Privacy Policy

Effective date: May 19, 2026

Perimeter Brief ("we", "us", or "our") operates the website and service at perimeterbrief.io. This policy describes what personal data we collect, how we use it, who we share it with, and your rights regarding that data. We've written it to be readable, not just defensible.

1. What we collect

| Data | When collected | Why |
|---|---|---|
| Email address | Newsletter signup or account creation | Delivering your digest and account communications |
| Name | Account creation | Personalising emails and your dashboard |
| Password (hashed) | Account creation / password change | Authentication. We never store plaintext passwords. |
| IP address | Login, API requests | Rate limiting, abuse prevention, security audit log |
| Browser / device info | Login | Session management and security alerts |
| Payment metadata | Subscription purchase | Billing. Card numbers are handled entirely by Stripe — we never see them. |
| Support messages | Contact form submissions | Responding to your inquiry |
| Ticket and dashboard content | Normal product use | Providing the service. Team plan data is org-isolated — other organisations cannot access it. |
| File attachments | Uploaded to tickets | Stored in Cloudflare R2; accessible only within your organisation. |
| Email delivery events | Automated — from our email provider | Handling bounces and unsubscribes to keep our list clean and compliant. |

We do not use tracking pixels, behavioural advertising, or third-party analytics scripts. We do not sell your data.

2. How we use your data

  • Delivering the service — sending your daily digest, providing dashboard access, processing payments.
  • Transactional communications — account confirmation, password reset, billing receipts, security alerts. These cannot be opted out of while you have an active account.
  • Security and abuse prevention — IP addresses and login attempts are logged to detect and block brute-force attacks and rate-limit abusive traffic.
  • Support — messages you send us are used solely to respond to your inquiry and are not used for marketing.
  • Service improvement — aggregate, non-identifiable usage patterns may inform product decisions. No individual behaviour is tracked for this purpose.

3. Third-party services

We share data with the following processors only to the extent necessary to provide the service:

| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, name, billing address. Card data never passes through our servers. |
| Mailgun | Transactional email delivery | Email address, email content |
| Amazon Web Services (SES) | Bounce and complaint handling | Email delivery events only |
| Cloudflare | CDN, DDoS protection, file storage (R2) | All web traffic passes through Cloudflare. Attachment files are stored in R2. |
| Railway | Database hosting | All database content is hosted on Railway infrastructure. |
| Vercel | Application hosting | Application code and server-side request logs |

We have data processing agreements in place with each of these providers. We do not share data with any other third parties except as required by law.

4. Cookies and sessions

We use a single, strictly necessary session cookie (pb_sid) to keep you logged in. It is a secure, HTTP-only cookie that expires after 30 days or when you log out. We do not use advertising cookies, third-party tracking cookies, or analytics cookies of any kind.

5. Data retention

  • Active accounts — data is retained for as long as your account is active.
  • Cancelled subscriptions — account data is retained for 90 days after cancellation to allow reactivation, then deleted.
  • Free newsletter subscribers — email is retained until you unsubscribe, at which point it is suppressed (not deleted, to prevent accidental re-subscription) or deleted on request.
  • Security logs — IP addresses and login attempt records are retained for 90 days.
  • Support messages — retained for 2 years for quality and compliance purposes.

6. Your rights

Regardless of where you're located, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — update inaccurate or incomplete data. Most data can be updated directly in your dashboard profile.
  • Deletion — request that we delete your account and associated personal data. We will comply within 30 days, subject to any legal retention obligations.
  • Portability — request an export of your ticket and dashboard data in a machine-readable format.
  • Unsubscribe — every marketing email includes an unsubscribe link. You can also unsubscribe from your account profile at any time.
  • Object — object to processing based on our legitimate interests. We will cease that processing unless we have compelling grounds to continue.

To exercise any of these rights, contact us at [email protected] or use the support page. We will respond within 30 days.

7. Security

Passwords are hashed using bcrypt before storage. All data in transit is encrypted via TLS. Database access is restricted to application services — no public access is permitted. Team plan organisations have fully isolated data: no query or API endpoint returns data across organisation boundaries. We maintain an internal security audit log of all privileged actions.

Despite these measures, no system is perfectly secure. If you discover a security vulnerability, please report it responsibly to [email protected].

8. Children

Perimeter Brief is intended for professionals and is not directed at children under 16. We do not knowingly collect personal data from anyone under 16.

9. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify subscribers by email at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the most recent version.

10. Contact

Questions about this policy or your data? Reach us at [email protected] or through the support page.