Privacy Policy

1. About BrainZone

BrainZone is a personal learning and planning system designed to help individuals organize their goals, tasks, study materials, and weekly schedules in one place. The service is accessible at brainzone.space and via the BrainZone web application.

This Privacy Policy explains what personal information BrainZone collects, how it is used, and the choices you have with respect to that information. By using BrainZone, you agree to the collection and use of information as described here.

2. Information We Collect

Account Information

When you create an account, we collect your email address and, if you choose to sign in with Google, your name and profile picture as provided by Google. We do not store your Google account password. Authentication is handled by Supabase Auth using industry-standard OAuth 2.0 and email/password flows.

Planning & Learning Data

BrainZone stores the content you create within the application, including:

• Tasks, to-do items, and their status
• Goals, milestones, and progress notes
• Weekly and daily planning sessions
• Calendar events you add to BrainZone
• Courses, chapters, and study notes
• Focus sessions (duration and intention)
• AI conversation history within the Soleil assistant

This content belongs to you. It is used solely to provide the service and is never sold or shared for advertising purposes.

Preferences & App State

We store your language preference (English, Hebrew, or Italian), onboarding completion state, and other in-app configuration so your experience is consistent across sessions and devices.

Google Calendar (optional)

If you explicitly choose to connect your Google Calendar, BrainZone requests OAuth access to read and write calendar events on your behalf. We store the OAuth access token and refresh token securely in your account record solely to enable calendar synchronization. This connection is entirely optional. You can revoke it at any time from BrainZone Settings or directly from your Google account permissions page. We do not access any Google data other than your calendar events.

Subscription & Payment Status

If you subscribe to BrainZone, we receive confirmation of your subscription status from PayPal via a secure webhook. We store your subscription status (active, cancelled, etc.) and the date of your last payment. We do not store payment card numbers or full payment details — these are handled exclusively by PayPal.

Technical Information

Our hosting infrastructure (Vercel) may collect standard server logs including IP addresses, request paths, and timestamps as part of normal application operation. This data is used for security, error monitoring, and service reliability purposes and is not linked to your BrainZone profile.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the BrainZone service
• Sync your planning data across your devices and sessions
• Power the Soleil AI assistant with context from your own BrainZone data — specifically your tasks, goals, notes, and plans that you create inside BrainZone. Google Calendar data is not used to power, train, or improve the Soleil AI assistant or any AI model.
• Enable optional calendar synchronization with Google Calendar, solely to display and organize your events inside BrainZone as you have requested
• Process and confirm subscription payments
• Send essential service communications (e.g., account or billing notices)
• Detect and prevent abuse, fraud, or unauthorized access
• Improve and debug the application — excluding Google user data, which is governed exclusively by Section 10 below

We do not use your personal data to train AI models, serve advertisements, or sell information to third parties.

Google user data: None of the general data-use purposes above apply to data received from Google APIs (Google Sign-In or Google Calendar) in any way that would exceed the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only as described in the “Google User Data and Limited Use” section of this Privacy Policy.

4. Data Storage & Security

Your data is stored on Supabase, a cloud database platform hosted on AWS infrastructure in the EU (Frankfurt region). All data is encrypted in transit using TLS and encrypted at rest by the hosting provider.

Access to your data is controlled by Row Level Security policies in our database, which ensure that users can only access their own records. Administrative access is limited and subject to authentication requirements.

While we implement reasonable security measures, no system is completely immune to vulnerabilities. We cannot guarantee absolute security of your data.

5. Third-Party Services

BrainZone uses the following third-party services. Each service has its own privacy policy:

• Supabase — Authentication and database storage. supabase.com/privacy
• Vercel — Application hosting and edge infrastructure. vercel.com/legal/privacy-policy
• Anthropic — Powers the Soleil AI assistant. Messages sent to Soleil are processed by Anthropic's API. Anthropic's data handling policies apply to content processed through their API. anthropic.com/privacy
• PayPal — Subscription payment processing. paypal.com/privacy
• Google — OAuth sign-in and optional Calendar integration. Applies only if you use Google sign-in or connect Google Calendar. policies.google.com/privacy

We do not use third-party advertising networks or behavioral analytics trackers.

6. Your Rights

You have the right to:

• Access — Request a copy of the personal data we hold about you.
• Correction — Request that we correct inaccurate or incomplete data.
• Deletion — You can permanently delete your account and associated data yourself, directly in the app, from Settings → Account → Delete account. This removes your sign-in credentials and your associated app data (profile, courses, notes, tasks, goals, plans, brain dumps, Soleil AI conversations and memory, and your Google Calendar connection and synced mappings) from our systems. If you cannot access your account, you can instead request deletion by contacting us (see the Contact section below) and we will process it. A standalone summary of this process is also available at /account-deletion. Certain records may be retained or anonymized as described in the Data Retention section.
• Portability — Request an export of your planning data in a structured format where technically feasible.
• Revoke connected services — Disconnect Google Calendar at any time from BrainZone Settings.

To exercise any of these rights, contact us at the address below.

7. Data Retention

We retain your account and planning data for as long as your account is active or as needed to provide the service. When you delete your account in the app, your account credentials and associated app data are removed immediately as part of the deletion request.

Some records are retained or anonymized after deletion where this is necessary:

• records required to comply with legal obligations, or for security and fraud-prevention purposes;
• financial, accounting and commission records — such as invoices, subscription/payment history, and ambassador commission entries — required by law. After deletion we remove the link to your account (your user ID), but these records may still contain provider-side payment identifiers (for example PayPal subscription or transaction IDs) needed for accounting, reconciliation and dispute resolution. These identifiers are not removed, so these specific records are retained rather than fully anonymized;
• payment-provider records held by PayPal, which are governed by PayPal's own policies and are stored outside the BrainZone database;
• referral and attribution tracking records, which we retain in anonymized form — the link to your account (your user ID) and device identifiers (such as the recorded user agent) are removed so the records no longer identify you.

Where we are permitted to delete records entirely, we do so within 30 days of the deletion request.

OAuth tokens for Google Calendar are stored until you disconnect the integration or revoke access via Google.

8. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. If changes are material, we will make reasonable efforts to notify you (for example, by posting a notice within the application). Continued use of BrainZone after changes are posted constitutes acceptance of the revised policy.

9. Contact

For privacy-related questions, requests, or concerns, please contact us at:

support@brainzone.space

We aim to respond to all requests within 14 business days.

10. Google User Data and Limited Use

BrainZone's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

BrainZone only accesses Google user data when a user explicitly chooses to use Google Sign-In or connect Google Calendar.

BrainZone uses Google user data only to provide and improve user-facing features that are visible and requested by the user, including:

• signing in with Google;
• connecting and displaying the user's Google Calendar events inside BrainZone;
• creating, updating, or syncing calendar events only when the user requests or enables this functionality.

BrainZone does not use Google user data for advertising, marketing, selling data, profiling, analytics unrelated to the calendar or sign-in feature, or training AI or machine learning models. The Soleil AI assistant uses only BrainZone-native data (tasks, goals, notes, and plans you create in BrainZone) — it does not receive or process your Google Calendar data.

BrainZone does not transfer Google user data to third parties except when strictly necessary to provide or improve the user-facing BrainZone features you have requested, to comply with applicable law, or to protect against security threats or abuse.

If you disconnect Google Calendar or revoke Google access, BrainZone stops accessing new Google Calendar data. Stored OAuth tokens are deleted from your account record. You may also request full deletion of your account data as described in the Your Rights section above.

You can revoke BrainZone's access to your Google account at any time from your Google Account permissions page. For the dedicated Google API disclosure, see our Google API Disclosure page.