← Back

Privacy Policy

Last updated: 29 April 2026

1. Overview

Brainbase ("we", "us", "our") operates a voice-first AI operations platform for municipal councils and similar organisations. This Privacy Policy explains how we collect, use, store, and protect information when you use the Service. We are committed to handling all data in accordance with applicable privacy legislation, including the Australian Privacy Act 1988 and the Australian Privacy Principles.

2. Information We Collect

We collect and process the following categories of information:

  • Account information: Username, hashed password, name, and email address of platform users.
  • Operational data: Data uploaded by your organisation including waste metrics, fleet records, and service request data.
  • Usage data: Session activity, dashboard interactions, and AI query history for the purpose of service improvement and auditing.
  • Integration data: Configuration and data retrieved from connected external systems, scoped to your organisation.

3. How We Use Your Information

  • To authenticate users and enforce role-based access controls
  • To provide operational dashboards, AI insights, and reporting functionality
  • To process voice and text queries through our AI engine (HLNA)
  • To sync data via configured integrations and generate trend analysis
  • To maintain audit logs for compliance and security purposes
  • To improve and develop the Service

4. AI Processing

The Service uses Anthropic's Claude AI models to generate insights, answers, and recommendations from your operational data. When you interact with HLNA, relevant data context may be included in prompts sent to Anthropic's API. Anthropic processes this data under their own privacy terms. We minimise the data sent to AI models and do not include personally identifiable employee data beyond what is necessary for the query.

5. Data Storage and Security

All data is stored in encrypted PostgreSQL databases hosted on Neon (a Vercel-affiliated cloud provider). We implement the following security controls:

  • Passwords are hashed using bcrypt with a cost factor of 12 — plaintext passwords are never stored
  • Sessions are managed via HS256-signed JWTs stored in httpOnly, SameSite cookies
  • All data is scoped to organisation identifiers — cross-tenant access is prevented at the query level
  • All API routes require an authenticated session with a valid organisation ID
  • File uploads are limited to 10 MB and validated for permitted formats

6. Data Sharing

We do not sell your data. We share data only in these circumstances:

  • Service providers: Neon (database), Vercel (hosting), Anthropic (AI), ElevenLabs (voice synthesis), Spotify (optional music integration). Each is bound by their own data processing terms.
  • Legal requirements: Where required by law, court order, or regulatory authority.
  • Business transfers: In the event of a merger or acquisition, data may transfer subject to equivalent protections.

7. Data Retention

Operational data is retained for the duration of your organisation's subscription and for a 90-day grace period following termination. Audit logs are retained for 12 months. You may request deletion of your organisation's data at any time by contacting us.

8. Your Rights

Under applicable privacy laws, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information
  • Object to or restrict certain processing activities
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise these rights, contact us at privacy@brainbase.app.

9. Cookies

We use a single session cookie to authenticate users. This cookie is httpOnly, secure in production, and expires after 7 days. We do not use advertising or third-party tracking cookies.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to organisation administrators by email. Continued use of the Service after updates constitutes acceptance of the revised policy.

11. Contact

For privacy enquiries, contact us at privacy@brainbase.app or at Brainbase, Adelaide, South Australia, Australia.