Privacy Policy

Last updated: April 21, 2026

1. Data Controller

The data controller is BrainFlow AI, a simplified joint-stock company registered under SIREN 898 587 332, with its registered office at 8 B RUE ABEL, 75012 PARIS, FRANCE.

Data protection contact: hello@brain-flow.ai

2. Data We Collect

BrainFlow collects only data strictly necessary for the service to function:

  • Account data: email address, user name, company name;
  • Conversation data: content of emails on which BrainFlow is CC'd, including sender and recipient addresses;
  • Payment data: processed exclusively by Stripe — BrainFlow AI does not store any banking information.

No data is collected outside of threads where the BrainFlow assistant is explicitly CC'd.

3. Purpose of Processing

Data is processed for the following purposes:

  • Providing the email assistance service (drafts, alerts, question responses);
  • Maintaining service security and availability;
  • Complying with legal and regulatory obligations;
  • Communicating with the user when necessary (support, security alerts).

4. AI Processing

BrainFlow uses a self-hosted artificial intelligence infrastructure. No email content is transmitted to third-party services such as OpenAI, Anthropic, or Google for processing. All analysis is performed on servers controlled by BrainFlow AI, hosted within the European Union.

5. Cookies and Analytics

The website uses Google Analytics for audience measurement purposes. This service places anonymized cookies to analyze site traffic. You can disable Google Analytics via the cookie management panel or by installing the opt-out module available at: tools.google.com/dlpage/gaoptout.

6. Data Retention

Conversation data is retained as long as the user account is active. Upon account termination or deletion, all data is irreversibly deleted within 30 days, in accordance with our zero-data-retention policy.

7. Security

BrainFlow implements technical and organizational security measures in line with industry standards:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256);
  • Hosting on secure infrastructure, SOC 2 Type II certified;
  • Restricted access and traceability of actions on systems;
  • Zero-data-retention policy: no data is used to train AI models.

8. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: obtain a copy of your data;
  • Right to rectification: correct inaccurate data;
  • Right to erasure: request deletion of your data;
  • Right to data portability: retrieve your data in a structured format;
  • Right to object: object to the processing of your data;
  • Right to restriction: temporarily restrict processing.

To exercise these rights, contact us at hello@brain-flow.ai. We respond to all requests within 30 days.

9. Sub-processors and Transfers

BrainFlow AI uses the following sub-processors for specific functions:

  • Stripe — payment processing (United States, covered by EU Commission Standard Contractual Clauses);
  • Google Analytics — audience measurement (United States, anonymized data).

No personal data is transferred outside the European Union, except for the above-mentioned cases covered by appropriate GDPR safeguards.

10. Changes to This Policy

BrainFlow AI reserves the right to modify this privacy policy. Any substantial change will be notified by email to registered users. We encourage you to review this page regularly.

11. Contact

For any questions regarding data protection: hello@brain-flow.ai

You also have the right to lodge a complaint with the CNIL.