How Brainboot collects, uses, and protects your data.
Last updated: 2026-04-10
We collect only what we need to run Brainboot: your account info, your brains and conversations, and usage metadata. We route prompts through LLM providers (listed on our Subprocessors page) to generate responses. We do not sell your data, and we do not train models on your content.
Account information. Email, display name, password hash, organization membership, billing address (for paid plans), and Stripe customer ID.
Your content. Brains you create, conversations, messages, saved settings, and any files you upload.
Usage data. Tokens consumed, requests made, models used, timestamps, rough geographic region derived from IP address, and error logs. Used for billing, quota enforcement, and debugging.
Cookies and local storage. Session cookies, authentication tokens, and consent preferences. See Section 8.
Payment information. Handled entirely by Stripe. We store only a customer ID, subscription ID, and the last four digits of your card for display purposes. We never see or store full card numbers.
We use your data to: provide and operate the Service, process payments, enforce quotas and rate limits, detect abuse, communicate with you about your account, send transactional emails, improve the Service, and comply with legal obligations.
We do not use your content to train machine learning models. We do not sell, rent, or trade your personal data to third parties.
To generate responses, Brainboot transmits your prompts and conversation context to the LLM provider whose model you selected. By default, we route traffic through Vercel AI Gateway with "disallow prompt training" enabled, which instructs providers not to retain or train on your data.
Providers we use are listed on our Subprocessors page. Each provider has its own privacy policy. By using a model, you agree that your prompts may be transmitted to that provider under its terms.
Do not submit sensitive personal data, protected health information, payment card numbers, or other regulated data in prompts unless you have independently verified that the provider handling the request complies with the applicable regulatory framework.
We share data only with the subprocessors listed on our Subprocessors page (LLM providers, Supabase for hosting, Stripe for billing, Resend for email, Vercel for compute and gateway). Each subprocessor is bound by data protection terms that restrict their use of your data to operating their service for us.
We may disclose data if required by law, court order, or valid legal request; or to protect the rights, property, or safety of Brainboot, our users, or the public.
We retain your account data and content for as long as your account is active. If you delete a brain, conversation, or message, it is removed from our primary database within 30 days. Backups are retained for up to 90 days for disaster recovery, after which they are permanently deleted.
We retain billing records for as long as required by tax and accounting law in our jurisdiction (typically seven years).
Depending on where you live, you may have the right to: access the personal data we hold about you; correct inaccurate data; delete your data; restrict or object to processing; receive a portable copy; and withdraw consent. You can exercise most of these rights directly through your account settings, or by emailing privacy@brainboot.ai.
If you are in the European Economic Area, United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data protection authority.
We use a small number of essential cookies to keep you logged in and remember your preferences. We use privacy-respecting analytics (no third-party ad cookies) to understand how the Service is used in aggregate. If you are in the EU or UK, we show a consent banner on your first visit.
We use industry-standard security practices, including encryption in transit (TLS), encryption at rest, hashed passwords, SHA-256 hashed API keys, Row Level Security on our database, and scoped access tokens. No system is perfectly secure, but we take reasonable measures to protect your data.
Brainboot is operated globally. Your data may be stored or processed in countries other than your own. When we transfer personal data out of the EEA or UK, we rely on standard contractual clauses or other lawful transfer mechanisms.
Brainboot is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe we have, contact privacy@brainboot.ai and we will delete it.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect.
Privacy questions: privacy@brainboot.ai
Data Protection Officer: dpo@brainboot.ai
This Privacy Policy is provided as a starting point. Brainboot recommends reviewing it with qualified legal counsel, especially for GDPR, CCPA, and sector-specific compliance (HIPAA, FERPA, etc.) before relying on it in production.