Drag & Drop Brain

Last updated 2026-05-16

Privacy Policy

Information we collect

We collect and may retain all data you submit to, generate in, or create through Drag & Drop Brain, including account details, invitation and subscription status, brain files, raw items, chats, prompts, proposals, approvals, rejections, exports, settings, model choices, token usage, agent connector tokens and audit events, support messages, billing identifiers, and technical logs. If you provide a bring-your-own provider key, the app stores it as an encrypted short-lived session and may store related key hints, expiry records, and usage metadata. Stripe handles card details; the app stores Stripe customer and subscription identifiers, not card numbers.

How we use it

Drag & Drop Brain is an MVP-stage private beta. To the fullest extent allowed by law, we use this information to operate the service, authenticate users, gate private beta and paid access, sync the brain, run AI agents, create and review proposals, export markdown, serve read-only agent connector requests, debug problems, improve the product, measure product-market fit, develop features, prevent abuse, secure the service, perform business administration, and meet legal obligations. If you do not agree to this broad MVP-stage use, do not use Drag & Drop Brain.

Who receives it and how it is disclosed

Data is disclosed through secure service integrations to Supabase for authentication and database storage, Stripe for billing, Vercel for hosting and logs, and configured AI providers such as xAI, OpenAI, Anthropic, or OpenRouter for model processing. If you create an agent connector token, MCP-compatible clients such as Codex, Cursor, VS Code, Claude Code, ChatGPT, Grok, or other tools can receive the approved portable brain files they request through that read-only token. Support emails are disclosed by email to the recipients needed to answer the request.

Security practices

We use Supabase authentication, server-only service-role access, hosted database controls, HTTPS, provider-side payment handling, encrypted short-lived provider key sessions, hashed agent connector tokens, scoped environment variables, webhook verification, and operational logging. Agent connector tokens are revocable and read-only, but anyone who has a live token can read the portable brain until the token expires or is revoked. Do not submit confidential, sensitive, regulated, illegal, or third-party personal data unless you have permission and accept this MVP-stage handling.

Retention and rights

Account, brain, proposal, chat, generated, usage, billing, support, provider-key metadata, and technical data may be kept for as long as reasonably needed for the purposes above, including product development, debugging, legal, security, audit, backup, and abuse-prevention needs. You can ask for access, correction, deletion, or export of personal data, and requests will be handled as required by applicable law.

Privacy requests can be sent to support@drag-drop-brain.com.