Legal

Privacy Policy

Last updated: 29 March 2026

OrgBrief (“we”, “us”, “our”) is operated by RogerSon Ltd. This privacy policy explains how we collect, use, and protect information when you use orgbrief.com and our related services.

OrgBrief is a SaaS tool for executive recruitment firms. It processes CSV data to create org charts and market reports. We take data privacy seriously — particularly because the data you upload often contains information about people within your client organisations.

Data We Collect

We collect different categories of information depending on how you interact with OrgBrief.

Account information

When you create an account, we collect your name, email address, and company name. This is stored securely in our authentication system powered by Supabase.

Payment information

Subscription payments are processed by Stripe. We never see or store your full card details. Stripe handles all payment data in accordance with PCI-DSS standards. We receive only a transaction reference, the last four digits of your card, and your billing email.

Usage data

We collect standard analytics data including pages visited, features used, browser type, and device information. This is collected via Google Analytics 4 and is used to improve the product.

CSV Data Processing

This is the most important section. Your CSV files typically contain names, job titles, departments, and reporting relationships of people within your client organisations.

How we handle your CSV data

  • CSV parsing and org chart generation happen client-side in your browser wherever possible.
  • If you are not signed in, your data is never sent to our servers. It is processed entirely in the browser and discarded when you close the page.
  • If you have an account and choose to save a chart, the processed data is stored in your private workspace on Supabase. Only you (and anyone you explicitly share a link with) can access it.
  • We do not train AI models on your data. We do not sell, share, or licence your uploaded data to any third party.
  • CSV files are not retained after processing unless you explicitly save the resulting org chart.

Where server-side processing is required (for example, AI-assisted hierarchy inference on larger datasets), the data is transmitted over TLS, processed in memory, and not written to persistent storage unless you save the result to your account.

Cookies

We use a limited number of cookies to operate the service.

Cookie | Purpose | Duration
Session token | Keeps you signed in (Supabase auth) | Session / 7 days
_ga, _ga_* | Google Analytics 4 — anonymous usage statistics | 2 years
stripe.csrf | Stripe checkout security token | Session

We do not use advertising cookies or tracking pixels. You can disable Google Analytics by using a browser extension or adjusting your cookie preferences.

Authentication and Account Security

User authentication is managed through Supabase Auth. We support email/password sign-in and may add third-party OAuth providers (such as Google) in the future. Passwords are hashed and salted — we cannot see or recover your password. Session tokens are stored as secure, HTTP-only cookies.

All data in transit is encrypted via TLS 1.2+. Data at rest in Supabase is encrypted using AES-256.

Payments via Stripe

All payment processing is handled by Stripe, a PCI Level 1 certified payment processor. When you subscribe to OrgBrief Professional, your payment details are entered directly into Stripe's secure payment form. We never have access to your full card number.

We store your Stripe customer ID and subscription status so we can manage your access to paid features. For billing queries, we can see your billing email and the last four digits of your payment method. For anything else, Stripe's own privacy policy applies: stripe.com/privacy.

Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account closure.
  • Saved org charts: Retained while your account is active. You can delete individual charts at any time from your dashboard.
  • Unsaved CSV uploads: Never stored. Processed in-browser or in-memory and discarded immediately.
  • Payment records: Retained for 7 years as required by UK financial record-keeping regulations.
  • Analytics data: Google Analytics retains data for 14 months by default. We do not extend this.

Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data (subject to legal retention requirements).
  • Portability — request your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Restriction — ask us to limit how we process your data.

To exercise any of these rights, email us at hello@orgbrief.com. We will respond within 30 days.

Third-Party Services

OrgBrief uses the following third-party services that may process your data:

  • Supabase: Authentication, database, and file storage. Data hosted in the EU.
  • Stripe: Payment processing. PCI Level 1 certified.
  • Google Analytics 4: Anonymous usage analytics. No personal data shared.
  • Vercel / Netlify: Application hosting and CDN.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you via email or by posting a notice on the site. The “last updated” date at the top of this page reflects the most recent revision.

Contact

If you have questions about this privacy policy or how we handle your data, contact us:

RogerSon Ltd

Email: hello@orgbrief.com

We aim to respond to all enquiries within 2 working days.