Privacy Policy

Effective: 14 May 2026 · Last updated: 14 May 2026

BrainDump (“we,” “us”) is operated by Zhangir Ospan. This policy explains what personal information we collect when you use our website and app (the “Service”), what we do with it, and the rights you have over it. We try to write this in plain English — but where the law requires us to be precise, we are.

Contents
  1. Information we collect
  2. How we use information
  3. Legal bases (EEA / UK users)
  4. AI processing & subprocessors
  5. When we share information
  6. Data retention
  7. Security
  8. Your privacy rights
  9. California residents (CCPA / CPRA)
  10. EEA / UK residents (GDPR)
  11. International data transfers
  12. Cookies & local storage
  13. Children
  14. Changes to this policy
  15. Contact us

1. Information we collect

Information you give us

  • Account information. When you create an account, we collect your email address and a hashed password. We do not store your password in plaintext.
  • Your content. Everything you put into BrainDump — brain dumps, tasks, habits, goals, ideas, journal entries, chats with the assistant, planner schedules, weekly reflections. This is the core of what the Service does, and it is yours.
  • Waitlist information. If you join the waitlist before having an account, we collect your email address and the page or campaign that referred you.
  • Communications. If you email us for support or send us feedback, we keep that correspondence.

Information we collect automatically

  • Log data. IP address, browser type, device type, operating system, pages visited, timestamps, and referrers. This is standard server log data and is used for security, debugging, and basic analytics.
  • Usage data. Aggregated metrics about how you use the Service — e.g. how many nodes you create, which features you use — so we can improve it.
  • Cookies & local storage. See Cookies & local storage below.

Information we derive

  • Embeddings. We send your node titles and summaries to embedding providers (see AI processing) and store the resulting numeric vectors. These vectors power semantic search and clustering. They are derived from your content but are not human-readable.
  • AI-generated metadata. When you brain dump, an AI model proposes structured nodes from your text (titles, types, summaries, importance scores). You review and accept these before they enter your workspace.

2. How we use information

We use information for the following purposes:

  • To run the Service. Authenticate you, save your data, sync across devices, send the assistant's answers, run the planner, generate weekly reflections.
  • AI features. Send your content to third-party AI providers so they can return extractions, embeddings, suggestions, summaries, and chat responses. See AI processing for who receives what.
  • Account management. Verify your email, reset your password, notify you of account changes.
  • Support & communication. Respond to your questions, send service announcements, and (if you opt in) send product updates.
  • Improving the Service. Analyze aggregated, de-identified usage data to find bugs, improve performance, and prioritize features.
  • Security & abuse prevention. Detect unauthorized access, fraud, scraping, and other abuse.
  • Legal compliance. Comply with valid legal requests and enforce our Terms.

We do not sell your personal information. We do not show third-party advertising in the Service. We do not use your content to train our own AI models, and we contractually require our AI subprocessors not to use your content to train theirs.

3. Legal bases (EEA / UK users)

If you are in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases:

  • Contract (Art. 6(1)(b) GDPR): processing necessary to provide the Service you signed up for — storing your content, running AI features, syncing your devices.
  • Legitimate interests (Art. 6(1)(f) GDPR): security, fraud prevention, abuse detection, and basic product analytics. You can object at any time.
  • Consent (Art. 6(1)(a) GDPR): optional marketing emails. You can withdraw consent at any time by clicking “unsubscribe.”
  • Legal obligation (Art. 6(1)(c) GDPR): when we must process data to comply with law.

4. AI processing & subprocessors

BrainDump is an AI-native product. To deliver its features, your content is sent to third-party AI providers (“subprocessors”) over secure connections. We list every one of them here, what they process, and why.

Subprocessors

  • Supabase, Inc. — hosts our primary database and authentication. Stores your account, content, and all derived data. Privacy policy.
  • Anthropic, PBC — processes your brain dump text, node content, and chat messages to extract structure, answer questions, suggest next steps, and run other AI features. Anthropic states it does not use API inputs or outputs to train its models. Privacy policy.
  • Google LLC (Generative AI / Gemini) — generates vector embeddings of your node titles and summaries so we can power semantic search and clustering. We use the paid API tier, under which Google states inputs and outputs are not used to train its models. Privacy policy.
  • Cohere Inc. — (where applicable) reranks search results and assists with clustering. Privacy policy.
  • Vercel Inc. — hosts the application and its edge functions; receives standard server logs (IP, request metadata). Privacy policy.

What this means in practice. When you brain dump, the text leaves our servers and is sent to Anthropic to be processed; the result comes back and is stored in your account on Supabase. The same applies to embedding generation (Google) and reranking (Cohere). These providers process your content on our behalf under data processing agreements; they do not have their own relationship with you.

5. When we share information

We share personal information only in the following circumstances:

  • Subprocessors. The third-party service providers listed above, who process data on our behalf to deliver the Service.
  • Legal requests. When required by law, valid legal process, or to protect the rights, property, or safety of BrainDump, our users, or others.
  • Business transfers. If we are acquired, merged, or sold, your data may transfer to the new owner under the same protections this policy describes.
  • With your consent. Anything else only with your explicit consent.

6. Data retention

  • Account & content. We keep your account and content as long as your account is active.
  • Account deletion. When you delete your account, we delete your content from our active systems within 30 days. Encrypted backups may retain copies for up to 90 days after deletion before being overwritten.
  • Waitlist data. We keep waitlist emails until launch, after which we either transition you to an account or delete the entry within 12 months.
  • Logs. Standard server logs are retained for up to 30 days for security and debugging.
  • Legal & financial records. Where law requires (e.g. tax records), we keep records for the required period.

7. Security

We take reasonable technical and organizational measures to protect your information:

  • TLS encryption in transit between you, our servers, and our subprocessors.
  • At-rest encryption of the database (provided by Supabase).
  • Passwords are hashed; we never see or store the plaintext.
  • Row-level security on our database so users can only access their own content.
  • Restricted internal access to production data, audited via service-role credentials.

No method of transmission or storage is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the appropriate regulators in accordance with applicable law.

8. Your privacy rights

Regardless of where you live, you can:

  • Access the data we hold about you.
  • Correct inaccurate data (most data is editable directly inside the app).
  • Delete your account and all associated content from within the app (Settings → Delete account), or by emailing us.
  • Export a copy of your content in a machine-readable format by requesting it from us at the email below.
  • Opt out of optional marketing communications.

To exercise a right that isn't directly available in the app, email us at ospanzhangir2005@gmail.com. We will respond within 30 days.

9. California residents (CCPA / CPRA)

If you live in California, you have additional rights under the California Consumer Privacy Act:

  • Right to know what categories of personal information we collect, why, and who we share it with (we've set this out above).
  • Right to delete your personal information, subject to legal exceptions.
  • Right to correct inaccurate information.
  • Right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell or share personal information for advertising, so this right is not triggered, but we honor “Do Not Sell or Share” requests anyway.
  • Right to limit use of sensitive information. We do not use sensitive personal information beyond what is necessary to provide the Service.
  • Right to non-discrimination for exercising any of these rights.

To exercise these rights, email ospanzhangir2005@gmail.com. You may also designate an authorized agent.

10. EEA / UK residents (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 8, plus:

  • Right to restrict processing of your data in certain circumstances.
  • Right to object to processing based on legitimate interests.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to withdraw consent at any time, where consent is the basis for processing.
  • Right to lodge a complaint with your local data protection authority.

Because we do not have an EU establishment, you may contact our representative for GDPR purposes at the same email above. If we later appoint a formal Article 27 representative, we will list them here.

11. International data transfers

Our subprocessors (Anthropic, Google, Supabase, Vercel, Cohere) are primarily based in the United States, and your data is processed there. When we transfer personal data of EEA, UK, or Swiss users to the United States, we rely on:

  • Standard Contractual Clauses approved by the European Commission.
  • EU-U.S. Data Privacy Framework and its UK and Swiss extensions, where applicable.
  • Supplementary measures such as encryption in transit and access controls.

12. Cookies & local storage

We use a small number of cookies and browser storage items, all strictly functional:

  • Authentication cookies. Set by Supabase to keep you signed in. Essential to the Service.
  • Local storage. Used to remember which workspace you had open, your graph layout, your camera position, and similar UI preferences. This data stays on your device.
  • Server logs. Basic log data described in Section 1.

We do not use third-party advertising or behavioral-tracking cookies.

13. Children

BrainDump is not directed at children. You must be at least 13 years old to use the Service. If you are in the European Economic Area or the UK, you must be at least 16 years old, or have verifiable parental consent if you are between 13 and 16.

If we learn we have collected personal information from a child without proper consent, we will delete it. If you believe a child has provided us personal information, contact us at ospanzhangir2005@gmail.com.

14. Changes to this policy

We may update this policy. When we do, we'll change the “Last updated” date at the top. For material changes, we'll notify you in-app or by email at least 30 days before the change takes effect.

15. Contact us

Questions, requests, or complaints? Email us at ospanzhangir2005@gmail.com.

For formal legal notice, email ospanzhangir2005@gmail.com.

© 2026 Zhangir Ospan. All rights reserved.