Privacy Policy
Effective Date: March 1, 2026 · Last Updated: March 1, 2026
Brainflood ("we," "us," or "our") operates the website at brainflood.com
and the Brainflood platform (collectively, the "Service"). This Privacy Policy explains
how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree,
please do not use the Service.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: When you register, we collect your name, email address, username, and password (stored as a salted hash — we never store plaintext passwords).
- Profile Information: Optional details you add to your profile, such as a display name, avatar image, or bio.
- Payment Information: If you subscribe to a paid plan, payment is processed by our third-party payment processor. We do not store credit card numbers, CVVs, or full payment card details on our servers. We may store a truncated card identifier, billing address, and transaction history for record-keeping.
- User-Generated Content: Trivia questions you create, team names, game configurations, forum posts, messages, and other content you submit through the Service.
- Communications: If you contact us via email, we retain the content of your messages, your email address, and our responses.
- Email Signup: If you submit your email via our alpha/beta signup form, we collect your email address solely to notify you of launch availability.
1.2 Information Collected from Players
Players who join games via QR code or game code are not required to create an account.
For these anonymous players, we collect:
- Player Display Name: The nickname entered when joining a game (this is user-chosen and may be a pseudonym).
- Game Participation Data: Answers submitted, scores, and game interaction timestamps.
- Device Information: Browser type, screen size, and IP address (used for session management and abuse prevention).
Player game data is associated with the game session, not with a persistent identity, unless the player is also a registered user.
1.3 Information Collected Automatically
- Usage Data: Pages visited, features used, click patterns, time spent on pages, referring URLs, and navigation paths.
- Device & Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preference.
- Cookies & Similar Technologies: See Section 6 (Cookies) below.
- Log Data: Server logs that record requests, timestamps, HTTP status codes, and related technical data.
2. How We Use Your Information
We use collected information for the following purposes:
- Provide and Operate the Service: Authenticate users, manage accounts, host games, track scores, and deliver features you request.
- AI Features: When you use AI-powered features (AI Host Engine, AI question generation), your game configuration and prompts are sent to our AI provider (Anthropic) for processing. We do not send your personal account information (email, password) to AI providers. See Section 4 for details.
- Analytics and Improvement: Understand how users interact with the Service to improve features, fix bugs, and optimize performance.
- Communication: Send transactional emails (account verification, password resets, subscription confirmations) and, if you opt in, product updates and announcements.
- Billing and Payments: Process subscriptions, issue receipts, and manage billing inquiries.
- Security and Fraud Prevention: Detect, investigate, and prevent unauthorized access, abuse, spam, and other harmful activity.
- Legal Obligations: Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
3. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in the following circumstances:
- Service Providers: We use third-party vendors to help operate the Service (hosting, analytics, payment processing, email delivery). These providers access your information only as necessary to perform their functions and are contractually obligated to protect it.
- Game Participants: During a game, player display names and scores are visible to the host and other players in that game session. This is a core feature of the Service.
- Forum and Community: Posts, comments, and profile information you share in community features are visible to other registered users.
- Legal Requirements: We may disclose information if required by law, subpoena, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
- With Your Consent: We may share information for other purposes if you give us explicit consent.
4. AI Features and Third-Party AI Processing
Brainflood uses artificial intelligence to power features such as the AI Host Engine
(automated trivia hosting with text-to-speech and commentary) and AI-powered question generation.
- AI Provider: AI features are powered by Anthropic's Claude. When you use AI features, relevant game data (question text, round configuration, AI personality settings) is sent to Anthropic's API for processing.
- What Is Sent: Game content and configuration data. We do not send your email, password, payment information, or other personal account details to AI providers.
- What Is Not Sent: Personal identification information, payment details, or private messages.
- Data Retention by AI Provider: Anthropic's data handling is governed by their own privacy policy and terms of service. We recommend reviewing Anthropic's Privacy Policy for details on how they handle data received through their API.
- Opting Out: AI features are optional. You can host games manually without using the AI Host Engine or AI question generation.
5. Third-Party Services
We use the following third-party services that may collect information:
- Google Analytics (GA4): We use Google Analytics to understand how visitors interact with our website. Google Analytics collects information such as pages visited, session duration, and general geographic region. This data is aggregated and does not personally identify you. You can opt out using the Google Analytics Opt-out Browser Add-on. See Google's Privacy Policy.
- Google Fonts: We load fonts from Google Fonts, which may collect your IP address. See Google Fonts Privacy FAQ.
- Payment Processor: Subscription payments are handled by a third-party payment processor. Your payment information is collected and processed directly by the processor under their own privacy policy.
6. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential Cookies: Required for authentication (JWT session tokens stored in httpOnly cookies), security, and basic Service functionality. These cannot be disabled without breaking the Service.
- Preference Cookies: Store your settings such as theme preference (dark/light mode). These improve your experience but are not strictly required.
- Analytics Cookies: Used by Google Analytics to collect aggregated usage data. These help us understand traffic patterns and improve the Service.
We do not use advertising cookies or third-party tracking cookies for ad targeting.
Managing Cookies: You can control cookies through your browser settings.
Most browsers allow you to block or delete cookies. Note that disabling essential cookies
will prevent you from logging in and using core features.
7. Data Retention
- Account Data: Retained for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
- Game Data: Game session data (questions asked, scores, player answers) is retained to provide analytics and game history features. Anonymized game data may be retained indefinitely for aggregate analytics.
- Anonymous Player Data: Game participation data from anonymous players (those who join via QR code without an account) is retained with the game session and does not include persistent personal identifiers.
- Server Logs: Retained for up to 90 days for security and debugging purposes, then automatically purged.
- Beta Signup Emails: Retained until we send the launch notification, after which they are deleted unless you create an account.
8. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- All data transmitted between your browser and our servers is encrypted via TLS (HTTPS).
- Passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plaintext.
- Authentication tokens (JWT) are stored in httpOnly cookies, which page scripts cannot read, to prevent token access through cross-site scripting (XSS).
- Database access is restricted and credentials are managed through a dedicated secrets management system.
- We conduct regular security reviews of our codebase and infrastructure.
No method of transmission over the Internet or electronic storage is 100% secure.
While we strive to protect your information, we cannot guarantee absolute security.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete data.
- Deletion: Request that we delete your personal data (subject to legal retention requirements).
- Data Portability: Request your data in a structured, machine-readable format.
- Objection: Object to the processing of your data in certain circumstances.
- Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time.
To exercise any of these rights, contact us at hello@brainflood.com. We will respond within 30 days.
10. Children's Privacy
The Service is not intended for children under the age of 13 (or the minimum age of digital
consent in your jurisdiction). We do not knowingly collect personal information from children
under 13. If we learn that we have collected information from a child under 13, we will
promptly delete it. If you believe a child under 13 has provided us with personal information,
please contact us at hello@brainflood.com.
Players under 18 may participate in games as anonymous players (via QR code) under the
supervision of the game host and/or a parent or guardian. Anonymous play does not require
account creation or the collection of identifying personal information.
11. International Data Transfers
Brainflood is operated from servers located in Europe. If you access the Service from
outside the European Economic Area, your information may be transferred to and processed
in countries with different data protection laws. By using the Service, you consent to
such transfers. We take steps to ensure your data is treated securely and in accordance
with this Privacy Policy regardless of where it is processed.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
- No Sale of Data: We do not sell personal information as defined under the CCPA.
To make a CCPA request, email hello@brainflood.com with the subject line "CCPA Request."
13. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights as described in Section 9 above. Our legal bases for processing are:
- Contract Performance: Processing necessary to provide the Service you signed up for (account management, game hosting, scoring).
- Legitimate Interests: Analytics, security, fraud prevention, and Service improvement, balanced against your privacy rights.
- Consent: Marketing emails and optional analytics cookies, which you may withdraw at any time.
- Legal Obligation: Where we are required to process data by law.
You may lodge a complaint with your local data protection authority if you believe your rights have been violated.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes,
we will update the "Last Updated" date at the top of this page and, where appropriate,
notify you via email or a notice on the Service. Your continued use of the Service after
changes are posted constitutes acceptance of the revised policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, contact us at: