Privacy Policy

Last updated: 24 April 2026 · Omnibus version 1.0 · Exercise your rights →

General sections

Introduction
Data we collect
How we use your data
Who we share with
Data retention
Your rights (universal baseline)
Security
Children
Changes to this policy
Contact

1. Introduction

This Policy describes how Brainiall Inc. ("Brainiall", "we", "our") collects, uses, stores, shares and protects your personal data when you use the chat.brainiall.com service and associated APIs — including chat, image/video generation, voice synthesis and transcription features ("Service").

This is a unified (omnibus) document covering ten data protection regimes. The general sections apply to all users; the per-jurisdiction sections (see navigation above) list local rights, response windows and supervisory authorities.

Data Protection Officer (DPO): dpo@brainiall.com · General privacy: privacy@brainiall.com

2. Data We Collect

2.1 Provided by you

Identity and account: name, email, avatar (via Google/Apple OAuth), preferred language.
User-generated content: text prompts, audio uploaded for transcription, submitted files and media generated by the Service.
Payments: processed by Stripe, Inc. (PCI-DSS Level 1). We only store the Stripe customer identifier (stripe_customer_id) and subscription metadata — we never store card numbers.
Support: messages exchanged with our support channel.

2.2 Collected automatically

Technical: hashed IP address, User-Agent, device type, anonymous fingerprint for abuse prevention (retained 30 days).
Session: HttpOnly, Secure, SameSite=Lax session cookie.
Usage telemetry: message counts, credits consumed, response times — aggregated for capacity and quality.
Opt-in analytics: Google Analytics, Microsoft Clarity — only if you consent via the cookie banner.

2.3 Sensitive data (opt-in only)

Voice biometrics (Voice Translate / Voice Clone feature) — stored encrypted, deletable anytime in Settings.

3. How We Use Your Data

Service delivery: authenticate your account, deliver AI responses, generate media, process credits.
Billing: process subscriptions and issue receipts.
Security and fraud prevention: detect abuse, block bots and automated attacks.
Transactional communication: confirmations, receipts, security alerts.
Marketing communication: only with explicit consent, with one-click opt-out.
Product improvement: aggregated and anonymized analytics. Your prompts are NOT used to train models (contractual obligation with our infrastructure providers).
Legal compliance: to meet tax, accounting and valid legal requests.

4. Who We Share With

We share data only with operators essential to the Service, always under data protection agreements (DPA / GDPR Art. 28 / LGPD Art. 39):

Category	Purpose	Legal basis
Authentication (Google, Apple)	OAuth login	Contract
Payments (Stripe)	Process subscriptions	Contract
Hosting and email infra	Operate the Service	Legitimate interest
AI model providers	Generate responses from prompts	Contract (with no-training clause)
Opt-in analytics	Measure aggregated use	Consent
Public authorities	Valid court order or legal request	Legal obligation

Full subprocessor list at /subprocessors. We do not sell personal data.

5. Data Retention

Category	Period
Account data	While the account is active; deleted within 30 days of request
Conversation history and generated media	Until you delete them manually
Security logs	90 days
Anonymized analytics	12 months, then aggregated
Tax records (payments)	Up to 10 years (legal obligation)

6. Your Rights (universal baseline)

Regardless of jurisdiction we globally honor the fundamental data subject rights:

Access: obtain a copy of the data we hold about you (JSON export at /api/account/export).
Rectification: correct inaccurate or outdated data.
Erasure: delete your account and associated data (up to 30 days).
Portability: receive your data in machine-readable form.
Restriction and objection: limit or object to specific processing.
Consent withdrawal: at any time, with future effect.
Non-discrimination: exercising rights will not degrade the Service.

Want to exercise a right?

Use our secure form with automated SLA.

Open DSAR request →

7. Security

TLS 1.3 in transit; at-rest encryption for sensitive stores and blobs.
OAuth-only authentication (no passwords stored); HttpOnly/Secure/SameSite=Lax sessions.
HSTS, CSP, X-Content-Type-Options and hardening headers on all routes.
Least-privilege principle, quarterly secret rotation.
Breach notification: we will notify you and the supervisory authority within the regulatory timeframe applicable to your jurisdiction (see per-jurisdiction sections).

8. Children

The Service is intended for users 18+. We do not knowingly collect minors' data without parental consent (LGPD art. 14 · GDPR art. 8 threshold of 16). If you believe a minor has provided data, please contact our DPO.

9. Changes

Material changes will be notified by email and in-app 15 to 30 days in advance depending on jurisdiction. The effective version is always the one published at this URL with the timestamp above.

10. Contact

Brainiall Inc. · DPO: dpo@brainiall.com · General privacy: privacy@brainiall.com · Security: security@brainiall.com · AI governance: ai-governance@brainiall.com

🇧🇷 LGPD — Brazil (Law 13.709/2018)

Regulator: National Data Protection Authority — ANPD
DPO: dpo@brainiall.com · Brainiall Inc.; Encarregado appointed under art. 41.
Response window: 15 days (art. 19)
Legal bases: Consent (art. 7, I), contract performance (art. 7, V), legitimate interest for B2B/security (art. 7, IX), legal obligation (art. 7, II)
International transfers: SCCs + adequacy decisions where applicable (art. 33)
Breach notification: To ANPD and to affected subjects in reasonable time (art. 48) — internal SLA: 72h

Specific rights (art. 18): confirmation of processing; access; correction; anonymization, blocking or deletion of unnecessary, excessive or unlawfully processed data; portability; deletion of consent-based data; information on sharing; consent withdrawal; review of automated decisions (art. 20); petition to the ANPD.

Brazilian data subjects may file complaints at gov.br/anpd/pt-br/canais_atendimento.

🇺🇸 CCPA / CPRA — California, USA

Regulators: California Privacy Protection Agency (CPPA) and California Attorney General
Privacy Officer: dpo@brainiall.com
Response window: 45 days, extendable by 45 more with notice (Cal. Civ. Code § 1798.130)
Categories collected: Identifiers; commercial info; internet data; approximate geolocation; audio/biometric (opt-in). Details at /privacy-ccpa.
Sale or sharing: We do not sell or share for cross-context behavioral advertising.

Rights: right to know; delete; correct; opt-out of sale/sharing; limit use of sensitive data (voice biometrics); non-discrimination. Authorized agents accepted with proof of representation.

Informational "Do Not Sell or Share My Personal Information" link: dpo@brainiall.com?subject=DNSMPI.

🇯🇵 APPI — Japan (Law 57/2003, 2022 amendment)

Regulator: Personal Information Protection Commission (PPC)
Privacy Officer: dpo@brainiall.com
Response window: Without undue delay; internal target 30 days
Transfers (art. 28): Informed consent from the data subject, equivalent contract or adequate regime recognition
Breach notification: On material risk, notice to the PPC and to the data subject (art. 26)

Rights (art. 28-34): disclosure, correction, suspension of use, suspension of third-party provision, erasure. We also disclose information on cross-border transfer mechanisms per APPI art. 28.

🇸🇦 PDPL — Saudi Arabia (Law 1443/2021)

Regulator: Saudi Data & AI Authority (SDAIA)
DPO: dpo@brainiall.com
Response window: 30 days
Legal bases (art. 5-6): Consent, contract, legal obligation, vital interests, legitimate interest (with safeguards)
Transfers: Require adequacy recognized by SDAIA or equivalent safeguards; DPIA recorded
Breach notification: To SDAIA within 72h for material incidents

Rights: to be informed, access, correct, delete and restrict processing. Right to petition SDAIA at sdaia.gov.sa.

🇦🇪 UDPL — United Arab Emirates (Federal Decree-Law 45/2021)

Regulators: UAE Data Office (federal) + free-zone authorities (DIFC Commissioner; ADGM Office of Data Protection)
DPO: dpo@brainiall.com
Response window: Up to 30 days
Legal bases: Consent, contract, legal obligation, legitimate interest, vital interests, public interest
Transfers: Adequacy, SCCs, BCRs or explicit consent
Breach notification: Without undue delay to the UAE Data Office and to the data subject if material risk

Rights: information, access, rectification, erasure, restriction, portability, objection and regarding automated decisions. Users in DIFC are subject to DIFC Data Protection Law 5/2020; in ADGM, to Data Protection Regulations 2021.

🇨🇦 PIPEDA — Canada (S.C. 2000, c. 5)

Regulator: Office of the Privacy Commissioner (OPC) + Quebec (CAI), Alberta, British Columbia provincial regulators
Privacy Officer: dpo@brainiall.com
Response window: 30 days
Principles (Schedule 1): Accountability, identifying purposes, consent, limiting collection, limiting use/retention, accuracy, safeguards, openness, individual access, challenging compliance
Transfers: Controller responsibility with equivalent contractual measures
Breach notification: To OPC and to data subjects where "real risk of significant harm" (s. 10.1), without delay

Quebec residents may invoke Law 25 (S.Q. 2021, c. 25) additionally — complaints to the Commission d'accès à l'information (CAI).

🇳🇬 NDPA — Nigeria (Nigeria Data Protection Act, 2023)

Regulator: Nigeria Data Protection Commission (NDPC)
DPO: dpo@brainiall.com
Response window: Up to 30 days
Legal bases (§25): Consent, contract, legal obligation, vital interests, public interest, legitimate interest
Transfers (§41-43): Adequacy decision, SCCs, BCRs or explicit consent
Breach notification (§40): To NDPC within 72h and to the data subject where risk exists

Data subject rights (§26-§37): information, access, rectification, erasure, restriction, portability, objection, no adverse automated decisions. Complaints to NDPC at ndpc.gov.ng.

🇮🇳 DPDP — India (Digital Personal Data Protection Act, 2023)

Regulator: Data Protection Board of India (DPBI) — constituted under the DPDP Act
DPO / Data Protection Officer: dpo@brainiall.com
Response window: To be defined by rule-making; we adopt 30 days as the default
Legal basis (§6): Consent with notice (§5), certain "legitimate uses" (§7) — employment, payments, public health, emergencies
Transfers (§16): Unless restricted by a government notification, cross-border transfers are permitted
Breach notification (§8(6)): To the Data Protection Board and to the data subject in case of a breach

Rights (§11-§15): access to information, correction/erasure, grievance redressal, nomination of a person to exercise rights upon death/incapacity. Minors (<18) require verifiable parental consent (§9).

🤖 EU AI Act — Article 50 (AI transparency)

Regulatory framework: Regulation (EU) 2024/1689, applied in staggered fashion from August 2026
AI governance: ai-governance@brainiall.com

Transparency (art. 50):

When interacting with Brainiall Chat you are interacting with an AI system. A visible banner at /chat makes this explicit.
All text responses, images, videos and audio generated are AI-generated content. Images and videos are marked with provenance metadata (including C2PA, on roadmap for July 2026) and watermarks where technically feasible.
We do not perform emotion recognition (art. 5(1)(f)) nor biometric categorization (art. 5(1)(g)) of sensitive attributes. No social scoring.
Deepfakes created by the user via Studio receive automatic labelling per art. 50(4).
Accessible mechanism to report abuse of generated content at trust@brainiall.com.

For foundation/General Purpose AI (GPAI) models we act as deployer; our upstream providers maintain technical documentation per Annexes XI-XII. Aggregated technical sheets and training-content summaries are available under B2B NDA via ai-governance@brainiall.com.

Quick links: Exercise rights (DSAR) · Terms · DPA · Subprocessors · Contact DPO