This Privacy Policy describes how Brain ("we", "us", "our") collects, uses, stores, and discloses information when you use trybrain.io, the in-app workspace, our edge functions, and any related services (collectively, the "Service"). Brain is operated for performance marketing teams who connect their own Meta Ads, CRM, and creative provider accounts (bring-your-own-keys) and orchestrate them through one autonomous workspace.
Information we collect
- Account information. Name, email, password hash (via Supabase Auth), workspace role, and authentication tokens issued to your browser session.
- Workspace inputs. Your offer, audience, brand voice, voice-of-customer data, competitor URLs, and any text or assets you upload to the Strategist, Production, or Matrix surfaces.
- Connected-account data. When you connect Meta Ads, Google, Arcads, or a CRM such as GoHighLevel, we store the OAuth/API credentials and the operational data the Service needs (campaign / ad set / ad metadata, daily insights, audience IDs, lead events). Credentials are encrypted at rest.
- Generated and inferred data. Angle × hook matrices, ad copy, scripts, landing page variants, diagnoses, and decisions produced by Brain on your behalf.
- Usage and device data. Pages viewed, actions performed, request logs, IP address, user agent, and approximate location, used to operate and secure the Service.
- Billing data. Plan, subscription status, invoices, and last-4 card metadata. Full card details are handled by Stripe; we never see or store them.
How we use information
- Run the orchestration brain: build matrices, produce creative, sync with Meta, diagnose campaigns, and act on optimization rules you've approved.
- Authenticate users, scope data to your workspace, and enforce role-based access.
- Bill you, prevent abuse, and meter AI / vendor usage against your plan.
- Send transactional emails (security alerts, billing notices, trial reminders, digests you've opted into) and respond to support requests.
- Train internal heuristics on aggregated, de-identified signals to improve the product. We do not train third-party foundation models on your private data.
- Comply with legal obligations and respond to lawful requests.
Bring-your-own-keys architecture
Brain is designed so that the ad spend, the customer relationship, and the creative assets stay on your accounts. Meta Ads, Arcads, your CRM, and any model provider you supply a key for are charged directly to you, on credentials you own and can revoke at any time. Brain holds the orchestration layer and the workspace state.
Sharing of information
We do not sell or rent personal information. We share data only with:
- Sub-processors we use to run the Service: Supabase (database, auth, storage), Cloudflare (edge runtime, CDN), Stripe (billing), Resend (transactional email), and the AI / video providers you have connected.
- Integrations you authorize, such as Meta, Google, Arcads, and your CRM, for the limited purpose of performing the action you triggered.
- Authorities, when required by law or to protect the safety, rights, or property of Brain, our users, or the public.
Data retention and deletion
We retain workspace data for as long as your account is active. You can delete individual records inside the app, or request full workspace deletion by emailing the address below. Backups are rotated within 30 days of deletion. Aggregate, de-identified metrics used for system health may be retained longer.
Security
Transport is encrypted with TLS 1.2+. Data at rest is encrypted by the underlying cloud provider. Third-party credentials are encrypted with a server-side key before being written to the database. Access to production systems is restricted to authorized personnel, logged, and audited. No system is perfectly secure — please report any suspected vulnerability to security@trybrain.io.
Your rights
Depending on where you live (GDPR, UK GDPR, CCPA/CPRA, and similar), you may request access to, correction of, export of, or deletion of your personal information. You may also object to certain processing or withdraw consent. Email privacy@trybrain.io and we will respond within the timeframe required by applicable law.
Cookies and analytics
We use first-party cookies and similar storage to keep you signed in, remember your workspace, and operate basic product analytics. We do not run third-party advertising cookies on trybrain.io. You can clear cookies via your browser at any time; this will sign you out.
International data transfers
Brain runs on globally distributed edge infrastructure. Your data may be processed in the United States, the European Union, and other regions where our sub-processors operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
Children's privacy
The Service is not directed to anyone under 18, and we do not knowingly collect personal information from children.
Changes to this policy
We may update this policy as the product evolves. Material changes will be announced in-app or by email at least 14 days before they take effect.
Contact
Privacy questions: privacy@trybrain.io.
Security reports: security@trybrain.io.
General support: support@trybrain.io.
