Brahmalabs ("we", "our", "us") operates the brahmalabs.io website and the Brahmalabs platform (the "Service"). This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our Service.
1. Information we collect
Account information
When you register for Brahmalabs, we collect:
- Name and email address, whether provided directly or via your single sign-on provider
- Organisation name and billing contact
- Authentication credentials managed by your identity provider
Usage data
We automatically collect:
- Workflow execution metadata — run identifiers, durations, token counts, cost
- Feature usage patterns within the dashboard
- API request logs — endpoint, status code, latency
Device information
We collect standard technical data:
- IP address, browser type, operating system
- Referring URL and pages visited
- Device type and screen resolution
2. What we do not collect
- No analytics cookies on the marketing site by default. brahmalabs.io runs analytics in a cookieless, consent-gated mode — Cloudflare Web Analytics, plus Google Analytics under Consent Mode (denied by default). No analytics or advertising cookies are set unless you explicitly consent, and we never fingerprint you or track you across sites.
- No sale of data. We never sell, rent, or trade your personal information to third parties.
- No training on your content. Your workflow definitions, agent prompts, execution outputs, and knowledge base content are never used to train machine-learning models — ours or anyone else's.
3. How we use your information
- To provide, maintain, and improve the Service
- To authenticate your identity and manage your account
- To process billing and enforce usage limits
- To send transactional communications — password resets, billing receipts, security alerts
- To respond to support requests
- To detect, prevent, and address security issues
4. Tenant isolation
Every customer organisation's workflows, agent configurations, credentials, execution logs, and audit records live in a dedicated, logically-bounded space. Cross-tenant access is structurally impossible at the data layer — not merely prevented by application logic.
5. Encryption
- In transit: All connections use TLS 1.3. HSTS is enforced with preload.
- At rest: Sensitive credentials — API keys, OAuth tokens, integration secrets — are encrypted with AES-256-GCM in our platform vault. Database volumes use full-disk encryption.
- Key management: Encryption keys are managed separately from encrypted data and are never logged or exposed in application code.
6. Data residency
Production infrastructure is hosted in the European Union. Data does not leave the EU unless you explicitly configure an integration that calls an external API in another region.
7. Retention periods
| Data type | Retention |
| --- | --- |
| Account information | 30 days after account deletion |
| Execution logs | 7 / 90 / 365 days (Free / Pro / Enterprise) |
| Audit logs | 7 / 90 / 365 days (Free / Pro / Enterprise) |
| Billing records | 7 years (legal requirement) |
| Support correspondence | 2 years after resolution |
8. Your rights under GDPR
If you are located in the European Economic Area, you have the following rights:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Request correction of inaccurate personal data.
- Erasure. Request deletion of your personal data — the "right to be forgotten".
- Portability. Receive your data in a structured, commonly-used format.
- Restriction. Request that we limit processing of your data.
- Objection. Object to processing based on legitimate interests.
- Withdraw consent. Where processing is based on consent, you may withdraw at any time.
To exercise any of these rights, email privacy@brahmalabs.io. We respond within 30 days.
9. Third-party services
| Service | Purpose | Data shared |
| --- | --- | --- |
| Cloudflare | Content delivery, DDoS protection, DNS | IP address, request metadata |
| Google Analytics | Aggregate marketing-site traffic (consent-gated; cookieless by default) | Truncated IP, page & referrer, device type |
| Cal.com | Calendar booking for technical briefings (loaded only on /briefing) | Name, email, booking time (entered by you) |
| Tally | Contact form intake (loaded only on /contact) | Whatever you submit in the form |
| WorkOS | Authentication and single sign-on | Email, name, organisation membership |
| Stripe | Payment processing | Billing contact, payment method |
We do not share personal data with any other third parties except as required by law.
10. LLM provider data handling
When Brahmalabs invokes language models on your behalf:
- Prompts and completions are sent via API to the provider you configured.
- We do not store model outputs beyond what is required for execution logs — subject to your plan's retention period.
- Major providers have committed to not using API inputs for training. We recommend reviewing each provider's data policy.
- PII guardrails can be configured to redact sensitive information before it reaches the model provider.
11. Cookies
- Marketing site (brahmalabs.io). No cookies are set by default. Analytics run cookieless (Consent Mode denied); analytics or advertising cookies are set only with your explicit consent.
- Application (app.brahmalabs.io). Essential session cookies only — used to maintain your authenticated session. No analytics, no marketing cookies.
12. Children's privacy
Brahmalabs is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@brahmalabs.io.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account owners at least 30 days before taking effect. The "Last updated" date above indicates the most recent revision.
14. Contact
For questions about this policy or to exercise your data rights: