Privacy Notice

This notice explains how we handle your personal data, when we act as a data controller, and when we act as a processor on your employer's instructions.

Last updated: 10 July 2026

1. Who we are

The BrieXO platform and this website are provided by SFICA Limited (trading as BrieXO), a company registered in England and Wales (company number 15552143, registered office 52 Windsor Court, 3 Pennyroyal Drive, West Drayton, UB7 9GX) ("BrieXO", "we", "us", "our"). We are registered with the UK Information Commissioner's Office (ICO).

This notice applies to personal data we handle as a data controller. It also explains the more limited situations where we act only as a processor on our customer's instructions. It is written primarily around the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; where you are in the European Union, the equivalent provisions of the EU GDPR apply to you.

We have not appointed a Data Protection Officer, as we are not currently required to appoint one. The privacy contact below handles all data protection questions and requests. You can reach us at privacy@sfica.co.uk.

2. The two roles we play

For your account, billing, and this website, we are the data controller. For competence records, project data, and evidence that your employer (our customer) uploads about you, we act as a processor on your employer's instructions — contact your employer to exercise your rights over that data, and see our Data Processing Agreement.

The rest of this notice describes the personal data we handle as a controller. Where we act only as a processor, our customer decides what data is collected and why, and our obligations are set out in the Data Processing Agreement rather than in this notice.

3. Data we collect as controller

When we act as a controller, we collect and use the following categories of personal data:

  • Account data — your name, work email address, role, and the company you belong to, so that we can create and administer your account.
  • Billing data — subscription and payment details, processed through our payment provider, Stripe. Full card details are handled by Stripe and never reach our servers.
  • Site analytics — information about how you use this marketing website, collected through Google Analytics 4 only where you have given consent through the cookie banner.
  • Support communications — the messages, questions, and other information you send us when you contact our support team.
  • Security logs — technical records such as IP address, device information, and authentication events, which we keep to secure the platform and detect misuse.

4. Purposes and lawful bases

The table below sets out what we use your personal data for and the lawful basis we rely on under the UK GDPR (and, for EU users, the EU GDPR).

PurposeLawful basis
Providing and maintaining the service and your accountPerformance of a contract
Billing, invoicing, and taking paymentPerformance of a contract, and compliance with a legal obligation for tax and accounting records
Keeping the platform secure and preventing abuseOur legitimate interests in securing our service and protecting our customers
Product analytics on this marketing websiteConsent, given through the cookie banner and withdrawable at any time
Sending marketing emails about our productsConsent, which you can opt out of at any time
Meeting our legal and regulatory obligationsCompliance with a legal obligation

Where we rely on our legitimate interests, we have balanced those interests against your rights and freedoms. You can object to processing based on legitimate interests, and you can withdraw any consent at any time, as described in the "Your rights" section below.

5. Recipients

We share personal data with a small number of trusted providers who help us run the platform and this website. Each of them acts on our instructions under a written contract and only handles the data needed for their role:

  • Hosting — Hetzner Online GmbH, which hosts our platform on servers in Germany.
  • Payments — Stripe, which processes subscription payments.
  • Transactional email — Sweego, an EU-based provider that delivers service and account emails.
  • AI providers — where you use our AI-assisted features, the relevant content is processed by our large-language-model providers to generate the output.
  • Error monitoring — Sentry, which helps us detect and diagnose technical errors.

We may also disclose personal data to our professional advisers (such as lawyers, accountants, and auditors), and to regulators, law enforcement, or other authorities where we are required to do so by law. A current list of the providers who process personal data on our behalf is available at /legal/subprocessors.

We do not sell your personal data.

6. International transfers

Our core hosting is located in Germany, within the European Union. Some of our recipients are located outside the UK and the European Economic Area (EEA) — for example, certain AI providers are based in the United States.

Where a transfer takes place to a country that is not covered by UK or EU "adequacy" rules, we rely on appropriate safeguards to protect your data. These include the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), and the EU SCCs, together with the additional technical and organisational safeguards put in place by the provider.

7. Retention

We keep personal data only for as long as we need it for the purposes described in this notice, and then delete or anonymise it. Our main retention periods are:

  • Account data — for the life of your account and for 12 months after it is closed.
  • Billing records — for 6 years, to meet our statutory tax and accounting obligations.
  • Security logs — for 12 months.
  • Customer data we hold as a processor — kept in line with our customer's instructions and the deletion terms of the Data Processing Agreement, not by us as a controller.

8. Your rights

Under the UK GDPR and, for EU users, the EU GDPR, you have the following rights over the personal data we hold about you as a controller:

  • the right to access a copy of your personal data;
  • the right to rectification of inaccurate or incomplete data;
  • the right to erasure of your data in certain circumstances;
  • the right to restrict our processing in certain circumstances;
  • the right to data portability;
  • the right to object to processing based on our legitimate interests or to direct marketing;
  • the right to withdraw consent at any time, where we rely on consent.

To exercise any of these rights, contact us at privacy@sfica.co.uk. Where your employer has uploaded data about you and we act only as a processor, please contact your employer, as they control that data and decide how these rights are handled.

If you are not satisfied with how we handle your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. If you are in the European Union, you may also complain to your local supervisory authority.

9. Cookies

We use cookies and similar technologies on this website. For details of the cookies we use and how to manage your preferences, see our Cookie Policy.

10. Changes to this notice

We may update this notice from time to time. We will post any updates on this page, and where a change is material we will let you know by email or through an in-app notice.

Entity: SFICA Limited (trading as BrieXO)

Registered: England and Wales — company number 15552143

Registered office: 52 Windsor Court, 3 Pennyroyal Drive, West Drayton, UB7 9GX

ICO: Registered with the Information Commissioner's Office

Privacy contact: privacy@sfica.co.uk