Legal
Privacy Policy
Effective date: May 7, 2026
1. Introduction
CompanyBrain (“we,” “us,” or “our”) operates companybrainai.com and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, company name, and authentication credentials. Authentication is handled by Clerk, Inc. We receive only the profile information necessary to create and manage your account.
2.2 Content You Upload
The Service allows you to upload documents, audio recordings, video files, and other materials (“Content”). We process this Content to provide you with AI-generated transcriptions, summaries, and structured knowledge documents. Your Content is stored securely and associated with your organization’s private namespace.
2.3 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, query logs, session duration, and browser and device type. This data is used to improve the Service and is not sold to third parties.
2.4 Communications
If you contact us by email or through the Service, we retain those communications to respond to inquiries and improve our support.
2.5 Google Drive Integration
If you choose to connect your Google Drive account, we request access only to the specific folder you authorize through Google’s secure OAuth 2.0 flow. We collect and process the names and contents of files within that authorized folder solely to generate structured knowledge documents for your organization. We do not access files outside the folder you select, and we do not access your Gmail, Google Calendar, Google Contacts, or any other Google service.
2.6 Google API Limited Use Disclosure
CompanyBrain’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: Google user data accessed via our Google Drive integration is used only to provide the CompanyBrain knowledge management service to you. We do not use Google user data to serve advertising, do not allow humans to read your Google user data except as necessary to provide the Service or as required by law, and do not transfer Google user data to third parties except as necessary to provide or improve the Service.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process and transcribe uploaded files using AI services
- Generate structured knowledge documents from your Content
- Respond to queries made against your company’s knowledge base
- Send transactional emails (account verification, processing notifications)
- Detect, investigate, and prevent fraud or abuse
- Comply with legal obligations
- Improve and develop new features (using aggregated, anonymized data only)
We do not use your Content to train AI models unless you explicitly opt in to such a program.
4. Third-Party Service Providers
We share information with the following third-party providers who process data on our behalf under appropriate data processing agreements:
| Provider | Purpose |
|---|---|
| Clerk, Inc. | Authentication and identity management |
| Supabase, Inc. | Database and file storage |
| Pinecone, Inc. | Vector database for semantic search |
| Anthropic, PBC | AI content processing and generation (Claude) |
| OpenAI, LLC | Audio transcription (Whisper) and embeddings |
| Vercel, Inc. | Application hosting and deployment |
| Resend, Inc. | Transactional email delivery |
| Google LLC | Google Drive integration (OAuth 2.0 — folder-scoped access only) |
We do not sell your personal information to any third party.
5. Data Retention
We retain account information and Content for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal information and Content within 30 days, except where we are required by law to retain it longer or where anonymized aggregate data is retained for service improvement.
Buyer access tokens and associated session data are retained for 90 days after expiry for audit log purposes, then permanently deleted.
6. Data Security
We implement industry-standard security measures including encryption at rest and in transit, row-level security on all database tables, tenant-namespaced vector stores that prevent cross-tenant data access, and API key authentication with revocation support.
No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but commit to notifying you promptly if a breach affecting your data occurs.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your personal data
- Portability — receive your data in a machine-readable format
- Opt-out — opt out of any marketing communications at any time
- Revoke Google Drive Access — if you have connected Google Drive, you may revoke our access at any time by visiting myaccount.google.com/permissions, selecting CompanyBrain, and clicking “Remove Access.”
To exercise these rights, email us at info@companybrainai.com. We will respond within 30 days.
8. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act. We do not sell personal information. You may request disclosure of what personal information we have collected in the past 12 months by contacting us at the email below.
9. International Data Transfers
Our services are hosted primarily in the United States. If you are located outside the United States, your information is transferred to and processed in the United States. By using the Service, you consent to this transfer. We rely on standard contractual clauses for transfers from the EEA.
10. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Service at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or your data, please contact us at: