Privacy Policy - Web Application

Last updated: 25 March 2026

You can also follow these links for our Web App Acceptable Use Policy, or our Web App Cookie Policy.

vBrief Ltd — Web Application Privacy Policy

This privacy policy explains what personal information vBrief Ltd collects as a data controller when you use the vBrief platform (the "Solution"), how we use it, and what rights you have.

Where we process personal data on behalf of a client organisation as a data processor (for example, documents and project data uploaded to the Solution), that processing is governed by our Data Processing Addendum with the client, not this policy. See Section 8 for more detail.

For information about how we handle personal data collected through our marketing website (vbrief.ai), please see our Website Privacy Policy.

  1. Contact details

  2. What information we collect, use, and why

  3. Lawful bases and data protection rights

  4. Where we get personal information from

  5. How long we keep information

  6. Who we share information with

  7. Sharing information outside the UK

  8. Platform processing (data processor role)

  9. How to complain

1. Contact details

Controller:
vBrief Ltd (Company No. 16079850)

Email:
privacy@vbrief.ai

Postal address:
vBrief Ltd
128 City Road, London EC1V 2NX, UK

2. What information we collect, use, and why

We collect or use the following information for account administration and access management:

  • Administrator and user contact details (name, work email address, job title)

  • Organisation identifiers

  • Authentication and SSO metadata (sign-in timestamps, session identifiers, role/group claims)

We collect or use the following information for billing, subscriptions, and payment processing:

  • Billing contact name and email

  • Company name and billing address

  • Invoice data, payment history, and VAT/tax fields

We collect or use the following information for security monitoring, incident response, and breach management:

  • Incident-related identifiers

  • Log excerpts (which may include personal identifiers such as IP addresses)

  • Communications related to security incidents

We collect or use the following information for support and service communications:

  • Names and contact details

  • Support correspondence content

This platform is intended for business users; we do not knowingly collect personal data from anyone under 18.

3. Lawful bases and data protection rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website.

Which lawful basis we rely on may affect your data protection rights, which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO's website.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for each purpose:

Account administration and access management:

  • Contract — processing is necessary to perform our contract with your organisation (or to take steps prior to entering into a contract).

  • Legitimate interests — administering user accounts, maintaining audit trails, and ensuring the security of the Solution. The data processed is limited to professional contact and access details, and individuals would reasonably expect this processing. Our interest does not override the individual's because the data is minimal, professional in nature, and individuals can request access, rectification, or erasure at any time.

Billing, subscriptions, and payment processing:

  • Contract — processing is necessary to perform our contract with your organisation.

  • Legal obligation — we are required to retain certain financial records under UK tax and company law.

Security monitoring, incident response, and breach management:

  • Legal obligation — we are required under UK GDPR to maintain records of personal data breaches.

  • Legitimate interests — protecting the security of our systems and the data of our users and clients. The processing is limited to security-relevant data, is proportionate to the risk, and individuals can contact us with concerns at any time.

Support and service communications:

  • Contract — processing is necessary to provide support services under our agreement with your organisation.

  • Legitimate interests — responding to support queries and service communications. The impact on individuals is low and the data is professional in nature.

For more information on our use of legitimate interests as a lawful basis, or to request a copy of our legitimate interest assessments, please contact us using the details above.

4. Where we get personal information from

  • From your employer or organisation (where they provide your details as an administrator, billing contact, or user)

  • Directly from you (support requests, in-app interactions)

  • Generated through your use of the Solution (authentication metadata, audit logs)

5. How long we keep information

We store personal data only for as long as necessary to fulfil the purposes explained in this notice, after which we delete or anonymise it.

  • Account and access records — retained for the duration of the client's agreement with us, plus 12 months to allow for any post-termination queries or obligations.

  • Billing and financial records — retained for 6 years from the end of the financial year in which the transaction occurred, in accordance with UK statutory requirements.

  • Incident and breach records — retained for as long as needed for compliance and claims management (typically 6 years).

  • Support correspondence — retained for the duration of the client's agreement with us, plus 12 months.

  • Server logs and security backups — automatically deleted within 30 days unless we need to investigate suspicious activity.

We review these retention periods at least once a year and update them if our processing activities change.

6. Who we share information with

Data processors

The following providers act as our processors and are bound by written data-processing agreements meeting Article 28 UK GDPR.

Microsoft Ireland Operations Ltd / Microsoft Corporation
Cloud hosting (compute, storage, database), encrypted backups, application monitoring, security operations, user authentication (Entra ID), and AI inference (Azure OpenAI). Data is hosted in Sweden (EEA); remote access from the US may be possible under Microsoft's sub-processing terms for support and security operations. (EEA / US)

Stripe Payments Europe, Limited
Payment processing. (US)

Xero (UK) Ltd
Accounting and invoicing. (US)

We do not sell, rent, or trade your personal information to third parties. We do not share your information for marketing purposes with any third party.

7. Sharing information outside the UK

Where necessary, our data processors may transfer personal information outside of the United Kingdom. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Microsoft Ireland Operations Ltd / Microsoft Corporation
Category: Cloud hosting, authentication, AI inference, and security operations
Country: Data hosted in Sweden (EEA); potential remote access from US under Microsoft sub-processing terms
Transfer mechanism: EU SCCs + UK Addendum (incorporated in Microsoft DPA)

Stripe Payments Europe, Limited
Category: Payment processing
Country: United States
Transfer mechanism: EU SCCs + UK Addendum

Xero (UK) Ltd
Category: Accounting and invoicing
Country: United States
Transfer mechanism: EU SCCs + UK Addendum

8. Platform processing (data processor role)

When organisations use the vBrief platform (the "Solution"), they upload documents, emails, and project data which may contain personal information about their employees, clients, contractors, and other third parties.

In this context, the client organisation is the "data controller" and vBrief acts as a "data processor." Our processing of that data is governed by our Data Processing Addendum (DPA) agreed with each client, not this privacy policy.

Key points about platform processing:

  • All platform data is hosted on Microsoft Azure in Sweden (EEA).

  • AI processing uses Azure OpenAI, also hosted in Sweden (EEA). Customer data is not used to train AI models.

  • We process platform data only on the client's documented instructions.

  • On termination of a client agreement, we provide a 30-day data export window followed by secure deletion. Backups rotate within 30 days.

If you are an individual whose data has been uploaded to vBrief by a client organisation and you wish to exercise your data protection rights, please contact that organisation directly. They are the data controller for your information.

9. How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we've used your data after raising a complaint with us, you can also complain to the ICO.

The ICO's address:
Information Commissioner's Office,
Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint