Skip to content
Legal

Privacy Policy

Last updated: July 2, 2026

This document is provided for transparency and does not constitute legal advice. If you have questions about how this policy applies to your situation, please consult a licensed attorney. For data requests or privacy questions, contact info@brainvaultai.com.

01

Who We Are

BrainVaultAI is operated by Sheridan St of Florida LLC, a limited liability company organized under the laws of the State of Florida (“Sheridan St of Florida LLC,” “BrainVaultAI,” “we,” “us,” or “our”). Sheridan St of Florida LLC is the data controller for personal information collected through the Platform. For purposes of the GDPR, Sheridan St of Florida LLC is the controller. Sheridan St of Florida LLC is organized in Florida and maintains a Florida registered agent for service of process; Florida law governs our relationship with you. Our mailing address for written correspondence is 10909 Princeville Ct, Bakersfield, CA 93311, United States. Written privacy correspondence may be sent to that mailing address or by email to info@brainvaultai.com.

This Privacy Policy explains how we collect, use, share, and protect personal information when you use the Platform at brainvaultai.com, including any associated applications, tools, programs, and services. It also describes your rights regarding your personal data.

02

What Data We Collect

We collect the following categories of personal information:

Identity and contact information

  • Name (first name, as provided)
  • Email address
  • Phone number (optional, when you choose to provide it on the SMB Toolkit form as a CRM contact detail)

Business and professional information

  • Company role, job title, or business type (from application forms and the SMB flow)
  • Business size, industry, and challenges (when provided)
  • Quiz responses and AI readiness assessment results

Account and authentication data

  • Supabase authentication user ID (a unique identifier tied to your email login)
  • Magic-link email sign-in logs (we use passwordless magic-link sign-in; we do not store account passwords)
  • Account creation date and last activity

Purchase and entitlement data

  • Purchase history and entitlements (which products you have access to)
  • Payment metadata from Stripe (transaction ID, amount, currency, product purchased). We do not store your full card number, CVV, or bank account details; those are held exclusively by Stripe.

Platform activity and usage data

  • Lessons started and completed, modules opened, prompts copied
  • Outcomes and results you log, case studies you generate
  • Tool usage and workflow interactions
  • Progress through cohort companion content

Technical and device data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Referring URL and page views
  • Session duration and navigation patterns
  • Session replay data (see Section 7 for full disclosure of our session recording practices)

Lead and consent data

  • Information submitted through any lead capture form on the Platform, including cohort applications, tool waitlists, newsletter sign-ups, and the SMB Toolkit form
  • Email marketing consent status and timestamp
  • Unsubscribe records

User-generated content

  • Any content you voluntarily submit including testimonials, outcome descriptions, feedback, and application essays
03

How We Collect It

We collect personal information through:

  • Directly from you: When you complete the AI Readiness Quiz, create an account, submit any form (application, waitlist, newsletter, SMB Toolkit, cohort application), make a purchase, or contact us.
  • Automatically: When you use the Platform, we collect technical and usage data automatically through cookies, PostHog analytics (including session replay), and browser/device signals.
  • From third-party processors: When you sign in via our Supabase-backed magic-link authentication or complete a purchase via Stripe, those providers return confirmation data to us (authentication status, payment confirmation).
  • From local storage:The Platform stores certain preference and progress data in your browser's localStorage (e.g., readiness score, activity timeline) for performance and continuity. This data remains on your device.
04

How We Use Your Data

We use the personal information we collect to:

  • Provide, operate, and maintain the Platform, including authenticating your account and delivering the content you are entitled to;
  • Process payments, manage purchases, and maintain your entitlements and access rights;
  • Personalize your experience, including your AI readiness roadmap and program recommendations;
  • Send transactional emails (account confirmations, magic links, purchase receipts, program access instructions);
  • Send marketing and educational emails where you have consented to receive them;
  • Respond to your inquiries and provide customer support;
  • Analyze usage patterns and product behavior to improve the Platform (including through PostHog analytics and session replay);
  • Protect the security and integrity of the Platform, detect abuse, enforce rate limits, and prevent fraud;
  • Comply with applicable legal obligations and enforce our Terms of Service;
  • For high-ticket applications and cohort applications, evaluate your eligibility and notify our team;
  • Display aggregated or anonymized testimonials and outcomes on the Platform and in marketing materials (see our Terms of Service, Section 18 for media release terms).

We do not sell your personal data to third parties.

06

Data Processors and Sharing

We share personal data only with service providers that help us operate the Platform. Each processes data on our behalf and is subject to data processing agreements consistent with applicable privacy law. We do not sell your data or share it with third parties for their own independent marketing purposes.

ProcessorPurposeData Shared
SupabaseAuthentication (passwordless magic-link sign-in) and primary database: lead records, entitlements, purchase history, outcomes, and platform data storageEmail, authentication user ID, name, phone (where provided), entitlements, quiz data, application data, outcome logs, consent records
StripePayment processing, checkout, and purchase recordsEmail, payment card data (held exclusively by Stripe), transaction details
ResendTransactional and marketing email deliveryEmail address, name, email content
PostHogProduct analytics, event tracking, behavioral analytics, surveys, and session replay recording (see Section 7 for full disclosure)Supabase authentication user ID (pseudonymous identifier), behavioral events (page views, feature usage, quiz interactions, CTA clicks), session recordings of on-screen interactions. Email, name, and other personal identifiers are explicitly redacted from PostHog event properties.
GoHighLevelCustomer relationship management (CRM): contact records, lead management, tagging, and email marketing automation.Email, first name, phone number (only if you optionally provide it), business type, and tags related to program interest.
Cal.comCall scheduling. We embed a Cal.com booking widget so you can book a call (for example, a teams or organization training inquiry).Name, email, and the scheduling details you enter when you book a call (only if you choose to book).
VercelPlatform hosting and infrastructureIP address, request logs (standard web hosting logs)

We do not currently use advertising pixels or third-party ad trackers. If we add any such integrations in the future, we will update this policy before activating them.

We may disclose personal data if required by law, legal process, or a valid government request; to protect the rights, property, or safety of BrainVaultAI, its users, or others; or in connection with a merger, acquisition, or sale of substantially all assets, in which case personal data may be transferred to the acquiring entity subject to the same or equivalent privacy protections.

07

Cookies, Analytics, and Session Recording

Cookies and local storage

The Platform uses cookies and browser local storage to maintain your session, remember your authentication state, store your activity timeline and readiness score locally, and provide a consistent experience. Essential cookies are required for the Platform to function. Blocking them may prevent login or break core features.

PostHog analytics (consent-gated)

We use PostHog for product analytics, behavioral event tracking, in-product surveys, and session replay. When enabled, PostHog receives a pseudonymous user identifier (your Supabase authentication user ID) and behavioral event data.

Analytics is off until you opt in. PostHog is initialized in an opted-out state and does not collect any analytics or session-replay data until you click “Accept” in our cookie consent banner. If you click “Decline,” no analytics or session-replay data is collected. You can change your choice at any time using the “Manage cookies” control.

Custom event properties sent to PostHog are sanitized before transmission: your email address, name, phone number, and the text of any prompts or messages are explicitly redacted from all event properties and never sent to PostHog as structured data.

Session replay disclosure (important)

PostHog's session replay feature records your interactions on the Platform, including mouse movements, clicks, scrolling, keyboard activity, navigation between pages, and the content visible on your screen during your session. This is separate from event properties: even though event properties are sanitized, the session replay captures what is rendered on screen.

We configure PostHog with maskAllInputs: true, which masks all HTML form fields in session recordings so that text you type into any input (email, phone, name, payment fields, and other form elements) is replaced with placeholder characters and never transmitted in the recording. However, content displayed as page text (not inside form inputs) may still appear in recordings. You should be aware that session replay is active when using the Platform.

Session recordings are stored by PostHog and accessible only to BrainVaultAI administrators. They are used exclusively to understand how users interact with the Platform, identify usability issues, and improve features, and are not used to share your behavior with third-party advertisers.

To opt out of PostHog analytics and session replay, click “Decline” in the cookie consent banner, or change a prior choice via the “Manage cookies” control on the site. You may also block the PostHog script using a content blocker or privacy browser extension, or contact us at info@brainvaultai.com.

Advertising pixels

We do not currently use advertising pixels or third-party ad trackers (such as Google Tag Manager or Meta pixel). If we add them in the future, we will update this policy before activating them.

08

Email Marketing

We send marketing and educational emails only to those who have provided consent. Marketing emails are CAN-SPAM compliant and include our physical mailing address and an unsubscribe mechanism in every email.

How you enter an email flow.When you take an action that captures your email with consent, we may enroll you in a scheduled, automated email sequence. These capture points include: requesting a free lead magnet or the AI Readiness Kit; signing up for the newsletter or a tool waitlist; starting the “Build Your First AI Employee” flow; submitting a teams or organization training inquiry; and applying to a cohort. Depending on the action, you may receive a delivery email, an onboarding or activation sequence, an educational nurture sequence, challenge-related reminders, or a teams follow-up sequence. These are separate from one-off transactional emails.

One-click unsubscribe. Our marketing and sequence emails include a standard unsubscribe link and also set the List-Unsubscribe and List-Unsubscribe-Post email headers, which let supported email clients offer a built-in one-click unsubscribe. Using either method removes you from marketing sequences. You may also unsubscribe at any time by contacting us at info@brainvaultai.com. Unsubscribing from marketing email will not unsubscribe you from transactional emails (such as purchase receipts and account access instructions), which are necessary to operate your account.

All email is sent via Resend, and contact records and marketing automation are managed in GoHighLevel (see Section 6). Your email address is not shared with any third party for their own marketing purposes.

09

Data Retention

We retain your personal data for as long as is necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.

  • Account and entitlement data is retained for the duration of your account plus a reasonable period thereafter to handle any support or legal inquiries;
  • Purchase and transaction records are retained for at least seven (7) years to comply with tax and financial record-keeping requirements;
  • Marketing consent records are retained for the life of the consent plus a reasonable period for legal compliance purposes;
  • Session replay recordings are retained for a limited period as configured in our analytics provider (PostHog) settings and are then automatically deleted. We configure this retention so that recordings are kept for no longer than twelve (12) months from the date of the session, and our current configured period is no longer than that ceiling. If we shorten or change the configured period, we will keep the actual setting within this stated maximum;
  • Lead capture records are retained as part of our CRM, and you may request deletion at any time (see Section 11).

When data is no longer needed for the purposes described here and no legal obligation requires its retention, we delete or anonymize it.

10

Security

We implement reasonable technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These measures include: HTTPS encryption in transit; access controls and authentication for all administrative systems; use of reputable, security-certified service providers (Supabase, Stripe); and server-side rate limiting and input validation on all data submission endpoints.

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that affects your rights or freedoms, we will notify affected users as required by applicable law.

11

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at info@brainvaultai.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to correction: Request that we correct inaccurate or incomplete personal data.
  • Right to deletion: Request that we delete your personal data, subject to our legal retention obligations and contractual necessity.
  • Right to data portability: Request that we provide your data in a structured, machine-readable format where technically feasible.
  • Right to object: Object to processing based on our legitimate interests.
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent (e.g., marketing email, analytics, and session replay), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to opt out of analytics: You may opt out of PostHog analytics and session replay at any time by clicking Decline in the cookie banner, using “Manage cookies,” blocking the PostHog script via a content blocker, or contacting us at info@brainvaultai.com.
  • Right to unsubscribe: Click Unsubscribe in any marketing email.

Deletion requests: If you request deletion of your account and data, we will delete or anonymize your personal data from our active systems, subject to our need to retain certain data for legal, tax, fraud prevention, or contractual purposes. Deletion may take up to 30 days to fully process across all systems.

12

California Privacy Rights (CCPA/CPRA)

This section applies to California residents under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

Notice at Collection

At or before the point we collect your personal information, this is our Notice at Collection: we collect the categories of personal information described in Section 2 (identifiers, commercial information, internet and network activity, professional or business information, and inferences). We collect this information for the business purposes described in Section 4 (How We Use Your Data) and retain it for the periods described in Section 9 (Data Retention). We do not sell or share your personal information, and we do not collect or use sensitive personal information for purposes that trigger the right to limit. This Privacy Policy serves as the full notice required at collection; you can review it at any time at brainvaultai.com/privacy.

Do Not Sell or Share My Personal Information

We do not sell your personal information and we do not share it for cross-context behavioral advertising. Because we do not sell or share, there is no sale or share for you to opt out of. If this ever changes, we will add a clear “Do Not Sell or Share My Personal Information” link and update this policy before any such activity begins. To confirm your preference or ask a question in the meantime, you may contact us using either method described under “How to submit a request” below.

No sale or sharing

We do not sell your personal information for money, and we do not share your personal information for cross-context behavioral advertising. In the preceding twelve (12) months, we have not sold and have not shared the personal information of any consumer, as those terms are defined under the CCPA/CPRA. We do not currently use advertising pixels or third-party ad trackers.

Sensitive personal information

We do not collect sensitive personal information (SPI) for the purpose of inferring characteristics about you, and we do not use or disclose SPI for purposes beyond those permitted under the CCPA/CPRA. Because we do not use SPI for non-permitted purposes, the “right to limit the use of sensitive personal information” is generally not triggered; however, if you believe SPI has been used outside permitted purposes, you may contact us to exercise that right and we will honor it.

Categories collected and disclosed in the preceding 12 months

In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2 (What Data We Collect), including identifiers (such as name, email, and optional phone), commercial information (purchases and entitlements), internet and network activity (usage and device data and, where consented, session replay), professional or business information, and inferences drawn from quiz responses. We have disclosed these categories for business purposes only to the service providers listed in Section 6 (Data Processors and Sharing), who are contractually limited to processing the data on our behalf. We have not disclosed personal information to any third party for that third party's own purposes.

Retention

We retain each category of personal information for the periods described in Section 9 (Data Retention), or for as long as reasonably necessary for the purpose for which it was collected and to meet our legal, tax, and recordkeeping obligations.

Your California rights

  • Right to know what personal information we collect and how we use and disclose it;
  • Right to request deletion of your personal information;
  • Right to request correction of inaccurate personal information;
  • Right to opt out of the sale or sharing of your personal information (we do not sell or share, so there is nothing to opt out of);
  • Right to limit the use and disclosure of sensitive personal information (as noted above);
  • Right to non-discrimination for exercising any of your CCPA/CPRA rights.

How to submit a request

You may submit a CCPA/CPRA request through either of the following two designated methods:

  • By email: Send a request to info@brainvaultai.com with the subject line “California Privacy Request.”
  • By mail: Send a written request to Sheridan St of Florida LLC, Attn: California Privacy Request, 10909 Princeville Ct, Bakersfield, CA 93311, United States.

BrainVaultAI operates exclusively online and interacts with consumers exclusively online; the two methods above are the designated request channels and we do not maintain a separate toll-free telephone line. You may use an authorized agent to submit a request on your behalf; we may require the agent to provide proof of your written authorization and may require you to verify your own identity directly with us. We will confirm receipt and respond within forty-five (45) days. If we need more time, we may extend that period by an additional forty-five (45) days and will notify you of the extension and the reason.

13

GDPR and International Users

BrainVaultAI is based in the United States and its servers and service providers are primarily located in the United States. If you access the Platform from the European Economic Area (EEA), the United Kingdom, or Switzerland, please be aware that your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

For transfers of EEA personal data to the United States, we rely on Standard Contractual Clauses (SCCs) or other applicable transfer mechanisms to the extent required. Each of our sub-processors (Supabase, Stripe, Resend, PostHog, GoHighLevel, Cal.com, and Vercel) maintains its own cross-border transfer mechanism. The SCCs are incorporated through the standard data processing terms each processor publishes as part of its service agreement.

BrainVaultAI is a United States business that markets to and serves a primarily United States audience. We do not currently target our services to, or actively market in, the EEA, the United Kingdom, or Switzerland. Because we do not target those markets, we have not yet appointed an Article 27 EU or UK representative. If we begin to target or monitor individuals in the EEA or UK such that Article 27 or equivalent obligations apply, we will execute the required processor data processing agreements, appoint a qualifying representative, and update this Privacy Policy before doing so. EEA and UK visitors who choose to use the Platform may still exercise the rights described in Section 11 by contacting us.

If you are in the EEA or UK and believe we have not addressed your complaint satisfactorily, you have the right to lodge a complaint with your local data protection authority (DPA).

EEA and UK residents may exercise the data subject rights listed in Section 11 by contacting us at info@brainvaultai.com.

Note for counsel: This GDPR section is included conservatively for businesses with international visitors. If BrainVaultAI regularly targets or processes data from EEA residents, a formal Data Processing Agreement with each processor and, potentially, a UK or EEA representative appointment may be required. Please advise on the appropriate cross-border transfer mechanism and whether a formal Article 27 representative is needed.

14

Children's Privacy

BrainVaultAI is intended exclusively for adults 18 years of age or older, consistent with our Terms of Service eligibility requirement. The Platform is not directed to, and we do not knowingly collect personal data from, anyone under the age of 18.

If we become aware that we have collected personal data from someone under 18 without verified parental consent, we will take steps to delete that information promptly. Note for EEA users: the EEA digital consent age is 16 in most member states; users under 18 in those jurisdictions must have parental authorization to use the Platform in any case, as our minimum age for service is 18. If you believe we have inadvertently collected data from a minor, please contact us at info@brainvaultai.com.

16

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where required or appropriate, notify you by email or via a notice on the Platform.

Your continued use of the Platform after we post changes constitutes your acceptance of those changes. If you do not agree to the revised Privacy Policy, you must stop using the Platform.

17

Contact and Data Requests

For all privacy-related inquiries, data subject requests, or questions about this Privacy Policy, contact us:

Sheridan St of Florida LLC

Operating as BrainVaultAI

10909 Princeville Ct, Bakersfield, CA 93311, United States

Privacy and legal: info@brainvaultai.com

General support: info@brainvaultai.com

We will respond to all verifiable requests within 30 days (or sooner where required by applicable law). Where we are unable to fulfill a request, we will explain why.