Privacy Policy

This Privacy Policy describes how Brainsmithy, LLC. ('we,' 'us,' or 'our') collects, uses, and shares information when you use Conduit.

Last Updated: February 7, 2026

Version: 1.1

Introduction

Effective Date: February 7, 2026

This Privacy Policy describes how Brainsmithy, LLC. ("we," "us," or "our") collects, uses, discloses, and protects information when you use the Conduit platform (the "Service"). By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

Conduit is an AI-powered automation platform that connects various third-party integrations to execute tasks on your behalf. This Privacy Policy covers our data practices and the data practices of our third-party service providers.

Company Information:
Brainsmithy, LLC.
Email: privacy@brainsmithy.ai

Information We Collect

We collect several types of information when you use our Service:

Account Information

  • Email address
  • Display name
  • Profile picture (if provided)
  • Account preferences and settings

OAuth Integration Data

  • Access tokens (stored encrypted using AES-256-GCM)
  • Refresh tokens (stored encrypted using AES-256-GCM)
  • Integration metadata (account names, scopes granted, connection status)
  • OAuth state parameters for CSRF protection

Payment Information

Payment information is processed by our payment processors (Stripe and PayPal). We do not store credit card numbers or payment method details. We only retain:

  • Transaction identifiers
  • Subscription status and billing history
  • Invoice records
  • Stripe customer identifiers

Usage Data

  • AI action usage (number of actions consumed)
  • Token consumption metrics (input and output tokens)
  • Model selection and usage patterns
  • Conversation metadata
  • Request latency and performance metrics

Conversation History

Your conversation history with our AI assistant is stored in Zep Cloud, a third-party memory management service. This includes:

  • Messages sent to and received from the AI assistant
  • Extracted entities and facts from conversations
  • Knowledge graph relationships
  • Conversation context and summaries

Task Data

  • User-created tasks and their descriptions
  • Task completion status and timestamps
  • Task metadata and analytics

User-Provided API Keys (BYOK)

If you use the Flex plan and provide your own API keys for third-party services, we encrypt and store these keys using AES-256-GCM encryption. We never use these keys for any purpose other than executing your requested actions.

How We Use Your Information

We use the information we collect for the following purposes:

Service Provision

  • Execute AI actions based on your instructions
  • Manage and maintain your integration connections
  • Process and respond to your conversations with the AI assistant
  • Provide customer support and respond to inquiries

Integration Functionality

  • Connect to and interact with Gmail, Google Calendar, GitHub, Slack, Notion, Stripe, and PayPal on your behalf
  • Send emails, create calendar events, manage repositories, post messages, and perform other actions as directed by you
  • Maintain and refresh OAuth tokens to ensure continued access

AI Processing

  • Route your messages to AI providers for language model inference
  • Generate responses using state-of-the-art AI models
  • Analyze conversation context to provide relevant responses

Memory Storage

  • Store conversation context in Zep Cloud for continuity across sessions
  • Build and maintain a knowledge graph of entities and relationships
  • Provide personalized responses based on historical context

Billing and Payments

  • Process subscription payments and action pack purchases via Stripe
  • Track usage for billing purposes
  • Generate invoices and maintain transaction records

Security and Fraud Prevention

  • Detect and prevent fraudulent or abusive behavior
  • Enforce rate limits and usage policies
  • Protect the security and integrity of our Service

Third-Party Services and Data Sharing

Conduit integrates with various third-party services to provide its functionality. When you connect an integration, we share certain information with these services to execute actions on your behalf. The following sections describe how we interact with each third-party service.

Google OAuth (Gmail & Calendar)

Scopes Requested:

  • gmail.send - Send emails on your behalf (note: we cannot read or search your emails)
  • calendar - Full calendar access
  • calendar.events - Create and manage events
  • contacts.readonly - Read your contacts
  • userinfo.email - View your email address
  • userinfo.profile - View your basic profile info

Data Accessed:

  • Calendar events and metadata
  • Contact information (names and email addresses)
  • User profile information (name, email address, profile picture)

Note: Conduit can only send emails through Gmail. We cannot read, search, or access your inbox contents due to Google API restrictions.

How We Use This Data:

  • We only access Gmail when you explicitly request an action involving emails
  • Email content is processed transiently to execute your command and is not stored permanently
  • Calendar data is accessed to create, read, update, and delete events based on your instructions
  • We do not share email or calendar data with third parties except as necessary to execute your commands

Data Retention:

  • OAuth access and refresh tokens are stored encrypted in our database
  • Email content is not stored; it is processed in memory only
  • Calendar event metadata may be cached temporarily for performance

User Control:

You can revoke Conduit's access to your Google account at any time through your Google Account settings (https://myaccount.google.com/permissions) or through Conduit's integration management page.

Important Notice:

We do not sell, rent, or share your Google user data with third parties for their own purposes. Google user data is only used to provide the features and functionality you request within Conduit.

GitHub OAuth

Scopes: Repository access as granted by you during the OAuth flow

Data Accessed: Repository data, issues, pull requests, commit history

Usage: Execute repository automation tasks as directed by you

Data Retention: OAuth tokens are encrypted and stored in our database

User Control: Disconnect the integration anytime via Conduit settings or GitHub account settings

Slack OAuth

Scopes: Workspace access, message posting

Data Accessed: Workspace information, channel data

Usage: Send messages and automate Slack-related tasks

Data Retention: OAuth tokens encrypted in database

User Control: Revoke access via Conduit settings or Slack workspace settings

Notion Integration

Data Accessed: Notion pages, databases (based on permissions granted to integration token)

Usage: Create, read, update content and manage tasks in Notion

Data Retention: Integration tokens encrypted in database

User Control: Disconnect via Conduit settings or Notion workspace settings

Stripe (Payment Processing)

Data Shared: Customer information, subscription details, payment intent records

Usage: Process subscription payments and action pack purchases

PCI Compliance: Stripe is a certified Level 1 PCI DSS service provider. Conduit never accesses or stores credit card numbers or payment method details.

BYOK (Bring Your Own Key): If you provide your own Stripe API key, data is shared directly between you and Stripe under your own agreement with Stripe.

Data Retention: We store transaction identifiers and subscription metadata; Stripe retains payment data per their privacy policy.

PayPal

Data Shared: Account linking information, transaction processing data

Usage: Alternative payment processing for subscriptions and purchases

Data Retention: OAuth credentials encrypted in database; PayPal retains payment data per their privacy policy

AI/LLM Providers

Data Sent: Your messages, conversation context, system prompts

Usage: Route your requests to AI providers for language model inference

Data Retention: Data retention is governed by the privacy policies of the AI providers we work with

BYOK Disclaimer: If you use the Flex plan and provide your own API key, your messages are sent directly to the provider under your own agreement with them. We do not control how they use or retain your data.

Note: When using Conduit's AI features, your conversation content is transmitted to external AI providers for processing. While we strive to work with reputable providers, we cannot control their data practices beyond what is specified in their privacy policies.

Zep Cloud (Memory System)

Data Stored: Conversation history, extracted entities and facts, knowledge graph relationships

Usage: Provide persistent memory across conversations, enabling context continuity

Data Retention: Conversation data is stored in Zep Cloud until you delete it via memory management features or delete your account

Security: Data is encrypted in transit (HTTPS/TLS) and at rest

User Control: Clear memory via Conduit's memory management settings

Interest List and Marketing Communications

If you sign up for our interest list or pre-launch notifications, we collect and process the following information:

Information Collected

  • Email address (required)
  • Name (optional)
  • Company (optional)
  • Use case description (optional)
  • Referral source (optional)
  • IP address - for consent verification and fraud prevention
  • User agent - for technical auditing
  • Consent timestamp - exact date and time you agreed to receive communications
  • Consent text - the exact language you agreed to at signup

Double Opt-In Process

We use a double opt-in process to verify your email address and ensure you intended to subscribe:

  1. You submit your email on our signup form
  2. We send a confirmation email to your address
  3. You click the confirmation link to verify your subscription
  4. Only after confirmation do you receive our communications

How We Use This Information

  • Send launch announcements and product updates
  • Notify you of early access opportunities
  • Share relevant product news and features
  • Communicate important service updates

We do not:

  • Sell, rent, or share your email with third parties for their marketing purposes
  • Send unsolicited commercial emails unrelated to Conduit
  • Add you to any lists without your explicit consent

Unsubscribe Options

You can unsubscribe from our communications at any time through:

  • One-click unsubscribe: Every email includes an unsubscribe link that immediately removes you from our list
  • Email request: Contact us at support@conduitapp.ai to be removed

Unsubscribe requests are processed immediately when you click the link.

Data Retention

Interest list data is retained as follows:

  • Active subscribers: Data retained until you unsubscribe or request deletion
  • Unsubscribed users: Email address retained (marked as unsubscribed) to honor your preference and prevent re-subscription without consent
  • Consent records: Retained for compliance and audit purposes

CAN-SPAM Compliance

Our email communications comply with the CAN-SPAM Act. All emails include clear identification, our contact information, and an easy way to unsubscribe.

Data Security

We implement industry-standard security measures to protect your information:

Encryption at Rest

All user-provided API keys and OAuth tokens are encrypted with the AES-256-GCM cipher before being stored in our database. Each encrypted value includes:

  • A random initialization vector (IV)
  • An authentication tag for integrity verification
  • The encrypted data itself

Format: iv:authTag:encrypted

Encryption in Transit

All communications between your browser and our servers use HTTPS/TLS encryption. OAuth flows use secure redirect URIs and state validation to prevent interception.

Token Storage and Management

  • OAuth access tokens and refresh tokens are encrypted before storage
  • Tokens are automatically refreshed when they expire
  • Token transmission occurs over secure HTTPS connections only

Infrastructure Security

We use Supabase for our database infrastructure, which provides:

  • Database encryption at rest
  • Row Level Security (RLS) policies to isolate user data
  • Automated backups
  • Secure network isolation

Authentication

User authentication is managed via Supabase Auth using JWT-based session management. Sessions are securely stored and validated on each request.

CSRF Protection

OAuth flows include cryptographically random state parameters that are validated to prevent Cross-Site Request Forgery (CSRF) attacks.

Data Retention

We retain different types of data for varying periods:

  • Account Data: Retained while your account is active
  • Conversation History: Stored in Zep Cloud until you delete it or terminate your account
  • Integration Tokens: Retained while the integration is connected; soft-deleted upon disconnection (can be hard-deleted upon request)
  • Usage Analytics: Retained for billing purposes and service improvement
  • Transaction Records: Retained for accounting and tax compliance purposes (typically 7 years)

Data Deletion

You may request deletion of your data by contacting us at privacy@brainsmithy.ai. We will delete your data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., accounting records).

Your Rights and Choices

You have the following rights regarding your information:

  • Access Integration Settings: View and manage all connected integrations through your account settings
  • Disconnect Integrations: Revoke OAuth access to any third-party service at any time
  • Clear Memory: Delete your conversation history via memory management settings
  • Delete Account: Contact support@brainsmithy.ai to request account deletion
  • Manage Subscriptions: Cancel subscriptions anytime (no refund for unused time per our Terms of Service)
  • Opt Out of Analytics: Usage metrics collection is minimal and required for billing; you may request to limit analytics by contacting privacy@brainsmithy.ai

To exercise any of these rights, please contact us at privacy@brainsmithy.ai.

Cookies and Tracking

Essential Cookies

  • Authentication Session: Supabase authentication cookie to maintain your logged-in session
  • Theme Preference: Stores your light/dark mode preference (localStorage key: conduit-theme)

Third-Party Cookies

When you use our payment features, Stripe and PayPal may set cookies for payment processing purposes. These cookies are governed by their respective privacy policies.

Analytics

We currently have minimal tracking. Usage metrics are collected solely for billing purposes (counting actions consumed). We do not use third-party analytics services like Google Analytics.

Advertising and Third-Party Cookies

Conduit displays advertisements on our free tier to support the service. We use Google AdSense to serve ads, which may use cookies and similar technologies to provide personalized advertising based on your interests.

How Advertising Works

  • Third-party vendors, including Google, use cookies to serve ads based on your prior visits to our website or other websites
  • Google's use of advertising cookies enables it and its partners to serve ads based on your visit to Conduit and/or other sites
  • We do not control the cookies placed by third-party advertisers

Your Advertising Choices

You can opt out of personalized advertising by visiting Google Ads Settings. You can also opt out of third-party vendor use of cookies by visiting aboutads.info.

For more information about how Google uses data, visit "How Google uses information from sites or apps that use our services."

Note: Paid subscribers do not see advertisements and are not subject to advertising cookies.

Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you are under 18, do not use our Service or provide any information to us.

If we learn that we have collected personal information from a child under 18, we will delete that information promptly. If you believe we may have collected information from a child, please contact us at privacy@brainsmithy.ai.

International Data Transfers

Conduit processes data primarily in the United States. When you use our Service, your information may be transferred to and processed in the United States and other countries where our service providers operate.

Third-Party Service Locations:

  • Supabase: United States
  • Zep Cloud: United States
  • OpenRouter: United States
  • Stripe: United States (global processing)
  • PayPal: United States (global processing)

By using our Service, you consent to the transfer of your information to these locations.

Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will:

  • Notify you via email to the address associated with your account
  • Display an in-app notification
  • Update the "Last Updated" date at the top of this policy

Your continued use of the Service after such notification constitutes acceptance of the revised Privacy Policy.

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Brainsmithy, LLC.

Privacy Inquiries

privacy@brainsmithy.ai

General Support

support@brainsmithy.ai