Privacy Policy

Last updated: May 3, 2026

BrainBeat ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our mobile application and related services.

1. Information We Collect

1.1 Account Information

Email address and display name when you create an account, or Apple ID / Google ID if you use social sign-in.

1.2 Learning Data

Vocabulary progress, session history, language preferences, CEFR level, flashcards, dialogue transcripts, and learning statistics.

1.3 Health & Safety Consent Data

Before using binaural audio features, we collect your explicit acknowledgement regarding pre-existing conditions (epilepsy history, cardiac pacemaker, pregnancy). This data is classified as special category data under GDPR Article 9 and sensitive personal data under LGPD Article 11. We collect this solely to ensure your safety and comply with Apple App Review Guidelines (Guideline 1.4). The legal basis for this processing is your explicit consent (GDPR Art. 9(2)(a)).

1.4 Device & Technical Information

Device type, operating system version, app version, IP address (captured automatically for security monitoring), and user agent string.

1.5 Voice Input

When you use pronunciation practice or voice recording features, audio is processed in real-time by our text-to-speech provider. We do not store voice recordings on our servers. Voice processing is handled by ElevenLabs (see Section 5).

1.6 Usage Analytics

Anonymous session events (session start/end, feature usage) for improving the app. No personally identifiable information is included in analytics events.

1.7 Crash Reports

In the event of app crashes, diagnostic data (including a pseudonymised user identifier) is sent to our crash reporting service (see Section 5).

2. Information We Do NOT Collect

Biometric data: Our binaural audio technology plays sound through headphones. It does not measure, record, or analyse brain activity, heart rate, or any physiological signal.
Location data: We do not collect GPS, Wi-Fi, or cell tower location data.
Contacts, photos, or camera data.
We do NOT sell your personal information to third parties, and we never will.

3. Legal Basis for Processing (GDPR Art. 6 & Art. 9)

Data Category	Legal Basis	Purpose
Account information	Contract performance (Art. 6(1)(b))	Provide the service
Learning data	Contract performance (Art. 6(1)(b))	Track progress, personalise experience
Health & safety consent	Explicit consent (Art. 9(2)(a))	User safety, regulatory compliance
Device/technical info	Legitimate interest (Art. 6(1)(f))	Security, compatibility, support
Usage analytics	Legitimate interest (Art. 6(1)(f))	Improve the app
Crash reports	Legitimate interest (Art. 6(1)(f))	Fix bugs, maintain stability

4. How We Use Your Information

To provide and maintain our language learning service
To track your learning progress and personalise your experience
To ensure your safety when using binaural audio features
To process AI-powered dialogue and conversation practice
To manage subscriptions and payments (via App Store / Play Store)
To send important service updates (with your consent)
To improve our app, fix bugs, and develop new features
To detect and prevent fraud, abuse, and security incidents

5. Third-Party Services (Sub-Processors)

We use the following third-party services to operate BrainBeat:

Service	Purpose	Data Processed	Location
Supabase	Database, authentication, edge functions	All account and learning data	EU (Frankfurt)
Anthropic (Claude)	AI dialogue and conversation generation	Conversation context (no PII sent)	USA
ElevenLabs	Text-to-speech voice synthesis	Text for voice generation (no PII)	USA
RevenueCat	Subscription and payment management	Purchase receipts, subscription status	USA
Sentry	Crash reporting and error tracking	Pseudonymised user ID, crash diagnostics	USA
Cloudflare	CDN, DDoS protection, WAF	IP address, request metadata	Global (EU included)
Expo/EAS	App builds and over-the-air updates	Build metadata (no user data)	USA
Apple / Google	App distribution, in-app purchases	As per their respective privacy policies	USA / Global

For transfers to the USA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or the service provider's participation in adequate safeguard mechanisms (GDPR Art. 46).

6. Data Storage, Security & Retention

Your primary data is stored on Supabase servers in the European Union (Frankfurt, Germany). We use industry-standard encryption for data in transit (TLS 1.3) and at rest (AES-256). Access is restricted via Row Level Security policies and service-role authentication.

Retention Periods

Data	Retention
Account & learning data	Until account deletion or 1 year after last activity
Health consent records	Until account deletion (required for legal compliance)
Analytics events	90 days
Crash reports	90 days (Sentry default)
Rate limiting logs	24 hours
API usage logs	30 days

7. Your Rights

7.1 GDPR Rights (EEA Residents)

Under the General Data Protection Regulation, you have the right to:

Access: Request a copy of your personal data
Rectification: Request correction of inaccurate data
Erasure: Request deletion of your personal data ("right to be forgotten")
Portability: Request your data in a machine-readable format (JSON)
Restriction: Request restriction of processing
Objection: Object to processing based on legitimate interest
Withdraw consent: Withdraw consent for health data processing at any time

You may also lodge a complaint with your national Data Protection Authority. For Portugal: CNPD.

7.2 CCPA Rights (California Residents)

Under the California Consumer Privacy Act, California residents have the right to:

Know: What personal information we collect and how we use it
Delete: Request deletion of your personal information
Non-discrimination: We will not discriminate against you for exercising your rights
Do Not Sell: We do NOT sell personal information. No opt-out is necessary because no sale occurs.

To exercise your CCPA rights, email privacy@brainbeat.app.

7.3 LGPD Rights (Brazilian Residents)

Under the Lei Geral de Protecao de Dados (LGPD), Brazilian residents have the right to:

Confirmation of the existence of data processing
Access to your data
Correction of incomplete, inaccurate, or outdated data
Anonymisation, blocking, or deletion of unnecessary or excessive data
Data portability to another service provider
Deletion of personal data processed with your consent
Information about public and private entities with which your data has been shared
Revocation of consent

To exercise your LGPD rights, email privacy@brainbeat.app.

7.4 How to Exercise Your Rights

For all privacy requests, contact us at privacy@brainbeat.app. We will respond within 30 days. You may also delete your account directly within the app (Settings > Delete Account), which permanently removes all your data from our servers.

8. Children's Privacy

BrainBeat is rated 12+ and recommended for users aged 14 and above. Users under 14 should use BrainBeat only with parental supervision. We do not knowingly collect personal information from children under 13 (COPPA) or under 16 without parental consent (GDPR Art. 8). If you believe a child has provided us with personal information without parental consent, please contact us immediately.

9. International Data Transfers

Your primary data is stored in the EU. Some sub-processors (Anthropic, ElevenLabs, RevenueCat, Sentry) are based in the United States. For these transfers, we rely on:

Standard Contractual Clauses (SCCs) as adopted by the European Commission
The service provider's own data protection commitments and certifications

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes affecting your rights, we will notify you via email or in-app notification.

11. Contact Us

For privacy-related inquiries, data requests, or concerns:

Privacy email: privacy@brainbeat.app
General email: hello@brainbeat.app
Data Controller: Saturnino Rodrigues, Portugal