Privacy Policy · Brainprint

The short version

Brainprint reads your saved bookmarks, articles, and similar artefacts to produce a portrait of you as a reader. The data we hold is the data you choose to send us — uploaded export files or items pulled via OAuth from sources you connect. We process it, derive a portrait, and keep both. We do not sell your data, do not run advertising, and do not share inferences about you with third parties for their own purposes. You can ask us to delete everything at any time.

1. Who we are

Brainprint (“Brainprint”, “we”, “us”) operates the website at brainprint.net and is the data controller for personal data described in this policy. Contact: hello@brainprint.net.

If you are based in the European Economic Area (EEA), the United Kingdom, or Switzerland, this policy describes how we comply with the General Data Protection Regulation (GDPR) and the UK GDPR. If you are based in California, the sections marked CCPA apply to you.

2. The data we collect

We collect three categories of personal data:

2.1 Source data you give us

Uploaded files: bookmark exports (Pocket, Chrome, Firefox, Raindrop, Twitter archive, etc.), browsing-history files, and similar exports you voluntarily upload through /import or /import/history. The contents are URLs, page titles, excerpts, tags, timestamps, and source-platform identifiers.
OAuth-pulled saves: items fetched on your behalf from third-party services you connect via /connect — currently GitHub stars, Reddit saved posts (subject to provider approval), YouTube liked videos, Raindrop.io raindrops, and SaveSync bookmarks.
OAuth tokens / API keys: the access tokens, refresh tokens, and personal API keys necessary to perform those reads on your behalf. Tokens are scoped to read-only access where the provider supports per-scope tokens.

2.2 Account-adjacent data

Handle: a chosen username (e.g. your-name) used as the URL slug for your portrait at brainprint.net/your-name. We do not require an email or password.
Display name (optional): a free-text label shown on your portrait masthead.
Email (only if you unlock the Analysis view): collected by Stripe at checkout and shared with us for the purpose of receipts and account-recovery contact.
Stripe customer / session identifiers: opaque tokens linking your unlock to a Stripe transaction. We do not see or store card details.

2.3 Derived data we generate

Embeddings: numerical vector representations of each save’s text, used for clustering.
Themes, metrics, traits, values, focus, and cognitive scores: inferences derived from your saves (Big Five, Schwartz values, regulatory focus, need for cognition, etc.) computed by language models we operate via OpenAI and Anthropic.
Editorial copy: narrative observations and a “voice” descriptor generated by language models from your themes.

2.4 Things we do not collect

No advertising identifiers, fingerprints, or behavioural-tracking cookies.
No third-party analytics scripts. (No Google Analytics, no Meta Pixel, no Segment.)
No payment-card data — Stripe handles that entirely.
No microphone, camera, location, or device sensors.
We attempt to filter sensitive-category data (categorised as health, legal, or finance) before analysis. The filter is best-effort; you should not rely on it as a guarantee.

3. How we use your data

We use the data described in §2 only to:

Generate, store, and serve your portrait at brainprint.net/your-handle.
Process payments for the Analysis-view unlock (via Stripe).
Send transactional emails (e.g. payment receipts).
Fix bugs, debug failed pipelines, and improve the quality of the inference layer (using statistically-aggregated, identifier-stripped signals).
Comply with legal obligations.

We do not use your data to train foundation models, do not share it with brokers, and do not run profiling for advertising purposes.

4. Legal bases for processing (GDPR Art. 6)

Performance of a contract (Art. 6(1)(b)) — for portrait generation, payment processing, and maintaining your account so you can return to your portrait URL.
Legitimate interests (Art. 6(1)(f)) — for security, abuse prevention, and aggregated quality-improvement analytics. Our interest is maintaining a functional, secure service; we balance this against your rights and run minimal-necessary processing.
Consent (Art. 6(1)(a)) — for connecting third-party OAuth sources. You give consent by completing the OAuth flow at the third-party provider; you can revoke it from /connect or directly at the provider at any time.
Legal obligation (Art. 6(1)(c)) — where law requires us to retain or disclose data (e.g. tax records around Stripe transactions).

5. Sub-processors

We share data with the following processors, each of whom acts on our instructions under written data processing terms:

Processor	Purpose	Region
Render	Application hosting and request serving	United States
Supabase	Primary database and file storage	United States (EU region available on request)
Stripe	Payment processing for the Analysis unlock	United States, Ireland
OpenAI	Generating text embeddings used for clustering	United States
Anthropic	Generating editorial copy and trait inferences	United States
Inngest	Background job orchestration for the pipeline	United States
Cloudflare	DNS resolution for brainprint.net	Global edge network

We have data processing agreements with each. Where a processor is in the United States, transfers rely on the EU–U.S. Data Privacy Framework or Standard Contractual Clauses.

6. International transfers

Your data is processed primarily in the United States. By using Brainprint, you acknowledge that your data may be transferred to and processed in countries whose data protection laws differ from your own. We use Standard Contractual Clauses or successor mechanisms approved by the European Commission and the UK Information Commissioner’s Office to lawfully transfer EEA / UK personal data outside those territories.

7. Retention

Source data and derived portrait: kept indefinitely while your portrait is reachable at its URL. Raw uploaded files (the bytes you uploaded) are discarded within sixty seconds of parsing; only the parsed save records remain.
OAuth tokens: kept until you disconnect the source on /connect or revoke at the provider, at which point we delete the token within 7 days.
Stripe records: retained for the minimum period required by tax and accounting law in the relevant jurisdictions, typically 6–7 years.
Server logs: rotated and discarded within 30 days unless required for security investigation.
On request: we delete everything within 30 days of a verified erasure request — see §9.

8. Cookies and similar technologies

Brainprint uses one short-lived signed state cookie during OAuth flows to prevent CSRF attacks. The cookie is essential, expires within ten minutes of issue, and requires no consent banner under ePrivacy because it is strictly necessary to provide the service you requested. We do not use cookies for analytics, advertising, or cross-site tracking.

9. Your rights

Under the GDPR, the UK GDPR, and similar laws, you have the right to:

Access a copy of the personal data we hold about you (Art. 15).
Rectify inaccurate data (Art. 16).
Erase your data (Art. 17). For Brainprint, the canonical action is to email us asking for full account deletion.
Restrict or object to processing in certain circumstances (Arts. 18 and 21).
Receive your data in portable form (Art. 20) — we will export your saves and derived portrait as JSON within 30 days of a verified request.
Withdraw consent at any time, where consent was the legal basis (Art. 7(3)). For OAuth sources, disconnect from /connect or revoke at the provider directly.
Lodge a complaint with a supervisory authority (Art. 77). You may contact the supervisory authority of the EU member state where you live, work, or believe a violation occurred. UK residents can contact the Information Commissioner’s Office at ico.org.uk.

To exercise any of these rights, email privacy@brainprint.net from the address you used at checkout (or include enough information for us to identify you, such as your handle and approximate signup date). We respond within one month, extendable to three for complex requests.

10. CCPA — for California residents

California residents have the right to know what personal information we collect, the right to delete it, and the right to opt out of any sale of personal information. We do not sell or share personal information for cross-context behavioural advertising. To exercise your CCPA rights, email privacy@brainprint.net.

11. Automated decision-making

Your portrait includes scores and observations generated by language models (Big Five, Schwartz values, etc.). These are descriptive — they describe patterns in what you have read — and are not used to make decisions that produce legal or similarly significant effects on you within the meaning of GDPR Art. 22. We provide them as editorial commentary and recommend you treat them as such.

12. Children

Brainprint is not directed at people under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, email privacy@brainprint.net and we will delete the data.

13. Security

We use TLS for every request, encrypted-at-rest storage via our database provider, scoped service credentials, row-level security on user tables, signed state on OAuth roundtrips, and least-privilege API keys for third-party services. No system is perfectly secure; if a breach affects you, we will notify you and the relevant supervisory authority within 72 hours where required by Art. 33 GDPR.

14. Changes to this policy

We may update this policy as the service evolves. Material changes are reflected in the “Last updated” date at the top and announced on the site for 30 days before they take effect. Continued use after the effective date constitutes acceptance.

15. Contact

For privacy enquiries, data subject requests, or questions about this policy:

Email: privacy@brainprint.net
General contact: hello@brainprint.net

Last updated 29 April 2026. Effective from 29 April 2026.

Privacy Policy.