Privacy Policy

• Account data — your email address and optional full name, used to create and secure your account.
• Business data you enter — your business profile (name, industry, team size, challenges, goals), brand-voice samples, financial figures such as pasted P&L numbers, and chat history with the AI executives. This content may contain commercially sensitive information.
• Billing data — your Stripe customer ID and subscription status. Card details are handled entirely by Stripe and are never stored by us.
• Usage metadata — token usage, login timestamps, and IP address, used for security and to operate the Service.

We use your data to:

• Provide, maintain, and secure the Service;
• Generate AI outputs tailored to your business context;
• Process payments and manage your subscription;
• Provide support, respond to requests, and send service-related communications;
• Comply with legal obligations and prevent abuse.

When you use AI features, the relevant prompts and business context are sent to Anthropic (the provider of the Claude models) to generate a response. Under Anthropic's API terms, your inputs and outputs are not used to train Anthropic's models and are retained only for a limited period for abuse-monitoring before deletion.

Because AI features process the content you submit, avoid pasting data you are not comfortable sending for processing. AI outputs are decision-support only — see our Terms of Service.

We process your data on the basis of your consent (given when you create an account and use the Service), to perform our contract with you, and to pursue our legitimate interests in operating and securing the Service. You may withdraw consent at any time as described in Your PDPA Rights below; withdrawal does not affect processing carried out before withdrawal.

We do not sell your personal data. We share it only with the sub-processors needed to run the Service:

• Supabase — database, authentication, and storage (hosted in Singapore, ap-southeast-1).
• Cloudflare — application hosting and network delivery.
• Anthropic — AI processing for the Command Executives.
• Stripe — payment processing and billing.
• Resend — transactional email delivery.

Each sub-processor handles data under its own terms and applicable data-protection law. We may also disclose data where required by law.

We keep your data for as long as your account is active and as needed to provide the Service. When you delete your account, your workspace data is deleted from our database, with related records cascading on deletion. Backups and provider logs (for example, Cloudflare request logs) are retained for short periods on their normal cycles. We retain limited records where required for legal, tax, or accounting purposes.

Under the PDPA, you have the right to:

• Access — request a copy of the personal data we hold about you;
• Correction — ask us to correct inaccurate or incomplete data;
• Withdraw consent — withdraw your consent to processing, and request deletion of your data, subject to legal retention requirements.

To exercise these rights, contact us using the details below. We aim to respond within 30 days.

We protect your data with row-level security (RLS) in our database — so each workspace owner can only access their own workspace — and with encryption in transit (TLS) and at rest. Service keys are held only in a server-side secret store and are never exposed to the browser. No system is perfectly secure, but we work to safeguard your data and respond promptly to any incident.

We use essential cookies to keep you signed in and to remember your preferences (such as your light/dark theme). These are required for the Service to function; we do not use them for third-party advertising.

Your data is stored in Singapore (Supabase) and processed by providers that may operate in other countries, including the United States (Anthropic, Stripe, Cloudflare, Resend). Where data is transferred outside Malaysia, we rely on the protections offered by these providers and applicable data-protection safeguards.

For privacy questions or to exercise your rights, contact our Data Protection Officer at privacy@brainybunch.com, or by post at: Raudhah Tech (Brainy Bunch Group), [registered address].