Last updated: September 12, 2025
This page summarizes how Brew supports GDPR compliance. For full details, see our Privacy Policy, Terms of Service, and DPA.

Overview

Brew is committed to protecting personal data and complying with GDPR. We collect and process the minimum data necessary to provide the Services, use tools consistent with our security and privacy standards, and give customers control over their data.

Roles and Responsibilities

  • Controller vs. Processor: For email recipients’ data you manage in Brew, you are the controller and Brew is the processor. For site visitors, account/profile, billing, and similar data, Brew acts as a controller.
  • Legal Bases: As controller, you are responsible for establishing a lawful basis (e.g., consent or contract) for sending emails and for honoring recipient rights.
  • Data Processing Addendum (DPA): For processing we perform on your behalf, our DPA applies and forms part of your agreement with Brew: /legal/dpa
  • Sender obligations: You are the “sender” for e‑privacy and anti‑spam purposes and must ensure compliant consent/opt‑out and accurate sender information. See our Acceptable Use Policy and Terms for details.

Lawful Bases for Key Processing Activities

Brew processes personal data under the GDPR on the following lawful bases:
  • Providing the Services (account setup, email delivery, engagement events): Art. 6(1)(b) GDPR (contract) where we have a contract with you, or Art. 6(1)(f) (legitimate interests) for closely related operations needed to run the Services.
  • Billing, invoicing, and tax records: Art. 6(1)(c) (legal obligation) and, where applicable, Art. 6(1)(b) (contract).
  • Security, fraud prevention, abuse and deliverability protection: Art. 6(1)(f) (legitimate interests in securing and maintaining our Services).
  • Product communications to existing customers (about similar services): Art. 6(1)(f) (legitimate interests), subject to opt‑out at any time and to applicable e‑privacy rules (e.g., PECR/Article 13 e‑Privacy Directive).
  • Marketing emails where required by local law: Art. 6(1)(a) (consent), with withdrawal at any time.
Controllers (our customers) are responsible for establishing a lawful basis for sending emails to their recipients and for honoring data‑subject rights. See our DPA for details.

Data Minimization

We only process data needed to provide, secure, and support the Services (e.g., email delivery and engagement events, account settings). We design defaults to limit collection and retention consistent with business needs and applicable law. Customers should not submit special categories of personal data (e.g., health, biometric, genetic, political opinions) unless permitted by law and covered by written instructions and safeguards in the DPA. Please also do not submit children’s data; our Services are not intended for use by individuals under the age noted in our Terms of Service. Please also do not submit payment card numbers, government‑issued IDs, health or medical information, or other regulated data, unless expressly permitted in writing by Brew and covered by appropriate safeguards in the DPA.

AI Features and Your Data

When you use Brew’s AI features (e.g., to generate emails, automations, images), your prompts, inputs, and outputs are processed to provide, secure, and improve the Services. We instruct and configure our third‑party AI model providers not to use your inputs or outputs to train their models, and we rely on their contractual commitments and documented policies to that effect. Any use of Customer Content for Brew’s own model or feature improvement is governed by our Privacy Policy and plan‑based terms (including any Enterprise Addendum). Regardless of plan, we may use aggregated or de‑identified data that does not identify you or any individual to operate, analyze, improve, and develop the Services. Where you connect your own AI/API keys to Brew, your chosen provider acts as a separate controller or processor under its own terms and privacy policy; Brew processes related prompts and outputs only to facilitate the integration. AI‑generated outputs may be non‑unique, inaccurate, or inappropriate; you should review and validate outputs before use. See our Terms of Service for additional AI‑specific disclosures and restrictions.

International Data Transfers

Where personal data is transferred outside the EEA/UK/Switzerland, Brew uses recognized safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum/IDTA, together with supplementary measures as appropriate. We also rely on provider‑level protections and documented data‑handling commitments from our subprocessors. Details of the applicable SCC modules and Annexes are set out in our DPA. We assess transfer risks and implement supplementary measures where appropriate. Nothing in this page constitutes a representation that any specific transfer mechanism (e.g., an adequacy decision) applies unless explicitly stated on our Security page or in our DPA with you.

EU/UK Representatives: Where required, we appoint EU and/or UK representatives under GDPR/UK GDPR Article 27; if appointed, their details are posted on our Security page.

Subprocessors

We use vetted subprocessors for hosting, email delivery, analytics supporting service operation, and AI processing. We remain responsible for their performance and require protections no less protective than our DPA. See the current list (and “last updated” date) on our Security page: /security. We publish subprocessor updates there and provide notice where practicable. You can subscribe to subprocessor change notifications by emailing privacy@brew.new.

Data Subject Rights (GDPR)

For personal data we process as a processor on behalf of our customers (e.g., email recipients and audience data), end users should contact the sender (our customer), who is the controller. We assist customers in handling access, correction, erasure, restriction, portability, and objection requests in line with GDPR and our DPA. If we receive a request that relates to data we process as a processor, we will, where feasible, notify and/or forward the request to the relevant customer (controller). For personal data where Brew is the controller (e.g., account, billing, site usage), you can submit a request by contacting privacy@brew.new. We may need to verify your identity before responding.

Supervisory Authorities

You may lodge a complaint with the supervisory authority in the EEA/UK Member State of your habitual residence, place of work, or place of the alleged infringement. We are committed to cooperating in good faith with supervisory authorities.

Retention

We apply defined retention windows aligned with legal, security, and operational needs:
  • Account, profile & billing records: retained while the account is active and for limited periods thereafter to meet tax/audit and fraud‑prevention obligations.
  • Content & assets (e.g., emails, templates, images): retained while needed to provide the Services; removed from active systems after deletion; standard backups are overwritten in the ordinary course.
  • Engagement telemetry, delivery and security logs: retained for limited rolling windows to support deliverability, security, diagnostics, and abuse prevention.
  • Suppression lists: we may retain email addresses on suppression lists to honor opt‑out/unsubscribe requests and comply with legal obligations.
Where the law requires longer retention, we keep only what is necessary for that purpose. We may retain aggregated or de‑identified information that no longer identifies a person.

Contact

For GDPR or privacy questions, contact privacy@brew.new. For copyright matters, contact our DMCA agent at copyright@brew.new.
This page is informational and does not replace the Terms of Service, Privacy Policy, or DPA. In case of conflict, those documents control.