Privacy Policy
Last updated: April 28, 2026.
1. Introduction and scope
This Privacy Policy describes how Brain Agents AI collects, uses, retains, and shares personal data in connection with the Brain Agents AI website at brainagents.ai and the authenticated application at app.brainagents.ai (together, the "Service"). It applies to visitors to the marketing site, people who join the waitlist, prospective customers, and authenticated users of the Service.
Brain Agents AI is a self-serve, multi-cloud cost optimization product. The Service reads cost-and-optimization data from connected customer cloud accounts on a strictly read-only basis. This Policy covers the personal data Brain Agents AI handles on its own behalf (such as account information for authenticated users) as well as the customer billing data the Service processes on behalf of its customers. It does not cover personal data that customers process independently in their own cloud accounts.
The Service is offered to residents of the United States, Canada (excluding Quebec), Mexico, Argentina, Chile, Colombia, Peru, Uruguay, and other Latin American countries other than Brazil. The Service is not offered to residents of European Union member states, the United Kingdom, Brazil, or Quebec. The geographic restrictions are described in full in the Terms of Service.
If a term is defined in the Terms of Service, this Policy uses the same definition unless stated otherwise.
2. What personal data is collected
Brain Agents AI collects a limited set of personal data, grouped below by the context in which it is collected.
2.1 From marketing-site visitors
Visitors to brainagents.ai who have not signed up for an account encounter only two collection vectors:
- GA4 anonymous analytics. Brain Agents AI uses Google Analytics 4 to measure marketing-site usage. Events captured include page views, scroll depth, click-through events on calls to action, and AI-referrer attribution. GA4 is configured in privacy-minimized mode: Google Signals is off, non-essential data sharing is off, and retention is set to two months (the platform minimum). GA4 is loaded only on marketing routes; it does not load on the authenticated application.
- Waitlist signup. When a visitor joins the waitlist, Brain Agents AI collects the email address only. No name, company, role, IP, or other identifier is captured by the form.
GA4 sets cookies on the visitor's browser to identify a session across page loads. A cookie banner is presented on first visit with accept and reject options; the visitor's choice is honored on the marketing site and can be revisited at any time via the "Cookie Settings" link in the site footer.
The marketing site does not use marketing pixels, session-replay tooling, heatmap tooling, or third-party chat widgets.
2.2 From signup
When a visitor creates an account, Brain Agents AI collects:
- Name, if the user chooses to provide it
- Email address
- Password (handled by Google Cloud Identity Platform / Firebase Authentication; the password hash is stored by the authentication service and is never available to Brain Agents AI in plaintext or any form Brain Agents AI personnel can read)
- Workspace name and configuration values entered during onboarding
2.3 From use of the Service
While a customer uses the Service as an authenticated user, Brain Agents AI collects and processes:
- Account activity: sign-in events, workspace actions, and similar product-usage telemetry, used to operate the Service and to keep an audit trail.
- Cloud connection metadata: which clouds a workspace has connected, sync status, last-sync timestamp, and the result of recent sync runs.
- Customer billing data ingested from connected cloud accounts. This is the cost-and-optimization data described at /security/data-flow: line-item billing data, optimization recommendations from each cloud's native advisors, and the resource metadata required to interpret cost data. This is the customer's data, processed on the customer's behalf to provide the Service. The Service does not read customer code, workload contents, databases, storage objects, network traffic, secrets, or end-user data.
- Support chat content. When an authenticated user uses the in-app support widget, the messages sent and received are processed to answer the user's question. The support widget is restricted to authenticated routes and is not loaded on the marketing site or any unauthenticated route.
- Audit logs: access and security events on the customer's workspace, retained per the operational policy described in /security.
2.4 From payment
Subscription billing is handled by Stripe. Card numbers, expiration dates, CVCs, and similar payment instrument details are collected directly by Stripe and never touch Brain Agents AI infrastructure. Brain Agents AI sees only the billing-contact information, the subscription status, and the invoice metadata that Stripe surfaces back through its API.
3. How personal data is used
Brain Agents AI uses the personal data described above for the following purposes:
- To provide and operate the Service (authentication, workspace operation, cloud syncs, dashboard rendering, AI-agent functionality, support).
- To send transactional communications related to the user's account, billing, security, and waitlist welcome.
- To improve the Service through aggregated, anonymized analysis. Brain Agents AI does not perform identifiable cross-customer aggregation without the affected customers' opt-in consent.
- To comply with legal obligations.
- To detect and prevent abuse, fraud, and security incidents on the Service.
Brain Agents AI does not sell personal data and does not share personal data with advertisers.
4. Who personal data is shared with
Brain Agents AI uses a small number of vendors to operate the Service. The full list, with each vendor's role and the data category it accesses, is at /security/subprocessors. The list is segmented by data type:
- Customer billing data. Google Cloud, including its AI infrastructure, processes customer billing data in us-east1. This is the only vendor that touches customer billing data.
- Account or personal data only. Google Cloud Identity Platform / Firebase Authentication (sign-in), Resend (transactional email), Stripe (payment), and Cloudflare (edge protection) process account information or transactional data. They do not have access to customer billing data ingested from connected cloud accounts.
- Marketing-site analytics only. Google LLC (Analytics) collects anonymous marketing-site visitor data. It does not load on authenticated routes and does not have access to customer accounts or customer billing data.
Brain Agents AI may also disclose personal data when required to do so by law, when responding to a valid legal process, or when necessary to protect the rights, property, or safety of Brain Agents AI, its customers, or the public.
5. Where personal data is stored
Brain Agents AI processes and stores personal data in Google Cloud us-east1 (United States). Customers and visitors who use the Service from outside the United States consent to processing in the United States by using the Service.
Storage destinations and tenant isolation are described in /security and /security/data-flow. Each customer workspace is stored in its own isolated BigQuery dataset, and cross-workspace queries are not possible.
6. How long personal data is retained
Retention follows the windows below.
- Account data. Personal data associated with a customer's account is retained for the life of the subscription, plus a 30-day reactivation window after cancellation. After 30 days, all workspace data is permanently deleted.
- Workspace deletion (customer-initiated). A customer who deletes a workspace directly enters a 7-day cooling period followed by a 90-day soft-delete window during which support can restore the workspace. After 97 days from the deletion request, deletion is permanent.
- Raw billing snapshots. Raw billing snapshots are retained in Google Cloud Storage for 90 days for operational purposes.
- Waitlist email addresses. Waitlist email addresses are retained until you create an account on the Service or until you request deletion. To request deletion, email [email protected].
- GA4 marketing-site data. GA4 retains data for two months, the platform's minimum retention setting.
- Audit logs. Audit logs are retained per Brain Agents AI's security and compliance requirements.
The full mechanics of cloud disconnection, subscription cancellation, and workspace deletion are at /security/disconnect.
7. Customer rights
Subject to the laws of the data subject's jurisdiction, customers and other data subjects may exercise the rights described below. Brain Agents AI honors rights as defined under applicable data protection law in the data subject's jurisdiction.
- Access. A customer may request a copy of the personal data Brain Agents AI holds about them.
- Deletion. A customer may request deletion of their personal data. The mechanics of deletion (cloud disconnection, subscription cancellation, workspace deletion, and the corresponding retention windows) are described at /security/disconnect.
- Correction. A customer may request correction of inaccurate personal data.
- Opt-out of analytics tracking. A marketing-site visitor may opt out of GA4 tracking via the cookie banner on first visit, via the footer "Cookie Settings" link at any later time, or via Google's browser opt-out tool at https://tools.google.com/dlpage/gaoptout.
To exercise any of the rights above, email [email protected]. Brain Agents AI responds within the timeframe required by applicable law in the requester's jurisdiction.
A data subject who believes their rights have not been honored may contact [email protected] directly, and may also have the right to lodge a complaint with the data protection authority in their jurisdiction.
8. Security
Brain Agents AI applies default Google Cloud encryption at rest to all customer data and requires TLS 1.2 or higher in transit. Each customer workspace is stored in its own isolated BigQuery dataset, and engineering access to customer data is granted on a least-privilege basis. The full security posture, including authentication, audit logging, encryption configuration, and vulnerability disclosure, is at /security.
9. Cookies and tracking technologies
Brain Agents AI uses cookies and similar technologies in a limited set of contexts:
- GA4 analytics cookies are set on the marketing site only. GA4 is configured as described in section 2.1 above and is not loaded on authenticated application routes.
- A cookie banner is presented to first-time marketing-site visitors with accept and reject options. The visitor's choice is honored on the site, persisted in the browser, and can be modified at any time via the "Cookie Settings" link in the site footer.
- Strictly necessary cookies are used on app.brainagents.ai to maintain authenticated sessions. These cookies cannot be rejected without rendering the authenticated application unusable.
Brain Agents AI does not load marketing pixels (such as the LinkedIn Insight Tag or the Meta Pixel), session-replay or heatmap tooling, or third-party product-analytics tooling inside the authenticated application.
10. Children
The Service is not directed at users under the age of 13, or the equivalent minimum age in the user's jurisdiction. Brain Agents AI does not knowingly collect personal data from children. If a parent or guardian becomes aware that a child has provided personal data to the Service, they may contact [email protected] and the data will be deleted.
11. International data transfers
All processing occurs in Google Cloud us-east1 (United States). Customers in Canada (excluding Quebec) and in the Latin American countries where the Service is offered consent to processing in the United States by using the Service. The Service is not offered to residents of the European Union, United Kingdom, Brazil, or Quebec; full geographic-scope details and the enforcement layers (jurisdiction language, edge-level geo-block, and a Quebec-residency confirmation at signup) are in the Terms of Service.
12. Changes to this Privacy Policy
Brain Agents AI may update this Privacy Policy from time to time. Material changes will be communicated by email to active customers. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance of the update.
13. Contact
For privacy questions and to exercise data rights, email [email protected].
Mailing address:
Brain Agents AI c/o Summit Path LLC 30 N Gould St Ste N, Sheridan, WY 82801
Brain Agents AI is operated by Summit Path LLC, a Wyoming limited liability company.