Privacy Policy (EU / GDPR)
1. Data Controller
Brainiall Inc., a Brazilian company, acts as data controller for the information you provide through this platform. Contact: privacy@brainiall.com.
We are not established in the EU but offer services to EU residents, so GDPR art. 3(2) applies to us.
2. What we collect
- Account data: email, name, avatar (from your Google or Apple login).
- Usage data: prompts you submit, images/videos generated, preferences (memory, push prefs), conversation metadata.
- Technical data: IP address (hashed), browser type, device fingerprint — used for fraud/abuse prevention only, retained 30 days.
- Payment data: handled directly by Stripe. We never store card numbers.
3. Legal basis (GDPR art. 6)
- Contract performance (art. 6(1)(b)): processing needed to deliver the service you subscribed to.
- Legitimate interest (art. 6(1)(f)): abuse prevention, service improvement via aggregated analytics.
- Consent (art. 6(1)(a)): optional features (memory, push notifications, marketing emails) — toggled in settings.
4. Your rights (GDPR art. 15-22)
You can, at any time:
- Access your data — export JSON from /api/account/export.
- Rectify errors — account settings.
- Erase (right to be forgotten) — delete account wipes everything within 30 days.
- Restrict processing — disable memory/push via toggles.
- Portability — JSON export is machine-readable.
- Object to processing based on legitimate interest.
- Lodge a complaint with your local Supervisory Authority.
To exercise any right: privacy@brainiall.com. We respond within 30 days.
4.5 UK residents — UK GDPR
For data subjects in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) applies alongside the Data Protection Act 2018. Your rights mirror those listed above (access, rectification, erasure, restriction, portability, objection). The UK supervisory authority is the Information Commissioner's Office (ICO). To lodge a complaint, visit ico.org.uk/make-a-complaint or write to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. UK-EU data transfers rely on the UK Addendum to the EU Standard Contractual Clauses (UK IDTA).
4.6 Germany residents — DSGVO (EU GDPR as enacted in Germany)
For data subjects in Germany, the Datenschutz-Grundverordnung (DSGVO) applies as the direct implementation of EU Regulation 2016/679, alongside the Bundesdatenschutzgesetz (BDSG) for national-specific provisions. Your rights under Art. 15-21 DSGVO mirror those listed above (Auskunft, Berichtigung, Löschung, Einschränkung, Datenübertragbarkeit, Widerspruch). Legal basis for processing is primarily Art. 6 Abs. 1 lit. b DSGVO (contract performance) and Art. 6 Abs. 1 lit. f DSGVO (legitimate interest). A Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) per Art. 28 DSGVO is available on request at privacy@brainiall.com or via /de/dpa. German supervisory authorities vary by state (Länder); complaints can be lodged with the authority in your federal state (list at bfdi.bund.de) or with the Federal Commissioner for Data Protection (BfDI). For company information per §5 TMG and §55 RStV, see our Impressum.
4.7 Rest of world — Other jurisdictions
We apply the following frameworks for users outside EU/UK/Germany:
- India: Digital Personal Data Protection Act (DPDP) 2023, overseen by the Data Protection Board of India. Notice and consent per §5-§6, data principal rights per §11-§15. Contact privacy@brainiall.com to exercise rights.
- Japan: Act on the Protection of Personal Information (APPI, Law No. 57/2003 as amended April 2022), overseen by the Personal Information Protection Commission (PPC). We give notice of cross-border transfers per Art. 28 and maintain records of processing per Art. 27.
- Brazil: Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018), overseen by ANPD (Autoridade Nacional de Proteção de Dados).
- California, USA: CCPA/CPRA, with right to know, delete, opt-out of sale (we do not sell personal data), correct, and limit use of sensitive data. Contact privacy@brainiall.com.
- Canada: PIPEDA (Personal Information Protection and Electronic Documents Act), overseen by the Office of the Privacy Commissioner (OPC).
- Singapore: PDPA (Personal Data Protection Act 2012), overseen by the Personal Data Protection Commission (PDPC).
- Australia: Privacy Act 1988, overseen by the OAIC (Office of the Australian Information Commissioner).
- South Africa: POPIA (Protection of Personal Information Act 4/2013), overseen by the Information Regulator.
- Nigeria: NDPA (Nigeria Data Protection Act 2023), overseen by the Nigeria Data Protection Commission (NDPC). Data principal rights per §26-§37 (access, rectification, erasure, objection, portability).
- Ghana: Data Protection Act 843/2012, overseen by the Data Protection Commission.
Users in other jurisdictions should refer to their applicable local law. Core data subject rights (access, correction, deletion, portability, objection) are honored globally via privacy@brainiall.com, regardless of jurisdiction.
4.8 Other EU member states — National GDPR implementations
The EU GDPR (Regulation 2016/679) applies directly to all member states but is complemented by national laws. Below we list the applicable national framework + national supervisory authority (DPA) per market where we have users. Data subject rights (access, rectification, erasure, restriction, portability, objection) apply uniformly via privacy@brainiall.com regardless of member state.
- Italy: Codice Privacy (D.Lgs 196/2003 as amended by D.Lgs 101/2018), overseen by the Garante per la Protezione dei Dati Personali.
- Netherlands: Uitvoeringswet AVG (UAVG), overseen by the Autoriteit Persoonsgegevens (AP).
- Poland: Ustawa o ochronie danych osobowych (UODO 2018), overseen by the Urząd Ochrony Danych Osobowych.
- Sweden: Dataskyddslagen (2018:218), overseen by Integritetsskyddsmyndigheten (IMY).
- Belgium: Loi du 30 juillet 2018 / Wet van 30 juli 2018, overseen by the Autorité de protection des données (APD/GBA).
- Spain: LOPDGDD (Ley Orgánica 3/2018), overseen by the Agencia Española de Protección de Datos (AEPD).
- Ireland: Data Protection Act 2018, overseen by the Data Protection Commission (DPC).
- Portugal: Lei 58/2019, overseen by the Comissão Nacional de Proteção de Dados (CNPD).
- Romania: Legea 190/2018, overseen by the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP).
- Other EU/EEA: Austria (DSG / DSB), Denmark (Databeskyttelsesloven / Datatilsynet), Finland (Tietosuojalaki / Tietosuojavaltuutettu), Greece (Ν. 4624/2019 / APDPX), Hungary (2018. évi XXXVIII / NAIH), Czech Republic (110/2019 / ÚOOÚ), Slovakia (ÚOOÚ), Slovenia (ZVOP-2 / IP-RS), Bulgaria (CPDP), Croatia (AZOP), Cyprus (CPDP), Luxembourg (CNPD), Malta (IDPC), Estonia (AKI), Latvia (DVI), Lithuania (VDAI), Norway (Datatilsynet), Iceland (Persónuvernd), Liechtenstein (DSS).
5. Data retention
- Account data: until account deletion.
- Conversations + generated media: until you delete them.
- Analytics events: 90 days, then aggregated.
- Billing records: 10 years (Brazilian tax law; EU users can request anonymization after 5 years).
6. International transfers
Data is processed in Brazil. EU-Brazil transfers use Standard Contractual Clauses (GDPR art. 46) and Brazil's LGPD is considered equivalent protection by several EU national DPAs. Infrastructure subprocessors: leading cloud hosting providers (USA + EU), Stripe (payments, global), AI infrastructure partners (each with their own SCCs; specific disclosures under NDA via /subprocessors + compliance@brainiall.com).
7. Cookies
We use essential cookies (session, CSRF) — no tracking cookies without consent. Cookie banner appears on first visit from EU IPs.
8. AI-specific notes
Prompts and generated outputs are not used to train upstream models (contractually enforced with our providers). Internal improvement uses only aggregated, anonymized signals.
9. Children
Service is not intended for users under 16 in the EU (GDPR art. 8). We do not knowingly collect data from minors.
10. Changes
Material changes trigger in-app notice + email 30 days before effective date.
For Brazilian users: see LGPD notice. For US users: see CCPA notice.