Privacy Policy

Effective date: 7 May 2026
Last updated: 7 May 2026

1. About this policy

This Privacy Policy explains how Dimitris Goudis Consulting Ltd (trading as 3Nuggets) collects, uses, shares, and protects personal data when you use Brain Graph (the "Service"), available at https://itsbraingraph.ai. It also explains your rights and how to exercise them.

In this policy, "we", "us", and "our" mean Dimitris Goudis Consulting Ltd. "You" and "your" mean the individual using the Service.

For the purposes of the EU and UK General Data Protection Regulation, we are the data controller for the personal data described in this policy.

This policy should be read together with our Cookie Policy and our Terms of Service.

2. Quick summary

  • We collect what we need to run the Service: account information, billing data (handled by Stripe), and the documents and conversations you create inside Brain Graph.
  • We do not run analytics, advertising, or behavioural-tracking scripts. We do not sell or share your personal data for advertising.
  • We use third-party AI providers to power Brain Graph's features. We do not currently have no-training agreements with all of them. Section 7 explains exactly what is sent and where.
  • You can delete your account and all of your data from inside the Service. The deletion is immediate.
  • You have rights under the GDPR. We respond within 30 days. You can email us at support@itsbraingraph.ai.

3. Personal data we collect

3.1 Account data

When you create an account we collect:

  • Email address
  • Name
  • Password (stored only as a bcrypt hash — see Section 12; we never store or log your plaintext password)
  • Optional profile fields you choose to add: company, role, and short descriptions about your work and goals

3.2 Billing data

When you upgrade to a paid plan, payment is processed by Stripe. We do not see, store, or log your card details. Stripe shares with us a customer ID, your subscription status, and high-level billing metadata. Read Stripe's policy at https://stripe.com/privacy.

3.3 Content you upload and create

When you use Brain Graph you can upload meeting transcripts and documents and have conversations about them. We store:

  • The documents and transcripts you upload
  • The knowledge graph that Brain Graph builds from them (entities, relationships, summaries)
  • Your conversation history with the Service
  • API keys you generate inside the Service

This content frequently contains personal data about other people (for example, names of meeting attendees, their roles, things they said, problems they raised). Section 8 explains how that interacts with your responsibilities and ours.

3.4 Operational telemetry

Brain Graph itself does not collect IP addresses, user-agent strings, device fingerprints, or behavioural-analytics signals. We do not store HTTP request logs.

The application emits short operational messages to stdout containing the affected user ID and the outcome of the action (e.g. "account deletion succeeded"). These are kept in our hosting provider's rolling log buffer for approximately 24 hours and then discarded.

Our subprocessors (Supabase, Railway, Stripe, OpenRouter, Resend, etc.) maintain their own operational logs for security, billing, and abuse-prevention purposes under their respective privacy policies.

3.5 Cookies and similar technologies

See the Cookie Policy for a full breakdown. In summary: no analytics, no advertising pixels, no behavioural tracking. Stripe sets fraud-prevention cookies on payment pages, and Supabase stores your authentication session in your browser's localStorage.

4. How we use your personal data

We use the personal data described above for the following purposes, on the following legal bases under Article 6 GDPR.

Purpose | Legal basis
Creating and operating your account, authenticating you, providing the core features of the Service | Performance of a contract with you (Art. 6(1)(b))
Processing payments, managing subscriptions, preventing payment fraud | Performance of a contract (Art. 6(1)(b)) and our legitimate interest in being paid and preventing fraud (Art. 6(1)(f))
Sending transactional emails (sign-up confirmations, password resets, billing receipts, security notices) | Performance of a contract (Art. 6(1)(b))
Sending marketing emails about our mastermind events, only to people who explicitly opt in on the mastermind page | Your consent (Art. 6(1)(a)) — you can withdraw at any time
Responding to your support requests | Performance of a contract (Art. 6(1)(b))
Securing the Service, investigating abuse, defending legal claims | Our legitimate interest in keeping the Service safe and our legal rights protected (Art. 6(1)(f))
Complying with our legal obligations (tax, accounting, responding to lawful requests) | Legal obligation (Art. 6(1)(c))

We do not use your content to train any of our own models. We run only health checks on the knowledge graphs we generate.

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing.

5. How we share your personal data

We share personal data only with the subprocessors below, each of whom acts under contract and only to the extent necessary to provide the Service.

5.1 Infrastructure

Subprocessor | Role | Region | Reference
Railway, Inc. | Application hosting | EU (Amsterdam, Netherlands) | DPA
Supabase, Inc. | Authentication, Postgres database, file storage | EU (Frankfurt, Germany) | DPA
FalkorDB Ltd | Knowledge-graph database | europe-west1 (Google Cloud) | Contact
Stripe Payments Europe, Ltd / Stripe, Inc. | Payment processing | Ireland & United States | Privacy Policy
Resend | Transactional email (e.g. welcome email, password resets, account notices) | United States | Privacy

5.2 AI providers

See Section 7 for a detailed disclosure of how AI processing works and what is sent to each provider.

5.3 Other recipients

We may also disclose personal data:

  • To professional advisors (lawyers, accountants) under duties of confidentiality, where strictly necessary;
  • To public authorities, courts, or regulators where we are legally required to do so;
  • In connection with a sale, merger, or reorganisation of our business — in which case we will notify you in advance and your rights will be preserved.

We do not sell your personal data. We do not share it for cross-context behavioural advertising.

6. Marketing

We do not run a general newsletter and we do not send marketing emails to people simply because they signed up for Brain Graph. The only marketing we send is about our mastermind events, and only to people who explicitly opt in on the mastermind sign-up page. You can unsubscribe at any time using the link in any such email or by emailing support@itsbraingraph.ai.

7. AI processing — how Brain Graph uses third-party AI providers

This section is deliberately detailed because Brain Graph relies on AI providers to deliver its core features. Please read it carefully.

7.1 The pipeline

Your prompts and the document content needed to answer them are sent from Brain Graph through OpenRouter, Inc. (the routing gateway), which forwards them to one of the underlying model providers below depending on the task:

Provider | Used for | Country of processing
Google (Gemini models) | Generative AI tasks | United States and other Google data centres
Anthropic, PBC (Claude models) | Generative AI tasks | United States
Moonshot AI (Kimi models) | Generative AI tasks | People's Republic of China
Voyage AI | Generating text embeddings | United States

OpenRouter itself is a US company.

7.2 What is sent

For each AI request, Brain Graph sends:

  • Your account identifier (your Supabase user UUID), included as the user field on every request — used by providers for abuse and rate-limit attribution.
  • The system instructions Brain Graph uses to operate the model.
  • The prompt content, which includes the parts of your documents and conversation needed to answer your request. Because that content is sent verbatim, it may include any personal data about you or about other people that you have placed into Brain Graph (for example, names, roles, and statements from a meeting transcript).

We do not send your email address or our internal document/transcript IDs to AI providers.

7.3 No-training agreements

We do not currently have a no-training or zero-data-retention agreement in place with the model providers reached through OpenRouter. This means that, by default, your prompts and the content sent with them may be retained, reviewed for safety, or used to improve those providers' services according to each provider's standard terms.

We are working to put no-training arrangements in place. Until we do, please do not upload to Brain Graph any content you would not be willing to share with the AI providers listed above — and do not upload personal data about other people unless you have a lawful basis to do so (see Section 8).

7.4 Prompt caching

To keep costs down and responses fast, Brain Graph uses ephemeral prompt caching on the static system instructions it sends to AI providers. The cache lives on the provider's edge for approximately five minutes and contains only Brain Graph's own instruction prompt — it does not cache your document content or your prompts.

7.5 No file persistence

Brain Graph does not upload your documents to any AI provider's persistent file storage (for example, OpenAI Files or Anthropic Files). Each AI request is made with inline content and is ephemeral as far as our integration is concerned; what each provider does with that content on their side is governed by their own terms (see Section 7.3).

8. Content you upload about other people

When you upload meeting transcripts or other documents to Brain Graph that contain personal data about people other than you, you are the data controller for that personal data, and we act as your data processor. You are responsible for:

  • Having a valid lawful basis under the GDPR (or equivalent law) to upload and process that personal data through the Service;
  • Telling those people about that processing where required (for example, in your meeting privacy notice);
  • Honouring requests they make to you about their data.

We will help you respond to such requests where it is reasonable to do so.

If you are using Brain Graph in a business context and need a Data Processing Addendum (DPA), we will sign one on request — email support@itsbraingraph.ai.

9. International transfers

Brain Graph is established in the European Union (Cyprus). When we use subprocessors located outside the European Economic Area, we put appropriate safeguards in place under Chapter V of the GDPR.

Destination | Safeguard
United States (Stripe, Resend, OpenRouter, Anthropic, Google entities, Voyage AI) | Where the recipient is certified under the EU–US Data Privacy Framework, we rely on that adequacy decision. For any recipient that is not DPF-certified, we rely on the European Commission's Standard Contractual Clauses (2021) together with a transfer impact assessment.
People's Republic of China (Moonshot AI / Kimi, when reached via OpenRouter) | China is not the subject of an EU adequacy decision and Moonshot is not DPF-certified. Where Brain Graph routes a request to a Kimi model, your prompt content is processed in China under the SCCs alone. We are evaluating supplementary measures and may restrict Kimi routing for users in the EEA in a future update. If you are concerned about this transfer, please contact us before uploading sensitive content.

You can ask us for a copy of the relevant transfer mechanism by emailing support@itsbraingraph.ai.

10. How long we keep your personal data

10.1 Account and content

We keep your account information and the content you upload for as long as your account is active.

10.2 Deleting a single document

When you delete an individual document or transcript inside Brain Graph, we immediately and permanently delete the corresponding rows from our Postgres database. There is no soft-delete and no recovery period.

The knowledge-graph entries that were derived from that document remain in the graph database until you trigger Clear Brain or delete your account. This is because the graph stores derived facts that are not tied one-to-one to individual source documents.

10.3 Deleting your account

You can delete your account at any time from Settings → Danger Zone inside the Service. When you do, we hard-delete in the same request:

  • Your knowledge graph;
  • All uploaded documents and transcripts;
  • Your conversations and analyses;
  • Your profile, API keys, and any other account-scoped data;
  • Your files in our object storage;
  • Your active Stripe subscription and customer record;
  • Your identity in our authentication provider (Supabase Auth), so the email is no longer associated with the Service.

There is no grace period. There is no recovery.

10.4 Backups

For disaster-recovery purposes, our hosting and database providers retain encrypted backups for a limited period (currently up to seven days under our Supabase plan tier). Residual copies of deleted data may exist in those backups until the backup window rolls past, after which they are overwritten.

10.5 Operational logs

Application stdout messages are retained in our hosting provider's rolling buffer for approximately 24 hours and then discarded. We do not maintain our own access logs (see Section 3.4).

10.6 Records we are required to keep

We retain a minimal set of billing and tax records for as long as required by Cypriot tax and accounting law, even after you delete your account.

11. Your rights

If you are in the European Economic Area or the United Kingdom, you have the following rights under the GDPR:

  • Access — to know what personal data we hold about you and to receive a copy.
  • Rectification — to correct inaccurate or incomplete personal data.
  • Erasure — to have your personal data deleted ("the right to be forgotten"). For most data, you can do this yourself by deleting your account (Section 10.3).
  • Restriction — to limit how we process your personal data in certain circumstances.
  • Portability — to receive a machine-readable copy of personal data you have provided to us.
  • Objection — to object to processing based on our legitimate interests.
  • Withdraw consent — where we rely on your consent (for example, for mastermind marketing emails), you can withdraw it at any time.
  • Lodge a complaint with a supervisory authority. Our lead supervisory authority is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (https://www.dataprotection.gov.cy). You can also complain to the supervisory authority of the EU country where you live or work.

To exercise any right that is not already self-serve in the Service, email support@itsbraingraph.ai. We will respond within 30 days. We may need to verify your identity first.

12. Security

We protect personal data with the following measures:

  • Encryption in transit. All connections between you and the Service are protected with TLS, and HSTS is enabled. Connections between our application and Railway's internal infrastructure are end-to-end encrypted with WireGuard.
  • Encryption at rest. All customer data stored by Supabase and Railway is encrypted at rest with AES-256. Supabase additionally encrypts sensitive tokens and keys at the application level before they reach the database.
  • Password handling. User passwords are hashed with bcrypt (cost factor 10) by our authentication provider, Supabase Auth. Plaintext passwords are never stored or logged. We do not see your password.
  • Stateless authentication. The Service uses stateless JSON Web Tokens issued by Supabase Auth; we do not maintain server-side session storage.
  • API authentication. Calls to our public API are authenticated with bearer tokens in the Authorization header, not cookies, removing CSRF as an attack vector.
  • No personal-data logging. Brain Graph does not log IP addresses, user-agent strings, or request metadata; see Section 3.4.

We do not currently hold a formal security certification (such as SOC 2 or ISO 27001).

Breach notification. In the event of a personal data breach, we will notify the competent supervisory authority and, where required, affected individuals without undue delay, and within 72 hours where the breach is likely to result in a risk to your rights and freedoms, in line with Articles 33 and 34 of the GDPR.

13. Children

The Service is intended for adults aged 18 or over. We do not knowingly collect personal data from anyone under 18. We do not currently verify users' age. If you become aware that a person under 18 has provided us personal data, please contact support@itsbraingraph.ai and we will delete it.

14. Changes to this policy

We may update this policy from time to time. When we make a material change, we will (a) update the "Last updated" date at the top, (b) update the published version on itsbraingraph.ai/privacy-policy, and (c) notify registered users by email so you have time to review the change before it takes effect.

15. Contact

For privacy questions, requests, and complaints:

  • Email: support@itsbraingraph.ai (or support@3nuggets.io)
  • Postal address: Dimitris Goudis Consulting Ltd, Chrysanthou Mylona 11, Agioi Omologites, 1085 Nicosia, Cyprus

You also have the right to contact your local data protection authority. For Cyprus residents, that is the Office of the Commissioner for Personal Data Protection (https://www.dataprotection.gov.cy).