Customer Data Agreement
Effective: 30 March 2026
1. Parties
This Customer Data Agreement ("Agreement") is entered into between:
- Briefed Intelligence Pty Ltd (ABN: to be confirmed), an Australian company based on the Gold Coast, Queensland ("Briefed", "we", "us"); and
- The Customer - the individual or entity that has subscribed to the Briefed intelligence platform ("Customer", "you").
This Agreement forms part of the Briefed Terms of Service and governs how Briefed processes Customer Data in connection with the Briefed venue intelligence platform.
2. Definitions
- Customer Data - raw data from platforms you connect to Briefed, including point-of-sale transactions, rostering records, accounting data, booking records, and online reviews.
- Personal Information - has the meaning given in the Privacy Act 1988 (Cth).
- Staff Data - Personal Information about your employees and contractors, including names, hours worked, shift times, departments, and sales performance.
- Derived Intelligence - metrics, benchmarks, coaching recommendations, predictions, trend analyses, and other outputs created by Briefed from Customer Data. Derived Intelligence is not raw data.
- Sub-processor - a third-party service provider engaged by Briefed to process Customer Data on Briefed's behalf.
3. Data Briefed accesses
When you connect your platforms to Briefed, we access the following categories of data via secure API connections or OAuth authorisation flows that you explicitly grant:
- Point of Sale (Square) - transactions, payment summaries, item-level sales, discounts, comps, voids, employee sales attribution.
- Rostering (Tanda) - employee names, scheduled and actual hours, shift times, departments, overtime, leave records.
- Accounting (Xero) - profit and loss reports, expense categories, revenue classifications, cost of goods sold.
- Bookings (NowBookIt) - reservation counts, covers, booking sources, no-show rates, party sizes.
- Reviews (Google Business Profile) - review text, star ratings, review dates, review responses.
- Social metrics - follower counts, engagement rates, post performance, and audience demographics from connected social accounts.
- Weather data - local weather conditions correlated with your venue's trading data.
All API connections use read-only access where available. We never store your third-party login credentials. Authentication tokens are encrypted at rest using AES-256-GCM.
4. Purpose limitation
Briefed processes Customer Data solely for the following purposes:
- Generating intelligence briefings, coaching, and operational reports for you.
- Improving Briefed's algorithms, models, and coaching quality.
- Creating anonymised, aggregated benchmarks for the Australian hospitality industry. Your individual data is never identifiable in benchmarks.
We do not sell Customer Data. We do not share raw Customer Data with other venues, competitors, or third parties for their own commercial purposes.
5. How data flows through Briefed
Briefed uses a two-pass architecture designed to protect your data:
- Pass 1 (Deterministic) - Your raw data is processed by Briefed's Python pipeline to compute variables, metrics, and trends. This is pure computation with no AI involvement. No raw data leaves this step.
- Pass 2 (Intelligence) - Only computed variables (not raw data) are sent to the AI layer for coaching and narrative generation. The AI never sees individual transaction records, employee names, or raw financial data.
This architecture means your raw data stays within Briefed's computation layer. Only derived metrics and pre-computed variables are processed by AI services.
6. Customer obligations
By connecting your platforms to Briefed, you warrant and agree that:
- You have the authority to share the connected data with Briefed, including any Staff Data processed through your POS and rostering systems.
- You will inform your staff that their data will be processed by Briefed for operational intelligence purposes. A template notice is provided at /staff-notice for your convenience.
- You will maintain accurate and active platform connections. Briefed is not responsible for inaccurate reports resulting from stale or disconnected data sources.
- You will not share your Briefed login credentials or portal access with unauthorised individuals.
- You will not attempt to use Briefed's intelligence outputs to identify staff at other venues or reverse-engineer other customers' data from anonymised benchmarks.
7. Briefed's obligations
Briefed commits to the following data protection measures:
- Privacy compliance - process all data in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
- Logical isolation - maintain strict logical isolation between customer venues. No customer can access another customer's data or intelligence outputs.
- Encryption at rest - all authentication tokens are encrypted using AES-256-GCM. Customer data stored in our database is encrypted at rest.
- Encryption in transit - all data transfers between Briefed, your connected platforms, and our sub-processors use TLS encryption.
- AI data handling - only send computed intelligence variables to AI processing, not raw Customer Data. AI outputs are transient and not stored by the AI provider.
- Access controls - restrict access to Customer Data to authorised Briefed personnel on a need-to-know basis.
- Breach response - maintain and follow a Data Breach Response Plan in accordance with the Notifiable Data Breaches (NDB) scheme.
- No secondary use - never use Customer Data for purposes outside those described in Section 4.
8. Sub-processors
Briefed uses the following sub-processors to deliver the service:
| Provider | Country | Purpose |
|---|---|---|
| Supabase | USA | Database hosting, authentication, customer data storage |
| Vercel | USA | Web application hosting and edge functions |
| Anthropic (Claude) | USA | AI-powered coaching and narrative intelligence generation |
| Stripe | USA | Payment processing (PCI DSS Level 1 certified) |
| Brevo | EU (France) | Email delivery for reports and communications |
| Google (GA4, GBP API) | USA | Website analytics and review data retrieval |
| Square | USA | POS data retrieval via API |
| Meta | USA | Advertising measurement and social metrics retrieval |
| DataForSEO | USA | Local search ranking and SEO data |
Briefed will notify you of any material changes to its sub-processor list by updating this page and, where practicable, by email.
9. Cross-border data transfers
Customer Data is transferred to and processed in the following jurisdictions:
- United States - Anthropic, Supabase, Vercel, Square, Google, Stripe, Meta, DataForSEO.
- European Union (France) - Brevo (email delivery).
Briefed ensures that contractual protections are in place with each sub-processor, including obligations equivalent to those in this Agreement. Where a sub-processor is certified under recognised frameworks (e.g. SOC 2, ISO 27001), Briefed relies on those certifications as additional assurance.
10. Data retention
- Active subscription - Customer Data is retained for as long as your subscription is active and your integrations are connected.
- Cancelled subscription - upon cancellation, Customer Data will be deleted within 90 days. If you request earlier deletion, we will comply within 30 days.
- Anonymised benchmarks - aggregated, anonymised data derived from Customer Data may be retained indefinitely. This data cannot be used to identify you or your venue.
- Backups - encrypted backups may persist for up to 30 days after deletion from production systems.
11. Data breach notification
In the event of a data breach involving Customer Data:
- Briefed will notify the affected Customer within 72 hours of becoming aware of the breach.
- Notification will include: the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.
- Where the breach constitutes an "eligible data breach" under the Notifiable Data Breaches scheme, Briefed will notify the Office of the Australian Information Commissioner (OAIC) as required by Part IIIC of the Privacy Act 1988.
12. Individual rights and staff data
Where Customer Data includes Staff Data (employee Personal Information), the following applies:
- The Customer is the primary controller of Staff Data. Briefed processes Staff Data on the Customer's behalf.
- If a staff member makes a request under APP 12 (access) or APP 13 (correction), Briefed will assist the Customer in responding to that request within a reasonable timeframe.
- Staff members may also contact Briefed directly at hello@briefedhq.au. Briefed will forward such requests to the relevant Customer and assist as needed.
13. Audit rights
Once per calendar year, the Customer may request a written summary of Briefed's current security practices, including:
- Encryption standards in use.
- Access control measures.
- Sub-processor compliance status.
- Any data breaches that occurred in the preceding 12 months.
Briefed will respond to such requests within 30 days. This right does not extend to on-site audits or access to Briefed's internal systems or source code.
14. Termination and data deletion
Upon termination of the Customer's subscription or this Agreement:
- All Customer Data access via connected platforms is immediately revoked (OAuth tokens deleted).
- Cached copies of Customer Data in Briefed's systems will be deleted within 90 days.
- Anonymised, aggregated data that cannot identify the Customer or their venue may be retained.
- The Customer may request an export of their data prior to termination by emailing hello@briefedhq.au.
15. Governing law
This Agreement is governed by the laws of Queensland, Australia. Any disputes arising under this Agreement will be subject to the exclusive jurisdiction of the courts of Queensland.
16. Contact
For questions about this Agreement or how Briefed handles your data:
Briefed Intelligence Pty Ltd
Gold Coast, Queensland, Australia
Email: hello@briefedhq.au
Web: briefedhq.au
See also: Privacy Policy · Terms of Service · Staff Data Notice