At FrontBrain AI, operated by FrontBrain AI LTD (“we,” “us,” or “our”), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our SaaS platform, or interact with our services.
Please read this policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
1. Who we are (Data Controller)
FrontBrain AI LTD is the data controller for personal data processed through this website and the FrontBrain AI platform. We are a company incorporated in England and Wales.
2. Information we collect
We collect information that you provide directly to us, as well as information generated automatically when you use the Service:
- Account details: Your name, email address, password, company name, and contact details when you register or request early access.
- Billing & customer identifiers: Subscription tier, credit usage history, transaction records, and billing details. All payment card processing is handled securely by our third-party payment processors, including Paddle where applicable. We do not store full credit or debit card numbers.
- Technical logs & usage data: IP addresses, browser types, device information, operating systems, access times, pages viewed, and other diagnostics.
- Prompts, task history, & outputs: The instructions, code, configurations, database details, prompts, files, connector configuration metadata, audit logs, approval records, task state, and tool-call records you provide to the platform.
- Support communications: Correspondence, emails, feedback, and transcripts from support requests or sales inquiries.
- Cookies & similar technologies: See Section 10 below.
We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
3. Legal basis for processing
Under the UK GDPR we rely on the following lawful bases (Article 6):
- Contract (Art. 6(1)(b)): to provide you with the Service you have signed up for, including authentication, billing, task execution, connector operation, and audit history.
- Legitimate interests (Art. 6(1)(f)): to secure our infrastructure, prevent fraud and abuse, improve reliability, and communicate with prospective customers who have expressed interest. Our legitimate interests do not override your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): to keep tax, accounting, and other records required by UK law and to respond to lawful requests from regulators or courts.
- Consent (Art. 6(1)(a)): for non-essential cookies, analytics where used, and any marketing communications outside an existing customer relationship. You can withdraw consent at any time (see Sections 10 and 11).
4. How we use your data
- Providing and maintaining the Service: operating the platform, applying usage credits, executing automated tasks, and processing subscriptions.
- Improving reliability and performance: analysing usage trends, diagnostic logs, and platform interactions to optimise AI task execution, refine workflows, and improve system reliability.
- Security and abuse prevention: monitoring for fraudulent, abusive, or unauthorised activities, enforcing our Terms of Service, and securing our infrastructure.
- Customer support: responding to support tickets, resolving technical issues, and assisting with platform setup.
- Audit trails: maintaining detailed logs of system actions, tool calls, and approvals to provide auditability and compliance evidence for your organisation.
5. Credential security & encryption
FrontBrain AI is built with a security-first architecture. Any credentials, API keys, private keys, passwords, model keys, API tokens, service account JSON, certificates, or client workspace scopes you connect to the Platform are encrypted in transit and at rest within our secure credential vault. These credentials are used solely to execute the tasks you authorise and are never displayed back in plain text or shared with unauthorised parties. BYOK keys and infrastructure credentials are used only to perform authorised model calls, tool actions, or connected-system workflows requested through the platform.
6. Remote Gateway — customer-side agent
If you choose to deploy the FrontBrain AI Remote Gateway inside your network, the agent installed on your machine is a small Linux service. The data flows are deliberately narrow and asymmetric:
What the gateway sends to FrontBrain AI Cloud:
- An outbound TLS WebSocket carrying tool-call results (stdout, exit codes, returned objects), redacted parameters, timing, success/failure status, and correlation identifiers.
- Heartbeat pings and reconnect telemetry to keep the session alive.
- A one-line install-event record (timestamp and the customer’s acknowledged install posture — signed vs. pilot unsigned).
- On enrollment: the agent’s Ed25519 public key and SHA-256 fingerprint, your supplied hostname and OS, the agent version, and the install posture. The corresponding private key is generated locally and never leaves the gateway machine.
What stays on the gateway machine and never leaves your network:
- The agent’s Ed25519 private key.
- The local append-only audit log at
/var/log/frontbrain-gateway/audit.jsonl, with credential keys scrubbed using each tool’s redaction declaration.
- The agent’s operational log at
/var/log/frontbrain-gateway/agent.log.
- If you operate the gateway in Local credential mode (alpha): all infrastructure credentials are sealed with ChaCha20-Poly1305 on disk and resolved locally per call. FrontBrain AI Cloud only ever sees credential references; the credential plaintext never leaves your network.
- Cached temporary files inside
/var/lib/frontbrain-gateway/work/, which the agent cleans after each call.
What FrontBrain AI Cloud stores about the gateway:
- The gateway row (name, status, agent version, hostname, OS, fingerprint, install posture, dry-run state, credential mode, last-seen timestamp).
- The SHA-256 of the long-lived bearer credential issued at enrollment. The cleartext is shown to the admin once and never persisted.
- The append-only
gateway_events log (created, enrolled, install_posture, connected, disconnected, edited, revoked, rotated, config_pushed_live, config_queued_for_reconnect).
- A short-window (30-day default)
gateway_routes table holding the correlation ID, tool name, tenant + workspace, started/completed timestamps, success and error class. This is debugging telemetry; the source of truth for billing and compliance is audit_logs.
You can pull either the cloud audit log (per tenant, per workspace, or per gateway) as NDJSON for ingestion into your own SIEM. The local JSONL log is yours to ship anywhere you want.
7. Data sharing & disclosures
We do not sell your personal data. We share your information with trusted third-party processors required to operate the Service, all bound by written data-processing agreements that meet UK GDPR requirements:
- Hosting & infrastructure: cloud hosting, database, and storage providers (such as AWS and our private server infrastructure).
- AI API providers: approved model and AI compute providers used to process prompts, task context, and outputs, depending on your selected deployment and routing configuration.
- Payment processors: Paddle (as merchant of record) and their sub-processors for subscriptions, invoicing, and transactions.
- Communications: email delivery and support ticketing systems.
- Legal requirements: where required by law, regulation, or legal process to protect the rights, property, or safety of FrontBrain AI LTD, our users, or the public.
A current sub-processor list is available on request from privacy@frontbrain.ai.
8. International transfers
Some of our sub-processors are located outside the United Kingdom. Where we transfer personal data outside the UK, we rely on one of the following safeguards:
- Transfers to countries covered by a UK adequacy regulation (for example, the EEA, or the UK Extension to the EU–US Data Privacy Framework where applicable);
- The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, together with a transfer risk assessment where required; or
- Any other transfer mechanism recognised under UK GDPR.
You can request a copy of the relevant safeguards by writing to privacy@frontbrain.ai.
9. Retention
We keep personal data only for as long as is necessary for the purposes described above and to meet our legal obligations:
- Account & billing records: retained for the life of the account and for up to 7 years after closure, to meet UK tax and accounting obligations.
- Prompts, task history & outputs: retained while your account is active and for up to 30 days after account deletion, unless a longer period is required by law or you have configured a shorter workspace retention.
- Audit logs: retained for up to 24 months by default; enterprise customers may configure longer retention.
- Support communications: retained for up to 3 years after the last interaction.
- Marketing consent records: retained until consent is withdrawn, plus a proof-of-withdrawal record for compliance.
After the applicable retention period ends, we delete or irreversibly anonymise the data.
10. Cookies & similar technologies
Our website uses a small number of cookies. On your first visit you will see a consent banner offering three options: Accept all, Reject non-essential, or Customise. Your choice is remembered locally and can be changed at any time from the “Cookie settings” link in the footer.
We use the following categories:
- Strictly necessary (always on): a single cookie or local storage entry that records your cookie-consent choice so we do not ask again on every page load. This is required for the site to function and does not require consent.
- Analytics (off by default): if enabled in the future, this category would help us understand aggregate site usage. It is only loaded after you actively opt in.
- Marketing (off by default): if enabled in the future, this category would support advertising measurement. It is only loaded after you actively opt in.
We do not currently load any analytics or marketing cookies. If that changes, the consent banner will be updated to enumerate them by name, purpose, provider, and duration before any such cookie is set. You can withdraw consent at any point by clicking “Cookie settings” in the footer, which clears the stored preference and re-shows the banner.
11. Your rights under the UK GDPR
You have the following rights over your personal data:
- Right of access — receive a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — ask us to delete your data, subject to legal or compliance retention.
- Right to restrict processing — ask us to limit how we use your data in certain circumstances.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format.
- Right to object — object to processing based on our legitimate interests, and to direct marketing at any time.
- Rights related to automated decision-making — we do not make solely automated decisions that produce legal or similarly significant effects on you.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time; this does not affect the lawfulness of prior processing.
To exercise any of these rights, email privacy@frontbrain.ai. We will respond within one month, extendable by a further two months for complex requests. Access requests are free of charge except where they are manifestly unfounded or excessive.
12. Complaints — Information Commissioner’s Office (ICO)
If you are unhappy with how we have handled your personal data, we would like a chance to put it right — please contact us first at privacy@frontbrain.ai. You also have the right to lodge a complaint with the UK Information Commissioner’s Office:
- Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Helpline: 0303 123 1113
- Website: ico.org.uk/make-a-complaint
13. Security
We use technical and organisational measures appropriate to the risk to protect personal data, including TLS in transit, encryption at rest, credential vaulting, workspace isolation, approval gates, and audit logging. No system is perfectly secure, but if we ever suspect a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO and, where required, affected users without undue delay.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or regulatory requirements. We will post any updates on this page and revise the effective date accordingly. Where changes are material, we will also give you reasonable prior notice by email or in-app.
15. Contact us
If you have any questions or concerns about this Privacy Policy or our data-handling practices, please contact us at privacy@frontbrain.ai.