Privacy policy

Last updated July 3, 2026

BriefOwl is operated by Maivor AB, Sweden (the data controller). Contact: daniel@maivor.ai. This page describes exactly what the product reads, what it stores, who processes it, and the controls you keep. Read-only by design: BriefOwl never writes to your site or your Google account.

Account data

When you create an account we store your email address and authentication credentials, handled by Supabase Auth. We use your email to sign you in and to deliver the product (for example your weekly brief). We do not sell personal data, and we do not send marketing email without a separate, explicit opt-in.

Google data (Search Console and Analytics)

If you connect Google, BriefOwl requests two read-only scopes: Search Console (webmasters.readonly) and Google Analytics (analytics.readonly). We use this access for one purpose: pulling the performance data of the sites you select so the product can write your briefs and raise findings. We store the OAuth refresh token encrypted in Supabase Vault, and we store the generated briefs plus the aggregated metrics they are built from. You can disconnect Google at any time in Settings — that revokes the grant with Google and deletes the stored token — or revoke access from your Google account’s security settings.

BriefOwl’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is never sold, never used for advertising, and never read by humans except with your permission for support, for security, or where the law requires it.

How briefs are written

The written analysis in a brief is produced by a large language model (Anthropic’s Claude, via API). The model receives only pre-computed, aggregated metrics for the site and period — click counts, page paths, query strings, deltas — never your name, email, or any visitor-level data. Anthropic does not train models on this API traffic.

Analytics on this website

briefowl.io itself uses Google Analytics 4 to count visits — only with your consent. No tracking loads before you choose, the data is routed through our own domain, and declining changes nothing about how the site works. Change your mind any time:

Processors

Four sub-processors run the service: Supabase (database, authentication, encrypted secret storage), Vercel (hosting), Google (the APIs above and Google Analytics), and Anthropic (brief synthesis). Some of these process data in the United States; those transfers rely on the EU–US Data Privacy Framework or standard contractual clauses.

Cookies

Two kinds: a strictly necessary session cookie that keeps you signed in (no consent required), and optional analytics cookies that exist only if you allow them in the banner.

Retention and deletion

Account data lives until you delete your account. Briefs and site data live until you delete them or archive the site. Disconnecting Google deletes the stored token immediately. To delete your account and everything in it, email daniel@maivor.ai — deletion completes within 30 days.

Your rights

Under the GDPR you can request access, correction, deletion, restriction, or a portable copy of your personal data, and you can object to processing. Write to daniel@maivor.ai. You can also lodge a complaint with the Swedish data protection authority (Integritetsskyddsmyndigheten, imy.se).