Privacy Policy
Last updated: May 15, 2026
Effective date: May 15, 2026
Important: This Privacy Policy applies to all users of ProductBrain, regardless of your location. We are committed to protecting your privacy and being transparent about how we collect, use, and share your personal information.
1. Introduction
Trisafe, a sole trader registered in Australia, trading as ProductBrain ("we", "us", or "our"), operates ProductBrain (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
We are committed to complying with the Australian Privacy Act 1988 (Cth), the European Union's General Data Protection Regulation (GDPR), and other applicable data protection laws.
2. Data Controller and Contact Information
Trisafe, trading as ProductBrain, is the data controller responsible for your personal information.
Contact Information:
Email: privacy@productbrain.com
Support: support@productbrain.com
3. Information We Collect
We collect the following types of information:
3.1 Account Information
When you create an account with ProductBrain, we collect:
- Email address
- Name (if provided)
- Account credentials (managed by Clerk, our authentication provider)
- Profile information (if provided)
3.2 Brain Content and Usage Data
When you use the Service, we collect:
- Your planning data (goals, needs, approaches, jobs, and tasks you create)
- Project metadata (project names, iterations, tags)
- Usage patterns (features used, frequency of access)
- Collaboration data (if you share projects with team members)
3.3 Technical and Analytics Data
We automatically collect technical information including:
- IP address
- Browser type and version
- Device information (type, operating system)
- Session information (login times, session duration)
- Pages visited and features used
- Performance data (load times, errors)
3.4 Payment Information
Payment information is collected and processed by Paddle, our Merchant of Record for all markets.
We do not store your full payment card details. Paddle handles all payment information according to their privacy policy and PCI-DSS compliance requirements. We receive only:
- Transaction confirmations
- Last four digits of payment card
- Billing address information
- Payment status and subscription details
3.5 Communications
If you contact us for support or communicate with us via email, we collect:
- Your email address
- Message content
- Any information you choose to provide in your communications
4. How We Use Your Information
We use your personal information for the following purposes:
4.1 Providing the Service
- Creating and managing your account
- Storing and synchronizing your planning data
- Enabling collaboration features
- Processing payments and managing subscriptions
- Providing customer support
4.2 AI-Assisted Features
- Processing your content through third-party AI services to generate planning suggestions
- Improving the relevance and quality of AI-generated suggestions
4.3 Improving the Service
- Analyzing usage patterns to improve features and user experience
- Identifying and fixing bugs and technical issues
- Developing new features based on user needs
4.4 Communications
- Sending transactional emails (account confirmations, password resets, subscription updates)
- Responding to support inquiries
- Sending important service announcements
- Sending marketing communications (with your consent, where required by law)
4.5 Legal Compliance
- Complying with legal obligations
- Protecting our rights and interests
- Preventing fraud and abuse
5. Data Storage and Location
5.1 Primary Data Storage
Your account information and planning data are stored in Supabase data centers located in Australia. Data is encrypted at rest and in transit using industry-standard encryption protocols.
5.2 Data Residency
While our primary data storage is in Australia, your information may be accessed or processed by our service providers in other countries, including:
- United States (Clerk for authentication, Vercel for hosting, Resend for email)
- European Union (Paddle for international payment processing)
We ensure that all data transfers comply with applicable data protection laws through appropriate safeguards such as Standard Contractual Clauses (SCCs) where required.
6. Third-Party Services and Data Processors
We use the following third-party services to provide and improve our Service:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Clerk | Authentication and user management | Email address, name, account credentials |
| Supabase | Database and real-time synchronization | All account and planning data |
| our AI service provider | AI-assisted planning suggestions | Content you submit to AI features (goals, needs, approaches, jobs) |
| Paddle | Payment processing, Merchant of Record (all markets) | Billing information, payment details, tax information |
| Vercel | Application hosting and delivery | IP address, browser information, usage logs |
| Resend | Transactional email delivery | Email address, email content |
Each of these service providers has their own privacy policy governing how they handle your data. We recommend reviewing their policies:
7. AI Processing and Data Usage
Important Notice: When you use AI-assisted features in ProductBrain, your content is sent to AI services for processing.
7.1 What Data is Processed
When you activate AI features, the following data may be sent to our AI service provider:
- Goals, needs, approaches, and jobs you've created
- Context from your current project or selection
- Your prompts and questions to the AI assistant
7.2 How AI Data is Used
- Your content is processed by our AI service provider to generate planning suggestions, draft content, and respond to your queries
- Your data is NOT used to train third-party AI models
- We do not use your data to train our own models
- AI processing is real-time and on-demand — data is not permanently stored by the AI provider for training purposes
7.3 Opting Out of AI Features
AI features are optional. You can choose not to use AI-assisted features, and your content will not be sent to our AI service provider if you do not activate these features.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to:
8.1 Essential Cookies
Required for the Service to function properly:
- Authentication cookies (Clerk session management) — necessary to keep you logged in
- Security cookies — protect against fraud and abuse
8.2 Analytics Cookies
Help us understand how users interact with the Service:
- Usage analytics (pages visited, features used)
- Performance monitoring (load times, errors)
- User behavior patterns (session duration, frequency)
8.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.
9. Data Retention
We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.
9.1 Active Accounts
While your account is active, we retain all your data to provide continuous service.
9.2 After Account Cancellation
- Your data remains accessible in read-only mode for 30 days after subscription cancellation
- After 30 days, your planning data may be permanently deleted
- You can export your data at any time before deletion
9.3 After Account Deletion
- When you request account deletion, we permanently delete your account and all associated data within 30 days
- Some information may be retained for legal or regulatory purposes (e.g., financial records for tax compliance)
9.4 Legal Retention Requirements
We may retain certain information longer where required by law, such as:
- Financial records (7 years for tax compliance)
- Audit trails and security logs (as required by law)
- Information subject to legal holds or pending litigation
10. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
10.1 Rights Under GDPR (EU/UK Users)
- Right of access: Request a copy of your personal information
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your personal information
- Right to restriction: Limit how we process your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Withdraw consent for processing based on consent
10.2 Rights Under Australian Privacy Act
- Right to access: Request access to your personal information
- Right to correction: Request correction of inaccurate or incomplete information
- Right to complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
10.3 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: privacy@productbrain.com
We will respond to your request within:
- 30 days for GDPR requests
- 30 days for Australian Privacy Act requests
10.4 Account Settings
You can also manage some of your data directly through your account settings:
- Update your profile information
- Export your planning data (JSON, CSV)
- Delete your account and all associated data
- Manage email preferences
11. Data Security
We implement industry-standard security measures to protect your personal information:
11.1 Technical Measures
- Encryption at rest (AES-256) for all stored data
- Encryption in transit (TLS 1.3) for all data transmission
- Secure authentication with multi-factor authentication (MFA) support
- Regular security audits and vulnerability assessments
- Access controls and role-based permissions
11.2 Organizational Measures
- Strict access policies limiting who can access personal data
- Employee training on data protection and security
- Incident response procedures for data breaches
- Regular backups to prevent data loss
11.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify you within 72 hours of becoming aware of the breach (as required by GDPR)
- Notify relevant supervisory authorities as required by law
- Provide information about the nature of the breach and steps we're taking to address it
12. Children's Privacy
ProductBrain is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information as soon as possible.
If you believe we have collected information from a child under 16, please contact us at privacy@productbrain.com.
13. International Data Transfers
As a global service, your personal information may be transferred to and processed in countries other than your country of residence, including:
- Australia (primary data storage via Supabase)
- United States (authentication, hosting, email services)
- European Union (payment processing via Paddle)
13.1 Safeguards for International Transfers
When transferring data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for data transfers outside the EU/EEA
- Data Processing Agreements: With all third-party processors
- Privacy Shield (where applicable): For US-based processors
13.2 Australia-EU Data Transfers
Australia is not recognized by the EU as providing adequate data protection. For transfers of EU personal data to Australia, we rely on Standard Contractual Clauses to ensure GDPR compliance.
14. Payment Processor Privacy
Your payment information is handled by different processors depending on your location:
All payment processing is handled by Paddle as Merchant of Record for all markets:
- Paddle's Privacy Policy applies: paddle.com/privacy
- Paddle collects and processes your payment information, billing address, and tax information
- We receive only transaction confirmations and subscription status from Paddle
- Full payment card details are stored by Paddle, not by ProductBrain
15. Marketing Communications
We may send you marketing communications about ProductBrain, including:
- Product updates and new features
- Tips and best practices
- Special offers and promotions
15.1 Consent
Where required by law (e.g., in the EU), we will only send marketing communications with your explicit consent.
15.2 Opting Out
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Updating your email preferences in your account settings
- Contacting us at privacy@productbrain.com
Note: You will still receive transactional emails (account confirmations, password resets, subscription updates) even if you opt out of marketing communications.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
16.1 Notification of Changes
If we make material changes to this Privacy Policy, we will notify you by:
- Email to your registered email address
- Prominent notice on the Service
- In-app notification
We will provide notice at least 30 days before the changes take effect.
16.2 Continued Use
Your continued use of the Service after the changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should discontinue using the Service and may request deletion of your account.
17. Supervisory Authorities
You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.
17.1 EU/UK Users
EU and UK users can contact their local data protection authority. A list is available at:
17.2 Australian Users
Australian users can contact the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
ProductBrain
Email: privacy@productbrain.com
Support: support@productbrain.com
© 2026 ProductBrain. All rights reserved.