Privacy Policy

Last updated: March 21, 2026

Braintree ("brain-tree.ai", "we", "us", or "our") is operated by Nadav Avisrur, with inquiries accepted at support@brain-tree.ai. We operate the brain-tree.ai website and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services. For the purposes of the EU General Data Protection Regulation (GDPR), we are the data controller.

1. Information We Collect

Account Information

When you create an account, we collect information provided by your authentication provider (GitHub or Google), including your name, email address, and profile picture. We use Supabase for authentication and do not store your password.

Usage Data

With your consent, we collect certain information when you visit our website, including your IP address, browser type, operating system, referring URLs, pages visited, and time spent on pages. We use PostHog for analytics, which may include session recordings (screen replays with all form inputs masked). This data is only collected if you accept optional cookies via our consent banner.

Brain Data

When you create or import a brain, we store the brain structure and file contents in our database. You retain full ownership of your brain data.

Payment Data

We do not currently process online payments. Paid plan upgrades are handled manually via email. We do not store credit card numbers or payment credentials.

2. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance (Article 6(1)(b)): Account creation, brain storage, AI content generation, and service delivery.
  • Consent (Article 6(1)(a)): Analytics (PostHog), session recording, and live chat (Crisp). You can withdraw consent at any time via the Cookie Settings link in our footer.
  • Legitimate interest (Article 6(1)(f)): Service security, fraud prevention, and infrastructure monitoring.
  • Legal obligation (Article 6(1)(c)): Tax records and regulatory compliance.

3. How We Use Your Information

  • Provide, operate, and maintain our services
  • Authenticate your identity and manage your account
  • Process your brain content through AI services (Anthropic Claude API) for brain generation
  • Understand how users interact with our platform to improve the experience (with consent)
  • Send you service-related communications (account verification, security alerts, trial notifications)
  • Process payments and manage subscriptions
  • Comply with legal obligations

4. Third-Party Services (Sub-Processors)

We use the following third-party services that may process your data:

  • Supabase (database, authentication, storage) — hosted in US East.
  • Vercel (hosting and deployment) — global CDN with US origin.
  • PostHog (product analytics and session recording, consent-gated) — US Cloud. Session recordings capture screen activity with all form inputs masked.
  • Crisp (live chat support, consent-gated) — EU (France). May receive your email and name if logged in.
  • Anthropic (AI brain generation) — US. Brain content is sent to the Claude API for processing. Anthropic does not use API inputs for model training.
  • Resend (transactional email) — receives email addresses for trial notifications and service communications.
  • Railway (MCP server hosting) — US. Hosts the MCP server that processes brain operations.
  • GitHub / Google (OAuth authentication providers) — only profile data you authorize.

5. International Data Transfers

Your data may be transferred to and processed in the United States, where most of our sub-processors are located. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as incorporated into our sub-processors' Data Processing Agreements and, where applicable, the EU-US Data Privacy Framework. You can request copies of the relevant transfer safeguards by contacting us at support@brain-tree.ai.

6. Data Retention

  • Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
  • Brain data: Deleted when you delete a brain or your account.
  • Analytics data: PostHog retains event data for up to 1 year.
  • Payment records: Retained as required by tax law (typically 7 years).
  • Server logs: Retained for up to 30 days for security and debugging.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, row-level security policies in our database, and regular security reviews. However, no method of electronic storage is 100% secure.

8. Your Rights

For All Users

You may:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Download your brain data as a ZIP file

EU/EEA Residents (GDPR)

In addition, you have the right to:

  • Object to or restrict processing of your data
  • Data portability (receive your data in a machine-readable format)
  • Withdraw consent at any time (without affecting the lawfulness of prior processing)
  • Lodge a complaint with your local Data Protection Authority

We will respond to data subject requests within 30 days. Contact us at support@brain-tree.ai.

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the "sale" or "sharing" of personal information (we do not sell or share your data for advertising purposes)
  • Non-discrimination for exercising your rights

9. AI and Automated Processing

Braintree uses AI (Anthropic Claude API) to generate brain structures, content files, and execution plans based on your input. This AI processing is a core feature of the service and is performed under the "contract performance" legal basis. AI-generated content may contain inaccuracies and should be reviewed by the user. We do not use automated decision-making that produces legal or similarly significant effects on users.

10. Children's Privacy

Our services are not directed to individuals under the age of 16 (EU) or 13 (US). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under these ages, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and, where required, seeking your renewed consent.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at support@brain-tree.ai.

© 2026 brain-tree.ai