Privacy Policy
Last updated: April 19, 2026 · Effective: April 19, 2026
Brainflood LLC ("Brainflood," "we," "us") operates the Brainflood trivia and live entertainment hosting platform available at brainflood.com, app.brainflood.com, and joinplay.net (the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to everyone who interacts with the Service — hosts, venues, and players.
Contents
- Information we collect
- How we use information
- Legal bases (EEA/UK users)
- When we share information
- Subprocessors and third-party services
- Data retention
- Security
- Your rights and choices
- Children's privacy
- Cookies and analytics
- International data transfers
- California residents (CCPA/CPRA)
- Changes to this policy
- Contact us
1. Information we collect
Information you provide
- Account information: email, username, password hash, display name, and (optionally) avatar.
- Host/business details: business name, venue information, event schedules, and any branding you upload.
- Payment information: handled directly by our payment processor (Stripe). We store only billing metadata (plan, status, and the last 4 digits of the card, via a Stripe reference) — we do not store full payment card numbers.
- Content you create: games, questions, answers, scores, forum posts, direct messages, slideshows, and other content you submit to the Service.
- Support communications: messages you send to support@brainflood.com or via forum/bug report channels.
Information collected automatically
- Usage data: pages viewed, features used, timestamps, game session events, WebSocket connection data.
- Device and technical data: IP address, browser type, operating system, screen size, and referring URL.
- Cookies and similar technologies: session tokens (including JWTs in httpOnly cookies), authentication state, and analytics identifiers. See section 10, Cookies and analytics.
Player information
Players who join a game typically provide only a display name and, in some game modes, a team assignment. Players do not need an account to join a game. Temporary player data (display name, answers, scores) is tied to the game session and retained per the retention schedule.
2. How we use information
- Provide, operate, and maintain the Service (hosting games, rendering displays, running real-time scoring).
- Authenticate you and keep your account secure.
- Process payments and manage subscriptions.
- Generate AI-assisted content (question generation, commentary, answer grading) using trusted AI providers.
- Communicate with you: service notifications, billing, security alerts, and (if you opt in) marketing.
- Improve the Service — aggregate analytics, bug reports, and performance monitoring.
- Comply with legal obligations and enforce our Terms of Service.
3. Legal bases for processing (EEA/UK users)
If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases: (a) performance of a contract (to deliver the Service you signed up for); (b) legitimate interests (to secure, improve, and analyze the Service); (c) legal obligation (tax, accounting, compliance); and (d) consent (for optional marketing and non-essential cookies, which you may withdraw at any time).
4. When we share information
We do not sell your personal information. We share information only in these situations:
- With subprocessors that operate the Service on our behalf (see section 5, Subprocessors and third-party services).
- Within a game session: your display name, team, and scores are visible to other participants and may appear on public projector displays.
- For legal reasons: when we believe in good faith that disclosure is required by law, subpoena, or to protect the rights, property, or safety of Brainflood, our users, or the public.
- Business transfers: if Brainflood is involved in a merger, acquisition, or asset sale, we will notify you and any successor will be bound by this policy.
- With your consent: for anything else, we ask first.
5. Subprocessors and third-party services
We use the following subprocessors to deliver the Service:
- Stripe, Inc. — payment processing and subscription billing.
- Anthropic PBC — AI-assisted question generation, grading, and host commentary (via Claude API).
- Hetzner Online GmbH — infrastructure hosting (EU data centers).
- Google LLC — Google Analytics (website analytics) and Google OAuth (optional sign-in).
- Let's Encrypt (ISRG) — TLS certificate issuance.
- Proton AG — transactional and support email.
- YouTube (Google LLC) — video embeds for karaoke mode.
- OpenTDB — open trivia question database (licensed content).
Each subprocessor is contractually required to handle your data consistently with this policy and applicable law.
6. Data retention
- Account data: retained while your account is active and for up to 90 days after deletion (backups may persist up to 30 additional days).
- Completed game sessions: retained indefinitely as part of the host's game library unless the host deletes them.
- Player session data (non-account players): retained with the host's game for historical scoring; display names and answers may be deleted on request.
- Billing records: retained 7 years for tax and accounting compliance.
- Support communications: retained up to 3 years.
7. Security
We use industry-standard practices to protect your information, including encryption in transit (TLS 1.2+), bcrypt password hashing, JWT-based authentication with short-lived tokens, httpOnly cookies, rate limiting, Content Security Policy headers, firewall and intrusion prevention (UFW, fail2ban), and least-privilege infrastructure access. No system is perfectly secure — if you believe your account has been compromised, contact us immediately.
8. Your rights and choices
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate information.
- Delete your account and associated personal data.
- Port your data to another service in a machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent.
To exercise any of these rights, email support@brainflood.com. We will respond within 30 days. You may also lodge a complaint with your local data protection authority.
9. Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Some jurisdictions (including the EEA/UK) set a higher age of digital consent — in those regions, users under 16 require parental consent. If you believe a child has provided us personal information, please contact us and we will delete it.
Note that players may participate in games hosted by venues without creating an account; hosts are responsible for ensuring age-appropriate participation at their events.
10. Cookies and analytics
We use cookies and similar technologies to:
- Keep you signed in (session cookies, JWT in httpOnly cookie).
- Remember preferences (theme, language).
- Measure traffic and performance (Google Analytics with IP anonymization).
You can control cookies via your browser settings. Disabling essential cookies will break sign-in. To opt out of Google Analytics, install the Google Analytics Opt-out Browser Add-on.
11. International data transfers
Brainflood is based in the United States; our primary infrastructure is hosted in the EU (Hetzner, Germany/Finland). By using the Service, you understand that your information may be transferred to and processed in the United States and other countries where our subprocessors operate. Where required by law, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.
12. California residents (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information in the sense defined by the CCPA). We do not use or disclose sensitive personal information for purposes that would trigger a right to limit use. To exercise your rights, email support@brainflood.com. We will not discriminate against you for exercising your rights.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via an in-Service notice before the changes take effect. The "Last updated" date at the top of this page reflects the current version.
14. Contact us
Brainflood LLC
784 S. Clearwater Loop #4640
Post Falls, ID 83854
United States
Email: support@brainflood.com
Phone: 208-298-9001