Privacy Policy

Effective date: January 25, 2026
Who we are: BrightMind ("we", "us") operates the BrightMind mobile app and brightmind.club website. Contact: stan@brightmind.club.

Cookie Consent Management

We use CookieYes, a cookie consent management platform, to help you control which cookies and tracking technologies are active on our website. When you visit brightmind.club, you'll see a cookie consent banner that allows you to:

  • Accept all cookies — Enable all analytics and advertising features
  • Reject non-essential cookies — Only allow necessary cookies for basic functionality
  • Customize preferences — Choose specific cookie categories you want to allow

You can change your cookie preferences at any time by clicking the cookie settings link in our website footer or by clearing your browser cookies and revisiting the site. CookieYes stores your consent preferences to remember your choices on future visits. (CookieYes Privacy Policy)

Cookie categories we use:

  • Necessary: Essential cookies required for the website to function properly. These cannot be disabled.
  • Analytics: Help us understand how visitors interact with our website through tools like Google Analytics and Microsoft Clarity.
  • Advertisement: Used for advertising and measuring ad performance, including Reddit Pixel tracking.

What we collect

  • Email addresses (optional, app only). During onboarding, we optionally ask for your email address if you'd like to sign up for product updates and news about BrightMind. This is completely optional and not required to use the app. We do not share your email with third parties and keep it private.
  • User account (app). When you use the app, an anonymous account is automatically created to store your preferences, conversation history, and enable features like scheduled reminders and subscriptions. No email or password is required—your account is identified by an anonymous user ID.
  • Voice sessions (app). When you speak, your audio is transmitted in real time to our processors to transcribe, generate a response, and speak back. Through LiveKit Cloud's agent observability features, session data including audio recordings, transcripts, execution traces, and runtime logs are collected and stored for up to 30 days to help us monitor and improve the service. This includes turn-by-turn transcripts, traces of the voice pipeline execution, metrics (token counts, durations, speech identifiers), tool calls, and both user and agent audio recordings. We also store conversation transcripts and AI responses to provide session summaries and improve our service. This includes the text content of your messages, AI responses, and function calls made during sessions.
  • Text conversations (app). When you use the text chat feature, your messages and AI responses are stored to provide conversation history and enable features like action plans. This includes the text content of your messages, AI responses, tool calls, and any action plans proposed by the assistant.
  • File uploads (app). You can share images and documents with the AI assistant. These files are stored in Google Cloud Storage and processed by our AI partners to provide responses. Maximum file size is 25MB per file. We store metadata including filename, file type, and size.
  • User preferences (app). Your settings like theme color, language, custom AI instructions, and preferred task manager are stored to personalize your experience across sessions.
  • Device information (app). To deliver scheduled call reminders and push notifications, we collect your device platform (iOS/Android), push notification tokens, device timezone, and app version.
  • Scheduled calls (app). If you set up scheduled call reminders, we store the reminder times, recurrence patterns, and call event history (e.g., whether a call was accepted or declined).
  • Subscription data (app). If you subscribe to BrightMind Plus, we store your subscription status, the product purchased (monthly/yearly), purchase platform (App Store or Play Store), and expiration date. Payment processing is handled entirely by Apple or Google—we do not receive or store payment card details.
  • Integration data (app). When you connect third-party productivity services (such as Todoist, TickTick, and other task management platforms), we store OAuth tokens to maintain your connection and process data from these integrations to provide personalized coaching. Task data is processed in transit with our AI partners but is not permanently stored on our servers beyond the OAuth tokens needed to maintain your connection.
  • Mobile app analytics (app). We use Amplitude to understand how features are used and improve the app. This includes anonymous usage patterns like which screens are viewed, features used, and subscription events. We do not track personal information through analytics—your user ID is used only to link events within your session.
  • Error reporting (app). We use Sentry to capture app errors and crashes to help us fix bugs. Error reports may include your user ID for debugging purposes, along with device information and error details.
  • Website analytics (landing page only). We use Vercel Web Analytics (cookie-less; sessions discarded after 24 hours) and Microsoft Clarity for session recording and heatmaps. Clarity may collect interaction data (e.g., page views, clicks, scrolls, mouse movement), device/browser metadata, and similar usage information to help us understand usability. Clarity may use cookies or similar technologies. (Vercel, Microsoft Privacy, Clarity FAQ)
  • Advertising & measurement (landing page only). We use Reddit Ads Pixel and Conversions API to measure and improve ad performance. This may collect online identifiers (e.g., IP address, user agent, screen dimensions), your Reddit ad click ID from the URL (rdt_cid) which we store in a first‑party cookie (reddit_click_id, up to 30 days), page views and conversion events (e.g., waitlist signup), and—where available—customer‑provided identifiers such as the email you enter on the page (auto‑advanced matching). Reddit normalizes/hashes identifiers as described in their documentation. (Reddit Pixel)

Processors we use (and typical retention)

We choose privacy-forward defaults and enable zero-data-retention where available. These processors handle data in transit to deliver our services, including processing voice sessions and integration data from connected productivity platforms.

  • Supabase (database and authentication): stores user accounts, conversation history, preferences, and app data. EU-hosted. (Supabase Privacy)
  • Google Cloud Storage (file storage): stores user-uploaded files (images, documents). (Google Cloud Privacy)
  • LiveKit (real-time media transport and agent observability): processes audio/video in transit; may log IP and API/server events. Through LiveKit Cloud's agent observability features, LiveKit collects and stores session data including audio recordings, transcripts, execution traces, and runtime logs for up to 30 days. This data is used to provide insights into agent behavior and user experience. Audio recordings include both user and agent audio, and are uploaded to LiveKit Cloud after sessions end. (LiveKit, Agent Observability)
  • Deepgram (speech-to-text): retains personal data as needed to provide the service; usage logs are typically limited (e.g., Deepgram has stated a 90-day log storage for customers). We configure "no training" options. (Deepgram, developers.deepgram.com)
  • OpenAI (LLM): processes conversation, file uploads, and integration data in transit to generate AI responses and provide personalized coaching; may retain API inputs/outputs up to 30 days to operate the service and prevent abuse; offers Zero Data Retention on eligible endpoints, which we enable where feasible. (OpenAI, OpenAI Community)
  • Cartesia (text-to-speech): supports Zero Data Retention mode; when enabled, they do not store customer audio, transcripts, or outputs. (cartesia.ai)
  • Firebase Cloud Messaging (Android push notifications): delivers scheduled call reminders and notifications on Android devices. (Firebase Privacy)
  • Apple Push Notification Service (iOS push notifications): delivers scheduled call reminders and VoIP calls on iOS devices. (Apple Privacy)
  • RevenueCat (subscription management): manages subscription purchases and status; receives purchase data from App Store and Play Store. (RevenueCat Privacy)
  • Amplitude (mobile app analytics): collects anonymous usage analytics to help us understand how features are used. (Amplitude Privacy)
  • Sentry (error reporting): captures app errors and crashes to help us fix bugs; user ID may be attached for debugging. (Sentry Privacy)
  • Langfuse (AI observability): monitors AI session quality and performance to help us improve the service. (Langfuse Privacy)
  • Vercel Analytics (website only): cookie-less, anonymized analytics; session data is not stored permanently and is discarded after 24 hours. (Vercel)
  • Microsoft Clarity (website only): session recording and heatmaps to understand usability; may collect interaction data and device/browser metadata. See Microsoft’s privacy and FAQ for details. (Microsoft Privacy, Clarity FAQ)
  • Reddit Ads (website only): Pixel & Conversions API to attribute ad performance and deduplicate events between browser and server. Receives identifiers such as IP, user agent, click ID, and (where available) email entered on our site. (Reddit Ads)

Note: Providers may keep limited security/abuse-prevention logs or retain data if required by law. See their policies linked above.

Cookies and similar technologies (website)

Our website uses cookies to provide functionality, analytics, and advertising. These cookies are controlled by our CookieYes consent management platform, which allows you to manage your preferences. Below is a detailed list of cookies we use:

  • CookieYes consent cookies — stores your cookie consent preferences; necessary for the website to remember your choices.
  • reddit_click_id — first‑party cookie set by us when you arrive with a Reddit click ID (rdt_cid) in the URL; used solely for ad attribution and deduplication; expires in up to 30 days. Category: Advertisement
  • Google Analytics — may set cookies to track page views, user behavior, and conversions. These are blocked until you consent to Analytics cookies. Category: Analytics
  • Microsoft Clarity — may set cookies or use local storage to enable session analytics and heatmaps on the landing site. Blocked until you consent to Analytics cookies. Category: Analytics
  • Reddit Pixel — may set cookies to track ad conversions and user behavior for advertising purposes. Blocked until you consent to Advertisement cookies. Category: Advertisement
  • Vercel Web Analytics — does not set cookies; uses cookie-less tracking.

Legal bases (GDPR)

  • Consent (Art. 6(1)(a)): for optional email collection during onboarding to send product updates and news about BrightMind.
  • Performance of a contract (Art. 6(1)(b)): to provide real-time coaching (transcription, generation, and speech).
  • Legitimate interests (Art. 6(1)(f)): to keep the service secure and reliable (e.g., anti-abuse), store conversation history for service improvement and analytics, and provide session summaries to users.
  • Ads/measurement: in the EEA/UK we rely on your consent where required for the Reddit Pixel and related identifiers; elsewhere we may rely on legitimate interests to measure ad performance, subject to your right to object.

International data transfers

Our processors may process data in the U.S. and elsewhere. They use GDPR mechanisms like DPAs and Standard Contractual Clauses. (LiveKit)

Data retention

  • Email addresses: We retain your email address until you unsubscribe or request deletion. You can unsubscribe at any time using the link in our emails or by contacting us.
  • App data: User preferences, conversation history, and session data are retained while your account exists. File uploads are retained until you delete them or request account deletion. You can request deletion at any time via Settings → Share Feedback → Email in the app.
  • LiveKit Agent observability data: Audio recordings, transcripts, execution traces, and runtime logs collected through LiveKit Cloud's agent observability features are retained for 30 days and then automatically deleted. This includes turn-by-turn transcripts, traces of voice pipeline execution, metrics, tool calls, and audio recordings (both user and agent audio). (LiveKit Agent Observability)
  • Integration data: OAuth tokens for connected productivity services (Todoist, TickTick, etc.) are retained while your connection is active. Task data is processed temporarily in transit and is not permanently stored on our servers.
  • Subscription data: Subscription status and purchase information are retained while your account exists and for a reasonable period after cancellation to handle any billing inquiries.
  • Third-party processors: Providers retain only as described above (e.g., OpenAI up to 30 days; Deepgram usage logs commonly up to ~90 days; Vercel Analytics website sessions ≤24 h). (OpenAI, developers.deepgram.com, Vercel)
  • Reddit Ads: We store the click ID cookie for up to 30 days. Reddit's own retention of conversion events and identifiers is governed by Reddit's policies.

Your choices (ads & measurement)

Cookie consent banner: The easiest way to control cookies is through our CookieYes consent banner. You can accept, reject, or customize which cookie categories are active on our website. Your preferences will be saved for future visits.

Browser settings: You can also control browser‑based tracking by adjusting your browser settings, using content blockers, or enabling Do Not Track (where honored). If you are in the EEA/UK and do not consent to advertising cookies/identifiers, you can reject them via our cookie banner or contact us to opt out of server‑side matching. You can also object to processing at any time by emailing stan@brightmind.club.

Your rights (GDPR)

You can access, export, rectify, object, or delete your data. Email stan@brightmind.club. You can also complain to the Polish DPA (UODO). (UODO)

To delete your account and data: Open the app and go to Settings → Share Feedback → Email. Send us a deletion request and we will permanently delete all your data including conversation history, file uploads, preferences, device registrations, scheduled calls, and subscription records. Deletion is typically completed within 30 days.

Children & teens

  • EU/Poland: The digital age of consent is 16. Users under 16 must have verifiable parental/guardian consent for processing. (Linklaters, White & Case, gdprhub.eu)
  • Outside EU: We follow local laws; where consent age is 13–16, under-age users need parental consent. (GDPR)

If we learn a child used the app without required consent, we'll disable use and work to delete related data (subject to provider logs/legal requirements).

Security

All data is transmitted using transport encryption (TLS). We select reputable providers with documented security programs. User data is stored in EU-hosted Supabase with row-level security policies ensuring users can only access their own data.

Changes & contact

We may update this Policy; material changes will be posted with a new effective date.
Contact: stan@brightmind.club.