Privacy policy
Last updated: June 26, 2026
The short version: we collect the minimum needed to run the app: your account, the content you save, and what you do with it. We don't sell your data, we don't show ads, and we don't train AI models on your content. You can delete everything at any time, and you can turn off analytics and reading-history tracking in Settings.
BrainRetain (operated by Vic Claw) turns the things you read, watch, and listen to into spaced-repetition quizzes so you remember more of them. This policy explains what we collect, why, who processes it, and the controls you have. It covers both the web app at brainretain.app and the BrainRetain iOS app, which share the same backend.
What we collect
Account
- Email address, to create your account, sign you in, and send password resets.
- Password, stored only as a salted hash by our auth provider (Supabase). We never see or store it in plain text. If you sign in with Google or Apple, we don't handle a password at all.
- Sign-in identity from Google or Apple if you use those, handled through Supabase Auth.
- A display name (you can edit it) and an internal account id that links your data to you.
- Your plan (free or pro) and the usage limits tied to it.
Content you save
- The links, pasted text, and photos or screenshots you submit to be quizzed on.
- For audio and video you share, the audio is transcribed to text so we can build questions from it.
- The quizzes, summaries, takeaways, and flashcards we generate from your inputs, plus your answers, ratings, and scores.
- Feedback you give on a question (thumbs up/down and the reason) or through the in-app feedback box.
Reading history (only if you turn it on)
The daily recap feature keeps a log of the links and titles of what you read or watch so it can quiz you at the end of the day. This is sensitive, so it's tied to a toggle in Settings, and these entries are automatically deleted after 90 days. If you connect a YouTube, Spotify, or Pocket account for recaps, we store an encrypted access token for that account so we can pull your recent activity. You can disconnect at any time.
Usage analytics
- We use PostHog (US cloud) to record page views and product events, which screens you use, where people drop off, and quiz outcomes like score and duration. After you sign in, these events are tied to your account id and email.
- We do not send the content of what you save (the links, your pasted text, or the generated questions) to analytics. Session recording is off.
- Analytics use a cookie and local storage to keep a device id. You can opt out any time in Settings, and the opt-out takes effect immediately.
Device and technical
- A push notification token if you enable reminders.
- Standard server logs (timestamp, IP address, request path) for debugging and abuse prevention. We don't use them to build a profile of you.
How your content gets processed
To turn what you save into a quiz, your text and transcripts go to Anthropic (Claude) for analysis and question generation, and photos you submit are read by the same service. Audio you share is transcribed by Groq (and by OpenAI only as a fallback if Groq is temporarily unavailable). These providers process your content to return a result to you, and their API terms prohibit using API-submitted content to train their models.
Who processes your data
We share data only with the services we need to run BrainRetain, each for the purpose below. Most run in the United States.
| Service | What it handles | Why |
|---|---|---|
| Supabase | Account, your content, sync | Database and sign-in |
| Fly.io | Backend traffic | App hosting (US-East) |
| Anthropic | Your text, transcripts, and images | Quiz and flashcard generation |
| Groq | Audio you share | Transcription (primary) |
| OpenAI | Audio you share | Transcription (fallback only) |
| PostHog | Usage events, account id, email | Product analytics |
| Apple | Payments; Sign in with Apple | App Store billing and login |
| RevenueCat | Account id, subscription status | Subscription management |
| Google | Sign in with Google; YouTube (if connected) | Login and recaps |
| Spotify / Pocket | Recent activity (if connected) | Daily recaps |
| Expo | Push token, notification title | Sending notifications |
Payments
Subscriptions are handled by Apple through the App Store. Apple processes your payment, so we never see or store your card number or billing details. We use RevenueCat to know whether your subscription is active, and all we keep on our side is your plan tier. Buying or managing a subscription happens in the iOS app.
What we don't do
- We don't sell, rent, or trade your data.
- We don't show third-party ads.
- We don't use the content you save to train AI models.
Keeping and deleting your data
- Deleting your account (Settings, then Delete account) permanently removes your account and everything tied to it (your cards, quizzes, history, reading log, feedback, and any connected-account tokens) across our database.
- Clear your saved content without deleting your account, from Settings, which removes your cards, quizzes, and history.
- Reading-history entries are deleted automatically after 90 days.
- Server logs are short-lived and used only for debugging and abuse prevention.
Your rights
You can:
- See and get a copy of your data (by request, or wherever export is offered in the app).
- Correct your account details in Settings.
- Delete your data, as described above.
- Opt out of analytics, and turn off reading-history tracking, in Settings.
- Withdraw consent at any time by deleting your account.
For any privacy request, including ones under GDPR or CCPA, email admin@brainretain.app. We respond within 30 days.
Security
- All traffic is encrypted in transit with HTTPS.
- Passwords are hashed by Supabase using standard algorithms.
- Database access is locked to your account with row-level security, so one user's data can't be returned to another.
- Connected-account tokens are encrypted before they're stored.
- Content saved on your own device (in the browser) isn't separately encrypted by the app, so use device-level protection if your computer is shared.
- No system is perfectly secure. If you think your account has been accessed, change your password and email us.
Children
BrainRetain isn't directed at children under 13 (or under 16 in the EU). We don't knowingly collect their data, and if we learn we have, we delete it.
Changes to this policy
We may update this policy as the app changes. If a change is significant, we'll let you know by email or an in-app notice before it takes effect. The date at the top reflects the most recent update.
Contact
Questions, complaints, or requests: admin@brainretain.app.