Privacy Policy
Last updated: 2026-05-10
This Privacy Policy explains how PLAY PLAY CARDS SRL (“TideBrief”, “we”, “us”) collects, uses, shares, and protects your personal information when you visit tidebrief.com or use the Service. It is intended to satisfy our disclosure obligations under U.S. federal and state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Texas Data Privacy and Security Act (“TDPSA”), the Oregon Consumer Privacy Act (“OCPA”), the Montana Consumer Data Privacy Act, the Florida Digital Bill of Rights (“FDBR”), the Iowa Consumer Data Protection Act, the Tennessee Information Protection Act (“TIPA”), the Indiana Consumer Data Protection Act, the Delaware Personal Data Privacy Act, the New Jersey Data Privacy Act, the New Hampshire Privacy Act, the Maryland Online Data Privacy Act (“MODPA”), the Minnesota Consumer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act, the Washington My Health My Data Act (“MHMD”), Nevada SB 370, the Illinois Biometric Information Privacy Act (“BIPA”), the Illinois Genetic Information Privacy Act (“GIPA”), the Children’s Online Privacy Protection Act (“COPPA”), the Video Privacy Protection Act, the Telephone Consumer Protection Act (“TCPA”), and the CAN-SPAM Act, in each case as applicable. It also applies to EU/EEA/UK residents under the General Data Protection Regulation (“GDPR”) and the UK GDPR, and to Romanian residents under Law no. 190/2018.
1. Who is the controller of your data
The data controller is:
- PLAY PLAY CARDS SRL
- Str. Drumul Pescarilor, nr. 16 A, Olimp, Constanța, 905503, Romania
- Trade Register: J2026023005004 · CUI: 54439120
- Privacy contact: privacy@tidebrief.com
For California Consumer Privacy Act / CPRA purposes, we are the “business”. For GDPR purposes, we are the “controller”.
2. Information we collect
We collect the following categories of personal information:
- Identifiers — email address, account ID, IP address (truncated/anonymized for analytics), device identifiers.
- Account information — optional display name, the U.S. ZIP code(s) you select for fishing zones, plan and renewal status (mirrored from Stripe), preferences (species, watercraft, skill level).
- Commercial information — subscriptions purchased, billing date, invoice history. We do not store full payment-card numbers; Stripe processes and stores them.
- Internet/network activity — pages visited, referral source, approximate device type, brief email opens and clicks.
- Inferences — derived preferences (e.g. “weekend angler”) used solely to tailor your Brief.
We do not knowingly collect “sensitive personal information” under U.S. state laws (precise geolocation, racial or ethnic origin, religion, mental/physical health, sexual orientation, biometric or genetic data, immigration status, financial-account login, contents of your private communications, government-ID numbers, etc.), and we do not collect “special-category data” under GDPR Art. 9. We do not knowingly collect data from children under 13 (COPPA) or under 16 (GDPR).
Specific disclaimers. We do not collect any “biometric identifier” or “biometric information” within the meaning of the Illinois Biometric Information Privacy Act (740 ILCS 14) — we do not collect retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. We do not collect any “genetic information” within the meaning of the Illinois Genetic Information Privacy Act (410 ILCS 513). We do not collect any “consumer health data” within the meaning of the Washington My Health My Data Act, the Nevada Health Data Privacy Law (SB 370), or the Connecticut health-data amendments. We do not collect “personal information of children” within the meaning of COPPA. We do not collect data covered by HIPAA, FERPA, FCRA, GLBA, or DPPA in the ordinary course of operating the Service.
3. Where we get it
- From you, when you sign up, enter a ZIP, set preferences, or contact us.
- From your device automatically when you load the site (cookies and similar; see our Cookie Policy).
- From Stripe, which sends us your subscription status and minimal billing metadata.
- From Resend, which tells us whether emails we sent you bounced, were opened, or had links clicked.
4. How we use it (and lawful basis under GDPR)
| Purpose | Data used | GDPR lawful basis |
|---|---|---|
| Provide the Service: generate and email your weekly Brief, run your account. | Account info, ZIP, preferences, identifiers. | Performance of contract (Art. 6(1)(b)). |
| Process payments and meet tax/accounting obligations. | Email, billing metadata. | Performance of contract; legal obligation (Art. 6(1)(b),(c)). |
| Detect fraud, abuse, and bots; secure the Service. | IP, identifiers, request logs. | Legitimate interests (Art. 6(1)(f)) — security and integrity. |
| Aggregate analytics to improve the Service. | Truncated IP, page/path, device class. | Legitimate interests; consent in EU/EEA/UK and where required by U.S. state law. |
| Service emails (receipts, password resets, policy changes, your weekly Brief). | Email, account state. | Performance of contract; legitimate interests. |
| Marketing emails (only with opt-in; promotional, not your weekly Brief). | Email. | Consent (Art. 6(1)(a)) — withdrawable anytime. |
We do not use your personal information for automated decisions that have legal or similarly significant effects, and we do not perform “profiling in furtherance of decisions producing legal or similarly significant effects” as defined under U.S. state privacy laws or under GDPR Art. 22.
AI training. We do not sell, share, or otherwise provide your personal information to any third party for the purpose of training, fine-tuning, or evaluating an AI/ML model. Our LLM sub-processor (Anthropic) is contractually required not to train its models on your data. We do not use the content of your account or your reading patterns to fine-tune any model on your behalf or on anyone else’s behalf.
5. We do not sell or “share” your personal information
We do not sell personal information for money. We do not “share” personal information for cross-context behavioral advertising, as those terms are defined under California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and similar U.S. state privacy laws. We have not knowingly sold or shared the personal information of consumers under 16 in the preceding 12 months.
6. Who we share it with (sub-processors)
We share personal information only with vendors that need it to run the Service, under written data-protection agreements (and Standard Contractual Clauses where required for international transfers):
- Supabase (database & auth) — U.S. hosted.
- Stripe (payments) — global; PCI-DSS Level 1.
- Resend (transactional email) — U.S. infrastructure.
- Anthropic (LLM that drafts Briefs from public data plus your ZIP/preferences) — U.S.; configured to not train on your data.
- Vercel (hosting and CDN) — global edge network.
- Google Analytics 4 and Microsoft Clarity (anonymous usage analytics & heatmaps) — only after consent in EU/EEA/UK.
- Professional advisers (lawyers, accountants) and authorities, where strictly required by law.
A current sub-processor list is available on request from privacy@tidebrief.com.
7. International transfers
We are based in Romania (EU). Several of our sub-processors store and process data in the United States or other jurisdictions. For transfers from the EU/EEA/UK to the United States, we rely on (i) the EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. Data Privacy Framework) where the recipient is certified under the program operated by the U.S. Department of Commerce, and (ii) the European Commission’s 2021 Standard Contractual Clauses (Module 2 controller-to-processor or Module 3 processor-to-processor, as applicable), supplemented where required by the UK Information Commissioner’s International Data Transfer Addendum. Following the Schrems II judgment of the Court of Justice of the European Union (Case C-311/18), we conduct Transfer Impact Assessments and apply supplementary technical and organisational measures (including encryption in transit and at rest, access controls, and minimisation) where appropriate. Information about the relevant transfer mechanism for any specific sub-processor is available on request from privacy@tidebrief.com.
For transfers to Romania from non-EU countries (e.g. accountholders located in the United States whose data is mirrored to our Romanian database for billing or support), the controller is PLAY PLAY CARDS SRL in Romania, and processing is subject to Romanian and EU data-protection law.
8. How long we keep it
- Active account data: while your account is open and for 12 months after you delete it (for fraud-prevention and dispute windows), then deleted.
- Billing records: 10 years, as required by Romanian accounting/tax law.
- Server and security logs: 30 days.
- Marketing-consent records: until consent is withdrawn, plus 24 months of audit history.
- Cookie data: per the durations listed in our Cookie Policy.
9. Security
We use reasonable administrative, technical, and physical safeguards to protect personal information: TLS-only transport, encryption at rest with our database provider, hardware-backed credentials, least-privilege access for employees, and audited third-party sub-processors. No system is 100% secure; if we suffer a breach affecting your data, we’ll notify you and competent authorities as required by law.
10. Your privacy rights
10.1 Rights for U.S. residents (state privacy laws)
Depending on your state of residence, you have the right to:
- Know / Access the personal information we hold about you, the categories of sources, the categories of third parties to whom we disclose it, and the business or commercial purpose for collecting it.
- Correct inaccurate personal information we maintain about you.
- Delete personal information we’ve collected from you, subject to statutory exceptions (e.g. ongoing transactions, fraud prevention, legal obligations).
- Portability — receive a copy of your personal information in a portable, structured, commonly used, machine-readable format.
- Opt out of sale, sharing, or processing for targeted advertising or profiling that produces legal or similarly significant effects — we do not engage in any of these, but the right is preserved and any changes will be disclosed in advance.
- Limit the use and disclosure of sensitive personal information — we do not collect any sensitive personal information.
- Non-discrimination / non-retaliation — we will not deny service, charge a different price, provide a different level of service, or otherwise retaliate because you exercised a privacy right.
- Appeal a denied request — reply to our denial email with the subject “Appeal”, and we will respond within 45 days (or 60 days for Colorado, Oregon, Tennessee, and Texas appeals; 60 days for Virginia, Connecticut). If we deny your appeal, you may contact your state attorney general.
- California “Shine the Light” (Cal. Civ. Code § 1798.83) — California residents can request the categories of personal information shared with third parties for those parties’ direct-marketing purposes. We do not share for that purpose, so the answer is “none”.
- Designate an authorized agent — you may designate an agent to make a request on your behalf. We will require written authorization signed by you and may require you to verify your own identity directly.
CCPA/CPRA annual disclosure metrics. In the 12 months preceding the “Last updated” date at the top of this page, the categories of personal information we collected are those listed in Section 2 above; we did not sell or share any personal information; we did not disclose personal information for a business purpose other than to the sub-processors listed in Section 6; and we received zero verifiable requests to know, delete, correct, or limit use of sensitive personal information that we either complied with in whole or in part or denied (we will update these metrics as we begin receiving requests, and publish them annually as required by Cal. Code Regs. tit. 11, § 7102).
Florida Digital Bill of Rights. If you are a Florida resident covered by the FDBR, in addition to the above you have the right to opt out of the collection of sensitive data and biometric data. We do not collect either, so this right is preserved by default. Florida residents may also opt out of the collection of personal data through voice or facial-recognition features; we use no such features.
Texas TDPSA notice. “NOTICE: We may sell your sensitive personal data” — not applicable; we do not sell sensitive personal data. “NOTICE: We may sell your biometric personal data” — not applicable; we do not collect or sell biometric personal data.
Nevada SB 220. Nevada residents may submit a verified request directing us not to make any sale of their personal information by emailing privacy@tidebrief.com. We do not currently sell personal information.
10.2 Rights for EU/EEA/UK residents (GDPR / UK GDPR)
You have the right to:
- Access, rectify, erase, or restrict processing of your personal data.
- Object to processing based on legitimate interests, including direct marketing.
- Receive your data in a portable format.
- Withdraw consent at any time without affecting prior lawful processing.
- Lodge a complaint with your supervisory authority. The Romanian authority is ANSPDCP (dataprotection.ro).
10.3 How to exercise your rights
Email privacy@tidebrief.com from the address on your account, or write to us at the postal address in Section 1. We’ll verify your identity (sometimes by sending a confirmation link) and respond within 45 days for U.S. requests and 30 days for GDPR requests, with one extension if the request is complex. Authorized agents acting on your behalf must provide written authorization.
10.4 Global Privacy Control and opt-out preference signals
We treat the Global Privacy Control (GPC) browser signal as a valid opt-out request from sale, sharing, and targeted advertising for California, Colorado, and Connecticut residents (and any other state whose law requires it). Because we don’t engage in those practices, the signal serves as a confirmation of our standing position.
11. Cookies and similar technologies
See our dedicated Cookie Policy for categories, names, durations, and how to opt out. EU/EEA/UK visitors must affirmatively consent before non-essential cookies fire; you can change your preferences anytime via the cookie banner.
12. Children
TideBrief is not directed to children under 18. We do not knowingly collect data from anyone under 13 (COPPA) or under 16 (GDPR). If you believe a child has given us personal information, email privacy@tidebrief.com and we’ll delete it.
13. Changes to this Policy
We’ll update this page when our practices change. For material changes we’ll notify you by email at the address on file. Your continued use of the Service after the effective date means you accept the updated Policy.
14. Notice of financial incentives
We do not offer any financial incentive (e.g. discounts, additional services, or a different level or quality of service) in exchange for the retention, sale, or sharing of personal information. If we ever introduce one, we will publish a separate Notice of Financial Incentive, obtain opt-in consent, and allow you to withdraw consent at any time, in compliance with CCPA/CPRA (Cal. Code Regs. tit. 11, § 7080) and similar state laws.
15. Data-breach notification
If we suffer a personal-data breach that creates a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33), and we will notify affected individuals without undue delay where the breach is likely to result in a high risk (GDPR Art. 34). For U.S. residents, we will provide notice in accordance with applicable state breach-notification laws (including Cal. Civ. Code § 1798.82, N.Y. Gen. Bus. L. § 899-aa, and similar), as soon as reasonably practicable after we determine that notification is required, and in any event within the period required by law.
16. Do Not Track and opt-out preference signals
Our practices regarding Global Privacy Control are described in Section 10.4. There is no industry-wide standard for “Do Not Track” (DNT) browser signals, and we do not respond to them beyond treating them as analytics opt-outs.
17. Romanian and EU regulators
We are supervised primarily by the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP): dataprotection.ro, B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București 010336. EU/EEA residents may also contact their local supervisory authority. UK residents may contact the Information Commissioner’s Office at ico.org.uk.
18. Contact
Privacy questions or rights requests: privacy@tidebrief.com. Postal address: PLAY PLAY CARDS SRL, Str. Drumul Pescarilor, nr. 16 A, Olimp, Constanța, 905503, Romania.