BrainFlow Privacy Policy
Last updated: June 6, 2026
BrainFlow (“we”, “us”, “our”) is a voice-to-notes app. This policy explains what we process, why, and how to reach us.
Data Controller: An individual based in the United Kingdom
Contact: [email protected]
Our Privacy Promise
- We don’t sell your data or use it for advertising.
- We don’t use third-party advertising trackers or behavioral analytics SDKs.
- We collect personal data only when you choose to provide it.
Summary (TL;DR)
- Your library: Your notes, transcripts, and recordings are stored in your own private BrainFlow library in the cloud, backed up and synced across your devices. You control export and deletion.
- Account: You can start as a guest with no signup. To back up and sync, you may claim an account (Apple, Google, or an email code). Our authentication provider handles sign-in.
- Transcription & AI: We send your audio to a speech-to-text provider to create a transcript, then send the transcript text to an AI provider to generate a title, summary, and tasks.
- No advertising or tracking: We don’t use advertising identifiers (IDFA/GAID), App Tracking Transparency, attribution SDKs, or behavioral analytics.
- Deletion: Deleting a note moves it to Trash. After 30 days, we permanently remove it, including its audio.
Data We Process
Stored in your BrainFlow library (cloud)
We store your content in your own private library so it’s backed up and available across your devices:
- Voice recordings you create or import
- Transcripts, notes, summaries, tasks, and any edits you make
- Your folders and tags
- App preferences and settings
Account information (if you claim an account)
You can use BrainFlow as a guest without signing up. If you claim an account, our authentication provider records your chosen sign-in method (Apple, Google, or an email address) so your library can sync and be recovered. We don’t store sign-in passwords ourselves.
Sent off-device for processing
When you record or import audio and ask BrainFlow to process it:
- Your audio is uploaded to our backend and sent to a speech-to-text provider, which returns a transcript.
- The transcript text (not your audio) is then sent to an AI provider to generate a title, summary, suggested tags, and tasks.
- We keep your recordings, transcripts, and notes in your library until you delete them. See Data Retention & Deletion.
Subscriptions
The Apple App Store or Google Play and our subscription tools handle purchases. We receive your subscription status (for example, whether you’re on a free or paid plan) but not your card details.
Exports you initiate
- Email export: when you email a note, our email provider delivers it to the address you choose.
- Notion export: if you connect Notion, BrainFlow writes the notes you choose into your Notion workspace. We encrypt your Notion access token before storing it.
- Markdown archive: you can export your notes as a Markdown archive at any time.
What we do not collect
- Name, email, or contact details, unless you provide them (for example, by claiming an account or contacting us)
- Location data
- Advertising identifiers (IDFA/GAID)
- Behavioral profiling or advertising analytics
Why We Use Your Data (Purposes)
- App functionality: Record, transcribe, summarize, organize, sync, and back up your notes across your devices.
- Reliability & abuse prevention: Keep the service working and prevent misuse (rate limiting, error diagnosis, fraud prevention).
- Account & subscription management: Authenticate you, sync your library, and manage your plan.
Legal Bases (UK GDPR)
- Performance of a contract (Art. 6(1)(b)): To provide the transcription, notes, sync, and account services you request.
- Legitimate interests (Art. 6(1)(f)): To keep the service secure and reliable and to prevent fraud and abuse. We use the minimum data necessary and do not use it for advertising.
Third-Party Services (Processors)
We use processors only to deliver core functionality:
- Convex – cloud database and file storage that hosts your BrainFlow library (notes, transcripts, and recordings).
- Clerk – authentication and account management when you claim an account.
- xAI – speech-to-text transcription. Receives the audio you submit and returns a transcript.
- Vercel AI Gateway / Google Gemini – note intelligence. Receives the transcript text (not your audio) to generate a title, summary, suggested tags, and tasks.
- RevenueCat & Superwall – subscription management and the upgrade screen.
- Resend – delivers the email exports you initiate.
- Notion – receives notes you choose to export. We connect via OAuth and encrypt your access token before storing it.
- App Stores (Apple, Google) – billing and app distribution.
Processors act under our instructions. We configure them to handle your content only as needed to run the service.
Data Retention & Deletion
- Your library: Recordings, transcripts, and notes are kept until you delete them. Deleting a note moves it to Trash, and it is permanently removed — including its audio and any derived data — after 30 days.
- Local copies: BrainFlow may keep a local copy of already-uploaded audio on your device for faster playback. You can clear this cache at any time; clearing it does not delete the copy in your cloud library.
- Support emails: If you contact us, we keep your message only as long as needed to respond and meet legal obligations.
- Operational logs: We keep limited technical logs for reliability and security. These do not contain your audio, transcripts, or note content.
Security
- All transfers use HTTPS/TLS.
- We hold your library in our backend’s managed storage, protected by authentication and least-privilege access controls.
- Connected service tokens (such as Notion) are encrypted at rest.
- BrainFlow does not currently offer end-to-end encryption: your content is encrypted in transit and is readable by our processing systems to provide transcription, AI features, and sync.
International Transfers
Our processors may handle data in the United States and other regions. Where data is transferred outside the UK/EU, we rely on appropriate safeguards (for example, Standard Contractual Clauses) as required by UK GDPR.
Your Rights
You can:
- Access/export your notes (from the app).
- Delete recordings and notes (from the app). Deleted items are removed permanently after 30 days in Trash.
- Object or restrict processing by not initiating transcription.
- Delete your account and data: Contact us to delete your account and the content in your library.
- Questions or complaints? Email [email protected]. You may also lodge a complaint with your local data protection authority (in the UK, the ICO).
Children’s Privacy
BrainFlow is not intended for children. We do not knowingly process children’s data.
Changes to This Policy
If we make material changes, we’ll update the “Last updated” date and, where appropriate, notify you in-app at least 30 days before changes take effect.
Contact
Questions or requests: [email protected]