BrainPal BrainPal / Privacy Policy

Privacy Policy

Last updated March 31, 2026

At BrainPal, we care about your privacy. This Privacy Policy explains how EpowerX Labs Private Limited and its affiliates ("EpowerX", "we", "us", or "our") collect, use, and share your personal information when you use the BrainPal mobile app and related services ("Service"). It also explains your rights and choices in relation to your personal information.

  1. Information We Collect

    When you use the Service, we may collect the following information about you.

    a. Account Registration

    You can use BrainPal without creating an account. If you choose to sign in with Google, we receive your Google account ID, name, email address, and profile photo. An account is required for features like battles, connecting with friends, backing up your reels count history to our servers, and syncing your battle and social data across devices.

    b. App and Device Data

    We collect technical information needed to run and secure the Service, including app instance IDs, device model, operating system, app version, language, time zone, crash reports, diagnostics, push notification tokens, install referrer data from Google Play, and standard server logs such as IP address and request metadata.

    c. Reels, Battles, and Invites

    We collect the data needed to provide our core features, including reel counts, session timing, Block Reels settings, friend and battle information, your display name and profile photo (shown to friends in battles), and any feedback or support messages you send us.

    d. What We Do Not Collect

    We do not collect or store the content of your reels, videos, messages, or social media posts. We do not read text you type in any app. We do not access your contacts, photos, camera, or microphone. We do not request your device's precise location permission or collect GPS location. We do not collect accessibility data from apps outside our supported list.

    e. When Data Is Required

    Some data is optional, and some is required to provide specific features. For example, Google account information is only required if you choose to sign in, and accessibility, overlay, notification, and battery-related permissions are only required for the features that depend on them. If you do not provide certain information or permissions, some parts of the Service may not work.

  2. Accessibility Permission

    Android's accessibility permission is powerful — apps that have it can potentially see what is on your screen. We know that can feel uncomfortable, and rightly so. This section explains exactly what we do with this permission and what we do not do.

    a. Why We Need It

    We use accessibility to power two features: the reels counter (counting how many reels or shorts you scroll through) and Block Reels (showing a full-screen overlay when you hit your configured limit). There is no other way on Android to detect when a reel is on screen inside another app — accessibility is the only available mechanism.

    b. How It Works

    When you open a supported app, Android sends accessibility events to us. We check two things: first, is this a supported app? We check the app's package name against a hardcoded list — if the app is not on the list, we ignore the event completely. Second, is a reel or short on screen? We read basic screen metadata — such as content descriptions and view IDs that Android provides to accessibility services — to determine whether the current screen is a short-form video feed. If both checks pass, we increment your reel count. That is all. No content is read, recorded, or transmitted.

    c. Supported Apps

    Our detection only runs for a specific list of short-form video apps — everything else is ignored. As of this update, the supported apps are: Instagram and Instagram Lite, YouTube, Snapchat and Snapchat Lite, and Facebook and Facebook Lite. We may add support for additional short-form video apps (such as TikTok or LinkedIn) in the future. This list is hardcoded in the app and cannot be changed remotely — any addition requires a new version to be published to the Play Store, reviewed by Google, and installed by you before it takes effect. For apps outside this list, we do not process accessibility data beyond checking whether the app is on the supported list, and we ignore those events.

    d. What Accessibility Does Not Do

    It does not read, record, or send the content of any reel, video, photo, or story to our servers. It does not run for banking apps, payment apps, UPI apps, wallets, or any financial service. It does not read your chats, emails, messages, or anything you type in any app. It does not capture passwords, OTPs, PINs, or authentication codes. It does not take screenshots, record your screen, or capture images of any kind. It does not monitor, log, or report which apps you open other than the supported list above. It does not run at all when you are using any app that is not on the supported list. It does not send screen content or raw accessibility event data to third-party analytics or advertising services.

    e. What Data Leaves Your Device

    The accessibility-related data that may leave your device is limited to derived usage stats such as reel counts, app-level reel counts (for example, counts for Instagram or YouTube), and related battle or sync records needed for the Service. We do not send screen content, messages, typed text, raw screenshots, browsing history, or raw accessibility event payloads to our servers.

    f. You Are in Control

    You can revoke accessibility permission at any time in Android Settings. The app will continue to work, but the reels counter and Block Reels features will stop functioning since they depend on this permission.

  3. Other Permissions

    a. Display Over Other Apps (Overlay)

    Shows the on-screen counter, milestone animations, and Block Reels UI on top of supported apps.

    b. Notifications

    Used for battle updates, reminders, and service messages. You can turn notifications off in Android settings at any time.

    c. Battery and Background Settings

    We may ask you to disable battery restrictions so the counter, syncing, and notifications keep working reliably when your phone is locked or restarted.

  4. How We Process Your Information

    We process personal information under different legal bases depending on the purpose: to perform our contract with you when we provide the Service you ask for, for our legitimate interests in operating and improving the Service where permitted by law, to comply with legal obligations, and with your consent where consent is required or where you choose to provide optional information.

    a. Providing and Improving the Service

    We process your information to sign you in, manage your account, run the reels counter, Block Reels, battles, invites, syncing, notifications, and subscriptions. We also use information to understand product usage and improve BrainPal, debug problems, prevent abuse, and keep the service secure. We use product analytics tools (Mixpanel, Firebase, and our own self-hosted analytics systems) to do this under our legitimate interests where permitted by law, and on consent where required by law.

    b. Campaign Measurement

    We share limited conversion events — such as "a user installed the app" or "a user subscribed" — with Google Ads and Meta Ads to measure whether our install campaigns are working. These events do not include your name, email, reel counts, or any app-specific usage data. This processing is based on consent where required by law, and otherwise on our legitimate interests in understanding the effectiveness of our campaigns.

    c. Communicating With You

    We may send you push notifications for battle updates, reminders, and service messages. We may also send you emails — for example, when a friend joins using your invite link, or to re-engage you if you have been inactive, where permitted by law. You can turn off push notifications in Android settings and unsubscribe from non-essential emails at any time.

    d. Complying With Law

    We may process and share personal information if necessary to comply with legal requests such as court orders, or when we believe it is necessary to protect our interests, prevent fraud, or assist law enforcement.

    e. With Your Consent

    When you choose to share device logs or screenshots through our feedback feature, or when you send us support emails, you are providing consent for us to process that information. Device logs may include technical debugging data such as accessibility event details from supported apps. Logs and screenshots are never sent by default — you choose whether to include them.

  5. Who We Share Information With

    a. Friends You Connect With

    If you use the invite or battle features, anyone who opens your invite link is automatically connected as your friend — no separate approval is needed. Once connected, both users can see each other's display name, profile photo, and shared battle stats. Keep your invite link private and only share it with people you trust. No other user can see your data.

    b. Service Providers

    We use a small set of service providers to run the Service. Each provider only receives the data it needs to perform its function:

    • Google — Google Sign-In, Firebase (crash reporting, analytics, remote config, cloud messaging), Google Play billing, install referrer, and Google Ads conversion measurement.
    • Meta — Meta Ads conversion measurement. We share limited install and purchase events with Meta to measure campaign effectiveness. Meta does not receive your name, email, reel counts, or any of your usage data.
    • RevenueCat — Subscription status and purchase restoration.
    • Mixpanel — Product analytics. Data is stored in the EU (Mixpanel EU data residency).
    • Our self-hosted analytics infrastructure — We run analytics pipelines on our own servers using open-source components such as Segment, Jitsu, and OpenPanel. These systems process product analytics data under our control.
    • Hetzner — Server hosting and infrastructure (EU-based).
    • Our own infrastructure — Event processing, databases, storage, and logs hosted on Hetzner servers managed by us.

    c. What We Do Not Share

    We do not sell your personal data to anyone. We do not show ads inside the app. We do not share your reel counts, battle stats, usage patterns, or in-app behaviour with any advertising platform. The only data shared with ad platforms is limited conversion events (installs and subscriptions) for campaign measurement, as described above.

    d. Legal or Safety Reasons

    We may disclose information if required by law, legal process, or a valid government request, or when reasonably necessary to protect users, EpowerX, or the public.

  6. Payments and Subscriptions

    Our Android subscriptions are processed through Google Play. RevenueCat helps us manage entitlements, renewals, cancellations, and purchase restoration. We do not store your full payment card number on our servers.

  7. Security and Data Handling

    We use technical and organisational measures designed to protect personal information, including restricting access to authorized personnel and service providers, using safeguards for data sent between the app and our servers, and relying on provider-managed security controls for hosted infrastructure. No method of transmission over the internet or electronic storage is completely secure, so we cannot guarantee absolute security.

  8. Your Rights and Choices

    You have the following rights in relation to the personal information we hold about you:

    • Access a copy of the personal information we hold about you.
    • Request that we correct any inaccurate personal information about you.
    • Request that we delete your personal information.
    • Object to our processing of your personal information.
    • Withdraw any consent you previously gave us.
    • Lodge a complaint with your local data protection or privacy regulator where applicable.

    You can also:

    • Revoke accessibility, overlay, notification, and background permissions at any time in Android settings.
    • Delete your account and all associated data at https://api.brainrotapp.ai/auth/delete, or through the "Delete account and data" option in the app's account settings.

    To make a privacy-related request, please email privacy@brainrotapp.ai.

    We do not use your personal information for solely automated decisions that produce legal or similarly significant effects on you.

  9. Data Retention

    We will generally retain your personal information until your account is deleted. Specific retention periods:

    • Account data (profile, friends, settings) and reel counts — kept while your account is active, deleted when you delete your account.
    • Analytics data — retained while your account is active for product improvement, deleted or anonymised when you delete your account.
    • Crash reports and diagnostics — retained for up to 90 days.
    • Server logs (IP addresses, request metadata) — retained for up to 90 days.
    • Subscription records — retained as required by tax and accounting laws.

    We may retain certain information longer if necessary to comply with legal requirements, resolve disputes, investigate misuse, or defend our legitimate interests. We may also retain anonymous data indefinitely.

  10. Account Deletion

    You can delete your account at https://api.brainrotapp.ai/auth/delete, or through the app's account settings. Deletion is typically completed within 30 days. When you delete your account, we remove your profile, Google account link, sign-in records, friend connections, battle history, invite links, device registrations, daily reel stats, reel-event records, and push notification tokens.

    Some limited information may be retained where required for fraud prevention, security, financial reporting, legal compliance, or backup-recovery windows. Analytics data associated with your account will be anonymised or deleted within the retention periods listed above.

  11. Children's Privacy

    The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, please contact privacy@brainrotapp.ai and we will delete it.

  12. International Data Processing

    Our servers are hosted by Hetzner in Germany and Finland (EU). Mixpanel analytics data is stored in the EU under Mixpanel's EU data residency programme. Some service providers (Google, RevenueCat, Meta) may process data in other countries. Where required by applicable law, we use transfer mechanisms such as standard contractual clauses or equivalent safeguards for cross-border transfers.

  13. Privacy Policy Updates

    We may update this Privacy Policy to reflect changes to our information practices. If we make a material change, we will update the date at the top of this page and may notify you through the app.

  14. Contact Us

    EpowerX Labs Private Limited is the data controller of your data. For all privacy inquiries, please contact us at privacy@brainrotapp.ai.

    EpowerX Labs Private Limited
    Plot No. 77, JBR Tech Park, 6th Rd
    Whitefield, EPIP Zone
    Bangalore, Karnataka 560066
    India