Privacy Notice
Effective: 7 May 2026
Controller
The data controller for BrainLoot is BrainLoot. For privacy enquiries, data subject rights requests, or to nominate a representative on behalf of a child or another person, contact privacy@brainloot.app.
Personal data we process
We process the following categories of personal data when you use BrainLoot:
- Account identity: display name, given/family name (optional), email address, hashed authentication state, profile avatar URL, account creation and last-sign-in timestamps.
- Workspace and guild content: board, deck, card, comment, attachment, checklist, label, and workspace-membership records you create or are added to.
- Billing metadata: Stripe customer id, subscription state, plan tier, seat count, last-four of card and brand (held by Stripe — we do not store full card numbers), invoice references.
- Support and feedback: messages you send to support, in-product feedback, and product issue reports.
- Device, network, and security data: IP address, user-agent, device type, request timestamps, authentication and rate-limit signals, App Check attestations, and audit/security event records.
- Cookie and analytics signals: when you opt in, Google Analytics events such as page views and feature usage. See the Cookie Notice for the full list and your choices.
We do not knowingly request or process special category data (Article 9 UK GDPR). Please do not submit health, biometric, racial, religious, political, sexual orientation, or trade-union data to a BrainLoot workspace.
Lawful bases
Our lawful bases under Article 6(1) UK GDPR are:
- Contract (Art. 6(1)(b)): creating and operating your account, providing the workspace, processing payments and subscription state, providing support.
- Legitimate interests (Art. 6(1)(f)): securing the service against abuse and fraud, applying rate limits, preventing unauthorised access, generating aggregate operational metrics, defending legal claims. We have balanced these interests against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): retaining accounting and tax records, responding to lawful requests from authorities, complying with consumer rights regulations.
- Consent (Art. 6(1)(a)): non-essential cookies and analytics, optional marketing emails. You may withdraw consent at any time without affecting prior processing.
Recipients and processors
We share personal data only with the processors and recipients required to operate BrainLoot:
- Google LLC / Google Ireland (Google Cloud): authentication, database and primary data storage, file storage, server-side compute, abuse protection, hosting, and (with consent) product analytics.
- Stripe Payments Europe Ltd. and Stripe, Inc.: checkout, subscription management, customer portal, payment processing, invoicing, fraud prevention. Stripe is the controller for payment-card data.
- Sendinblue / Brevo (Sendinblue SA): transactional email delivery (password reset, sign-in verification, invitation, billing notifications).
- Atlassian Pty Ltd (Trello): only when you explicitly initiate a Trello board import. We request a short-lived API token to read the boards you select; we do not retain long-lived Trello credentials.
- Cloudflare (reCAPTCHA Enterprise via Google Cloud App Check): bot/abuse signals attached to client requests.
We do not sell personal data, and we do not share workspace content with advertisers or data brokers. Where we engage a sub-processor, we do so under a written data-processing agreement that imposes equivalent confidentiality and security obligations.
International transfers
Our processors operate globally and may process personal data outside the United Kingdom and the European Economic Area, including in the United States. Where transfers occur, we rely on:
- UK adequacy regulations or European Commission adequacy decisions where available;
- the UK International Data Transfer Agreement (IDTA) or UK Addendum to the European Commission’s Standard Contractual Clauses (SCCs) for transfers to non-adequate jurisdictions;
- provider-specific safeguards (for example, Google Cloud’s and Stripe’s SCC commitments).
You can request a copy of the relevant transfer mechanism by emailing privacy@brainloot.app.
Retention
We keep personal data only as long as we need it for the purposes above:
- Account and workspace data: retained while your account is active. After deletion via the Profile panel, account-scoped records are removed from BrainLoot systems. Shared records (for example, cards in a guild owned by another user) remain in that guild.
- Audit and security logs: retained for up to 24 months to investigate abuse, fraud, and security incidents, then deleted or aggregated.
- Billing records: retained for 6 years to comply with UK accounting and tax obligations. Stripe maintains its own retention schedule for payment records.
- Support and legal correspondence: retained for up to 24 months after the matter is closed, then deleted unless retention is required to defend a legal claim.
- Backups: standard cloud backups may persist for up to 30 days after deletion before being overwritten in the normal backup cycle.
Your rights
Subject to the conditions in UK GDPR, you have the right to:
- access the personal data we hold about you (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure (Art. 17);
- restrict processing (Art. 18);
- data portability for data you provided (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw consent at any time (Art. 7(3));
- not be subject to a solely automated decision producing legal or similarly significant effects (Art. 22).
You can exercise access, portability, and erasure directly from the Profile panel using the “Export my data” and “Delete my account” actions. For any other right, email privacy@brainloot.app from the address on your account. We respond within one calendar month and may extend by two further months for complex requests, with notice.
Right to complain
If you believe our processing infringes UK GDPR, you can complain to the UK Information Commissioner’s Office: ico.org.uk/make-a-complaint (0303 123 1113). Users in the EEA may also complain to their local supervisory authority. We would prefer the chance to address your concern first — please email privacy@brainloot.app.
Security
We protect personal data with: Google Cloud authentication with email verification, database and storage security rules enforcing per-user and per-guild access, server-side admin and ownership checks on every callable, App Check / reCAPTCHA Enterprise attestation on sensitive routes, rate limiting, encryption in transit (TLS) and at rest (Google Cloud default encryption), least-privilege service accounts, and audit logging. You are responsible for keeping your password and recovery email secure and for choosing trustworthy collaborators in shared workspaces.
Suspected security issues can be reported to security@brainloot.app or via our responsible disclosure policy.
Children
BrainLoot is not directed to children. We do not knowingly process personal data of users under 13. If you believe a child has provided personal data, contact privacy@brainloot.app and we will delete it.
Changes to this notice
We may update this notice to reflect changes to the service, our processors, or applicable law. The effective date at the top of the page indicates the current version. Material changes will be notified by email or in-product banner where reasonable.
Contact
Privacy: privacy@brainloot.app — Support: support@brainloot.app.