BrainTwo

Privacy Policy

Last Updated: 14 March 2026

2.1 Introduction

BrainTwo ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use the BrainTwo platform and services (the "Service").

BrainTwo is operated by Sugarloaf Consulting Ltd, registered in England and Wales (Company No. 15028503), with its registered office at Building 18 Gateway 1000 Whittle Way, Arlington Business Park, Stevenage, Hertfordshire, England, SG1 2FP. We are the data controller for the personal data we process through the Service.

Privacy Contact:

  • Email: privacy@braintwo.ai
  • Address: Sugarloaf Consulting Ltd, Building 18 Gateway 1000 Whittle Way, Arlington Business Park, Stevenage, Hertfordshire, England, SG1 2FP

2.2 What This Policy Covers

This Privacy Policy applies to personal data collected through the Service, including our website (braintwo.ai), user accounts, Brain profiles, and all related features. It does not cover third-party websites or services linked from our platform.

2.3 Personal Data We Collect

2.3.1 Data You Provide Directly

Account Data: Name, email address, username/slug, password (hashed), profile information (headline, bio, profile picture), and any other information you provide during registration or profile setup.

Payment Data: When you subscribe to Paid Services, our payment processor (Stripe) collects your payment card details, billing address, and related payment information. We receive only the last four digits of your card number, card type, and billing details. We do not store full card numbers.

Brain Source Data (Public Sources — Free Tier): Content you voluntarily provide to build your Brain, including: pasted text, uploaded documents (PDF, DOCX, TXT), LinkedIn data exports (ZIP files you download from LinkedIn and upload to BrainTwo), YouTube transcript data, blog/website URLs for scraping, AI conversation exports (ChatGPT, Claude), and any other content you upload.

Brain Source Data (Private Sources — Paid Tier): Data accessed through authorised integrations via official OAuth APIs, including: Gmail messages, Slack messages and threads, Google Calendar events. You explicitly authorise each connection and can disconnect at any time.

Communication Data: Messages you send to us via email, support requests, or feedback.

2.3.2 Data We Collect Automatically

Usage Data: Pages visited, features used, time spent on pages, click patterns, and interactions with the Service.

Device and Technical Data: IP address, browser type and version, operating system, device type, screen resolution, referring URL, and unique device identifiers.

Brain Interaction Data: Queries submitted to Brains (both by Brain owners and visitors), Brain responses generated, and interaction timestamps.

2.3.3 Data from Third Parties

OAuth Providers: When you connect a third-party account (e.g., Google for Gmail access), we receive authorisation tokens and the data you have consented to share through the OAuth flow.

2.3.4 Special Categories of Data

We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation). However, if you upload content containing such information (e.g., within emails or documents), it may be processed as part of your Brain source data. You are responsible for ensuring you have the appropriate basis for providing such data.

2.4 How We Use Your Personal Data

We process your personal data for the following purposes:

Purpose | Lawful Basis (UK GDPR)
Providing and operating the Service, including Brain creation and hosting | Performance of contract (Art. 6(1)(b))
Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b))
Generating Brain profiles and behavioural dimensions from your source data | Performance of contract (Art. 6(1)(b))
Displaying your public Brain profile and responses to visitors | Consent / Performance of contract (Art. 6(1)(a)/(b))
Sending service-related communications (e.g., account notifications, security alerts) | Legitimate interest (Art. 6(1)(f))
Sending marketing communications (with your consent) | Consent (Art. 6(1)(a))
Analysing usage patterns to improve the Service | Legitimate interest (Art. 6(1)(f))
Preventing fraud, abuse, and security incidents | Legitimate interest (Art. 6(1)(f))
Complying with legal obligations | Legal obligation (Art. 6(1)(c))

2.5 Brain Profiling and AI Processing

2.5.1 How Brain Profiling Works

When you provide source data, our system processes it to build a behavioural profile across multiple dimensions (such as writing style, domain expertise, problem-solving approach, and communication patterns). This profiling is used to generate Brain responses that reflect your professional knowledge and communication style.

2.5.2 Free Tier Profiling

Free tier Brains are profiled across a subset of dimensions using only publicly provided content. No private data is processed for free tier Brains.

2.5.3 Paid Tier Profiling

Paid tier Brains are profiled across the full set of dimensions, incorporating both public and private source data (such as email communication patterns and calendar activity).

2.5.4 Automated Decision-Making

The Brain profiling process constitutes automated processing of your personal data. However, it does not produce legal effects or similarly significant effects concerning you. You can request human review of any profiling output by contacting us at privacy@braintwo.ai.

2.6 How We Handle Third-Party Data in Your Sources

Your source data (particularly emails and Slack messages) will contain personal data about other people. We process this data as follows:

(a) Extraction, not storage of third-party identities. Our profiling system analyses your communication patterns in general terms. It does not create profiles of the people you communicate with.

(b) No verbatim quoting. Brain profiling prompts are explicitly instructed to never quote third parties verbatim. Profiling outputs describe patterns in general terms only.

(c) Public Brain filtering. When your Brain is queried by visitors (public mode), only data derived from published/public sources is used in responses. Private source data (emails, Slack, calendar) is never exposed to public visitors.

(d) Data isolation. All source data is isolated to your account through database-level Row Level Security (RLS). No other user or Brain can access your source data.

2.7 How We Share Your Personal Data

We do not sell your personal data. We share personal data only in the following circumstances:

Service Providers. We use third-party service providers to help operate the Service, including:

  • Supabase (database hosting and authentication)
  • Stripe (payment processing)
  • Anthropic / OpenAI (AI inference — query text is sent to generate responses; no personal data is retained by these providers beyond processing the request)
  • Inngest (background job processing)
  • Resend (transactional email delivery)
  • Vercel (hosting and analytics)

Each service provider processes data only on our instructions and is bound by data processing agreements.

Public Brain Profiles. If you choose to make your Brain public, your profile information (name, headline, bio, expertise tags) and Brain responses to visitor queries will be publicly accessible.

Legal Requirements. We may disclose your personal data if required by law, regulation, legal process, or governmental request.

Business Transfers. In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you of any such transfer and any choices you may have regarding your data.

With Your Consent. We may share your personal data with third parties when you have given us explicit consent to do so.

2.8 No Training on Your Data

Your source data and Brain data are used exclusively for your personal AI Brain. We do not use your data to train general-purpose AI models, share it with other users, or sell it to third parties. Aggregated, anonymised data (which cannot identify you) may be used to improve the Service.

2.9 Data Retention

Data Type | Retention Period
Account data | Duration of your account + 30 days after deletion
Brain source data | Duration of your account; deleted within 30 days of account deletion or source disconnection
Payment data | As required by financial record-keeping laws (typically 6 years under UK law)
Usage and analytics data | 24 months (anonymised thereafter)
Brain interaction logs | 12 months (anonymised thereafter)
Support communications | 24 months after resolution

When you delete your account, we initiate deletion of your Brain and all associated source data within 30 days. Some data may be retained longer where required by law or to resolve disputes.

2.10 Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption at rest: AES-256 encryption for stored data
  • Encryption in transit: TLS 1.3 for all data transmitted between your device and our servers
  • Access controls: Database-level Row Level Security (RLS) ensuring strict data isolation between users
  • Token encryption: OAuth tokens are encrypted with per-user keys at the application level
  • Infrastructure security: Hosted on enterprise-grade cloud infrastructure with regular security updates
  • Access management: Principle of least privilege for all team access to production systems

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

2.11 International Data Transfers

BrainTwo is based in the United Kingdom. Your data may be processed in:

  • United Kingdom (primary)
  • European Economic Area (certain infrastructure providers)
  • United States (certain service providers, including AI inference providers)

2.12 Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights regarding your personal data:

Right of Access. You have the right to request a copy of the personal data we hold about you.

Right to Rectification. You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure. You have the right to request deletion of your personal data in certain circumstances (e.g., when the data is no longer necessary for the purpose it was collected).

Right to Restrict Processing. You have the right to request that we restrict the processing of your personal data in certain circumstances.

Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object. You have the right to object to processing based on legitimate interests. You also have the right to object to direct marketing at any time.

Right to Withdraw Consent. Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Right in Relation to Automated Decision-Making. You have the right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects. Our Brain profiling does not produce such effects, but you may contact us to discuss any concerns.

To exercise any of these rights, contact us at privacy@braintwo.ai. We will respond within one month. If we need additional time (up to two further months), we will inform you within the first month.

Right to Lodge a Complaint. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113

2.13 Children's Privacy

The Service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@braintwo.ai.

2.14 US State Privacy Rights

If you are a resident of California or another US state with applicable privacy legislation:

California (CCPA/CPRA). You have the right to know what personal information we collect and why, request deletion of your personal information, opt out of the sale or sharing of your personal information, and not be discriminated against for exercising your rights. We do not sell personal information. To exercise your rights, contact privacy@braintwo.ai.

Other US States. Residents of Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, and other states with consumer privacy laws may have additional rights. Contact privacy@braintwo.ai to exercise any applicable rights.

2.15 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by posting a notice on the Service at least 14 days before the changes take effect. Your continued use of the Service after the changes take effect constitutes your acceptance of the updated Privacy Policy.

2.16 Contact Us

If you have questions or concerns about this Privacy Policy or our data practices:

  • Email: privacy@braintwo.ai
  • Post: Sugarloaf Consulting Ltd, Building 18 Gateway 1000 Whittle Way, Arlington Business Park, Stevenage, Hertfordshire, England, SG1 2FP