Privacy Policy
Last updated: July 2, 2026
This document is provided for transparency and does not constitute legal advice. If you have questions about how this policy applies to your situation, please consult a licensed attorney. For data requests or privacy questions, contact info@brainvaultai.com.
Who We Are
BrainVaultAI is operated by Sheridan St of Florida LLC, a limited liability company organized under the laws of the State of Florida (“Sheridan St of Florida LLC,” “BrainVaultAI,” “we,” “us,” or “our”). Sheridan St of Florida LLC is the data controller for personal information collected through the Platform. For purposes of the GDPR, Sheridan St of Florida LLC is the controller. Sheridan St of Florida LLC is organized in Florida and maintains a Florida registered agent for service of process; Florida law governs our relationship with you. Our mailing address for written correspondence is 10909 Princeville Ct, Bakersfield, CA 93311, United States. Written privacy correspondence may be sent to that mailing address or by email to info@brainvaultai.com.
This Privacy Policy explains how we collect, use, share, and protect personal information when you use the Platform at brainvaultai.com, including any associated applications, tools, programs, and services. It also describes your rights regarding your personal data.
What Data We Collect
We collect the following categories of personal information:
Identity and contact information
- Name (first name, as provided)
- Email address
- Phone number (optional, when you choose to provide it on the SMB Toolkit form as a CRM contact detail)
Business and professional information
- Company role, job title, or business type (from application forms and the SMB flow)
- Business size, industry, and challenges (when provided)
- Quiz responses and AI readiness assessment results
Account and authentication data
- Supabase authentication user ID (a unique identifier tied to your email login)
- Magic-link email sign-in logs (we use passwordless magic-link sign-in; we do not store account passwords)
- Account creation date and last activity
Purchase and entitlement data
- Purchase history and entitlements (which products you have access to)
- Payment metadata from Stripe (transaction ID, amount, currency, product purchased). We do not store your full card number, CVV, or bank account details; those are held exclusively by Stripe.
Platform activity and usage data
- Lessons started and completed, modules opened, prompts copied
- Outcomes and results you log, case studies you generate
- Tool usage and workflow interactions
- Progress through cohort companion content
Technical and device data
- IP address
- Browser type and version
- Device type and operating system
- Referring URL and page views
- Session duration and navigation patterns
- Session replay data (see Section 7 for full disclosure of our session recording practices)
Lead and consent data
- Information submitted through any lead capture form on the Platform, including cohort applications, tool waitlists, newsletter sign-ups, and the SMB Toolkit form
- Email marketing consent status and timestamp
- Unsubscribe records
User-generated content
- Any content you voluntarily submit including testimonials, outcome descriptions, feedback, and application essays
How We Collect It
We collect personal information through:
- Directly from you: When you complete the AI Readiness Quiz, create an account, submit any form (application, waitlist, newsletter, SMB Toolkit, cohort application), make a purchase, or contact us.
- Automatically: When you use the Platform, we collect technical and usage data automatically through cookies, PostHog analytics (including session replay), and browser/device signals.
- From third-party processors: When you sign in via our Supabase-backed magic-link authentication or complete a purchase via Stripe, those providers return confirmation data to us (authentication status, payment confirmation).
- From local storage:The Platform stores certain preference and progress data in your browser's localStorage (e.g., readiness score, activity timeline) for performance and continuity. This data remains on your device.
How We Use Your Data
We use the personal information we collect to:
- Provide, operate, and maintain the Platform, including authenticating your account and delivering the content you are entitled to;
- Process payments, manage purchases, and maintain your entitlements and access rights;
- Personalize your experience, including your AI readiness roadmap and program recommendations;
- Send transactional emails (account confirmations, magic links, purchase receipts, program access instructions);
- Send marketing and educational emails where you have consented to receive them;
- Respond to your inquiries and provide customer support;
- Analyze usage patterns and product behavior to improve the Platform (including through PostHog analytics and session replay);
- Protect the security and integrity of the Platform, detect abuse, enforce rate limits, and prevent fraud;
- Comply with applicable legal obligations and enforce our Terms of Service;
- For high-ticket applications and cohort applications, evaluate your eligibility and notify our team;
- Display aggregated or anonymized testimonials and outcomes on the Platform and in marketing materials (see our Terms of Service, Section 18 for media release terms).
We do not sell your personal data to third parties.
Legal Bases for Processing
For users in the European Economic Area, United Kingdom, or other jurisdictions where the GDPR or equivalent laws apply, we rely on the following legal bases:
- Contractual necessity: Processing required to provide the Platform and fulfill your purchases (account creation, payment processing, entitlement management, transactional email).
- Legitimate interests: Security and fraud prevention, customer support, and core business operations, where those interests are not overridden by your rights.
- Consent:Marketing email communications, and analytics and session replay. Analytics and session replay are off by default and run only after you click Accept in our cookie consent banner; you can decline or change your choice at any time via “Manage cookies” (see Section 7). You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation: Compliance with applicable laws, tax records, and legal process.
Data Processors and Sharing
We share personal data only with service providers that help us operate the Platform. Each processes data on our behalf and is subject to data processing agreements consistent with applicable privacy law. We do not sell your data or share it with third parties for their own independent marketing purposes.
| Processor | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication (passwordless magic-link sign-in) and primary database: lead records, entitlements, purchase history, outcomes, and platform data storage | Email, authentication user ID, name, phone (where provided), entitlements, quiz data, application data, outcome logs, consent records |
| Stripe | Payment processing, checkout, and purchase records | Email, payment card data (held exclusively by Stripe), transaction details |
| Resend | Transactional and marketing email delivery | Email address, name, email content |
| PostHog | Product analytics, event tracking, behavioral analytics, surveys, and session replay recording (see Section 7 for full disclosure) | Supabase authentication user ID (pseudonymous identifier), behavioral events (page views, feature usage, quiz interactions, CTA clicks), session recordings of on-screen interactions. Email, name, and other personal identifiers are explicitly redacted from PostHog event properties. |
| GoHighLevel | Customer relationship management (CRM): contact records, lead management, tagging, and email marketing automation. | Email, first name, phone number (only if you optionally provide it), business type, and tags related to program interest. |
| Cal.com | Call scheduling. We embed a Cal.com booking widget so you can book a call (for example, a teams or organization training inquiry). | Name, email, and the scheduling details you enter when you book a call (only if you choose to book). |
| Vercel | Platform hosting and infrastructure | IP address, request logs (standard web hosting logs) |
We do not currently use advertising pixels or third-party ad trackers. If we add any such integrations in the future, we will update this policy before activating them.
We may disclose personal data if required by law, legal process, or a valid government request; to protect the rights, property, or safety of BrainVaultAI, its users, or others; or in connection with a merger, acquisition, or sale of substantially all assets, in which case personal data may be transferred to the acquiring entity subject to the same or equivalent privacy protections.
Email Marketing
We send marketing and educational emails only to those who have provided consent. Marketing emails are CAN-SPAM compliant and include our physical mailing address and an unsubscribe mechanism in every email.
How you enter an email flow.When you take an action that captures your email with consent, we may enroll you in a scheduled, automated email sequence. These capture points include: requesting a free lead magnet or the AI Readiness Kit; signing up for the newsletter or a tool waitlist; starting the “Build Your First AI Employee” flow; submitting a teams or organization training inquiry; and applying to a cohort. Depending on the action, you may receive a delivery email, an onboarding or activation sequence, an educational nurture sequence, challenge-related reminders, or a teams follow-up sequence. These are separate from one-off transactional emails.
One-click unsubscribe. Our marketing and sequence emails include a standard unsubscribe link and also set the List-Unsubscribe and List-Unsubscribe-Post email headers, which let supported email clients offer a built-in one-click unsubscribe. Using either method removes you from marketing sequences. You may also unsubscribe at any time by contacting us at info@brainvaultai.com. Unsubscribing from marketing email will not unsubscribe you from transactional emails (such as purchase receipts and account access instructions), which are necessary to operate your account.
All email is sent via Resend, and contact records and marketing automation are managed in GoHighLevel (see Section 6). Your email address is not shared with any third party for their own marketing purposes.
Data Retention
We retain your personal data for as long as is necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.
- Account and entitlement data is retained for the duration of your account plus a reasonable period thereafter to handle any support or legal inquiries;
- Purchase and transaction records are retained for at least seven (7) years to comply with tax and financial record-keeping requirements;
- Marketing consent records are retained for the life of the consent plus a reasonable period for legal compliance purposes;
- Session replay recordings are retained for a limited period as configured in our analytics provider (PostHog) settings and are then automatically deleted. We configure this retention so that recordings are kept for no longer than twelve (12) months from the date of the session, and our current configured period is no longer than that ceiling. If we shorten or change the configured period, we will keep the actual setting within this stated maximum;
- Lead capture records are retained as part of our CRM, and you may request deletion at any time (see Section 11).
When data is no longer needed for the purposes described here and no legal obligation requires its retention, we delete or anonymize it.
Security
We implement reasonable technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These measures include: HTTPS encryption in transit; access controls and authentication for all administrative systems; use of reputable, security-certified service providers (Supabase, Stripe); and server-side rate limiting and input validation on all data submission endpoints.
However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that affects your rights or freedoms, we will notify affected users as required by applicable law.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at info@brainvaultai.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
- Right to access: Request a copy of the personal data we hold about you.
- Right to correction: Request that we correct inaccurate or incomplete personal data.
- Right to deletion: Request that we delete your personal data, subject to our legal retention obligations and contractual necessity.
- Right to data portability: Request that we provide your data in a structured, machine-readable format where technically feasible.
- Right to object: Object to processing based on our legitimate interests.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to withdraw consent: Where processing is based on consent (e.g., marketing email, analytics, and session replay), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to opt out of analytics: You may opt out of PostHog analytics and session replay at any time by clicking Decline in the cookie banner, using “Manage cookies,” blocking the PostHog script via a content blocker, or contacting us at info@brainvaultai.com.
- Right to unsubscribe: Click Unsubscribe in any marketing email.
Deletion requests: If you request deletion of your account and data, we will delete or anonymize your personal data from our active systems, subject to our need to retain certain data for legal, tax, fraud prevention, or contractual purposes. Deletion may take up to 30 days to fully process across all systems.
California Privacy Rights (CCPA/CPRA)
This section applies to California residents under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
Notice at Collection
At or before the point we collect your personal information, this is our Notice at Collection: we collect the categories of personal information described in Section 2 (identifiers, commercial information, internet and network activity, professional or business information, and inferences). We collect this information for the business purposes described in Section 4 (How We Use Your Data) and retain it for the periods described in Section 9 (Data Retention). We do not sell or share your personal information, and we do not collect or use sensitive personal information for purposes that trigger the right to limit. This Privacy Policy serves as the full notice required at collection; you can review it at any time at brainvaultai.com/privacy.
Do Not Sell or Share My Personal Information
We do not sell your personal information and we do not share it for cross-context behavioral advertising. Because we do not sell or share, there is no sale or share for you to opt out of. If this ever changes, we will add a clear “Do Not Sell or Share My Personal Information” link and update this policy before any such activity begins. To confirm your preference or ask a question in the meantime, you may contact us using either method described under “How to submit a request” below.
No sale or sharing
We do not sell your personal information for money, and we do not share your personal information for cross-context behavioral advertising. In the preceding twelve (12) months, we have not sold and have not shared the personal information of any consumer, as those terms are defined under the CCPA/CPRA. We do not currently use advertising pixels or third-party ad trackers.
Sensitive personal information
We do not collect sensitive personal information (SPI) for the purpose of inferring characteristics about you, and we do not use or disclose SPI for purposes beyond those permitted under the CCPA/CPRA. Because we do not use SPI for non-permitted purposes, the “right to limit the use of sensitive personal information” is generally not triggered; however, if you believe SPI has been used outside permitted purposes, you may contact us to exercise that right and we will honor it.
Categories collected and disclosed in the preceding 12 months
In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2 (What Data We Collect), including identifiers (such as name, email, and optional phone), commercial information (purchases and entitlements), internet and network activity (usage and device data and, where consented, session replay), professional or business information, and inferences drawn from quiz responses. We have disclosed these categories for business purposes only to the service providers listed in Section 6 (Data Processors and Sharing), who are contractually limited to processing the data on our behalf. We have not disclosed personal information to any third party for that third party's own purposes.
Retention
We retain each category of personal information for the periods described in Section 9 (Data Retention), or for as long as reasonably necessary for the purpose for which it was collected and to meet our legal, tax, and recordkeeping obligations.
Your California rights
- Right to know what personal information we collect and how we use and disclose it;
- Right to request deletion of your personal information;
- Right to request correction of inaccurate personal information;
- Right to opt out of the sale or sharing of your personal information (we do not sell or share, so there is nothing to opt out of);
- Right to limit the use and disclosure of sensitive personal information (as noted above);
- Right to non-discrimination for exercising any of your CCPA/CPRA rights.
How to submit a request
You may submit a CCPA/CPRA request through either of the following two designated methods:
- By email: Send a request to info@brainvaultai.com with the subject line “California Privacy Request.”
- By mail: Send a written request to Sheridan St of Florida LLC, Attn: California Privacy Request, 10909 Princeville Ct, Bakersfield, CA 93311, United States.
BrainVaultAI operates exclusively online and interacts with consumers exclusively online; the two methods above are the designated request channels and we do not maintain a separate toll-free telephone line. You may use an authorized agent to submit a request on your behalf; we may require the agent to provide proof of your written authorization and may require you to verify your own identity directly with us. We will confirm receipt and respond within forty-five (45) days. If we need more time, we may extend that period by an additional forty-five (45) days and will notify you of the extension and the reason.
GDPR and International Users
BrainVaultAI is based in the United States and its servers and service providers are primarily located in the United States. If you access the Platform from the European Economic Area (EEA), the United Kingdom, or Switzerland, please be aware that your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
For transfers of EEA personal data to the United States, we rely on Standard Contractual Clauses (SCCs) or other applicable transfer mechanisms to the extent required. Each of our sub-processors (Supabase, Stripe, Resend, PostHog, GoHighLevel, Cal.com, and Vercel) maintains its own cross-border transfer mechanism. The SCCs are incorporated through the standard data processing terms each processor publishes as part of its service agreement.
BrainVaultAI is a United States business that markets to and serves a primarily United States audience. We do not currently target our services to, or actively market in, the EEA, the United Kingdom, or Switzerland. Because we do not target those markets, we have not yet appointed an Article 27 EU or UK representative. If we begin to target or monitor individuals in the EEA or UK such that Article 27 or equivalent obligations apply, we will execute the required processor data processing agreements, appoint a qualifying representative, and update this Privacy Policy before doing so. EEA and UK visitors who choose to use the Platform may still exercise the rights described in Section 11 by contacting us.
If you are in the EEA or UK and believe we have not addressed your complaint satisfactorily, you have the right to lodge a complaint with your local data protection authority (DPA).
EEA and UK residents may exercise the data subject rights listed in Section 11 by contacting us at info@brainvaultai.com.
Note for counsel: This GDPR section is included conservatively for businesses with international visitors. If BrainVaultAI regularly targets or processes data from EEA residents, a formal Data Processing Agreement with each processor and, potentially, a UK or EEA representative appointment may be required. Please advise on the appropriate cross-border transfer mechanism and whether a formal Article 27 representative is needed.
Children's Privacy
BrainVaultAI is intended exclusively for adults 18 years of age or older, consistent with our Terms of Service eligibility requirement. The Platform is not directed to, and we do not knowingly collect personal data from, anyone under the age of 18.
If we become aware that we have collected personal data from someone under 18 without verified parental consent, we will take steps to delete that information promptly. Note for EEA users: the EEA digital consent age is 16 in most member states; users under 18 in those jurisdictions must have parental authorization to use the Platform in any case, as our minimum age for service is 18. If you believe we have inadvertently collected data from a minor, please contact us at info@brainvaultai.com.
Third-Party Links and Embedded Media
The Platform may contain links to third-party websites, tools, or resources. These links are provided for your convenience and do not constitute an endorsement by BrainVaultAI of those third parties. We have no control over the content, privacy policies, or practices of third-party websites and are not responsible for your interactions with them.
Some pages embed video hosted by third-party media providers, which may include YouTube, Vimeo, Loom, HeyGen, and Wistia. When you view a page containing an embedded video, the provider hosting that video may set its own cookies or collect viewing data under its own privacy policy, in the same way it would if you watched the video on the provider’s own site. Where a provider offers a privacy-enhanced embed mode (such as YouTube’s no-cookie player), we aim to use it.
We encourage you to review the privacy policy of every third-party site you visit.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where required or appropriate, notify you by email or via a notice on the Platform.
Your continued use of the Platform after we post changes constitutes your acceptance of those changes. If you do not agree to the revised Privacy Policy, you must stop using the Platform.
Contact and Data Requests
For all privacy-related inquiries, data subject requests, or questions about this Privacy Policy, contact us:
Sheridan St of Florida LLC
Operating as BrainVaultAI
10909 Princeville Ct, Bakersfield, CA 93311, United States
Privacy and legal: info@brainvaultai.com
General support: info@brainvaultai.com
We will respond to all verifiable requests within 30 days (or sooner where required by applicable law). Where we are unable to fulfill a request, we will explain why.