
Privacy Policy

Effective Date: February 25, 2026  ·  Last Updated: February 25, 2026

Contents

1. Who We Are
2. Information We Collect
3. How We Use Your Information
4. Third-Party Service Providers
5. Data Sharing
6. Data Retention
7. Security
8. Cookies and Tracking
9. Your Rights
10. California Rights (CCPA/CPRA)
11. International Users
12. Security Incidents
13. Children's Privacy
14. Data Processing Agreement
15. Changes to This Policy
16. Contact Us

Key Points — Plain English Summary

  • We collect only what we need to deliver and improve your compliance briefs.
  • We do not sell, rent, or share your personal data with advertisers, data brokers, or ad networks — ever.
  • Your data is processed by: Stripe (payments), DigitalOcean (application infrastructure), Resend (email delivery), Cloudflare (email routing), and Microsoft Outlook (communication storage) — all under data processing agreements or standard contractual terms.
  • You can access, correct, delete, or export your data at any time. We respond within 30 days.
  • California residents have additional CCPA/CPRA rights (Section 10).
  • A Data Processing Agreement (DPA) is available on request for enterprise customers (Section 14).
  • We do not knowingly collect data from persons under 18.

1. Who We Are

Cast Rock Innovation L.L.C., a North Carolina limited liability company d/b/a Cast Net Technology ("RuleBrief," "we," "us," or "our") operates the website rulebrief.com and the RuleBrief regulatory intelligence subscription service (collectively, the "Service").

This Privacy Policy applies to all visitors to rulebrief.com, free trial users, and paid subscribers on all plans. It explains what personal information we collect, why we collect it, how we use and protect it, and your rights.

These practices are incorporated into and subject to our Terms of Service at rulebrief.com/terms.

2. Information We Collect

2.1 Information You Provide Directly

| Category | Examples | Required? |
|---|---|---|
| Account identifiers | Name, email address, hashed password | Yes — account creation |
| Business profile | Company name, industry, operating states, employee count range, regulatory interests | Yes — brief personalization |
| Billing information | Processed entirely by Stripe; we never store raw card numbers or CVV codes | Yes — paid plans |
| Communications | Support messages, feedback, survey responses | When you contact us |
| Profile preferences | Notification settings, delivery schedule, topic filters | Optional |

2.2 Information Collected Automatically

| Category | Examples | Purpose |
|---|---|---|
| Email engagement | Open status recorded via a standard tracking pixel embedded in brief emails | Delivery confirmation, service improvement |
| Usage data | Pages visited, features engaged | Service improvement |
| Technical data | Anonymized IP addresses, browser type, operating system, device type | Security, debugging |
| Cookies and similar technologies | See Section 8 | Authentication, preferences |

We embed a standard 1×1 tracking pixel in email briefs and digest emails to record whether a message was opened. This data is stored in our own systems (not shared with third parties) and is used solely to confirm delivery and measure service effectiveness.

We minimize collection to what is reasonably necessary for the purposes described in Section 3.

3. How We Use Your Information

We use your personal information to:

  1. Deliver the Service — authenticate your account, personalize briefs to your business profile, send weekly briefs and urgent regulatory alerts, provide archive access;
  2. Manage billing and subscriptions — process payments, issue receipts, manage renewals, handle refund requests;
  3. Improve the Service — analyze aggregate usage patterns, conduct product research, debug issues;
  4. Communicate with you — respond to support requests, send service announcements, renewal reminders, policy updates, and security notices;
  5. Ensure security and prevent fraud — detect, investigate, and address misuse, unauthorized access, and abuse;
  6. Comply with legal obligations — respond to lawful government requests, enforce our Terms, retain records as required by law.

We do not use your information for targeted advertising, behavioral advertising profiles, or any purpose materially incompatible with the purposes listed above.

4. Third-Party Service Providers

We share your information only with service providers who process it strictly on our behalf under written data processing agreements or equivalent contractual protections:

| Processor | Purpose | Data Location |
|---|---|---|
| Stripe, Inc. | Payment processing, billing, invoicing | United States |
| DigitalOcean, LLC | Application hosting and infrastructure (API and backend services) | United States |
| Resend, Inc. | Transactional email delivery (briefs, alerts, receipts) | United States |
| Cloudflare, Inc. | Inbound email routing for support and privacy contact addresses | United States |
| Microsoft Corporation (Outlook.com) | Storage of inbound support and privacy request communications | United States |

We do not use third-party advertising platforms, ad networks, social media tracking pixels, or data brokers. We review our processor list periodically and update this Policy when processors are added or changed.

5. Data Sharing

We do not sell, rent, trade, or otherwise disclose your personal information to third parties, except in the following limited circumstances:

  1. Service Providers: To the processors listed in Section 4, strictly for the purposes described and under contractual protections;
  2. Legal Requirements: When required by applicable law, valid legal process (e.g., subpoena, court order), or governmental authority, or when we reasonably believe disclosure is necessary to protect the rights, property, or safety of RuleBrief, our users, or the public;
  3. Business Transfers: In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or substantially all of our assets. If such a transfer involves your personal information, we will notify you by email at your registered address at least thirty (30) days before the transfer takes effect and provide you the opportunity to delete your account and data before the transfer completes;
  4. With Your Consent: For any other purpose, only with your prior explicit written consent.

We do not sell or share your personal information for the purpose of cross-context behavioral advertising.

6. Data Retention

| Data Category | Retention Period | Basis |
|---|---|---|
| Active account and profile data | Duration of active subscription | Contract performance |
| Brief archives | 60 days (Solo), 12 months (Growth/Team) | Contract performance |
| Billing records | 7 years | Tax and legal compliance |
| Support communications | 3 years | Legitimate interest / legal defense |
| Email engagement data (open tracking) | Duration of active subscription, deleted on account deletion | Service improvement |
| Anonymized aggregate data | Indefinite | No personal identifiers retained |

Upon account deletion, plan cancellation (after final period), or verified deletion request, we will remove your personal information from production systems within 30 days and from backup systems within 90 days, except where we are required by applicable law to retain certain records (such as billing and tax records, retained for 7 years).

7. Security

We implement technical and organizational security measures consistent with industry standards for B2B SaaS services, including:

  • TLS 1.2+ encryption for all data in transit;
  • AES-256 encryption for data at rest in our database systems;
  • bcrypt password hashing with unique per-user salts;
  • Access controls with multi-factor authentication for administrative and infrastructure access;
  • Segregated access — employees and contractors access personal data only on a need-to-know basis;
  • Periodic security reviews and access audits.

No method of electronic transmission or storage is completely secure. While we take these measures seriously, we cannot guarantee absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly at support@rulebrief.com if you suspect unauthorized access to your account.

8. Cookies and Tracking Technologies

We use the following limited categories of cookies and similar technologies:

| Category | Purpose | Can You Disable? |
|---|---|---|
| Essential | Session authentication, CSRF protection, security tokens | No — required for the Service to function |
| Preference | UI settings, display preferences, last-viewed state | Yes — clearable via browser settings |

We do not use Google Analytics, Facebook Pixel, Google Tag Manager, or any advertising or social media tracking technology. We do not set analytics cookies.

For preference cookies, you may opt out by clearing cookies in your browser settings. Disabling preference cookies does not affect core Service functionality, though some UI preferences may not be saved.

9. Your Rights

Regardless of where you are located, you have the following rights with respect to your personal information:

| Right | What It Means |
|---|---|
| Access | Request a copy of the personal information we hold about you |
| Correction | Request correction of inaccurate or incomplete information |
| Deletion | Request deletion of your personal information (subject to legal retention obligations) |
| Portability | Request your data exported in a structured, machine-readable format (JSON or CSV) |
| Restriction | Request that we limit processing of your information in certain circumstances |
| Withdraw Consent | Where processing is based on your consent, withdraw that consent at any time without affecting the lawfulness of prior processing |

How to submit a request: Email privacy@rulebrief.com with "Privacy Request" in the subject line and a description of your request.

Response time: We will acknowledge receipt within 5 business days and provide a substantive response within 30 days. We may need to verify your identity before processing the request. We do not charge for reasonable, non-repetitive requests.

10. California Residents — CCPA/CPRA Rights

This Section applies to residents of the State of California and supplements the rights described in Section 9.

10.1 Categories of Personal Information Collected (Prior 12 Months)

| CCPA/CPRA Category | Examples | Collected for Business Purpose |
|---|---|---|
| Identifiers | Name, email, account ID, anonymized IP | Yes — account management, service delivery |
| Commercial information | Plan type, subscription history, payment history | Yes — billing, account management |
| Internet/network activity | Page views, feature use, email open status | Yes — service improvement |
| Professional/employment information | Company name, industry, employee count range | Yes — brief personalization |
| Geolocation (approximate) | Operating states selected; city/region approximated from IP | Yes — brief personalization |
| Sensitive personal information | Hashed passwords (account authentication only; not used for profiling or advertising) | Yes — authentication only |

We do not sell or share (for cross-context behavioral advertising) any of the above categories.

10.2 California Consumer Rights

As a California resident, you have the right to:

  • Know — request disclosure of the categories and specific pieces of personal information collected about you, and how it is used and shared;
  • Delete — request deletion of your personal information (subject to legal exceptions);
  • Correct — request correction of inaccurate personal information;
  • Opt-Out of Sale or Sharing — We do not sell or share your personal information for cross-context behavioral advertising. This right is not applicable to our practices, but we honor it categorically;
  • Limit Use of Sensitive Personal Information — We use sensitive personal information (hashed passwords) only for account authentication — never for profiling, advertising, or non-essential purposes;
  • Non-Discrimination — We will not deny you Service, charge you different prices, or provide a different quality of Service because you exercised your California privacy rights.

10.3 How to Submit California Requests

Email privacy@rulebrief.com with "California Privacy Request" in the subject line. We will respond within 45 days; if we require additional time, we will notify you and may extend the response period by up to 45 additional days (90 days total), with explanation.

10.4 Authorized Agent

You may designate an authorized agent to submit CCPA requests on your behalf. We may require proof of the agent's written authorization and may require you to verify your identity directly with us.

11. International Users and Data Transfers

RuleBrief is operated from the United States. If you access the Service from outside the United States — including from the European Economic Area (EEA), United Kingdom, or Switzerland — your personal information will be transferred to, stored, and processed in the United States, which may provide different data protection standards than your home jurisdiction.

For users subject to the EU General Data Protection Regulation (GDPR) or UK GDPR:

  • We rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, where contractually available and required, for data transfers from the EEA or UK to our U.S.-based processors;
  • By creating an account and accepting our Terms of Service, you acknowledge and consent to the transfer of your personal information to the United States under the conditions described in this Policy.

RuleBrief is primarily designed for U.S.-based businesses and U.S. regulatory content. If you are located in the EEA or UK and believe the GDPR or UK GDPR applies to your use, contact us at privacy@rulebrief.com and we will work with you in good faith to accommodate applicable legal requirements.

12. Security Incidents and Breach Notification

In the event of a security incident involving unauthorized access to or disclosure of your personal information, we will:

  1. Investigate promptly — conduct a thorough investigation to determine the scope, cause, and nature of the incident;
  2. Contain and remediate — take reasonable steps to contain the incident and prevent further unauthorized access;
  3. Notify affected users — provide timely email notice to affected users at their registered address when we reasonably conclude that a breach has occurred and presents a material risk to their rights or interests, consistent with applicable state and federal breach notification laws;
  4. Notify regulators — notify applicable regulatory authorities as required by applicable law.

We do not commit to fixed notification timeframes beyond what applicable law requires, as we prioritize thorough investigation over speed of notification to ensure notices contain accurate and actionable information. Our notifications will describe the nature of the incident, the categories of data affected, and steps you can take to protect yourself.

13. Children's Privacy

RuleBrief is a business-to-business service intended exclusively for business owners, operators, executives, and professionals. We do not knowingly collect personal information from individuals under the age of 18. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe we may have information from a minor, please contact us at privacy@rulebrief.com.

14. Data Processing Agreement (DPA)

Enterprise customers — and any customers whose own contractual obligations or applicable law (including GDPR, CCPA, or similar regulations) require a formal Data Processing Agreement — may request our standard DPA.

To request a DPA: Email privacy@rulebrief.com with "DPA Request" in the subject line. Include your company name, applicable jurisdiction, and any specific requirements. We will respond within five (5) business days.

Our standard DPA addresses: data processing scope and purposes, processor obligations and sub-processor management, data subject rights assistance, security measures, breach notification procedures, data return and deletion, and audit rights.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — those that meaningfully affect how we collect, use, or share your personal information — we will provide at least fourteen (14) days' advance notice by email to your registered address and by posting a prominent notice on our website.

Minor, clarifying, or administrative changes may be posted without advance notice; the updated "Last Updated" date at the top of this Policy will reflect any revision.

Continued use of the Service after a revised Policy's effective date constitutes your acceptance. If you object to a material change, you may cancel your account and request deletion of your data before the change takes effect.

16. Contact Us

For privacy questions, data subject requests, DPA inquiries, or to report a security concern:

Cast Rock Innovation L.L.C.

d/b/a Cast Net Technology, operating as RuleBrief

North Carolina, United States

Privacy and legal requests: privacy@rulebrief.com

General support: support@rulebrief.com

We will acknowledge all privacy inquiries within 5 business days and respond substantively within 30 days.

Disclaimer: This Privacy Policy is informational only. RuleBrief is not a law firm and this document does not constitute legal advice.

© 2026 RuleBrief. All rights reserved. Information only — not legal advice