1. Introduction and Scope
This Privacy Policy explains how Brainpercent, LLC ("Brainpercent," "we," "us," or "our"), a Delaware limited liability company, collects, uses, shares, and protects personal information when you use https://brainpercent.app and the related Brainpercent platform (the "Service").
This Policy applies to (a) visitors to our public website, (b) registered users of the Service across all paid and free tiers, (c) participants in our affiliate program, and (d) anyone who contacts us. It does not apply to third-party websites you reach through links in content you generate. By using the Service you confirm you have read this Policy.
2. Information We Collect
We collect only what we need to operate, secure, and improve the Service.
Information you provide directly
- Account data: email address, name (optional), profile preferences, language and region. Sign-in is handled by Supabase Authentication with magic-link email and Google OAuth. From Google we receive only your email, basic profile, and Google account ID.
- Billing data: when you subscribe or buy credit packs, Stripe collects payment method, billing address, and tax info. We never see or store your full card number. We receive a Stripe customer ID, last four digits, card brand, expiration, and invoice records.
- Content you generate: URLs you submit, prompts, brand assets, and AI-generated outputs (articles, social posts, images, videos, podcasts). Stored so you can return to them.
- Communications: support tickets, emails to edward@brainpercent.com, in-app chat messages.
- Affiliate data: Stripe Connect Express account ID, payout history, referrals attributed to you, tax forms collected by Stripe.
Information collected automatically
- Server logs: IP, user agent, referrer, request path, response status, timing. Kept 30 days then deleted.
- Device + usage data: approximate location (country/region from IP), pages visited, features used, errors.
- Cookies and similar technologies: see Section 8.
AI-pipeline metadata
When you use the Service we record which AI providers handled each step (Anthropic, OpenAI, GoAPI), token counts, and credit deductions for billing reconciliation.
We do not intentionally collect special-category personal data (health, biometric, religious, political). Please do not paste such data into prompts.
3. How We Use Information
- Service delivery: generate content, store projects, publish to social platforms you connect.
- AI processing: send prompts and context to Anthropic, OpenAI, and GoAPI to produce outputs (Section 4).
- Billing: process subscriptions and credit packs via Stripe, send invoices, prevent fraud, handle disputes.
- Customer support: respond to requests and troubleshoot.
- Security + fraud prevention: rate-limiting, abuse detection, account-takeover detection.
- Service improvement: aggregated, de-identified analytics of feature usage.
- Marketing: with your explicit opt-in consent. Every marketing email has one-click unsubscribe. Transactional emails are sent without separate consent because they are necessary for the contract.
Legal bases (GDPR Art. 6): contract performance for service delivery and billing; legitimate interests for security and product improvement; consent for marketing; legal obligation for tax records and law-enforcement requests.
4. How We Share Information
We do not sell personal information and have not done so in the prior 12 months. We share data only with the following categories of processors, each bound by a data-processing agreement.
| Category | Examples | Data shared |
|---|---|---|
| Payment & billing | Payment processors, payout services | Name, email, payment method, billing address, transactions |
| Cloud infrastructure | Database, storage, CDN, edge delivery | Account data, content, server logs |
| AI model providers | Large language model and image/video generation providers | Prompts, selected context, brand assets |
| Social publishing | Authorized publishing platforms you connect | Generated content, scheduling instructions, connected account tokens |
| Communications | Transactional and marketing email providers | Email address, name, message content |
| Analytics & operations | Error tracking, session analytics, SEO tooling | Usage events, anonymized session data, topic queries |
A full list of our current subprocessors, including specific vendor names, is available at /legal/subprocessors. We update that page when processors change and give 30 days' notice of material new subprocessors by email.
We may also disclose information (a) to comply with law, valid subpoena, or court order; (b) to protect rights, safety, or property; (c) in connection with a merger, acquisition, or asset sale, in which case we will give 30 days' notice.
5. International Data Transfers
Brainpercent, LLC operates from the United States. Our primary database and storage live in the European Union (Supabase EU region). When you use the Service your data may be transferred to: the United States (Stripe, Anthropic, OpenAI, Vercel control plane, Resend, SendGrid, GoAPI, Google, Microsoft); and other regions where Vercel edge nodes process requests.
For transfers from the European Economic Area, United Kingdom, and Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) (Module Two — Controller to Processor) executed with each US-based processor. Where applicable we also rely on the EU-US Data Privacy Framework. You may request copies by emailing edward@brainpercent.com.
6. Data Retention
- Account profile and authentication records: while account is active + 90 days after deletion
- User-generated content and assets: until you delete the item or your account
- Server logs (IP, request paths): 30 days
- Billing and payment records (Stripe): 7 years after final transaction (US tax law)
- Email logs: 12 months
- Support tickets: 24 months
- Affiliate payout records: 7 years (US tax law / 1099-NEC reporting)
- Marketing consent records: until withdrawal + 3 years
When you delete your account we erase content within 90 days. Stripe records, tax records, and any data subject to active legal hold are retained for the periods above and then permanently deleted.
7. Your Rights
European Economic Area, United Kingdom, Switzerland (GDPR / UK GDPR). You have the right to:
- access your data (Art. 15);
- rectify inaccurate data (Art. 16);
- erase your data — "right to be forgotten" (Art. 17);
- restrict processing (Art. 18);
- portability — machine-readable export (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw consent at any time without affecting prior lawful processing (Art. 7(3));
- lodge a complaint with your supervisory authority.
California (CCPA/CPRA). Right to know, delete, correct, limit use of sensitive personal information, and opt out of "sale" or "sharing" — Brainpercent does not sell or share personal information for cross-context behavioral advertising under §1798.140(ad).
Israel (Privacy Protection Law, 5741-1981). Right to inspect and correct information we hold about you and to request deletion.
How to exercise rights. Email edward@brainpercent.com from your account email or use the in-app data-export and account-deletion controls. We respond within 30 days (GDPR) or 45 days (CCPA). Identity verification may be required.
8. Cookies and Tracking
We use a small set of cookies, each with a clear purpose:
| Cookie | Type | Purpose | Retention |
|---|---|---|---|
| sb-*-auth-token | Strictly necessary | Supabase session | Session / 7 days |
| bp_aff_click | Functional | Affiliate referral attribution (HMAC-signed) | 60 days |
| ref_source | Functional | Source attribution (e.g. Product Hunt) | 30 days |
| _ga, _ga_* | Analytics | Google Analytics (IP-anonymized) | 24 months |
| _clck, _clsk | Analytics | Microsoft Clarity session replay | 12 months |
Strictly-necessary cookies do not require consent (GDPR Recital 30). Analytics cookies (_ga, _ga_*, _clck, _clsk) are currently loaded on page load. We are implementing a consent management system that will gate these on explicit consent. Until that system is live, you can block analytics cookies via your browser settings or a content-blocking extension such as uBlock Origin. To opt out of Google Analytics specifically, install the Google Analytics opt-out browser add-on.
9. AI and Generated Content
Your prompts and the outputs we generate are stored in your account so you can return to them. We do not use your private prompts or outputs to train any AI model — neither ours nor those of our providers. Anthropic and OpenAI API endpoints are configured for zero training. You retain ownership of the outputs you create (subject to provider terms — see our Terms of Service).
If you publish content publicly (for example, by allowing us to publish to your connected social accounts), that content becomes public on those platforms under their terms.
10. Children's Privacy
The Service is directed exclusively to adults and young adults aged 13 and older in the United States and 16 and older in the European Economic Area, United Kingdom, and Switzerland. We do not knowingly market to or solicit personal information from any person under these ages. We do not collect or use personal information for behavioral advertising purposes in relation to any user we know to be under 18. We take reasonable steps to screen for age compliance at registration via age affirmation at signup.
If you are a parent or guardian and believe your child has registered without authorization, contact edward@brainpercent.com and we will delete the account and all associated data within 72 hours of verification. We do not require verifiable parental consent mechanisms under COPPA because the Service is not directed at children under 13.
11. Security
- Encryption in transit: TLS 1.2+ on all endpoints.
- Encryption at rest: AES-256 for Supabase Postgres and Storage.
- Database isolation: Postgres Row Level Security (RLS) enforces per-user access on every table.
- Payment security: Stripe is PCI DSS Level 1 certified; we never touch raw card data.
- Access controls: least-privilege admin access, no shared accounts, audit logs on production data.
- Secrets management: Vercel and Supabase encrypted environment variables.
- Monitoring: Sentry error tracking and Vercel runtime logs.
No system is perfectly secure. If a breach affects your data we will notify you within 72 hours where required by law (GDPR Art. 33-34; US state breach laws).
12. Changes to This Policy
We may update this Policy. For material changes we will notify registered users by email and post a banner on the site at least 30 days before the change takes effect. Non-material clarifications take effect on posting.
13. Contact
Brainpercent, LLC (Delaware, USA)
Founder & CEO: Edward Ilin
Email: edward@brainpercent.com
General contact: t.me/brainpercent
For data-protection requests, write "Privacy Request" in the subject line. You may always lodge a complaint with your local supervisory authority (in the EEA, see edpb.europa.eu).