The Premis™ BriefEarly access

Privacy Policy

Last updated: June 2026

1. What this is

This policy explains what data The Premis™ Brief collects, where it goes, how long it is kept, and what you can do about it.

2. What we collect

When you use the diagnostic: The problem text you submit, the industry, company stage, and decision owner fields if provided, and the AI-generated output. Each run is assigned a Run ID and logged with a timestamp.

Documents you attach: If you attach documents to a run, their contents are processed only to generate that run's output and are not stored — we keep no copy of them after the run completes.

When you sign in: Your email address, and optionally your name. We do not collect passwords — authentication is handled via a session token issued by our own infrastructure.

Organisation context: If you save context via the memory feature, we store your organisation size, standing constraints, approaches already tried, and current strategic focus, held against your email address.

Automatically: Your IP address, used for rate limiting only. It is not linked to your account or retained beyond the session window.

Ratings and feedback: If you rate a run or submit written feedback, that response is stored against the Run ID.

3. Where your data goes

Anthropic API: Problem text, context fields, and any documents you attach are sent to Anthropic's API to generate the diagnostic output. Anthropic does not use API inputs to train its models by default. See Anthropic's privacy policy.

Cloudflare: The Premis™ Brief runs on Cloudflare infrastructure — Pages (frontend), Workers (backend), D1 (database), and KV (rate limiting). See Cloudflare's privacy policy.

Nowhere else: We do not sell, share, or transfer your data to any other third party. Anthropic and Cloudflare are the only sub-processors.

4. Lawful basis for processing

We process your data on two grounds. Contract performance: session authentication and run history are necessary to deliver the service you requested. Legitimate interests: diagnostic logs and feedback are retained to operate and improve the service, balanced against your right to privacy. You may object to processing on legitimate interests grounds at any time by contacting us.

5. How long we keep it

Diagnostic runs and organisation context are retained for up to 24 months from the date of last activity, or until you request deletion — whichever comes first. Attached documents are never retained — they exist only for the run that uses them. Session tokens expire after 30 days.

6. Your rights

You can request at any time:

Email us at hello@premisbrief.com. We will respond within 14 days. If you are in the EU or UK, you also have the right to lodge a complaint with your local data protection authority.

7. Cookies

The Premis™ Brief uses a single session cookie (premis_session) for authentication. It is HttpOnly, Secure, and expires after 30 days. We do not use analytics cookies, advertising cookies, or any third-party tracking.

8. Data Processing Agreements

Enterprise customers requiring a Data Processing Agreement (DPA) for GDPR compliance may request one by emailing hello@premisbrief.com. We will respond within 5 business days.

9. Children

The Premis™ Brief is intended for business use by adults. We do not knowingly collect data from anyone under 18.

10. Changes

If we make material changes to this policy, we will update the date at the top of this page. Continued use after a change constitutes acceptance.

11. Contact

Questions about this policy? Email us at hello@premisbrief.com.