Privacy Policy

Effective May 7, 2026

BrainiacMinds ("we", "us", "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy describes what personal data we collect, why we collect it, the legal bases on which we rely, how we use and share it, and the rights you have over your information. It applies to all users of the Platform: Tenants (including Solo-CEOs and their team members), and their Clients.

1. Who We Are and Our Role

BrainiacMinds, Inc., a Delaware corporation ("BrainiacMinds", "we", "us", "our"), operates the Platform at brainiacminds.com.

For the purposes of data protection law (including GDPR), we act in two capacities:

Data Controller: for personal data relating to Tenants, Members, and Platform-level interactions — we determine the purposes and means of processing.

Data Processor: for Client data processed on behalf of Tenants — the Tenant is the Data Controller and we process Client data only on Tenant instructions as set out in our Data Processing Agreement. Tenants are responsible for establishing and maintaining their own lawful basis for processing their Clients' personal data.

Contact: tech@brainiacminds.com

2. Data We Collect

Account and Tenant data: name, email address, password hash or OAuth identity reference, Tenant name and slug, custom domain, billing contact information and Stripe customer identifier (no raw card data — payment instruments are held directly by Stripe), Member roles, and invitation records.

Usage data: AI Employee interaction records (conversation transcripts, task records, tool-use logs), knowledge base content you upload (documents and files converted to indexed format for AI retrieval), voice session audio (processed in real-time; not retained by default), device information, IP address, browser user agent, session identifiers, and aggregated usage analytics.

Client data (processed on behalf of Tenants): Client profiles, project and engagement records, conversation history, and any other data the Tenant configures AI Employees to collect or process. We process this data on Tenant instructions only and do not use it for Platform-level purposes such as product improvement, cross-tenant analysis, or marketing.

3. Legal Basis for Processing (GDPR)

Where GDPR or equivalent legislation applies, we rely on the following legal bases for processing personal data:

Contract performance (Article 6(1)(b)): processing necessary to create and manage your account, deliver Platform services, process payments, handle support requests, and perform our obligations under our Terms of Service. This is the primary basis for our relationship with Tenants and their Members.

Legitimate interests (Article 6(1)(f)): processing necessary for our legitimate business interests, where those interests are not overridden by your rights and interests. This includes: security monitoring and fraud prevention; product analytics to improve the Platform; abuse detection and enforcement of our Acceptable Use Policy; and sending service-related communications that are not strictly contractual. We have assessed these interests against potential privacy impacts and believe they are proportionate.

Legal obligation (Article 6(1)(c)): processing required to comply with applicable law, including tax and accounting record retention (7 years), regulatory reporting obligations, and responding to lawful requests from public authorities.

Consent (Article 6(1)(a)): where we rely on consent — for example, for marketing communications or optional analytics features — we will request your consent separately and clearly. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

Client data processed on Tenant instructions: Tenants are responsible for identifying and documenting their own lawful basis for instructing us to process their Clients' personal data. Our DPA governs our obligations as Processor for that data.

4. How We Use Your Data

We use the data we collect to:

Deliver the Service: create and manage your account and Tenant workspace, operate AI Employees, process payments, and provide customer support.

Ensure security and integrity: authenticate users, enforce tenant isolation, detect and prevent fraud, abuse, and security threats, and maintain audit logs.

Communicate with you: send transactional communications (security alerts, billing receipts, service announcements, and material Terms changes). We do not send marketing communications without your opt-in consent.

Improve the Platform: analyse aggregated, anonymised usage patterns to improve features and reliability. We do not use your knowledge base content, AI Employee conversations, or Client data for this purpose.

Comply with legal obligations: retain billing and financial records for the periods required by applicable tax and accounting law; respond to lawful government requests; meet GDPR, CCPA, and other regulatory requirements.

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We do not use your content or your Clients' data to train AI models that are shared with other Tenants or offered to third parties.

5. AI Processing and Disclosures

AI Employees process data — including conversation context, uploaded knowledge, and Client information — to generate responses. This processing:

Is tenant-isolated: no cross-tenant data access or leakage occurs by design. Each Tenant's data is stored in a separate, dedicated database.

Routes through our AI Gateway with tenant metadata attached for observability, billing attribution, and audit logging. All AI model calls are traceable to the originating Tenant.

Complies with EU AI Act Article 50: AI Employees identify themselves as AI systems to Clients at the start of every interaction. Clients are never deceived into believing they are communicating with a human.

May involve third-party AI model providers as sub-processors (see Section 6). These providers process data under data processing agreements and do not retain data for their own model training under our agreements with them.

Voice processing: voice session audio is processed in real-time by our voice infrastructure provider. Audio is not retained by default. Tenants may enable opt-in voice session recording, in which case retention is governed by the Tenant's configured retention period and this Policy.

7. Data Retention

Account data: retained for the duration of your account and for 90 days following account deletion to allow for recovery, after which it is permanently and irreversibly deleted.

Conversation transcripts and task records: retained according to your Tenant's configured retention period (default: 12 months; configurable per Tenant via Platform settings).

Billing and financial records: retained for 7 years for tax, accounting, and audit compliance. This retention period is required by applicable law and constitutes a legal obligation under GDPR Article 6(1)(c). Erasure requests cannot override this requirement for this specific category of data, but we will restrict processing to compliance purposes only during the retention period.

Voice session audio: not retained by default. Opt-in retention is configurable per Tenant and subject to the Tenant's chosen retention period and this Policy.

When data is deleted, we use reasonable technical measures to ensure permanent removal from active systems and to purge it from backups within our standard backup rotation cycle.

8. Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. Our current measures include:

Encryption in transit: all data transmitted between your browser or application and our Platform is encrypted using TLS 1.3 or higher.

Encryption at rest: data stored in our infrastructure is encrypted at rest using AES-256 encryption provided by Cloudflare's storage infrastructure.

Tenant isolation: each Tenant's data is stored in a dedicated, isolated database. There are no shared tables between Tenants. AI queries and knowledge retrieval are strictly scoped to the originating Tenant.

Access controls: access to personal data is restricted to personnel who need it to perform their job functions (role-based access control, least-privilege principle). Administrative access is logged and reviewed.

Security reviews: we conduct regular internal security reviews and address vulnerabilities on a risk-prioritised basis.

Vulnerability disclosure: if you discover a potential security vulnerability in the Platform, please report it responsibly to tech@brainiacminds.com. We commit to acknowledging reports within 3 business days and to working in good faith to remediate confirmed vulnerabilities.

No absolute guarantee: despite these measures, no security system is impenetrable. We cannot guarantee that personal data will never be accessed, disclosed, altered, or destroyed by a breach of our safeguards. In the event of a breach, we will act in accordance with our breach notification obligations (see Section 12 — Security Breach Notification).

9. Automated Decision-Making and Profiling (GDPR Article 22)

AI Employees generate automated responses to Client and Member queries as their core function. We want to be transparent about what this means in the context of your rights under GDPR Article 22.

AI Employees do not make legally significant automated decisions about data subjects without human review in the default operating configuration. Standard AI Employee outputs — answers, recommendations, drafted content, task completions — are responses that a user then acts upon; the decision remains with the human.

Autonomous mode. Tenants who operate AI Employees in Autonomous mode — where the AI Employee takes actions or delivers outputs directly to Clients without Tenant review of each individual interaction — take on responsibility for ensuring that their Autonomous deployment does not constitute solely automated decision-making that produces legal effects or similarly significant effects on individuals, within the meaning of GDPR Article 22. Tenants in Autonomous mode should conduct their own assessment and implement human oversight mechanisms appropriate to their use case.

Right to human review. If you believe that an AI Employee operated through our Platform has made a decision that materially affects you — such as a refusal of service, a recommendation that significantly impacts your interests, or an automated action taken on your behalf — you have the right to request human review of that decision. Submit your request to the relevant Tenant's contact, or to us at tech@brainiacminds.com if the Tenant is not responsive, and we will facilitate a review.

We do not use personal data to build profiles of individuals for the purpose of making automated decisions about them outside of delivering the specific AI Employee services configured by the Tenant.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.

Rectification: request correction of inaccurate or incomplete personal data.

Erasure ("Right to be Forgotten"): request deletion of your personal data, subject to legal retention obligations (e.g., 7-year financial records retention).

Portability: receive your personal data in a structured, machine-readable format.

Restriction: request that we limit how we process your data in certain circumstances.

Objection: object to processing based on our legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.

Withdraw consent: where processing is based on your consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Automated decision-making: request human review of any AI-based decision that produces a legal or similarly significant effect on you (see Section 9 — Automated Decision-Making).

To exercise any of these rights, contact us at tech@brainiacminds.com. We respond within 30 days. We may ask you to verify your identity before processing a rights request.

EU and EEA users may lodge a complaint with the supervisory authority in their member state.

UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.

California residents (CCPA/CPRA): We do not sell or share personal information as defined under the California Consumer Privacy Act or the California Privacy Rights Act. We do not use sensitive personal information for purposes beyond those necessary to provide the Service. California residents may submit rights requests at tech@brainiacminds.com and will receive a response within 45 days.

11. International Data Transfers

Your personal data may be processed in countries other than the country in which you are located, including the United States and other countries where our sub-processors operate.

Where we transfer personal data from the EU or EEA to third countries that have not received an adequacy decision from the European Commission, we rely on one or more of the following transfer mechanisms: Standard Contractual Clauses (SCCs) approved by the European Commission; or other legally recognised transfer mechanisms under GDPR Chapter V.

EU Tenants may select an EU data residency zone during account setup to ensure that their Tenant database and stored content remain within EU-based Cloudflare infrastructure. Selecting EU data residency does not eliminate all international transfers, as some sub-processors (such as AI model providers) operate globally.

12. Security Breach Notification

In the event of a personal data breach — meaning any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data we process — we will act as follows:

Supervisory authority notification (GDPR Art. 33): where required, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Tenant notification: we will notify affected Tenants without undue delay after becoming aware of a breach affecting their data, providing: a description of the nature of the breach; the categories and approximate number of individuals and personal data records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.

Tenant responsibility for Client notification: as Data Controllers for their Clients' data, Tenants are responsible for assessing whether and how to notify their affected Clients under their own DPA obligations and applicable law. We will provide Tenants with the information they need to fulfil this obligation.

Incident register: we maintain an internal register of all personal data breaches, including those that do not require supervisory authority notification, in accordance with our accountability obligations.

Limitation: our notification obligation is limited to breaches of personal data within systems under our direct control. Breaches caused by Tenant configurations, Tenant credentials, or Tenant-side security failures are the responsibility of the Tenant.

13. Children

The Platform is not directed at children under 13 years of age, or under 16 years of age in the European Union and United Kingdom. We do not knowingly collect personal data from children below these applicable age thresholds.

If you are a parent or guardian and believe that a child has provided us with personal data without appropriate consent, please contact us immediately at tech@brainiacminds.com. We will take steps to delete such data as soon as reasonably practicable.

6. Data Sharing and Sub-processors

We share personal data only with sub-processors that are necessary to deliver the Service. Our current key sub-processors are:

Sub-processor   Purpose                                                                          Location
Cloudflare      Infrastructure, edge compute, object storage, AI model hosting, network security  Global (EU data residency available for EU Tenants)
Stripe          Payment processing and Marketplace payouts                                       US / EU
Anthropic       Large language model inference for AI Employees (primary)                        US
Google          OAuth identity verification; voice processing via Gemini Live                    US / EU
GitHub          OAuth identity verification                                                      US

We maintain Data Processing Agreements with all sub-processors that impose data protection obligations consistent with GDPR requirements. EU Tenants may request a copy of applicable DPAs at tech@brainiacminds.com. We notify Tenants of material sub-processor additions or replacements at least 30 days in advance and provide Tenants the opportunity to object.

Data Protection Contact

For privacy enquiries, data rights requests, breach notifications, or any questions about this Policy, contact us at tech@brainiacminds.com. We aim to respond to all requests within 30 days. If you are an EU resident and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your national supervisory authority.