BrainstormRouter
Features How it works Models MCP Pricing Developers
Dashboard Get started
Legal

Privacy Policy

Effective March 4, 2026

Overview

BrainstormRouter is a free AI research project. We collect the minimum data necessary to operate the service. We do not sell, share, or monetize your data in any way.

What we collect

Account information. When you sign in via GitHub or Google OAuth, we receive your name, email address, and profile picture. Used solely to identify your account and tenant.

Provider API keys. Encrypted at rest using tenant-specific key derivation. Plaintext keys are never stored in logs, sent to the browser after initial storage, or shared with any third party.

Request data. Processed to route to the appropriate provider. Metadata (model, tokens, latency, cost) is logged for your usage dashboard. Content may be temporarily cached for performance.

Usage metrics. Aggregate counts, token usage, cost, latency. Tenant-scoped, not shared across tenants.

What we do NOT collect

  • • Payment information (nothing to pay)
  • • Browser fingerprints or tracking pixels
  • • Third-party analytics or advertising cookies
  • • Personal data beyond what OAuth provides

How we use your data

  • Authentication — to identify you and scope your tenant.
  • Routing — to route requests using your provider keys.
  • Dashboard — to display your usage, costs, and insights.
  • Optimization — to improve routing via Thompson sampling and quality scoring.

Data storage

AWS infrastructure, US East region. PostgreSQL (RDS) for account data, API keys, usage records. Redis (ElastiCache) for session cache, rate limiting, semantic cache. EFS for persistent configuration state. All storage encrypted at rest and in transit. Provider keys receive additional application-level encryption.

Data retention

Account data retained while your account is active. Usage data retained for up to 90 days. Account deletion permanently removes all associated data (keys, usage history, tenant configuration).

Third-party services

Supabase (OAuth), AWS (infrastructure), Cloudflare (DNS, DDoS), Vercel (marketing site + dashboard hosting). We do not share your data with any other third parties.

Your rights

  • • View all data associated with your account via the dashboard.
  • • Delete your provider keys and revoke your API keys at any time.
  • • Request full account deletion by emailing hello@brainstormrouter.com.

GDPR (European users)

If you are in the European Economic Area, we process your data under legitimate interest and consent. The individual operator of BrainstormRouter is the Data Controller. You have rights of access, erasure, portability, and restriction of processing. Email hello@brainstormrouter.com. We respond within 30 days.

CCPA (California users)

Rights to know what personal information we collect and how it is used, request deletion, opt out of the sale of personal information (we do not sell it), and non-discrimination for exercising your rights.

Cookies

The marketing site uses no cookies. The dashboard uses a single session cookie for authentication (Supabase auth token). No analytics cookies, tracking pixels, or third-party cookies are used anywhere.

International transfers

Data is stored in AWS US East (N. Virginia). If you are outside the US, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

Sub-processors

  • AWS — infrastructure (ECS, RDS, ElastiCache). US East.
  • Supabase — OAuth authentication. US.
  • Cloudflare — DNS, DDoS protection. Global.
  • Vercel — site hosting. US.

Contact

Privacy questions: hello@brainstormrouter.com.