Privacy Policy

Your privacy is important to us. This Privacy Policy describes how Climax Web Solutions, operating as Brainfo, collects, uses, discloses, and protects personal information in connection with its products and services. We encourage you to review this Policy carefully, as it is intended to be clear, transparent, and consistent with applicable privacy and data-protection laws.

Introduction

Welcome to Brainfo (accessible at www.brainfo.ai) (“we,” “our,” or “us”). Brainfo is an offline-first note-taking and collaboration platform that helps you organize your thoughts, collaborate with your team, and access your content anywhere—even without an internet connection.

Brainfo is provided by Climax Web Solutions (Canada). We collect and use personal information to operate an offline-first, AI-enhanced note and collaboration service. We process data in Canada and through trusted third parties outside Canada. 

We are committed to protecting your privacy and being transparent about how we collect, use, and protect your personal information. This Privacy Policy explains:

• What information we collect from you
• How we use that information
• Who we share it with
• Your rights and choices regarding your information
• How we protect your data
• Who owns your data

This policy applies to all users of Brainfo, including our web application, mobile applications (iOS and Android), and desktop applications (Windows, macOS, Linux).

By using Brainfo, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our services.

Data Controller. This Privacy Policy is issued by Climax Web Solutions, operating “Brainfo”, with its principal place of business in Ontario, Canada. For most processing we act as the data controller. Where a customer/workspace owner uploads data about its members, we act as a processor/service provider for that customer.

Information We Collect

We collect information that you provide directly to us, information that is automatically collected when you use our service, and information from third parties in limited circumstances.

2.1 Information You Provide Directly

Account Information

When you create a Brainfo account, we collect:

• Email address: Required for account creation, login, and communication
• Password: Stored securely using industry-standard hashing (managed by our authentication provider)
• Name: First and last name (optional but recommended for collaboration features)
• Profile avatar: Optional profile picture that you may upload

Workspace Information

When you create or join workspaces, we collect:

• Workspace name: The name you give to your workspace
• Workspace icon: Optional icon/image for your workspace
• Member information: Email addresses of users you invite to collaborate
• Role assignments: Your role and the roles you assign to workspace members (owner, admin, member)

Content You Create

We store the content you create within Brainfo, including:

• Documents: Text, formatting, and rich media content in your notes and documents
• Tasks: Task descriptions, due dates, status, and related information
• Links: URLs and metadata for links you save
• Tags: Tags and labels you create to organize your content
• Folders: Folder names and organizational structure
• Comments and annotations: Any comments or annotations you add to content
• File attachments: Images, documents, and other files you upload to your content
  • Supported formats: JPEG, PNG, and other common file types
  • Size limits vary based on your subscription plan (Free, Pro, Team)
• Version history: Previous versions of your content for recovery purposes

Communication with Us

If you contact us for support or provide feedback:

• Support messages: The content of your communications with our support team
• Feedback: Any feedback, suggestions, or feature requests you provide

Payment Information (via Paddle)

When you upgrade to a paid subscription:

• Billing name and address: Collected by our payment processor, Paddle
• Payment method details: Credit card or other payment information (collected and stored by Paddle, not by us)
• Transaction history: Records of your subscription purchases and renewals

Important: We do not directly store or process credit card information. All payment processing is handled by Paddle, our PCI-compliant payment processor.

2.2 Information Collected Automatically

Usage Information

When you use Brainfo, we automatically collect:

• Feature usage: Which features you use (documents, tasks, AI chat, etc.)
• AI usage metrics: Number of AI requests you make (for usage limit enforcement)
• Last activity timestamps: When you last accessed your workspace or content
• Workspace membership: Which workspaces you belong to and your role in each

Device and Technical Information

We collect technical information about your device and how you access our service:

• IP address: Your device's internet protocol address (used for security and regional services)
• Device type: Whether you're using web, mobile (iOS/Android), or desktop (Windows/macOS/Linux)
• Browser type and version: If using the web application
• Operating system: Your device's operating system and version
• Device identifiers: Unique identifiers for your device (for mobile and desktop apps)
• Screen resolution: To optimize the user interface
• Network connection: Whether you're online or offline (for offline sync functionality)

Collaborative Editing Information

When you collaborate with others in real-time:

• Cursor position: Your cursor location in shared documents (visible to other collaborators)
• User presence: Whether you're currently viewing or editing a document
• Edit operations: The specific changes you make to documents (for real-time sync and version history)
• Session metadata: When you join and leave collaborative editing sessions

Local Storage

For offline functionality, we store data locally on your device:

• IndexedDB: A local database containing your synced workspaces, documents, and settings
• LocalStorage: Session tokens and application preferences
• Service Worker cache: Cached application files for offline use

This local data is encrypted and synchronized with our servers when you're online.

2.3 Information from Third Parties

Authentication Providers

If you sign up or log in using a third-party provider:

• Google OAuth: If you sign in with Google, we receive your email address, name, and profile picture from Google. We do not receive your Google password.

Video Metadata Services

When you embed videos in your documents:

• YouTube: We fetch public video metadata (title, thumbnail) via YouTube Data API v3
• Vimeo: We fetch public video metadata via Vimeo API

We only access publicly available information and do not access your private video libraries.

How We Use Your Information

We use the information we collect for the following purposes:

3.1 Provide and Improve Our Service

• Service delivery: To provide you with access to Brainfo and all its features
• Account management: To create and manage your account, workspaces, and subscriptions
• Content storage and sync: To store your content and sync it across your devices
• Offline functionality: To enable offline access to your content via local storage and synchronization
• Real-time collaboration: To enable real-time editing with other workspace members
• Version history: To maintain version history and allow you to restore previous versions
• Search and organization: To enable you to search, tag, and organize your content

3.2 AI-Powered Features

We offer AI features that operate only on the content you choose to send:

• Document Copilot – generates, edits, and restructures text from your prompts and selected content.
• AI Chat Assistant – answers questions and drafts content using the specific context you provide.
• Automatic Tag Generation – suggests tags based on titles and content you select.

How processing works

• Scoped input only. We transmit only your prompt and the exact snippets you select (plus minimal technical metadata) when you invoke an AI feature.
• Routing. Requests pass through Cloudflare AI Gateway and are then delivered to OpenRouter and its underlying model providers to produce the output.
• No model training. We instruct providers not to use your prompts or outputs to train models. Providers may retain short-term logs for abuse prevention, security, rate-limiting, and service reliability, as described in their policies.
• No advertising use. Your prompts/outputs are not used for targeted advertising.

Controls and safeguards

• Workspace controls. Owners/admins can enable/disable AI features for a workspace.
• Data minimization. Do not include highly sensitive personal data in prompts.
• Storage. Prompts and outputs are stored in your workspace only as needed to deliver the feature (e.g., keeping generated text in the document history). Operational logs (Gateway/Provider) are retained by those providers for a limited period.
• Usage limits. AI usage is capped by your plan (Free, Pro, Team).

If you prefer not to use AI, you can use Brainfo without invoking these features.

When you select a specific AI model in Brainfo, your prompt and selected content are sent to that model’s provider through our routing infrastructure. That provider processes the data only to generate the output. Each provider’s own privacy terms may also apply.

We use your content to provide AI-powered features:

• Document Copilot: To generate, edit, and improve text based on your prompts and selected content
• AI Chat Assistant: To answer questions and assist with content creation using context from your documents
• Automatic Tag Generation: To suggest relevant tags based on your document titles and content

Important: Your content sent to AI services is:

• Processed by OpenRouter (our AI service provider)
• Used only to generate your requested output
• Not used to train AI models (per OpenRouter's data handling policies)
• Subject to usage limits based on your subscription plan (Free: limited, Pro: increased, Business: highest)

3.3 Communication

• Service notifications: To send you important updates about your account, workspaces, or service changes
• Workspace invitations: To send email invitations when you invite someone to your workspace
• Subscription management: To send billing confirmations, renewal notices, and payment receipts
• Waitlist communications: To notify you when you're approved from the waitlist
• Support responses: To respond to your support requests and provide assistance
• Optional newsletters: To send product updates and tips (only if you opt in)

All transactional emails are sent via Resend, our email service provider.

3.4 Payment Processing

• Subscription billing: To process subscription payments and manage your billing information
• Plan management: To upgrade, downgrade, or cancel your subscription as requested
• Usage enforcement: To enforce plan limits (storage, AI requests, team members)
• Proration: To calculate prorated charges when you change plans mid-cycle

All payment processing is handled by Paddle, our payment processor.

3.5 Security and Fraud Prevention

• Authentication: To verify your identity and prevent unauthorized access
• Session management: To maintain your logged-in state securely
• Abuse prevention: To detect and prevent fraudulent activity, spam, and abuse
• Security monitoring: To monitor for security threats and respond to incidents
• Access control: To ensure users can only access workspaces they're authorized to view

3.6 Legal Compliance

• Legal obligations: To comply with applicable laws, regulations, and legal processes
• Terms enforcement: To enforce our Terms of Service and other agreements
• Rights protection: To protect the rights, property, and safety of Brainfo, our users, and the public

3.7 Analytics and Improvement

We collect usage metrics to improve Brainfo:

• Feature usage tracking: Which features are most used to prioritize improvements
• Performance monitoring: To identify and fix bugs and performance issues
• Error tracking: To diagnose and resolve technical problems

Cloudflare Pages Analytics (Infrastructure-Level):

• Real User Monitoring (RUM): We use Cloudflare Pages' built-in analytics to monitor application performance
• Data collected by Cloudflare:
  • Page load times and performance metrics
  • CDN request statistics (cache hit rates, response codes)
  • Geographic distribution of users (country/city level, derived from IP address)
  • Browser type and device information
  • Referrer URLs (where you came from)
• Purpose: To optimize application performance, CDN configuration, and user experience
• Privacy: This data is processed by Cloudflare per their privacy policy (https://www.cloudflare.com/privacypolicy/)
• No cross-site tracking: Only tracks performance on Brainfo, not across other websites
• No personal identification: This analytics data is not linked to your account or user profile

Error Tracking and Performance Monitoring (Sentry):

• Real-time error tracking: We use Sentry to monitor and fix bugs in real-time
• Data collected by Sentry:
  • Error messages and stack traces (technical details of bugs)
  • Performance metrics (page load times, slow database queries, API response times)
  • User context: User ID only (no email or name - configured for privacy)
  • Browser and device information (user agent, OS, screen resolution)
  • URL and route information (which pages you were visiting when errors occurred)
  • Session replay: User interactions and page changes to understand bug context
  • IP address (for geographic context, can be scrubbed)
• Purpose: To identify, diagnose, and fix bugs and performance issues quickly
• Privacy protections:
  • PII scrubbing enabled: Email addresses, usernames, and other personal info automatically removed
  • Sensitive field filtering: Passwords, tokens, and credit card information never sent
  • Session replay excludes: Password fields, payment forms, and other sensitive inputs
  • Data retention: Error data retained for 30 days, then automatically deleted
  • User context: Only user ID sent (not email or name), or fully anonymous if preferred
• Privacy Policy: https://sentry.io/privacy/
• GDPR Compliance: Sentry is GDPR-compliant and has a Data Processing Agreement

3.8 Legal Bases (EEA/UK only)
We process personal data on the following bases:

• performance of a contract (to create your account, provide sync, collaboration, AI features);
• legitimate interests (to secure the service, prevent abuse, improve features);
• compliance with legal obligations (invoices, government requests);
• consent (optional communications, certain AI uses if you enable them).
  If we rely on legitimate interests, we do so in a way that does not override your rights.

Data Storage and Security

4.1 Where Your Data is Stored

Your data is stored in secure, professional infrastructure:

Primary Database

• PostgreSQL database hosted by our database provider
• Location: Data centers chosen for optimal performance and reliability
• Encryption: Data encrypted at rest using industry-standard encryption

File Storage

• Supabase Storage for file attachments and media
• Encryption: All files encrypted at rest

Real-Time Collaboration

• Cloudflare Durable Objects for real-time collaborative editing
• Location: Cloudflare's global network (automatically routes to nearest data center)
• Persistence: Collaboration state synced to primary database

Offline Sync

• PowerSync service for offline-first synchronization
• Local storage: IndexedDB on your device (encrypted)
• Sync: Bidirectional synchronization when online

API and Backend

• Cloudflare Workers (serverless compute platform)
• Global distribution: API available from Cloudflare's global network
• DDoS protection: Built-in protection against distributed denial-of-service attacks

4.2 Security Measures

We implement multiple layers of security to protect your data:

Encryption

In Transit (Data being transmitted):

• TLS 1.2+: All data transmitted over HTTPS with modern TLS encryption
• WebSocket Secure (WSS): Real-time collaboration uses encrypted WebSocket connections
• Certificate verification: Valid SSL/TLS certificates for all domains

At Rest (Data being stored):

• Database encryption: PostgreSQL data encrypted at rest by our hosting provider
• File encryption: All uploaded files encrypted at rest in Supabase Storage
• Local storage encryption: IndexedDB data encrypted on your device

Authentication and Access Control

• Password hashing: Passwords hashed using bcrypt/scrypt via Supabase Auth (never stored in plaintext)
• JWT tokens: Secure JSON Web Tokens for session management
• Token expiration: Automatic token expiration and refresh for security
• Multi-factor authentication (MFA): Optional TOTP-based 2FA for enhanced account security
• OAuth 2.0: Secure integration with Google for single sign-on

Role-Based Access Control (RBAC)

• Workspace roles: Owner, Admin, and Member roles with different permissions
• Resource-level permissions: Users can only access workspaces they're members of
• Data isolation: PowerSync sync rules ensure you only sync data you're authorized to access

Input Validation and Sanitization

• Schema validation: All API inputs validated using Zod schemas
• XSS prevention: User input sanitized to prevent cross-site scripting attacks
• SQL injection prevention: Parameterized queries via Drizzle ORM
• CSRF protection: Cross-site request forgery protection on all state-changing operations

Security Headers

Our web application uses security headers to protect against common attacks:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Referrer-Policy: strict-origin-when-cross-origin

Content-Security-Policy: [comprehensive policy]

Strict-Transport-Security: max-age=31536000; includeSubDomains

Network Security

• Cloudflare DDoS protection: Protection against distributed denial-of-service attacks
• Firewall rules: Restricted access to backend infrastructure
• Origin validation: CORS policies restrict which origins can access our API

Monitoring and Incident Response

• Error monitoring: Cloudflare observability enabled for error tracking
• Security logging: Logging of authentication events and suspicious activity
• Incident response: Procedures in place to respond to security incidents

Note: We do NOT log sensitive information like passwords, credit card numbers, or session tokens in our logs.

4.3 Data Backup and Recovery

• Automated backups: Regular automated backups of all data
• Version history: Content versions stored for recovery
• Durable Object persistence: Collaboration state persisted to prevent data loss
• Disaster recovery: Infrastructure designed for high availability and disaster recovery

4.4 Your Responsibility

While we implement strong security measures, your security also depends on:

• Strong passwords: Use unique, strong passwords for your account
• Enable MFA: Use multi-factor authentication for additional protection
• Keep devices secure: Protect devices with passwords/biometrics
• Be cautious with sharing: Only share workspace access with trusted collaborators
• Report security issues: Report any suspected security vulnerabilities to security@brainfo.ai

4.5 International Transfers

• We are based in Canada, but we use service providers and infrastructure that may process your information in other countries (including the United States and the European Union).
• When we transfer personal information from the EEA/UK/Switzerland to countries that do not provide the same level of protection, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent transfer tools.
• Some performance/real-time features (e.g. Cloudflare Durable Objects) route data through the nearest region to deliver the service.
  Why: this is the biggest gap because you named a global infra but didn’t explain legality of transfers.

1. Add “Canadian users (PIPEDA)” + “EU/UK users” + “California/Virginia/etc.” rights split
   You have a big generic “Your Rights” but you don’t tell California users about “no selling/sharing” and you don’t tell Canadians about complaints.

Third-Party Services

We use carefully selected third-party services to provide Brainfo. Each service processes specific types of data as described below.

5.1 Essential Services

Supabase (Authentication and Storage)

• Purpose: User authentication, database hosting, file storage
• Data Shared: Email, password (hashed), profile information, uploaded files
• Location: Supabase's data centers
• Privacy Policy: https://supabase.com/privacy
• Data Processing Agreement: Available upon request

Cloudflare (Infrastructure)

• Purpose: API hosting (Workers), real-time collaboration (Durable Objects), DDoS protection, CDN, AI request routing, analytics
• Data Shared: All data passing through our API and web application
• Services Used:
  • Cloudflare Workers: Serverless API backend
  • Cloudflare Pages: Web hosting with CDN
  • Cloudflare Durable Objects: Real-time collaboration state
  • Cloudflare AI Gateway: Routes AI requests to OpenRouter (caching and monitoring)
  • Cloudflare Pages Analytics: Performance monitoring (RUM and CDN analytics)
• Analytics Data:
  • Page load performance metrics
  • CDN request statistics
  • Geographic location (country/city level from IP)
  • Browser and device information
  • Referrer URLs
• Location: Cloudflare's global network
• Privacy Policy: https://www.cloudflare.com/privacypolicy/
• GDPR Compliance: Cloudflare is GDPR-compliant

PowerSync

• Purpose: Offline-first data synchronization
• Data Shared: Workspace data, documents, tasks, tags, folders
• Location: PowerSync data centers
• Privacy Policy: https://www.powersync.com/legal/privacy-policy
• Data Processing: Real-time bidirectional sync with your devices

5.2 Payment Processing

Paddle

• Purpose: Payment processing, subscription management, billing
• Data Shared:
  • Billing information (name, address, email)
  • Payment method details (stored by Paddle only, not by us)
  • Transaction amounts and subscription details
  • Customer ID and subscription status
• Location: Paddle's secure payment infrastructure
• Privacy Policy: https://www.paddle.com/legal/privacy
• Compliance: PCI DSS Level 1 certified, GDPR-compliant
• Important: We do not store or process credit card information. Paddle handles all payment data securely.

5.3 Communication Services

Resend

• Purpose: Transactional email delivery
• Data Shared:
  • Email addresses (recipients)
  • Email content (invitations, notifications, receipts)
  • Sender information
• Location: Resend's email infrastructure
• Privacy Policy: https://resend.com/legal/privacy-policy
• Use Cases:
  • Workspace invitations
  • Waitlist approvals
  • Subscription notifications
  • Payment confirmations

Intercom

• Purpose: Customer support and communication
• Data Shared:
  • Email address
  • Name (if provided)
  • Waitlist status
  • User type (individual/organization)
• Location: Intercom's data centers
• Privacy Policy: https://www.intercom.com/legal/privacy
• GDPR Compliance: Intercom is GDPR-compliant
• Use Cases:
  • Waitlist management
  • Customer support conversations
  • Product announcements (if you opt in)

5.4 AI Services

OpenRouter (via Cloudflare AI Gateway)Purpose: Provide AI-powered features (Document Copilot, AI Chat Assistant, Automatic Tag Generation).
Routing: When you use an AI feature, your prompt and selected content are securely transmitted through Cloudflare AI Gateway, which then forwards the request to OpenRouter and its underlying model providers to generate your output.

Data Shared (only when you use AI features):

• Prompt text and explicitly selected content (from your workspace)
• Minimal metadata required to deliver the response (e.g., workspace ID or usage limits)

Processing and Retention:

• Your content is processed solely to generate the requested output.
• We instruct all AI providers not to use your content to train or improve their models.
• Cloudflare and OpenRouter may retain short-term transaction logs (for security, abuse prevention, and rate-limiting only), then delete them automatically.
• AI responses and prompts may be stored within your Brainfo workspace for your own access (e.g., document history) but not for provider training.

Data Handling and Location:

• Processing occurs via OpenRouter’s infrastructure and may route through data centres in the U.S., EU, and other regions depending on the model selected.
• All transmissions are encrypted in transit via HTTPS/TLS.

Privacy Policies:

• OpenRouter – https://openrouter.ai/privacy
• Cloudflare – https://www.cloudflare.com/privacypolicy/

User Guidance and Controls:

• Use AI features only on non-sensitive content.
• Avoid including personal, confidential, or regulated data in prompts.
• Workspace owners and admins can enable or disable AI features at any time.
• AI usage is subject to plan limits (Free, Pro, Team).

Summary:
Your AI-related data is handled only to fulfil your explicit requests and is never sold, used for advertising, or employed to train machine-learning models.

OpenRouter (via Cloudflare AI Gateway)

• Purpose: AI-powered features (Copilot, AI Chat, Tag Generation)
• Routing: Requests routed through Cloudflare AI Gateway before reaching OpenRouter
• Data Shared:
  • Document content (only what you explicitly send to AI features)
  • User prompts and questions
  • Selected text for editing
• Cloudflare AI Gateway:
  • Routes and optionally caches AI requests
  • Provides monitoring and rate limiting
  • Logging: request/response
• Location: OpenRouter's infrastructure (routes to various AI model providers)
• Privacy Policy: https://openrouter.ai/privacy
• Data Usage:
  • Your content is NOT used to train AI models
  • Data processed only to generate your requested output
  • OpenRouter may temporarily cache requests for rate limiting
• AI Models: Access varies by subscription plan (Free: basic models, Pro: advanced models, Business: all models)

How to minimize AI data sharing:

• Only use AI features on non-sensitive content
• Review AI-generated content before sharing
• Don't include personal information in AI prompts

5.5 Video Services

YouTube Data API v3

• Purpose: Fetch video metadata for embedded videos
• Data Shared: Video URLs you embed in documents
• Data Accessed: Publicly available video information (title, thumbnail, duration)
• Privacy Policy: https://policies.google.com/privacy
• Important: We only access public video data; we do not access your YouTube account or private videos.

Vimeo API

• Purpose: Fetch video metadata for embedded videos
• Data Shared: Video URLs you embed in documents
• Data Accessed: Publicly available video information
• Privacy Policy: https://vimeo.com/privacy
• Important: We only access public video data; we do not access your Vimeo account.

5.6 Third-Party Service Policies

All third-party services we use:

• Are selected for their security and privacy practices
• Have their own privacy policies (linked above)
• Are required to protect your data in accordance with applicable laws
• Are periodically reviewed for continued compliance and security

We do NOT use:

• Third-party analytics services (Google Analytics, Mixpanel, Amplitude, PostHog, etc.)
• Advertising networks
• Social media tracking pixels (except Google OAuth for login)
• Data brokers or data resellers
• Marketing tracking tools

What we DO use (with strong privacy protections):

• Cloudflare Pages Analytics: Infrastructure-level performance monitoring (RUM and CDN analytics)
• Sentry: Error tracking with PII scrubbing, sensitive data filtering, and 30-day retention

Your rights with third parties:

• You can exercise privacy rights (access, deletion) directly with these services via their privacy policies

Cookies and Tracking Technologies

6.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us recognize you and remember your preferences.

6.2 Cookies We Use

We use cookies and similar technologies for the following purposes:

Essential Cookies (Required)

These cookies are necessary for the service to function and cannot be disabled:

• Session cookies: Maintain your logged-in state (sb-access-token, sb-refresh-token)
• Authentication tokens: Securely store your authentication credentials
• Workspace context: Remember your last visited workspace
• Preference cookies: Remember your theme (light/dark mode) and language preferences

Functional Cookies (Optional)

These cookies enhance functionality:

• Editor preferences: Remember your editor settings and view preferences
• UI state: Remember sidebar open/closed state, panel layouts
• Recently viewed: Track recently accessed documents for quick access

6.3 Local Storage

In addition to cookies, we use browser local storage:

• LocalStorage: Session tokens, user preferences, UI state
• IndexedDB: Offline-synced data (workspaces, documents, tasks)
• Service Worker cache: Application files for offline use

6.4 Third-Party Cookies

When you use third-party features, those services may set their own cookies:

• Google OAuth: If you sign in with Google, Google may set cookies (see Google's privacy policy)
• Paddle Checkout: When you make a payment, Paddle may set cookies (see Paddle's privacy policy)

6.5 Your Cookie Choices

How to control cookies:

• Browser settings: Most browsers allow you to refuse cookies or delete existing cookies
  • Chrome: Settings > Privacy and security > Cookies
  • Firefox: Settings > Privacy & Security > Cookies
  • Safari: Preferences > Privacy > Cookies
  • Edge: Settings > Cookies and site permissions
• Essential cookies: Disabling essential cookies will prevent you from using Brainfo
• Functional cookies: You can disable these, but some features may not work as expected

Do Not Track:

• We respect Do Not Track (DNT) signals
• We do not track you across other websites
• We do not use third-party tracking pixels or analytics

Data Sharing and Disclosure

7.1 Sharing Within Workspaces

When you collaborate in workspaces:

• Workspace members: Other members of your workspace can see:
  • Your name and profile picture
  • Content you create or edit in shared workspaces
  • Your comments and activity in shared documents
  • Your online/offline status (when you're actively using the workspace)
• Workspace owners and admins: Can additionally see:
  • Workspace usage statistics
  • Member roles and permissions
  • Subscription and billing information

When a customer organization/workspace owner uploads personal information about its members, that organization controls that data. In those cases, we process such data only to provide the service, in line with our agreement with that organization.

Control your sharing:

• Only join workspaces with people you trust
• Create separate workspaces for different projects or teams
• Use private workspaces for personal content

7.2 Service Providers

We share data with third-party service providers who help us operate Brainfo:

• Infrastructure providers: Cloudflare, Supabase, PowerSync (see Section 5)
• Payment processor: Paddle (for billing and payments)
• Email service: Resend (for transactional emails)
• Customer support: Intercom (if you contact support)
• AI service: OpenRouter (only content you explicitly send to AI features)

Our requirements for service providers:

• Process data only as instructed by us
• Maintain appropriate security measures
• Comply with applicable privacy laws
• Not use your data for their own purposes
• Have data processing agreements in place

7.3 Legal Requirements

We may disclose your information if required by law or in response to valid legal processes:

• Legal obligations: To comply with applicable laws, regulations, or legal requests
• Legal process: In response to subpoenas, court orders, or other legal processes
• Rights protection: To protect the rights, property, or safety of Brainfo, our users, or the public
• Fraud prevention: To detect, prevent, or address fraud, security, or technical issues
• Terms enforcement: To enforce our Terms of Service or other agreements

Our commitment:

• We will notify you of legal requests unless prohibited by law
• We will contest overbroad or inappropriate requests
• We will only disclose the minimum information necessary

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets:

• Your information may be transferred to the acquiring entity
• We will notify you via email and/or prominent notice on our service
• The acquiring entity will be required to honor this Privacy Policy
• You will have the opportunity to delete your account before the transfer

7.5 With Your Consent

We may share your information for other purposes with your explicit consent:

• If you authorize us to share data with third-party integrations
• If you participate in joint promotions with partners
• If you opt in to beta programs or research studies

7.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably identify you:

• Usage statistics (e.g., "X% of users use AI features")
• Performance metrics
• General trends and insights

This data does not identify individual users and is not subject to this Privacy Policy.

7.7 Error Tracking and Performance Monitoring

Sentry

• Purpose: Real-time error tracking and performance monitoring
• Data Shared:
  • Error messages and stack traces
  • Performance metrics (transaction times, slow queries)
  • User context: User ID only (not email or name)
  • Browser and device information
  • URL and route information
  • Session replay data (user interactions for debugging)
• Privacy Protections:
  • PII scrubbing enabled: Email addresses, IP addresses, and usernames automatically removed
  • Sensitive field filtering: Passwords, tokens, credit cards never sent
  • Session replay exclusions: Password fields, payment forms excluded from recordings
  • Data retention: 30 days (errors automatically deleted after 30 days)
  • User context: Only user ID sent (not email/name) for privacy
• Location: Sentry's secure data centers (US and EU regions available)
• Privacy Policy: https://sentry.io/privacy/
• GDPR Compliance: Sentry is GDPR-compliant with Data Processing Agreement
• Purpose: To identify, diagnose, and fix bugs quickly to improve your experience

Why we use Sentry:

• Immediate notification when errors occur
• Understand the context of bugs (what page, what action)
• Track performance issues (slow pages, database queries)
• Prioritize fixes based on impact
• Ensure a smooth, bug-free experience

Your privacy:

• Sentry never sees your passwords, payment information, or document content
• We've configured Sentry to minimize personal information collection
• Session replay helps us understand bugs but excludes sensitive fields
• You can request deletion of your data from Sentry at any time

7.8 What We Do NOT Do

We do NOT:

• Sell your personal information to third parties
• Share your content with advertisers
• Use your data for targeted advertising
• Share your data with data brokers
• Rent or lease your information to others

Your Rights and Choices

You have rights regarding your personal information. This section explains what rights you have and how to exercise them.

8.1 Access Your Information

What you can do:

• View and edit your profile information in account settings
• Access all your workspaces, documents, and content through the app
• Review your subscription and billing information in workspace settings

8.2 Correct Your Information

What you can do:

• Update your name, email, and profile picture
• Edit or correct any content you've created
• Update workspace names and settings

8.3 Delete Your Information

Delete Specific Content

What you can do:

• Delete individual documents, tasks, or links
• Remove file attachments
• Clear AI chat history

Delete Your Account

What you can do:

• Permanently delete your entire account and all associated data

How to do it:

• Settings > My Account > Delete My Account
• Confirm deletion

What is NOT deleted:

• Shared workspaces you don't own continue to exist (you're just removed as a member)
• Content created by other users in shared workspaces remains available to those users
• Transaction records may be retained for legal and accounting purposes (as required by law)

8.4 Export Your Data

What you can do:

• Export individual documents to DOCX or PDF format

8.5 Manage Communications

What you can do:

• Unsubscribe from optional newsletters and product updates
• Control notification preferences

What you CANNOT opt out of:

• Transactional emails (account notifications, billing receipts)
• Security alerts (password changes, unauthorized access attempts)
• Workspace invitations (sent by other users)

How to do it:

• Click "Unsubscribe" at the bottom of any marketing email

8.6 Object to Processing

What you can do:

• Object to certain types of data processing (subject to legal limitations)

How to do it:

• Email support@brainfo.ai with your specific objection

8.7 Restrict Processing

What you can do:

• Request that we limit how we use your data in certain circumstances:
  • You contest the accuracy of your data
  • You object to processing and we're verifying legitimate grounds
  • We no longer need the data, but you need it for legal claims
  • Processing is unlawful, but you don't want data deleted

How to do it:

• Email support@brainfo.ai with your request

8.8 Data Portability

For information you provided to us:

• You can export your data in machine-readable format (JSON)

8.9 Withdraw Consent

Where we rely on your consent to process data:

• You can withdraw consent at any time
• Withdrawing consent does not affect lawfulness of processing before withdrawal
• Some features may become unavailable if you withdraw consent

8.10 How to Exercise Your Rights

To exercise any of these rights:

1. In-app: Many rights can be exercised directly in Settings
2. Email: Contact support@brainfo.ai with your request
3. Include: Your name, email address, and specific request
4. Verification: We may request additional information to verify your identity

8.11 Region-Specific Notices

(a) EEA/UK users. You have the right to lodge a complaint with your local data protection authority.
(b) Canada (PIPEDA). You may request access to, or correction of, your personal information, subject to limited exceptions. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada.
(c) U.S. state privacy laws (incl. California/CPRA). We do not sell or “share” personal information for cross-context behavioural advertising. You may request to know, delete, or correct certain personal information we hold about you by emailing support@brainfo.ai. We will not discriminate against you for exercising these rights.

Data Retention

9.1 How Long We Keep Your Data

We retain your information for as long as necessary to provide Brainfo and fulfill the purposes described in this Privacy Policy.

Active Accounts

• Account information: Retained while your account is active
• Content (documents, tasks, links): Retained while your account is active and you haven't deleted it
• File attachments: Retained while associated content exists

Deleted Content

• Trash: Deleted content moves to Trash and is retained for 30 days
• After 30 days: Content in Trash is permanently deleted
• Empty Trash: You can manually empty Trash to immediately delete permanently

Deleted Accounts

• Personal data: Deleted within 30 days of account deletion
• De-identified data: May be retained indefinitely for analytics (cannot identify you)

9.2 Why We Retain Data

We retain data for legitimate business and legal purposes:

• Service provision: To provide you with access to your content
• Legal compliance: To comply with legal, tax, and accounting obligations
• Dispute resolution: To resolve disputes or enforce our Terms of Service
• Fraud prevention: To detect and prevent fraud and abuse
• Security: To maintain security and prevent unauthorized access

9.3 Data Deletion

When we delete data:

• Secure deletion: Data is securely deleted from production systems
• Irreversibility: Deletion is permanent and cannot be undone

9.4 Your Control Over Retention

You can control how long we keep your data:

• Delete content: Delete individual documents, tasks, or files at any time
• Empty Trash: Immediately permanently delete content in Trash
• Delete account: Delete your entire account and all data
• Export before deletion: Export your data before deleting (deletion is permanent)

Where your devices store offline copies (IndexedDB/local storage), deletion on our servers will not automatically delete copies on your device; you must clear those locally.

Children's Privacy

Brainfo is not intended for use by children under the age of 13 (or 16 in the European Economic Area).

10.1 Age Restrictions

• Minimum age: You must be at least 13 years old (16 in the EEA) to use Brainfo
• No collection from children: We do not knowingly collect personal information from children under 13 (or 16 in the EEA)
• Parental consent: If we learn we have collected information from a child without parental consent, we will delete it promptly

10.2 If You Believe a Child Has Provided Information

If you believe a child under 13 (or 16 in the EEA) has provided personal information to us:

• Contact us immediately at support@brainfo.ai
• Include details about the child's account (email address, name, etc.)
• We will investigate and delete the account if confirmed

10.3 COPPA Compliance (United States)

We comply with the Children's Online Privacy Protection Act (COPPA):

• We do not knowingly collect information from children under 13
• We do not market to children under 13
• We do not have features specifically designed for children

Changes to This Policy

11.1 Policy Updates

We may update this Privacy Policy from time to time to reflect:

• Changes to our services or features
• Changes in legal requirements or regulations
• Improvements to our privacy practices
• Feedback from users or regulators

11.2 How We Notify You

When we make changes to this Privacy Policy:

• Material changes: We will notify you at least 30 days in advance via:
  • Email to your registered email address
  • Prominent notice in the Brainfo app
• Non-material changes: We will update the "Last Updated" date at the top of this policy

11.3 What Constitutes a Material Change

Material changes include:

• Adding new types of data collection
• Sharing data with new categories of third parties
• Using data for purposes not previously disclosed
• Reducing your rights or protections
• Changes to data retention periods

11.4 Your Choices After Changes

After we notify you of changes:

• Review: Review the updated Privacy Policy carefully
• Accept: Continued use of Brainfo constitutes acceptance of the new policy
• Object: If you don't agree with the changes:
  • You can delete your account before the changes take effect
  • You can export your data before deleting
  • Contact us with questions or concerns at support@brainfo.ai

11.5 Version History

• Current version: [EFFECTIVE_DATE]
• Previous versions: Available upon request at support@brainfo.ai

Some content in Brainfo may link to or embed third-party services. Their collection and use of information is governed by their own privacy policies. We are not responsible for their practices.

Contact Information

12.1 General Inquiries

If you have questions about this Privacy Policy or our privacy practices:

Email: support@brainfo.ai

Subject Line: "Privacy Policy Inquiry"

We will respond to your inquiry within 7 business days.

12.2 Security Issues

To report a security vulnerability or concern:

Email: support@brainfo.ai

Subject Line: "Security Report"

12.3 Breach Notification

If we determine that a security incident has created a real risk of significant harm to you, we will notify you and, where required, regulators, in line with applicable laws (including Canadian and EU/UK rules).”

Acknowledgment

By using Brainfo, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by its terms.

Last Updated: 1st February 2026

If there is any inconsistency between this Privacy Policy and a localized version, this English version prevails