Brainiall
Sign inGet started

Privacy Policy

Last updated: 2026-04-28 · Effective immediately

1. Who we are

Brainiall ("we", "us", "our") operates the AI API platform at app.brainiall.com and api.brainiall.com. This Privacy Policy explains how we handle personal data submitted to our products: Background Removal, Audio Enhancement, Speaker Diarization, PDF-to-Markdown, Agent Memory, and the Speech AI / NLP Suite / Image Processing services.

2. Data we collect

We minimize data collection. The categories below are exhaustive:

  • Account data — email, organization name, API keys (we store only SHA-256 hashes), and OAuth identifiers when you sign in.
  • Usage data — per-call timestamps, endpoint, status code, latency, and byte counts for billing and abuse prevention. We do not retain request bodies.
  • API payloads — images, audio, PDFs, or text you submit are processed in-memory and discarded immediately after the response is returned. We do not log, store, or train on customer payloads.
  • Anonymous analytics — page views via Plausible (privacy-friendly, cookieless). No personal identifiers, no cross-site tracking.

3. Lawful basis (GDPR Art. 6)

  • Performance of contract for processing API requests, billing, and account management.
  • Legitimate interests for fraud prevention, rate limiting, and platform security.
  • Consent for any optional analytics or marketing email.

4. How long we keep data

  • API request payloads: 0 seconds after response (in-memory only).
  • Usage metrics (anonymized aggregates): up to 24 months for billing reconciliation.
  • Account records: until you delete your account, then 30 days for fraud prevention.
  • Logs (errors, auth events): up to 90 days.

5. Data subprocessors

We use the following subprocessors to operate the platform:

  • Latitude.sh (US) — bare-metal compute hosting. SOC 2 Type II.
  • Microsoft Azure (US) — Marketplace billing only (when subscribed via Marketplace).
  • Stripe (US) — direct credit card processing for non-Marketplace customers. PCI-DSS Level 1.
  • Plausible (self-hosted) — privacy-friendly analytics, no cookies, no personal data shipped off-platform.

6. International transfers

We are based in Brazil. EU/UK data is processed under Standard Contractual Clauses (SCCs) where applicable. US-side hosting (Latitude / Azure / Stripe) operates under their own attested controls.

7. Your rights (GDPR / CCPA)

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Export your data (data portability)
  • Object to or restrict processing
  • Lodge a complaint with a supervisory authority (e.g., ANPD in Brazil)

To exercise any of these rights, email us at privacy@brainiall.com or use our self-service DSAR endpoint at /api/privacy/request. We respond within 30 days.

8. Security

  • TLS 1.2+ on all endpoints (Let's Encrypt automatic renewal)
  • API keys hashed with SHA-256, never stored in plaintext
  • Per-tier rate limiting (Redis) to prevent abuse
  • Microsoft AD JWT signature validation on Marketplace webhooks
  • Internal API gateway with X-Internal-Key forwarding and 401/403/429 enforcement
  • Container isolation, healthchecks, and auto-restart for self-healing

9. Children's privacy

Our services are not directed to children under 16 (or the local age of digital consent). We do not knowingly collect data from minors.

10. Changes to this policy

We will update this page when our practices change and notify active customers by email for material changes. The "Last updated" date at the top is the source of truth.

11. Contact

Privacy inquiries: privacy@brainiall.com
Brainiall · Terms of Service · Data Processing Addendum