Privacy Policy
Last updated: September 25, 2025
1. Introduction
Twobrains Inc. ("we," "our," or "us") operates twobrains.ai, an AI-powered software platform that helps users make better decisions. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our service.
As a Canadian corporation, we comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), and other applicable privacy laws. For users in the European Union, we also comply with the General Data Protection Regulation (GDPR). By using twobrains.ai, you consent to the collection, use, and disclosure of your personal information as described in this policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account information when you create an account
- Content you create or input while using our decision-making tools
- Communications you send to us (support requests, feedback)
2.2 Information Collected Through Authentication
We use magic link authentication through Supabase, which means:
- Email address - Used for account creation, login authentication via magic links, and essential service communications
- Account metadata - Basic account information necessary for service functionality
- Authentication tokens - Secure tokens for maintaining your login session
No additional personal information is collected during authentication - we only store your email address and essential account data.
2.3 Automatically Collected Information
- Usage Analytics: We use Mixpanel and Google Analytics to collect anonymized data about how you interact with our service, including page views, feature usage, and user flows
- Technical Information: IP address, browser type, device information, and operating system
- Performance Data: Information about service performance, errors, and technical issues to help us improve our platform
- Cookies and Similar Technologies: We use cookies and similar tracking technologies to enhance your experience and analyze service usage
3. Legal Basis for Processing (EU Users)
For users in the European Union, we process your personal data based on the following legal bases:
- Consent: When you explicitly agree to our data processing (e.g., account creation, marketing communications)
- Legitimate Interest: To provide and improve our service, ensure security, and analyze usage patterns
- Contractual Necessity: To fulfill our obligations in providing the twobrains.ai service to you
- Legal Obligation: To comply with applicable laws and regulations
You have the right to withdraw consent at any time and object to processing based on legitimate interest.
4. How We Use Your Information
4.1 Core Service Functionality
- Provide and maintain our AI-powered decision-making platform
- Authenticate your identity and manage your account
- Personalize your user experience
- Process and respond to your requests and communications
4.2 Service Improvement
- Analyze usage patterns to improve our AI algorithms and user interface
- Identify and fix technical issues and bugs
- Develop new features and functionality
- Conduct research to enhance our decision-making tools
4.3 Communications
- Send essential service notifications and updates
- Respond to support requests and customer service inquiries
- Provide important security and legal notices
We do not use your information for advertising or marketing purposes without your explicit consent.
4.4 AI Data Processing
Our platform uses artificial intelligence algorithms from OpenAI and Google Gemini to help you make decisions. Important details about AI processing:
AI Providers and Data Handling:
- Training use: Content sent via our API integrations is not used to train OpenAI's or Google's models
- Provider retention (security/abuse monitoring):
  - OpenAI (API): Inputs/outputs may be retained in provider security logs for approximately 30 days, then deleted, unless a longer period is legally required. Certain enterprise/contracted options support zero-data-retention.
  - Google Gemini API: Prompts, context, and outputs may be retained for approximately 55 days for abuse monitoring. Workspace/Gemini app retention is admin-configurable and separate.
- Our retention: See Section 8 for how long we keep your account and decision content
- Human control: AI outputs are suggestions only; you remain the decision-maker
- Automated decisions: We do not make decisions producing legal or similarly significant effects based solely on automated processing. You may request human review of AI-assisted recommendations.
This automated processing is essential to providing our core service functionality and occurs only when you actively submit content for analysis.
5. Information Sharing and Disclosure
5.1 Third-Party Service Providers
We share information with trusted third-party service providers who help us operate our platform:
- Supabase Inc. - For database services, authentication infrastructure, and backend services
- Mixpanel Inc. - For user analytics and usage tracking
- Google LLC - For Google Analytics (website analytics) and Gemini AI services
- OpenAI LLC - For AI processing services and language models
- Netlify Inc. - For website and application hosting, content delivery
- Render Services Inc. - For additional application hosting and deployment services
These providers are contractually obligated to protect your information and use it only for the specified services.
5.2 Legal Requirements
We may disclose your information when required by law or when we believe disclosure is necessary to:
- Comply with legal obligations, court orders, or government requests
- Protect our rights, property, or safety, or that of our users or the public
- Investigate potential violations of our Terms of Service
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to the same privacy protections outlined in this policy.
6. International Data Transfers
6.1 Cross-Border Data Storage and GDPR Compliance
Your personal information may be stored and processed in Canada, the United States, and other countries where our service providers operate.
For Canadian Users: Data stored outside Canada may be subject to foreign laws, including potential access by foreign government authorities under applicable legal processes.
For EU Users: When we transfer your data outside the European Economic Area (EEA):
- Canada has been recognized by the European Commission as providing adequate protection for personal data
- For transfers to other countries (such as the United States), we implement appropriate safeguards including Standard Contractual Clauses (SCCs) and other approved transfer mechanisms
- Your data receives the same level of protection regardless of where it is processed
6.2 Consent for Cross-Border Transfer
By using our service, you consent to the transfer, storage, and processing of your personal information as described above.
7. Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit and at rest
- Regular security assessments and updates
- Access controls and authentication requirements
- Secure data storage with our trusted service providers
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7.1 Breach Notification
In accordance with Canadian, Quebec, and EU privacy law requirements, if we experience a data breach that poses a real risk of significant harm to you, we will:
- Notify relevant privacy authorities (Privacy Commissioner of Canada, Quebec's CAI, and/or EU supervisory authorities) as required by law
- Notify affected users without unreasonable delay (within 72 hours for EU users where feasible)
- Provide information about the breach and steps being taken to address it
- Maintain records of all breaches for at least 24 months after discovery, as required by PIPEDA
8. Data Retention
8.1 Account Data
We retain your account information and associated data for one (1) year following your last use of the service. This allows you to return to your account and access your previous work.
8.2 Deletion Requests
If you request deletion of your account and data, we will process your request within seven (7) business days. Upon deletion:
- Your account will be permanently removed
- All personal information will be deleted from our systems
- Some anonymized, aggregated data may be retained for analytics purposes only
8.3 Legal Retention
We may retain information longer when required by law or for legitimate business purposes (such as fraud prevention or legal compliance).
9. Your Rights and Choices
9.1 Rights for All Users
You have the following rights regarding your personal information:
- Access: Request access to the personal information we hold about you
- Correction: Update or correct your account information through your profile settings
- Deletion: Delete your account and request removal of your personal information
- Portability: Request a copy of your data in a portable format
9.2 Additional Rights for EU Users
Under GDPR, EU residents have additional rights including:
- Right to Object: Object to processing based on legitimate interest or for direct marketing
- Right to Restrict Processing: Request limitation of processing in certain circumstances
- Right to Withdraw Consent: Withdraw consent at any time (without affecting lawfulness of prior processing)
- Right to Lodge Complaints: File complaints with supervisory authorities in your EU member state
- Right to Data Protection Impact Assessment: Information about automated decision-making and profiling
9.3 Authentication Control
- Magic Link Access: You can control access to your account through your email
- Account Deletion: You can delete your account and all associated data at any time
- Email Changes: Contact us to update your registered email address
9.4 Analytics and Cookies
- Cookie Management: You can control cookies through your browser settings
- Analytics Opt-Out: You can opt out of Google Analytics tracking through Google's opt-out tools, and contact us to opt out of Mixpanel tracking while continuing to use our core service
- EU Users: You can withdraw consent for non-essential cookies at any time
To exercise any of these rights, contact us at info@twobrains.ai.
9.5 Privacy Authority Contacts
For users outside Quebec:
Office of the Privacy Commissioner of Canada: www.priv.gc.ca, Phone: 1-800-282-1376
For Quebec users:
Commission d'accès à l'information du Québec (CAI): www.cai.gouv.qc.ca, Phone: 1-888-528-7741
For EU users:
Contact your local supervisory authority or visit: https://edpb.europa.eu/about-edpb/about-edpb/members_en
9.6 Enhanced Rights for Quebec Users
If you are a Quebec resident, you have additional rights under Quebec's Law 25, including:
- Enhanced portability rights: Request your data in a structured, commonly used format
- Right to rectification: Request correction of incomplete or inaccurate information
- Advanced consent management: More granular control over how your information is used
- Algorithmic transparency: Right to understand automated decision-making processes affecting you
10. Children's Privacy
Our service is not intended for children: under 13 years of age generally, under 14 in Quebec (parental or tutor consent required), and under 16 in the EU (member-state rules may vary). We do not knowingly collect personal information from children under these ages. If we discover we have collected such information, we will delete it immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Posting the updated policy on our website
- Sending notice to your registered email address (where required by law)
- For EU users: Providing at least 30 days' notice of material changes affecting your rights
Your continued use of our service after such notification constitutes acceptance of the updated policy, except where additional consent is required by law.
12. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Twobrains Inc.
Email: info@twobrains.ai
Address: 821-349 McLeod St, Ottawa ON K2P 0S1, Canada
Privacy Officer (Law 25): Tom Camps, CEO, privacy@twobrains.ai
For privacy-specific inquiries, please include "Privacy Policy" in your email subject line.
EU Representative: If required under GDPR, we will appoint an EU representative and update this section accordingly.
Version: 2.1