Privacy Policy
Last updated: May 1, 2026
1. Introduction
This Privacy Policy describes how BrainStorm Technologies LTD collects, uses, discloses, and protects your personal information when you use our AI-powered mind mapping and chat mapping service ("Service"). We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant regulations.
2. Information We Collect
Account Information: Email address, name, password (encrypted), profile information, and authentication details you provide during registration.
User Content: Mind maps, chat maps, conversations, chat history, node data, and the corresponding AI-generated output (e.g., summaries, suggestions), and any other content you create or upload to the Service.
AI Provider Credentials: API keys for third-party AI providers (such as OpenAI, Anthropic, Google, or others) that you optionally provide. These credentials are encrypted using industry-standard encryption and stored securely.
Payment Information: Billing details, transaction history, and subscription information (processed securely through third-party payment processors).
Usage Data: Information about how you interact with our Service, including features used, maps created, AI interactions, timestamps, and session duration.
Technical Data: IP address, browser type and version, device information, operating system, referring URLs, and other technical information collected automatically for security, fraud prevention, and functionality purposes.
Cookies and Similar Technologies: Essential cookies for authentication and service functionality, and optional analytics cookies (with your consent).
3. How We Use Your Information
Service Provision: To provide, maintain, and improve our AI-powered mind mapping and chat mapping service, including user authentication, data storage, and feature delivery.
AI Processing: Your conversations and prompts are sent to your selected AI provider (OpenAI, Anthropic, Google, or others) to generate AI responses and mind map content. By using the AI features, you acknowledge that your prompts and conversation history are sent outside of the Company's infrastructure and become subject to the chosen AI provider's privacy policy and data handling practices. This processing is governed by the privacy policy of the AI provider you choose.
Communication: To send you service-related notifications, updates about new features, security alerts, and responses to your inquiries.
Analytics and Improvement: To analyze usage patterns, understand user behavior, and improve our Service (only with your explicit consent for non-essential analytics).
Security and Fraud Prevention: To detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activities.
Legal Compliance: To comply with applicable laws, regulations, legal processes, and law enforcement requests.
Business Operations: To manage subscriptions, process payments, provide customer support, and maintain our business operations.
4. Legal Basis for Processing (GDPR)
Contract Performance: Processing necessary to provide our Service and fulfill our contract with you (Article 6(1)(b) GDPR).
Consent: Where you have given explicit, informed consent for specific processing activities, such as analytics or optional AI features (Article 6(1)(a) GDPR).
Legitimate Interests: For service improvement, security, and fraud prevention, where our legitimate interests are balanced against your rights and freedoms (Article 6(1)(f) GDPR).
Legal Obligations: To comply with legal requirements and obligations under applicable law (Article 6(1)(c) GDPR).
5. Data Sharing and Third-Party Services
AI Service Providers: Your prompts and conversations are sent to your selected AI provider (OpenAI, Anthropic, Google, or others) for processing. Each provider has its own privacy policy and data handling practices. We recommend reviewing their policies.
Infrastructure Providers: We use Supabase for database, authentication, and backend services. Supabase processes data in accordance with their privacy policy and acts as a data processor under GDPR.
Payment Processors: Payment information is processed by secure third-party payment processors (such as Stripe). We do not store complete credit card information.
Analytics Services: With your consent, we may use analytics services to understand usage patterns and improve our Service.
Legal Requirements: We may disclose your information if required by law, court order, or governmental authority, or to protect our rights, property, or safety.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction (you will be notified).
No Data Sales or Sharing: We do not sell your personal information, nor do we "share" or "process" it for the purpose of cross-context behavioral advertising, as these terms are defined under the CCPA/CPRA.
6. Your Rights Under Data Protection Laws
Right to Access (GDPR Art. 15, CCPA): You can request a copy of all personal data we hold about you.
Right to Rectification (GDPR Art. 16): You can correct any inaccurate or incomplete personal data.
Right to Erasure/Deletion (GDPR Art. 17, CCPA): You can request deletion of your personal data, subject to legal retention requirements.
Right to Restrict Processing (GDPR Art. 18): You can limit how we process your data in certain circumstances.
Right to Data Portability (GDPR Art. 20): You can request your data in a structured, machine-readable format for transfer to another service.
Right to Object (GDPR Art. 21, CCPA): You can object to certain types of processing, including direct marketing and processing based on legitimate interests.
Right to Withdraw Consent (GDPR Art. 7(3)): You can withdraw consent at any time for processing based on consent (without affecting lawfulness of prior processing).
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
California Residents (CCPA/CPRA): California residents have additional rights, including the right to know what personal information is collected, disclosed, or sold, and the right to opt-out of sale (though we do not sell personal information).
7. Data Security
We implement comprehensive technical and organizational measures to protect your personal data:
Encryption: Data is encrypted in transit using TLS/SSL and at rest using industry-standard encryption algorithms.
Access Controls: Strict role-based access controls limit who can access your data. Only authorized personnel with legitimate business needs can access user data.
Authentication: Multi-factor authentication options and secure password policies protect your account.
Regular Security Audits: We regularly review and update our security measures, conduct vulnerability assessments, and implement security patches.
Secure Infrastructure: We use enterprise-grade infrastructure with built-in security features, firewalls, and intrusion detection systems.
Incident Response: We maintain an incident response plan to quickly address any security breaches and notify affected users as required by law.
8. Data Retention
Account Data: Retained while your account is active and for up to 90 days after account deletion (to allow recovery), unless longer retention is required for legal compliance.
User Content (Maps): Retained until you delete them or close your account. Deleted content is permanently removed within 30 days.
Conversation History: Retained according to your settings and until account deletion.
Payment Records: Retained for tax and accounting purposes as required by applicable law (typically 7 years).
Audit and Security Logs: Retained for security, fraud prevention, and compliance purposes for up to 2 years.
Backups: Data may remain in backups for up to 90 days after deletion from production systems.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place:
Standard Contractual Clauses: We use EU-approved Standard Contractual Clauses (SCCs) for transfers from the EEA to countries without adequacy decisions.
Adequacy Decisions: We rely on European Commission adequacy decisions where available.
UK-Specific: For UK data transfers, we comply with UK GDPR and use UK-approved transfer mechanisms.
Data Processing Agreements: We enter into Data Processing Agreements (DPAs) with all service providers who process personal data on our behalf, ensuring they act only as our Data Processors and under our instructions.
10. Cookies and Tracking Technologies
Essential Cookies: We use strictly necessary cookies for authentication, security, and core service functionality. These cannot be disabled.
Functional Cookies: We use cookies to remember your preferences and settings.
Analytics Cookies: With your explicit consent, we use analytics cookies to understand how users interact with our Service and improve it.
Third-Party Cookies: AI service providers and other third-party services may set their own cookies when you use their features.
Cookie Management: You can manage cookie preferences through your browser settings and our cookie consent banner. Note that disabling essential cookies may affect service functionality.
11. Children's Privacy
Our Service is not intended for children under 16 years of age (or under 13 in the United States). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information.
12. AI-Specific Privacy Considerations
AI Provider Selection: You control which AI provider processes your data. Different providers have different data retention and usage policies.
Training Data: By default, we configure AI providers to not use your data for training their models, where such options are available. Please review individual AI provider policies.
Sensitive Information: We strongly recommend that you DO NOT input Special Categories of Personal Data (e.g., health, racial, political, religious data) or sensitive proprietary information into the Service. Your input is processed by third-party AI providers, and we cannot guarantee the protection of highly sensitive data once it leaves our system.
Data Minimization: We only send necessary context to AI providers to generate responses.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of material changes via:
• Email notification to your registered email address
• Prominent notice within the Service
• Updated "Last updated" date at the top of this policy
Your continued use of the Service after such changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.
14. Contact Information and Data Controller
Data Controller: BrainStorm Technologies LTD is the data controller for your personal information.
If you have any questions about this Privacy Policy, want to exercise your rights, or have concerns about how we handle your data, please contact us:
Email: privacy@brainstorm-map.com
Data Protection Officer: dpo@brainstorm-map.com (for GDPR-related inquiries)
For EEA residents: If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
15. Exercising Your Rights
You can exercise most of your data rights directly through your account settings:
Access and Export Data: Use the "Export My Data" feature in Privacy Settings to download all your personal data in a portable format.
Update Information: Edit your account information and preferences directly in Account Settings.
Delete Account: Use the "Delete My Account" button in Privacy Settings to permanently delete your account and associated data.
Manage Consent: Update your consent preferences for analytics and optional features in Privacy Settings.
Cookie Preferences: Manage cookie settings through the cookie consent banner or Cookie Settings page.
For additional requests or assistance, please contact us using the information above. We will respond to your request within 30 days (or as required by applicable law).