Privacy Policy

How Xalerate AB processes data submitted to Brain Orchestra under GDPR.

Brain Orchestra — Privacy Policy

Effective date: April 25, 2026
Last updated: 2026-04-25

1. Who we are

Brain Orchestra is operated by Xalerate AB, a Swedish limited liability company with registered office in Stockholm, Sweden (Swedish company registration number 559575-8698). We are the controller of personal data described in this Privacy Policy, and we are registered with the Swedish supervisory authority (Integritetsskyddsmyndigheten, IMY).

Contact: support@xalerate.com — Stockholm, Sweden.

This Privacy Policy describes processing for which Xalerate AB acts as controller, including:

  (a) Website Data — personal data we collect from visitors to our websites (brainorchestra.ai, www.brainorchestra.ai, and app.brainorchestra.ai);
  (b) Account Data — personal data we collect from customers in connection with account registration and management;
  (c) Billing Data — payment, invoicing, and prepaid-balance information;
  (d) Security Logs — IP addresses, session metadata, and rate-limiting data collected to protect the Service;
  (e) Usage Metadata — aggregated and anonymized service usage statistics.

Where customers submit content to the Service for processing by LLM providers ("Customer Content"), Xalerate AB processes that data as processor on the customer's behalf, and the customer is the controller. The Data Processing Agreement at legal/DPA.md governs that processing, and the customer is responsible for providing any required privacy notice to its end users. The remainder of this Privacy Policy addresses the personal data categories (a)–(e) above for which we act as controller.

2. What personal data we collect

2.1 From website visitors

When you visit our public websites, we may collect:

  • IP address and a hashed session identifier, used to rate-limit public endpoints and detect automated abuse.
  • Browser headers (User-Agent, Accept-Language), used to route the request and to present an appropriate language variant.
  • Minimal analytics events: page views and coarse-grained navigation timing. We do not use third-party advertising trackers.

2.2 From waitlist and signup forms

If you submit a waitlist signup or create an account, we collect:

  • your name and email address;
  • if you represent a company, the company name, and optionally the organization number, VAT number, and country of establishment;
  • your password (stored only as a scrypt-hashed value, never in plaintext); and
  • a timestamp of your acceptance of the Terms of Service and Data Processing Agreement.

2.3 From customer accounts during service use

Once your account is approved and active, we collect:

  • account and billing information: preferred currency, Stripe customer ID (if applicable), prepaid balance transactions, and invoice history;
  • operational metadata: which projects you have created, the API keys you have minted (stored as SHA-256 hashes), the actors you have registered, and the subprocessors you have configured ("bring-your-own-key" provider credentials stored under envelope encryption);
  • audit log metadata: per-request timestamps, model selections, provider routing, tokens consumed, costs, latency, territorial tier applied, PII detection summary counts, and — if your project's content retention setting is changed from the default — the prompt and response content;
  • session cookies and tokens: a server-side session is created when you log in to the dashboard, with the session token stored hashed in our database and expiry enforced on every request.

2.4 From our customers' end users

If you are a natural person whose data is submitted to Brain Orchestra by one of our customers (for example because your employer uses Brain Orchestra's LLM gateway and you are a user of their application), the customer is the controller of that data. Please direct any questions about that processing to the customer. We process it as a processor on the customer's instructions, governed by the DPA.

3. Why we process personal data

We process personal data for the following purposes and on the following legal bases (Article 6(1) GDPR):

| Purpose | Legal basis |
| --- | --- |
| Providing and operating the Service (account provisioning, routing requests, billing, audit logs) | Contract (Art. 6(1)(b)) |
| Communicating with you about your account, security incidents, or material changes to the Terms | Contract (Art. 6(1)(b)) |
| Protecting the Service from fraud, abuse, and security threats | Legitimate interest (Art. 6(1)(f)) |
| Complying with our legal obligations (tax, accounting, anti-money-laundering) | Legal obligation (Art. 6(1)(c)) |
| Defending or establishing legal claims | Legitimate interest (Art. 6(1)(f)) |
| Sending you marketing communications about related services | Consent (Art. 6(1)(a)) — you may withdraw consent at any time |
| Waitlist management, including informing you when the service becomes available to your account | Legitimate interest (Art. 6(1)(f)) pending the review we described in §2.2 |

Waitlist communications are limited to notifying you when the Service becomes available. You may opt out at any time by contacting us.

4. Who we share personal data with

We share personal data with the following categories of recipients:

4.1 Infrastructure and subprocessors

The full, current list of subprocessors is maintained at legal/SUBPROCESSORS.md and summarized here:

  • Railway (Netherlands, EU) — hosting provider for the gateway, dashboard, website, and PostgreSQL database.
  • Stripe (global) — payment processing for subscription charges, prepaid balance top-ups, and payment method management.
  • Resend (United States) — transactional email delivery (signup confirmations, password reset, notifications). Transfers to Resend are made under the EU Standard Contractual Clauses.
  • Anthropic, OpenAI, Mistral, Google, Amazon Web Services (AWS Bedrock), Cohere — LLM providers that receive customer-submitted prompts when the customer's project routes requests to them. The customer controls which providers are enabled for their projects through the territorial tier and allowed-models configuration. When the customer uses the unrestricted territorial tier, prompts may be transferred to providers hosted outside the EEA.

4.2 Professional advisors

We may share personal data with our legal, tax, accounting, and audit advisors where necessary and subject to confidentiality obligations.

4.3 Compliance with law

We may disclose personal data to governmental authorities, law enforcement, or courts where we are legally required to do so, or where necessary to establish, exercise, or defend legal claims.

4.4 Business transfers

In the event of a merger, acquisition, restructuring, or sale of substantially all of our assets, personal data may be transferred to the acquiring entity, subject to notification to you and the opportunity to exercise your data subject rights.

We do not sell personal data. We do not share personal data with advertising networks or data brokers.

5. International transfers

Brain Orchestra's infrastructure is hosted in the European Union (Railway europe-west4 region, the Netherlands). By default, customer data stays in the EU.

Where personal data is transferred outside the European Economic Area — for example to an LLM provider in the United States when the customer's project is configured to route there — those transfers are made under appropriate safeguards, including the EU Standard Contractual Clauses and any additional safeguards required by applicable law following the Schrems II decision.

Customers who need stricter geographical controls should configure their projects to use one of the EU-only territorial tiers: eu_cloud, eu_strict, or eu_sweden. See the Brain Orchestra Integration Guide and the customer dashboard for details.

Details of the applicable transfer mechanisms, including SCC module selection and sub-processor transfer information, are set out in the DPA at legal/DPA.md Section 6.4 and Annex III.

6. How long we keep personal data

| Category | Retention |
| --- | --- |
| Website visitor rate-limit buckets | 60 seconds (rolling window) |
| Waitlist signups, if not converted | 12 months, then purged |
| Rejected account applications | 12 months, then purged |
| Active customer account data | For the life of the account |
| Dashboard session tokens | 12 hours (configurable), then expire |
| API key hashes | Until revoked by the customer |
| Actor token hashes | Until revoked or expired by the customer |
| Audit log metadata (customer-visible) | Per project configuration; default 365 days |
| Audit log content (prompts / responses) | Per project content-retention setting; default metadata-only (not stored) |
| Billing and invoicing records | 7 years (Swedish Bookkeeping Act, bokföringslagen) |
| Backups of the above | Up to 90 days from creation, then overwritten by rotation |

On termination of the customer's account, or upon a verified Article 17 erasure request, data is deleted following a 30-day hold period and then purged by a transactional cascade across audit logs, trace records, and supporting tables. Billing records subject to the 7-year bokföringslag obligation are retained only to the extent required, and their access is restricted to accounting purposes.

The 7-year retention applies specifically to invoicing records, receipts, and related accounting documentation (räkenskapsinformation) as required by bokföringslagen (1999:1078) Chapter 7 §2.

7. Your rights

You have the following rights with respect to your personal data under the GDPR:

  • Access (Art. 15): obtain a copy of the personal data we hold about you.
  • Rectification (Art. 16): correct inaccurate personal data.
  • Erasure (Art. 17): request deletion of your personal data, subject to legal retention obligations.
  • Restriction (Art. 18): ask us to temporarily limit processing.
  • Portability (Art. 20): receive your personal data in a commonly used electronic format.
  • Objection (Art. 21): object to processing based on our legitimate interests.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing before the withdrawal.

To exercise any of these rights, contact us at support@xalerate.com. We will respond within one month (extendable by two further months for complex requests, in which case we will inform you of the extension within the first month).

You also have the right to lodge a complaint with a supervisory authority. In Sweden, that authority is Integritetsskyddsmyndigheten (IMY) — imy.se. If you live in another EEA Member State, you may contact that Member State's supervisory authority instead.

8. Security

We take reasonable technical and organizational measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Measures include TLS 1.2+ in transit, at-rest encryption at the database layer, hashed storage of API keys and actor tokens, server-side session validation, role-based dashboard authorization, territorial tier enforcement, PII pseudonymization (optional per project), per-project rate limits, per-project spending caps, and an audit log that persists even on request failure.

A fuller description of our technical and organizational measures is in Annex II of our Data Processing Agreement at legal/DPA.md.

9. Cookies and similar technologies

We use a minimal set of first-party cookies and localStorage for the following strictly-necessary purposes:

  • Session authentication: the bo_session cookie (HttpOnly, Secure, SameSite=Lax) maintains your dashboard login across requests. The cookie contains a cryptographically random session identifier; the session is stored server-side with configurable expiry.
  • Project selection: the currently-selected project identifier is stored in localStorage so that your dashboard state persists across page reloads.

We do not use advertising cookies, third-party analytics cookies, or cross-site tracking technologies. No cookie banner is required for strictly-necessary storage under current Swedish PTS guidance (lagen om elektronisk kommunikation).

10. Children

The Service is not intended for or directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at support@xalerate.com and we will take steps to delete it.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to account holders at least 30 days before they take effect, and by an in-product notice. The "Last updated" date at the top of this Privacy Policy reflects the most recent revision.

12. How to contact us

If you have questions specifically about data processed through the Service on behalf of one of our customers, please contact the customer directly. We will assist the customer as their processor, but we are not the controller of that data.


Contact: Xalerate AB — support@xalerate.com — Stockholm, Sweden