investigation | Up to 180 days, then redacted while compact event identifiers remain for replay protection |
| Compact fraud-warning, refund, and dispute records | 24 months, subject to any longer period required for legal claims |
| Invoices, tax, payment, and accounting records | For the statutory period required by applicable financial and tax law |
| One-time authentication codes | Short-lived and routinely deleted after use, lockout, or expiry |
| Optional product update consent | Until you opt out or deletion is requested |
| Analytics data | Up to 26 months |
| Consent records | 3 years |
8. Your Rights (GDPR)
Access
Request a copy of your personal data
Rectification
Correct inaccurate data
Erasure
Request deletion of your data
Portability
Receive data in machine-readable format
Object
Object to processing based on legitimate interests
Withdraw Consent
Withdraw consent at any time
To exercise these rights, contact us at [email protected]
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including HTTPS encryption, regular security assessments, and access controls.
CmdBrief does not collect terminal content, prompts, repository contents, or detailed native-product usage telemetry as billing or dispute evidence. We rely on Stripe purchase records plus existing account, device, authentication, and security timestamps. Website analytics remain consent-controlled as described above.
10. Contact Us
For privacy-related inquiries: