Legal

Privacy Policy

Last updated: July 2026

1. Data controller

ColdBrief (coldbrief.com and the ColdBrief Slack application) is operated by Karol Dec, an individual based in Rzeszów, Poland. Karol Dec is the data controller responsible for your personal data processed through the service.

Contact: hello@coldbrief.com

2. What data we collect

  • Account data — email address, name, and authentication identifiers, managed by our authentication provider (Clerk).
  • Slack integration data — your Slack workspace ID, Slack user ID, locale and timezone, and the workspace access token required to operate the bot (stored encrypted, AES-256-GCM).
  • Preferences — settings you provide, such as your sales role, ideal customer profile, default contact role, and digest preferences.
  • Content you provide — sales methodologies you upload or describe (PDF or text), company names and URLs you research, and messages you send to the ColdBrief bot.
  • Generated content — research briefs, buying-signal summaries, and related research data produced for you by the service.
  • Usage data — commands used, briefs generated, credit usage, and feedback you give on briefs (👍/👎).
  • Technical data — server logs (IP address, timestamp) and error reports (via Sentry) used to keep the service secure and working.
  • Waitlist data — email address, consent record, and signup source, if you applied via the website form.

3. Data about companies and business contacts

ColdBrief compiles research briefs from publicly available sources — company websites, public LinkedIn company pages, news coverage, and web search. Briefs may include business contact information about people at researched companies (e.g. name, job title, public profile link) sourced exclusively from public business contexts. We process this data on the basis of legitimate interest (Art. 6(1)(f) GDPR) in providing B2B sales research.

If you are such a person and want your data removed from our systems, email hello@coldbrief.com and we will action it within 30 days.

4. Why we process data (legal basis)

  • Providing the service: Performance of a contract (Art. 6(1)(b) GDPR) — generating briefs, operating the Slack bot, managing your account and credits.
  • Launch updates and waitlist communication: Consent (Art. 6(1)(a) GDPR). You can withdraw it at any time — see Section 8.
  • Security, fraud prevention, and error monitoring: Legitimate interest (Art. 6(1)(f) GDPR) — rate limiting, abuse detection, and error tracking.
  • Researching publicly available business information: Legitimate interest (Art. 6(1)(f) GDPR) — see Section 3.

5. AI processing

Brief generation uses third-party AI providers. Content needed to produce your briefs — your methodology, your research requests, and collected public research data — is sent to Anthropic (Claude models) and Perplexity (Sonar) via their APIs. Under the API terms of these providers, your data is not used to train their models.

6. How long we keep your data

  • Account data, methodologies, and briefs — until you delete them or delete your account (Settings → Delete account, or by email).
  • Slack workspace tokens — until the ColdBrief app is uninstalled from the workspace or the account is deleted.
  • Research cache — up to 24 hours (used to avoid re-fetching the same public data).
  • Server logs and error reports — up to 90 days.
  • Waitlist emails — until you request removal or 24 months after signup, whichever comes first.

7. Who we share data with (sub-processors)

We do not sell your personal data. We use the following sub-processors to operate the service:

  • Supabase Inc. — database hosting (eu-central-1, Frankfurt, Germany).
  • Clerk Inc. — authentication (US).
  • Vercel Inc. — application hosting and infrastructure (US, global edge network).
  • Slack Technologies (Salesforce) — the Slack platform the bot runs on.
  • Anthropic PBC — AI brief generation (US).
  • Perplexity AI Inc. — AI research synthesis (US).
  • Apify Technologies s.r.o. — retrieval of public LinkedIn company data (Czech Republic, EU).
  • Firecrawl (Mendable AI) — retrieval of public website content (US).
  • Upstash Inc. — rate limiting infrastructure (US/EU).
  • Functional Software Inc. (Sentry) — error monitoring (EU data residency, Frankfurt, Germany).
  • Resend Inc. — transactional email delivery (US/EU).

All sub-processors are bound to process data only as instructed and in compliance with GDPR. Transfers outside the EEA rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

8. Your rights

Under GDPR (EU/UK) and applicable laws worldwide, you have the right to:

  • Access the personal data we hold about you (Art. 15) — you can also export it yourself in Settings.
  • Correct inaccurate data (Art. 16).
  • Request deletion of your data — "right to be forgotten" (Art. 17) — also available in-app (Settings → Delete account).
  • Request restriction of processing (Art. 18).
  • Receive your data in a portable format (Art. 20) — the in-app export provides JSON.
  • Withdraw consent at any time — this does not affect the lawfulness of prior processing (Art. 7).
  • Object to processing based on legitimate interest (Art. 21).
  • Lodge a complaint with your local data protection authority (in Poland: UODO, uodo.gov.pl).

To exercise any right, email hello@coldbrief.com with subject “Privacy Request”. We will respond within 30 days.

9. Security

All traffic is encrypted in transit (TLS). Slack workspace tokens are encrypted at rest (AES-256-GCM). Database access is protected with row-level security so each account can only reach its own data. Access to production systems is limited to the operator.

10. Cookies

The website uses only functional cookies: a session cookie set by our authentication provider (Clerk) when you sign in, and a short-lived CSRF cookie during the Slack install flow. No advertising or third-party analytics cookies are used.

11. California residents (CCPA)

We do not sell personal information. California residents have the right to know what personal information is collected and to request deletion. To exercise these rights, contact hello@coldbrief.com.

12. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated by email or in-app notice. The “Last updated” date above always reflects the current version.