OffbrainGET
Buyer-side companion to the creator privacy notice (Att. B). For how creator profiles are sourced before a creator opts in, see the notice at collection; for the per-study consent + NDA shape, see the sample template (Att. C).

Buyer privacy notice

This notice describes how Offbrain Research, LLC ("Provider") handles information you submit via the project intake form, by email to ops@get.offbrain.ai, or in scoping calls. It is companion to the creator privacy notice, which covers creator-side data only.

Who is responsible

Provider is the controller of buyer-side data. Privacy contact: privacy@get.offbrain.ai.

What we collect from you

  • Identity & contact: company legal name, your name, role, work email, optional phone, referral source.
  • Project parameters: study topic and goal, target completes, target window, follower band, creator category, identity- share preference, age-restricted topic flag, free-text notes.
  • Engagement metadata: intake submission timestamp, response and clarification thread, signed SOW and any amendments.
  • Confidential information: any non-public business context you share to scope the study (product, brand strategy, hypotheses, timeline). Treated under the confidentiality obligations in the SOW.

Why we collect it

  • To respond to your intake and decide if the study is feasible.
  • To draft a Project SOW and scope its parameters honestly.
  • To run the engagement: kick off, source creators, brief them within the limits of the SOW, and report results.
  • To honor legal obligations (records retention, tax).

Who sees it

  • Provider operations staff, on a need-to-know basis.
  • Sub-processors that help run the engagement (email delivery, payment processing, calendar/meeting hosting), under contracts that prohibit using your data for their own purposes.
  • Legal authorities, when required by valid legal process.
  • Creatorsonly see study-facing information that you approved in the SOW (topic framing, length, incentive). Your identity as the buyer is disclosed to creators per the SOW "sponsor disclosure" setting.

We do not sell buyer data. We do not share buyer data with other clients. We do not use buyer-side data to train AI models.

How long we keep it

  • Intake-only (no SOW signed): retained up to 12 months from your last contact, then deleted on request or on the next quarterly purge — whichever is sooner.
  • Engagement records (signed SOW): retained 7 years after engagement close for legal, accounting, and audit purposes.
  • Email threads & meeting notes: aligned to the engagement record retention above.

Where it lives

Buyer-side data is held in Provider-managed systems (email, document store, ticketing) hosted in us-east-1, with access limited to operations staff. Engagement records are migrated to Provider's managed Postgres on engagement close, with row-level security and encryption at rest.

Your rights

At any time, by emailing privacy@get.offbrain.ai:

  • Request a copy of the buyer-side data we hold about you and your company.
  • Correct anything we have wrong (e.g., role change, email change).
  • Request deletion of intake-only records before the 12-month auto- purge, subject to any legal hold.
  • Withdraw from contact about future studies.
  • Receive an export of the data in a portable format (JSON or CSV).

We respond within 10 business days and complete non-trivial requests within 30 days. If we deny or delay, we tell you why.

Security & processors

  • Email-in-transit and at-rest encryption.
  • MFA on all Provider operator accounts that touch intake or engagement data.
  • Access logged; access reviewed quarterly.

Sub-processors

The following sub-processors handle some or all of the buyer-side data described above. Each is contracted under a written data processing agreement that prohibits use of buyer data for the sub-processor's own purposes and requires breach notification within statutory timelines.

Sub-processorPurposeData categoriesRegion
Vercel, Inc.Site hosting + CDN; serverless function runtime for intake formIP, request metadata, intake form fields in transitUS
Resend (Resend, Inc.)Transactional email delivery (intake notifications, confirmations)Email content, subject, recipient address, delivery metadataUS
Google Workspace (Google LLC)Operations email, calendar, document storage for engagement recordsEmail threads, meeting metadata, signed SOW + amendments, scoping notesUS
Stripe, Inc.Invoicing and payment processing for engagement fees (when used)Company billing details, invoice line items, payment statusUS
1Password (AgileBits, Inc.)Internal credential storage for operator MFA and API keysOperator account secrets only — no buyer data stored hereCanada / US

Material changes to this list (adding a new sub-processor, changing a region, or adding a data category) trigger a notice via the email of record at least 14 days before the change takes effect, with a right to object.

Data Processing Agreement (DPA)

Provider operates under a pilot-tier DPA that accompanies the signed SOW and incorporates the same data-handling commitments described in this notice. The pilot DPA covers:

  • Confidentiality of buyer-side study and engagement data.
  • Limited purpose use (no resale, no model training, no aggregation).
  • Sub-processor list above with prior-notice change rights.
  • Breach notification within 72 hours of Provider awareness.
  • Return or deletion of buyer data on engagement close, subject to legal-hold retention windows.

A copy of the pilot DPA is provided with the SOW for signature. Buyers with a custom DPA template are accommodated on a case-by-case basis; the underlying handling commitments do not change.

Changes to this notice

We may update this notice. The version recorded against your SOW governs that engagement; new versions apply prospectively.

Version: v1.0.1 · Effective: 2026-05-07