Brainloot, operated by Neuro Pathmaker LLC (“Company,” “we,” “us,” or “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services (collectively, the “Service”).
1. Information We Collect
1.1 Information You Provide
We collect information you provide directly, including:
- Account Information: Name, email address, password, and profile information
- Patient Information: Names, ages, diagnoses, and health-related observations you choose to track
- Symptom and Factor Data: Symptoms, contributing factors, severity ratings, and notes you enter
- Event Data: Meltdowns, regressions, great days, and other events you log
- Care Team Information: Information about healthcare providers you add to your care team
- Communications: Messages, feedback, and support requests
1.2 Biometric and Health Data
When you connect third-party wearable devices (such as Oura Ring), we collect biometric data including:
- Sleep Data: Duration, stages (REM, deep, light), efficiency, latency, timing
- Heart Data: Resting heart rate and heart rate variability (HRV)
- Activity Data: Steps, calories, movement intensity levels
- Readiness Data: Readiness scores, recovery index
- Body Data: Temperature variations
1.3 Automatically Collected Information
We automatically collect certain information when you use our Service:
- Device information (type, operating system, browser)
- Log data (IP address, access times, pages viewed)
- Usage patterns and feature interactions
- Error logs and performance data
1.4 Derived Information
We generate derived information from your data, including:
- Baselines: Rolling averages calculated from your historical data
- Deviations: Differences between current readings and your personal baselines
- Delta Reports: Analysis of what changed before logged events
- Patterns: Correlations between factors, symptoms, and biomarkers
2. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve our Service
- Calculate personal baselines and detect deviations from your normal patterns
- Generate Delta Detection reports showing changes before events
- Identify potential correlations between factors, symptoms, and biomarkers (Key Connections)
- Send you notifications, updates, and support communications
- Process transactions and send related information
- Respond to your comments, questions, and requests
- Monitor and analyze trends, usage, and activities
- Improve our algorithms and analytical features
- Protect against fraudulent, unauthorized, or illegal activity
3. Data Sharing and Disclosure
We do not sell your personal information.
We may share your information in the following circumstances:
- With Your Consent: When you explicitly authorize sharing
- Service Providers: With vendors who perform services on our behalf (hosting, analytics, payment processing), bound by confidentiality agreements
- Care Team: With healthcare providers you explicitly add to your care team, with access limited to patients you specify
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you
- Anonymized Research: We may use anonymized, aggregated data for research purposes; this data cannot be used to identify you
4. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS) and at rest
- Row-level security ensuring users can only access their own data
- Secure authentication through industry-standard providers
- Access controls limiting employee access to personal data
- Regular security assessments and monitoring
- Encrypted storage of third-party API tokens
However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with services.
- Active Accounts: Data retained indefinitely while account is active
- Deleted Accounts: Data deleted within 30 days of account deletion, except as required by law
- Backups: Backup copies may persist for up to 90 days after deletion
- Anonymized Data: Anonymized, aggregated data may be retained indefinitely
You may request deletion of your data at any time through account settings or by contacting us.
6. Your Rights and Choices
Depending on your location, you may have the following rights:
- Access: Request access to your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your personal information
- Portability: Request a copy of your data in a portable format (JSON or CSV)
- Disconnect Wearables: Disconnect third-party devices at any time through account settings; this stops future syncing but preserves existing data
- Delete Wearable Data: Request deletion of all data synced from a specific wearable
- Opt-Out: Opt out of promotional communications
To exercise these rights, contact us at privacy@brainloot.com or use the relevant features in your account settings.
7. Children's Privacy
Our Service is designed for use by parents and guardians to track information about their family members, including minor children.
- We do not knowingly collect personal information directly from children under 13
- Parents and guardians may enter information about their minor children for tracking purposes
- Only the parent/guardian account holder can access and manage their children's data
- If you believe we have collected information from a child without parental consent, please contact us immediately
8. Third-Party Wearable Devices
When you connect third-party wearable devices (such as Oura Ring, Fitbit, Apple Health, or similar devices):
- We access data through their APIs with your explicit authorization
- We only access data necessary to provide our Service
- Your use of third-party devices is subject to their respective privacy policies
- You can disconnect these integrations at any time through your account settings
- Disconnecting stops future syncing but preserves previously synced data (unless you request deletion)
- We store OAuth tokens securely and in encrypted form
9. Cookies and Tracking
We use cookies and similar technologies to:
- Maintain your session and authentication state
- Remember your preferences
- Analyze usage patterns to improve our Service
You can control cookies through your browser settings. Disabling cookies may affect Service functionality.
10. International Data Transfers
Your information may be transferred to and processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place to protect your information in accordance with applicable law, including standard contractual clauses where required.
11. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about data collection practices
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Non-Discrimination: We will not discriminate against you for exercising your rights
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new Privacy Policy on our website
- Updating the effective date
- Sending you an email notification for significant changes
We encourage you to review this Privacy Policy periodically.
13. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us at:
Email: privacy@neuropathmaker.com
Last updated: January 13, 2026