Privacy Policy
Effective: March 4, 2026
Overview
BrainstormRouter is a free AI research project. We collect the minimum data necessary to operate the service. We do not sell, share, or monetize your data in any way.
What We Collect
Account Information
When you sign in via GitHub or Google OAuth, we receive your name, email address, and profile picture from the OAuth provider. This is used solely to identify your account and tenant.
Provider API Keys
If you store provider API keys (OpenAI, Anthropic, etc.) through the dashboard, they are encrypted at rest using tenant-specific key derivation. Plaintext keys are never stored in logs, sent to the browser after initial storage, or shared with any third party.
Request Data
When you send requests through the BrainstormRouter API, we process the request to route it to the appropriate provider. Request and response metadata (model, tokens, latency, cost) is logged for your usage dashboard. Request content may be temporarily cached for performance optimization.
Usage Metrics
We collect aggregate usage data (request counts, token usage, cost, latency) to display in your dashboard and to improve routing intelligence. This data is scoped to your tenant and not shared across tenants.
What We Do NOT Collect
- Payment information (there is nothing to pay)
- Browser fingerprints or tracking pixels
- Third-party analytics or advertising cookies
- Personal data beyond what OAuth provides
How We Use Your Data
- Authentication: To identify you and scope your tenant
- Routing: To route requests using your provider keys
- Dashboard: To display your usage, costs, and insights
- Optimization: To improve routing via Thompson sampling and quality scoring
Data Storage
Data is stored on AWS infrastructure (US East region) using:
- PostgreSQL (RDS): Account data, API keys, usage records
- Redis (ElastiCache): Session cache, rate limiting, semantic cache
- EFS: Persistent configuration state
All storage is encrypted at rest and in transit. Provider keys receive additional application-level encryption.
Data Retention
Account data is retained while your account is active. Usage data is retained for up to 90 days. If you delete your account, all associated data (keys, usage history, tenant configuration) is permanently deleted.
Third-Party Services
BrainstormRouter uses the following third-party services:
- Supabase: OAuth authentication
- AWS: Infrastructure hosting (ECS, RDS, ElastiCache, EFS)
- Cloudflare: DNS and DDoS protection
- Vercel: Marketing site and dashboard hosting
We do not share your data with any other third parties.
Your Rights
You can at any time:
- View all data associated with your account via the dashboard
- Delete your provider keys
- Revoke your API keys
- Request full account deletion by contacting us
GDPR (European Users)
If you are in the European Economic Area, the following applies:
- Lawful Basis: We process your data under legitimate interest (operating the service you requested) and consent (OAuth sign-in).
- Data Controller: The individual operator of BrainstormRouter.
- Right of Access: You may request a copy of all personal data we hold about you.
- Right to Erasure: You may request deletion of your account and all associated data.
- Right to Portability: You may request your data in a machine-readable format.
- Right to Restriction: You may request that we restrict processing of your data.
To exercise these rights, email hello@brainstormrouter.com. We will respond within 30 days.
CCPA (California Users)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising your rights
Cookies
The marketing site uses no cookies. The dashboard uses a session cookie for authentication (Supabase auth token). No analytics cookies, tracking pixels, or third-party cookies are used anywhere.
International Transfers
Data is stored in AWS US East (N. Virginia). If you are outside the US, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| AWS | Infrastructure (ECS, RDS, ElastiCache) | US East |
| Supabase | OAuth authentication | US |
| Cloudflare | DNS, DDoS protection | Global |
| Vercel | Site hosting | US |
Contact
Privacy questions should be directed to hello@brainstormrouter.com.