Data Handling Record

Privacy Policy

This policy describes how DebriefCore handles your information. We may update it as the product evolves.

About this policy

This is a good-faith description of our current data practices. We review and update it as the product evolves.

What we collect

Account data: your email address, organization name and type, and basic membership/role information needed to run your workspace.

Capture content: the debrief answers, notes, and generated drafts you create in the app, scoped to your organization.

Usage events: limited records (for example, generation counts) used for rate limiting and basic operation.

Voice input: if you use voice capture, the audio you record is sent to our transcription provider to convert it to text. We do not store the audio recording; only the resulting transcript becomes part of your capture content, and you can review, edit, or remove it before saving (see Voice capture and transcription below).

Reference photos: images you attach to a capture to give human reviewers visual context. Reference photos are stored in your organization's private storage and are not sent to any AI model.

How we use AI — content sent to OpenAI

When you generate a draft, the relevant capture content is sent to OpenAI to produce that draft. AI outputs are drafts only and require qualified human review before they are treated as official.

Please do not enter regulated records, secrets, credentials, or highly sensitive personal data — use realistic but non-sensitive examples.

Voice capture and transcription

DebriefCore offers an optional voice capture feature. When you record audio with this feature, the audio is transmitted to OpenAI for the sole purpose of converting your speech to text (transcription). Voice capture is available to signed-in users only; we do not transcribe audio for anonymous visitors.

We do not store the audio. The recording is sent for transcription and is not retained on our systems. Only the resulting text is returned to you and saved as part of your capture, where you can review, edit, or remove it before saving.

Audio you submit for transcription is processed by OpenAI under OpenAI's own API terms and privacy practices. Under OpenAI's current API policy, content submitted through its API is not used to train its models. We do not control, and are not responsible for, OpenAI's independent practices. Please do not speak regulated records, secrets, credentials, or highly sensitive personal data into voice capture.

Reference photos

You may attach reference photos to a capture to give human reviewers visual context. Reference photos are not sent to OpenAI or any other AI model and are not used to generate drafts.

Reference photos are stored in your organization's private, access-controlled storage and are accessible only to authenticated members of your organization. Please do not upload faces, identity documents, or other sensitive personal information unless you have the rights and permissions to do so.

Translation and localization

DebriefCore's interface is available in English and Spanish. This interface translation uses fixed, pre-written text built into the app — no capture content or personal data is sent anywhere to translate the interface.

Automated translation of your capture content (for example, translating a draft into natural Mexican Spanish) is planned but not currently active. If and when we enable content translation through a third-party provider (such as HablaFlow), we will update this policy to identify the provider and the data involved, and we will require your organization's consent before any of your content is sent to that provider. Until then, your capture content is not transmitted to any translation service.

Service providers

We rely on third-party providers to operate the service, including Supabase (authentication, database, and file storage), Vercel (hosting), OpenAI (AI draft generation and voice transcription), Stripe (subscription payment processing), and Resend (transactional email). Each processes data on our behalf to provide their part of the service.

Payment card details are entered directly with Stripe and are not collected, seen, or stored by DebriefCore. A translation provider (HablaFlow) is planned for future content localization but is not active and receives no data today.

Data separation & security

Each organization's data is isolated using database row-level security so one workspace cannot access another's captures, outputs, knowledge articles, or Context Packs. We keep secret keys server-side and require authentication for real (non-demo) actions.

Retention, export & deletion

Self-serve data export and deletion are handled on request. If you would like your data exported or removed, contact us and we will handle it.

What we do not claim

DebriefCore is being designed toward recognized security and privacy best practices, but it is not certified or audited against any standard. We make no SOC 2, ISO, GDPR, or FAA compliance/approval claims.

Access & visibility labels

Access is controlled by organization membership. The Internal / External / Restricted visibility labels shown on captures and outputs are not yet enforced — they do not control who can see, share, or filter content, and should not be relied on as a confidentiality or access boundary.

Contact

Questions about privacy? Email hello@debriefcore.com. Please do not send passwords or secrets by email.

See also our Terms of Use and Security & Trust page.