# Privacy Policy **Last updated**: 01/2026 The protection of your personal data is a priority for **Brainsto.re**. This privacy policy informs you about how your data is processed in accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and the French Data Protection Act. ## 1. Data Controller Identity The data controller is: ``` Matthieu SAUVET Email: contact@brainsto.re ``` ## 2. Fundamental Principle: LOCAL Data Processing **Brainsto.re is an application that runs entirely in your web browser.** ### What this means for your privacy: ✅ **All your conversations remain ON YOUR DEVICE** (browser) ✅ **No conversation data is sent to our servers** ✅ **AI models run locally in your browser (WebAssembly)** ✅ **No user account required** ✅ **No advertising tracking** ## 3. Data Collected and Processed ### 3.1 Data Stored Locally (in your browser) **Storage type**: IndexedDB (browser local database) **Data concerned**: - Your conversations with the AI (message history) - Your preference settings (selected model, TTS voice, etc.) - Generated images (stored as data URLs) - **Attached documents** (PDF, DOCX, TXT, code files) - Stored per conversation with extracted text content **Legal basis**: Consent (voluntary use of the application) **Retention period**: Data remains on your device until you manually delete it (conversation delete button) or clear your browser data. Attached files are automatically deleted when their associated conversation is deleted. **Access**: Only your browser has access to this data. It is never transmitted to our servers. ### 3.2 Data Transmitted to Third-Party Services **IMPORTANT**: The following third-party APIs are called **only when the AI uses the corresponding tools** to answer your questions. These are not systematic transmissions. #### 1. Wikipedia API **When?** When you use the Wikipedia search function (`!wiki` command) or when the AI automatically calls the Wikipedia tool **Data sent**: - Your search query - Your IP address (automatically collected by Wikipedia) **Legal basis**: Legitimate interest (information search functionality) **Recipient**: Wikimedia Foundation **Privacy Policy**: https://foundation.wikimedia.org/wiki/Privacy_policy **Note**: Brainsto.re has no control over data collected by Wikipedia. Consult their privacy policy. #### 2. Open-Meteo API (Weather) **When?** When you use the weather function (`!weather` command) or when the AI calls the weather tool **Data sent**: - Location name or geographic coordinates - Your IP address (automatically collected) **Legal basis**: Legitimate interest (weather information functionality) **Recipient**: Open-Meteo (open-source, free service) **Privacy Policy**: https://open-meteo.com/ **Note**: Open-Meteo is a free, open-source service with no tracking. No API key required. #### 3. ipapi.co (Geolocation) **When?** When the AI calls the geolocation tool to determine your approximate location **Data sent**: - Your IP address (used for geolocation) **Legal basis**: Legitimate interest (location-based services) **Recipient**: ipapi.co **Privacy Policy**: https://ipapi.co/privacy/ **Note**: Provides approximate location only (city level). Used for location-aware features. #### 4. RSS News Feeds **When?** When you use the news function (`!news` command) or when the AI calls the news tool **Data sent**: - HTTP request to public RSS feeds (Google News, BBC, Guardian, TechCrunch, Hacker News) - Your IP address (automatically collected by feed providers) **Legal basis**: Legitimate interest (news information functionality) **Recipients**: Various news providers (public feeds) **Note**: These are publicly accessible RSS feeds. No personal search data is transmitted. #### 5. DuckDuckGo Instant Answer API **When?** When the AI calls the DuckDuckGo search tool for instant answers **Data sent**: - Your search query (anonymized) - Your IP address (automatically collected) **Legal basis**: Legitimate interest (search functionality) **Recipient**: DuckDuckGo **Privacy Policy**: https://duckduckgo.com/privacy **Note**: DuckDuckGo is privacy-focused and doesn't track users. Searches are anonymous. #### 6. CORS Proxy (corsproxy.io) **When?** When the AI calls the URL fetch tool to retrieve web page content **Data sent**: - Requested URL - Your IP address (automatically collected) **Legal basis**: Technical necessity (bypass CORS restrictions) **Recipient**: corsproxy.io **Note**: This proxy is used only to access web content that would otherwise be blocked by browser CORS policies. #### 7. Web Search (DuckDuckGo HTML) **When?** When the AI calls the web search tool to find information online **Data sent**: - Your search query - Your IP address (automatically collected via CORS proxy) **Legal basis**: Legitimate interest (web search functionality) **Recipient**: DuckDuckGo (via CORS proxy) **Privacy Policy**: https://duckduckgo.com/privacy **Note**: Searches are performed via DuckDuckGo's HTML interface, which is privacy-focused and doesn't track users. #### AI Models (initial download) **When?** During the first loading of an AI model **Data sent**: - HTTP request to download model weights from HuggingFace or MLC-AI CDN - Your IP address (automatically collected) **Legal basis**: Technical necessity for service operation **Note**: Once downloaded, models are cached in your browser. Inference (text/image generation) then occurs **entirely locally**. ### 3.3 Cookies **Brainsto.re does NOT use tracking or advertising cookies.** The browser may use technical storage mechanisms (localStorage, IndexedDB, Cache API) necessary for application operation. This data remains local. ## 4. Processing Purposes Data is processed only for: - Enabling application operation (conversation and document storage) - Improving your user experience (saving preferences) - Enabling AI tools functionality: - Information search (Wikipedia, DuckDuckGo) - Weather information (Open-Meteo) - News retrieval (RSS feeds) - Geolocation services (ipapi.co) - Web content fetching (CORS proxy) - Document reading (local PDF/DOCX processing) **No commercial, advertising, or analytical use of your data.** ## 5. Your Rights (GDPR) In accordance with GDPR, you have the following rights: ### 5.1 Right of Access You can view all your conversations in the application history. ### 5.2 Right to Rectification You can modify your conversations by deleting them and creating new ones. ### 5.3 Right to Erasure ("right to be forgotten") You can delete your conversations at any time via the "Delete" button in the interface. **To delete ALL your data**: 1. Delete all your conversations via the interface 2. Clear site data in your browser settings: - Chrome/Edge: Settings > Privacy > Clear browsing data > Site storage - Firefox: Settings > Privacy > Clear Data - Safari: Preferences > Privacy > Manage Website Data ### 5.4 Right to Data Portability Since your data is stored locally in your browser, you can export it using your browser's developer tools (IndexedDB > brainstore). ### 5.5 Right to Object You can stop using the application at any time. ### 5.6 Right to Restriction of Processing You can use the application without saving conversations by immediately deleting each created conversation. ### 5.7 Right to Lodge a Complaint If you believe your rights are not being respected, you can file a complaint with CNIL: **Commission Nationale de l'Informatique et des Libertés (CNIL)** 3 Place de Fontenoy - TSA 80715 75334 PARIS CEDEX 07 Phone: 01 53 73 22 22 Website: https://www.cnil.fr/ ## 6. Data Security ### Technical measures implemented: - **HTML Sanitization**: All generated content is cleaned with DOMPurify to prevent XSS attacks - **Secure external links**: All external links use `rel="noopener noreferrer"` - **No server storage**: No data is transmitted to our servers - **Local execution**: AI models run in the secure browser context (WebAssembly sandbox) ### Recommendations to protect yourself: - Use an up-to-date browser - Enable HTTPS (required for WebAssembly) - Don't share your device with unauthorized persons - Delete sensitive conversations after use - Lock your session if you leave your workstation ## 7. Data Transfers Outside the EU **No transfer of personal data outside the European Union**, except when using specific AI tools: - **Wikipedia API**: May transit through Wikimedia Foundation international servers (GDPR compliant) - **Open-Meteo API**: Hosted in Europe (Germany/Switzerland) - **ipapi.co**: May use international servers - **DuckDuckGo API**: May use international servers (privacy-focused company) - **RSS News Feeds**: Various international news providers - **CORS Proxy**: May transit through international servers - **Model downloads**: HuggingFace and MLC-AI may use international CDNs These transfers comply with GDPR (standard contractual clauses, adequacy decisions). ## 8. Minors The application is not intended for children under 15 years old. If you are a parent and discover that your child has used the application, you can delete the data by following the procedure described in section 5.3. ## 9. Privacy Policy Modifications This policy may be modified at any time to reflect legal or technical changes. The last update date is indicated at the top of this document. Major modifications will be signaled by a warning in the application. ## 10. Contact - Data Protection Officer (DPO) For any questions regarding your personal data or to exercise your rights: **Email**: contact@brainsto.re We commit to responding within a maximum of 30 days. --- ## Summary in Key Points 1. 🔒 **Your conversations and documents remain on your device** - No transmission to our servers 2. 🔧 **External APIs used only by AI tools** - Wikipedia, Weather, News, DuckDuckGo, Web Search, Geolocation, URL fetcher 3. 📄 **Document and image processing is local** - PDF/DOCX files and OCR processing in your browser only 4. 🗑️ **You control your data** - Deletion at any time via the interface (conversations + attached files) 5. 🌐 **Transparent third-party services** - All external services documented with privacy policy links **Brainsto.re respects your privacy by design (Privacy by Design).**