Privacy Policy
Last updated: June 17, 2026
Effective date: June 17, 2026
Important: This Privacy Policy applies to all users of ProductBrain, regardless of your location. We are committed to protecting your privacy and being transparent about how we collect, use, and share your personal information.
1. Introduction
Trisafe (ABN 34 935 278 644), a sole trader registered in Queensland, Australia, trading as ProductBrain ("we", "us", or "our"), operates ProductBrain (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
We are committed to complying with the Australian Privacy Act 1988 (Cth), the European Union's General Data Protection Regulation (GDPR), and other applicable data protection laws.
2. Data Controller and Contact Information
Trisafe (ABN 34 935 278 644), trading as ProductBrain, is the data controller responsible for your personal information.
Contact Information:
Email: privacy@productbrain.com
Support: support@productbrain.com
3. Information We Collect
We collect the following types of information:
3.1 Account Information
When you create an account with ProductBrain, we collect:
- Email address
- Name (if provided)
- Account credentials (managed by Clerk, our authentication provider)
- Profile information (if provided)
3.2 Brain Content and Usage Data
When you use the Service, we collect:
- Your planning data (goals, needs, approaches, jobs, and tasks you create)
- Project metadata (project names, iterations, tags)
- Usage patterns (features used, frequency of access)
- Collaboration data (if you share projects with team members)
3.3 Technical and Analytics Data
We automatically collect technical information including:
- IP address
- Browser type and version
- Device information (type, operating system)
- Session information (login times, session duration)
- Pages visited and features used
- Performance data (load times, errors)
- Session recordings of your interactions with the app (via PostHog), captured with all text and form inputs masked so the content of your planning data is not recorded
3.4 Payment Information
Payment information is collected and processed by Paddle, our Merchant of Record for all markets.
We do not store your full payment card details. Paddle handles all payment information according to their privacy policy and PCI-DSS compliance requirements. We receive only:
- Transaction confirmations
- Last four digits of payment card
- Billing address information
- Payment status and subscription details
3.5 Communications
If you contact us for support or communicate with us via email, we collect:
- Your email address
- Message content
- Any information you choose to provide in your communications
4. How We Use Your Information
We use your personal information for the following purposes:
4.1 Providing the Service
- Creating and managing your account
- Storing and synchronizing your planning data
- Enabling collaboration features
- Processing payments and managing subscriptions
- Providing customer support
4.2 AI-Assisted Features
- Processing your content through third-party AI services to generate planning suggestions
- Improving the relevance and quality of AI-generated suggestions
- Free accounts only: Logging AI interactions (prompts, responses, and associated context) for quality improvement, prompt testing, and service enhancement. Logged data may be reviewed by ProductBrain staff or used as anonymised test data. This logging does not apply to paid accounts.
- All accounts: Recording the number of AI tokens consumed by each request — but not the content of the request — to meter your AI credit usage.
4.3 Improving the Service
- Analyzing usage patterns to improve features and user experience
- Identifying and fixing bugs and technical issues
- Developing new features based on user needs
4.4 Communications
- Sending transactional emails (account confirmations, password resets, subscription updates)
- Responding to support inquiries
- Sending important service announcements
- Sending marketing communications (with your consent, where required by law)
4.5 Legal Compliance
- Complying with legal obligations
- Protecting our rights and interests
- Preventing fraud and abuse
4.6 Free and No-Login Demo Sessions
- Free accounts and the no-login demo only: When an agent or user drives ProductBrain through the API on a free or no-login (demo) session, we record the content of those API interactions — the searches run, the changes made, and the sequence of calls — to understand how builders and their agents use the product and to improve it. Because the demo is a public surface reachable without an account or sign-up, we disclose this here. This does not apply to paid accounts, whose interaction content is never logged.
5. Data Storage and Location
5.1 Primary Data Storage
Your account information and planning data are stored, via Supabase, in the United States (Amazon Web Services, us-west-2 / Oregon region). Data is encrypted at rest and in transit using industry-standard encryption protocols.
5.2 Data Residency
Your information may be accessed or processed by our service providers in other countries, including:
- United States (Supabase for data storage in AWS us-west-2, Clerk for authentication, Vercel for hosting, Resend for email, and Google for AI processing via the Gemini API)
- European Union (Paddle for international payment processing; PostHog for product analytics, which is EU-hosted)
We ensure that all data transfers comply with applicable data protection laws through appropriate safeguards such as Standard Contractual Clauses (SCCs) where required.
6. Third-Party Services and Data Processors
We use the following third-party services to provide and improve our Service:
| Service | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication and user management | Email address, name, account credentials |
| Supabase | Database and real-time synchronization | All account and planning data |
| Google LLC (Gemini API) | AI-assisted planning suggestions and semantic search (text embeddings) | Content you submit to AI features and the text of nodes you create or search (goals, needs, approaches, jobs, tasks, and your queries) |
| Paddle | Payment processing, Merchant of Record (all markets) | Billing information, payment details, tax information |
| Vercel | Application hosting and delivery | IP address, browser information, usage logs |
| PostHog | Product analytics and session replay (EU-hosted) | Usage events, identified user ID, device/browser metadata, and session recordings with all text and inputs masked |
| Resend | Transactional email delivery | Email address, email content |
Each of these service providers has its own privacy policy governing how it handles your data. We recommend reviewing their policies:
A standalone, versioned list of our subprocessors — with the purpose, data shared, processing region, and DPA status for each — is maintained at productbrain.com/subprocessors. Customers may request advance notice of changes to this list.
6.1 Public Share Links
ProductBrain lets you create a public share link to a read-only view of a project. Anyone who has the link can open that view without logging in — the link itself acts as the credential. A shared view includes the project's name, the items you choose to share (their titles, descriptions, and structure), and your iteration names; free-text notes are excluded. Only create a share link for content you are comfortable making publicly accessible to anyone who obtains the link.
Share links remain active once created. There is currently no self-service control to revoke a share link; to have a shared view disabled, contact us at privacy@productbrain.com.
7. AI Processing and Data Usage
Important Notice: When you use AI-assisted features in ProductBrain, your content is sent to AI services for processing.
7.1 What Data is Processed, and Where it Goes
Our AI subprocessor is Google LLC, via the Gemini API. Your brain content is sent to Google in two distinct ways:
- AI assistance. When you use AI-assisted features (drafting, summaries, reviews), we send the relevant context — goals, needs, approaches, and jobs you've created, the surrounding project structure, and your prompts and questions — to the Gemini API to generate suggestions.
- Semantic search (embeddings). To power search and related-item matching, the text of nodes you create or update, and your search queries, is sent to Google's embeddings model. This happens as part of normal use, not only when you explicitly invoke an "AI" button.
- Task classification. When you add a task, its title and description are sent to the Gemini API to classify it (for example, as a quick to-do or a memo to revisit later) so your inbox can route it. This happens as part of normal use.
7.2 How AI Data is Used
- Your content is processed by Google (Gemini API) to generate planning suggestions, draft content, respond to your queries, and produce search embeddings.
- Your content is not used to train any AI model — Google's or ours. We access the Gemini API through a paid Google Cloud project, and your content is processed under Google's Customer Data Processing Addendum (CDPA) and paid-tier service terms. Under those terms, Google does not use prompts or responses submitted through the paid service to train or improve its models or products. We do not use your data to train any model of our own.
- Your AI data is processed only to provide the Service. Google may retain inputs for a limited period for abuse monitoring and to meet its legal obligations, as set out in those terms, and for no other purpose.
- The same basis applies to the search embeddings and task classification described in §7.1, which are processed under the same paid Google Cloud project and terms.
- Paid accounts: AI interactions are never logged by us. As described in §4.2, our own logging of AI prompts, responses, and context applies to free accounts only and never to paid accounts.
7.3 Opting Out of AI Features
AI-assisted drafting features are optional — if you do not activate them, your content is not sent to Google for those features. Note, however, that semantic search embeddings (§7.1) are generated as part of normal product use; if you need to avoid all transfer of node text to the AI subprocessor, contact us at privacy@productbrain.com to discuss available options.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies for the following purposes:
8.1 Essential Cookies
Required for the Service to function properly:
- Authentication cookies (Clerk session management) — necessary to keep you logged in
- Security cookies — protect against fraud and abuse
8.2 Analytics Cookies
Help us understand how users interact with the Service:
- Usage analytics (pages visited, features used)
- Performance monitoring (load times, errors)
- User behavior patterns (session duration, frequency)
8.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.
9. Data Retention
We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.
9.1 Active Accounts
While your account is active, we retain all your data to provide continuous service.
9.2 After Account Cancellation
- Your data remains accessible in read-only mode for 30 days after subscription cancellation
- After 30 days, your planning data may be permanently deleted
- You can export your data at any time before deletion
9.3 After Account Deletion
- When you request account deletion, we permanently delete your account and all associated data within 30 days
- Some information may be retained for legal or regulatory purposes (e.g., financial records for tax compliance)
9.4 Legal Retention Requirements
We may retain certain information longer where required by law, such as:
- Financial records (7 years for tax compliance)
- Audit trails and security logs (as required by law)
- Information subject to legal holds or pending litigation
10. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
10.1 Rights Under GDPR (EU/UK Users)
- Right of access: Request a copy of your personal information
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your personal information
- Right to restriction: Limit how we process your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Withdraw consent for processing based on consent
10.2 Rights Under Australian Privacy Act
- Right to access: Request access to your personal information
- Right to correction: Request correction of inaccurate or incomplete information
- Right to complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
10.3 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: privacy@productbrain.com
We will respond to your request within:
- 30 days for GDPR requests
- 30 days for Australian Privacy Act requests
10.4 Account Settings
You can also manage some of your data directly through your account settings:
- Update your profile information
- Export your planning data (JSON)
- Delete your account and all associated data
- Manage email preferences
11. Data Security
We implement industry-standard security measures to protect your personal information:
11.1 Technical Measures
- Encryption at rest (AES-256) for all stored data
- Encryption in transit (TLS 1.3) for all data transmission
- Secure authentication with multi-factor authentication (MFA) support
- Regular security audits and vulnerability assessments
- Access controls and role-based permissions
11.2 Organizational Measures
- Strict access policies limiting who can access personal data
- Employee training on data protection and security
- Incident response procedures for data breaches
- Regular backups to prevent data loss
11.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify you within 72 hours of becoming aware of the breach (as required by GDPR)
- Notify relevant supervisory authorities as required by law
- Provide information about the nature of the breach and steps we're taking to address it
12. Children's Privacy
ProductBrain is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information as soon as possible.
If you believe we have collected information from a child under 16, please contact us at privacy@productbrain.com.
13. International Data Transfers
As a global service, your personal information may be transferred to and processed in countries other than your country of residence, including:
- United States (primary data storage via Supabase in AWS us-west-2; plus authentication, hosting, email services, and AI processing via Google's Gemini API)
- European Union (payment processing via Paddle; product analytics via PostHog)
13.1 Safeguards for International Transfers
When transferring data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for data transfers outside the EU/EEA
- Data Processing Agreements: With all third-party processors
- EU-US Data Privacy Framework (where applicable): For US-based processors that are certified under the framework
13.2 Transfers to Countries Without EU Adequacy
Our primary data storage (United States) and several of our service providers are located in countries that the EU has not recognized as providing full adequacy. For transfers of EU personal data to those countries, we rely on Standard Contractual Clauses (and, where applicable, the EU-US Data Privacy Framework) to ensure GDPR compliance.
14. Payment Processor Privacy
All payment processing is handled by Paddle as Merchant of Record for all markets:
- Paddle's Privacy Policy applies: paddle.com/privacy
- Paddle collects and processes your payment information, billing address, and tax information
- We receive only transaction confirmations and subscription status from Paddle
- Full payment card details are stored by Paddle, not by ProductBrain
15. Marketing Communications
We may send you marketing communications about ProductBrain, including:
- Product updates and new features
- Tips and best practices
- Special offers and promotions
15.1 Consent
Where required by law (e.g., in the EU), we will only send marketing communications with your explicit consent.
15.2 Opting Out
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Updating your email preferences in your account settings
- Contacting us at privacy@productbrain.com
Note: You will still receive transactional emails (account confirmations, password resets, subscription updates) even if you opt out of marketing communications.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
16.1 Notification of Changes
If we make material changes to this Privacy Policy, we will notify you by:
- Email to your registered email address
- Prominent notice on the Service
- In-app notification
We will provide notice at least 30 days before the changes take effect.
16.2 Continued Use
Your continued use of the Service after the changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should discontinue using the Service and may request deletion of your account.
17. Supervisory Authorities
You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.
17.1 EU/UK Users
EU and UK users can contact their local data protection authority. A list is available at:
17.2 Australian Users
Australian users can contact the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
ProductBrain
Email: privacy@productbrain.com
Support: support@productbrain.com
© 2026 ProductBrain. All rights reserved.