Privacy Policy
This Privacy Policy outlines the practices of BrainFx AI Inc. ("BrainFx", "we", "our", or "us") regarding the collection, use, disclosure, and protection of information in connection with your access to and use of the BrainFx Vitals mobile application (the "App"), made available through Google Play and the Apple App Store.
By creating an account, completing the in-app consent screens, or otherwise using the App, you acknowledge that you have read and understood this Privacy Policy.
1. Who We Are
Data Controller: BrainFx AI Inc.
Address: 1400 Bayly Street, Unit 13A, Pickering, Ontario L1W 3R2, Canada
Privacy contact: privacy@brainfx.com
Our Privacy Officer is responsible for our compliance with this Privacy Policy and with applicable privacy laws, and can be reached at the email address above.
2. Summary of the App and Why Privacy Matters
BrainFx Vitals is a session-based wellness companion for general self-awareness. In a typical session, the App uses your device's front-facing camera to capture a short video sequence, processes that video entirely on your device to derive wellness-related signals, and then optionally shares those numerical signals, together with profile information you provide, with Google's Gemini AI service to generate a personalized, informational summary.
The App is a wellness tool, not a medical device. The signals and insights it provides are informational estimates and are not intended to diagnose, treat, cure, prevent, or mitigate any disease or medical condition. Always consult a qualified healthcare professional for any personal health concerns.
3. Information We Collect
3.1 Information You Provide to Us
Account information. When you create an account we collect:
- Email address
- Password stored in hashed form by Firebase Authentication
- Optional first and last name
Health profile (Risk Factors). If you choose to complete the health profile in the App, we collect the following categories of information so the App can tailor your wellness insights:
- Demographic information: gender, country, ethnicity
- Physical information: age, height, weight, waist circumference
- Family medical history: parental hypertension, family diabetes
- Personal medical history: prior high glucose, prior hypertension, hypertension treatment status, diabetes diagnosis
- Lifestyle information: physical activity level, smoking status, fruit and vegetable consumption
- Optional clinical values: systolic and diastolic blood pressure, total cholesterol, HDL cholesterol, triglycerides, fasting glucose
Providing this information is optional. If you do not provide it, some wellness insights may be less personalized or unavailable.
AI interactions. If you use the in-App AI Wellness Assistant:
- Text chat. The text of your messages is processed to generate a response.
- Voice assistant. Your voice audio is streamed in real time to Google's Gemini service so the assistant can respond.
3.2 Information Generated by the App
Session data (wellness signals). During each scanning session, the App's on-device video analysis produces numerical estimates that may include:
- Circulation estimate (blood-pressure-related)
- Circulation / pulse-rhythm signal
- Warmth signal (temperature-related)
- Metabolic estimate (glucose-related)
- Lifestyle estimate
- Derived organ-system signals (heart, liver, lungs, kidney, blood, brain)
These signals are saved to your account so you can see your history and trends.
Usage and device information. We collect technical information needed to operate the App and diagnose problems, including device model, operating system and version, App version, language preference, IP address, and anonymous crash and performance diagnostics.
3.3 Information We Do NOT Collect or Store
- Raw video frames and facial images are processed entirely on your device and are discarded immediately after each session.
- No facial recognition or biometric identification is performed.
- We do not collect precise location (GPS) data.
- We do not collect contacts, calendar, photos, SMS, or files from your device.
4. Device Permissions We Request
| Permission | Why we need it |
|---|---|
| Camera | Required to capture the short face-video sequence used for on-device wellness analysis. Frames are processed locally and are never uploaded or stored. |
| Microphone | Required only when you choose to use the AI Voice Wellness Assistant. Audio is streamed in real time to Google Gemini to generate a response and is not retained by the App after the conversation. |
| Keep screen on | Prevents the screen from sleeping during an active scan. |
| Internet access | Required to sign in, sync session data, generate AI insights, and check network availability. |
You can revoke any permission at any time in your device settings. Revoking camera access will prevent you from running wellness scans.
5. How We Use Your Information
- Create and secure your account and authenticate your sign-ins.
- Run wellness sessions and derive the on-device signals described above.
- Generate personalized wellness insights, text summaries, and PDF session reports, including through the Google Gemini AI service.
- Power the AI Wellness Assistant, including text and voice.
- Save your session history so you can view trends over time.
- Enforce per-user session limits to protect the service and our AI costs.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Diagnose crashes and improve the App's reliability and performance.
- Communicate with you about your account, service issues, and material updates to this Privacy Policy or our Terms.
- Comply with applicable laws and respond to lawful requests.
We do not use your information to serve advertising. We do not sell or rent your personal information to anyone.
6. Legal Bases for Processing (EU/UK Users)
- Performance of a contract - to provide the App and the features you request.
- Consent - for the in-App consent to the medical disclaimer, camera/face analysis, and AI data sharing; and for processing special-category health data you choose to enter.
- Legitimate interests - for securing the App, preventing abuse, and improving reliability.
- Legal obligation - where we must retain or disclose information to comply with law.
You may withdraw consent at any time by emailing privacy@brainfx.com or by deleting your account in the App. Withdrawal does not affect the lawfulness of processing before withdrawal.
7. Third-Party Services We Rely On
We share the minimum information necessary with the following service providers. Each provider acts as our data processor and is contractually required to protect your information.
7.1 Google Firebase (Google LLC / Google Ireland Ltd.)
- Firebase Authentication stores your email and hashed password and authenticates sign-ins.
- Cloud Firestore stores your profile, risk-factor answers, session signals, session history, and App configuration.
- Firebase App Check helps us verify that requests come from genuine, unmodified installations of the App.
- Firebase AI / Vertex AI (Gemini 2.5 Flash) generates wellness summaries and powers the AI Wellness Assistant.
Google's privacy practices are described at policies.google.com/privacy and firebase.google.com/support/privacy.
7.2 Google Gemini (Google LLC)
When you use the AI Wellness Assistant or request an AI-generated wellness summary, we send the following to Google Gemini through the Firebase AI interface:
- The numerical wellness signals from your current and/or recent sessions.
- Relevant portions of your health profile.
- Your chat messages for text chat or streamed voice audio for the voice assistant.
Google Gemini returns a generated response to the App. Per the in-App consent you accept before using AI features, streamed voice audio is processed for real-time response and is not persisted by the App after the conversation ends.
7.3 Apple and Google
Apple and Google receive the minimum information they require for app distribution, payments if applicable, crash reporting, and compliance with their store policies, under their own privacy practices.
We do not share your information with advertisers, data brokers, or analytics providers beyond what is described above.
8. Where Your Data Is Processed
Your account and session data is stored in Google Cloud regions operated by Google for Firebase Authentication and Cloud Firestore. AI requests are processed by Google Gemini through Google-operated infrastructure. Depending on Google's regional routing, your data may be processed in Canada, the United States, the European Union, or other regions where Google operates.
When personal information is transferred outside your country of residence, we rely on appropriate legal transfer mechanisms including, where applicable, the European Commission's Standard Contractual Clauses, and on Google's own transfer frameworks.
9. How Long We Keep Your Information
- Account, profile, and session data - retained while your account is active, and deleted on request or on account deletion.
- Raw video frames and facial images - never retained.
- AI voice audio - streamed for real-time processing and not retained by the App after your conversation ends.
- AI chat transcripts - retained for the length of the chat session and may be stored with your session history if surfaced in the App; we do not use your chats to train AI models.
- Crash and diagnostic logs - retained for a limited period needed to diagnose issues, typically no more than 90 days.
- Backups - residual copies may persist in encrypted backups for a short period after deletion and are purged on our standard backup rotation.
We will keep information longer only where required by law.
10. Your Rights and Choices
Depending on where you live, you may have some or all of the following rights regarding your personal information:
- Access - request a copy of the personal information we hold about you.
- Correction - ask us to correct information that is inaccurate or incomplete.
- Deletion - ask us to delete your account and associated data.
- Portability - request a copy of the information you have provided in a structured, commonly used, machine-readable format.
- Restriction / Objection - ask us to restrict or object to certain processing.
- Withdraw consent - withdraw any consent you previously gave, including the in-App consents.
- Lodge a complaint - complain to your local data-protection authority.
How to delete your account and data
You can delete your account and all associated personal information at any time in one of two ways:
- From within the App - open the Profile screen and use the "Delete Account" option in the Danger Zone section. Your account and associated data will be deleted immediately.
- By email - write to privacy@brainfx.com from the email address associated with your account with the subject line "Delete my BrainFx Vitals account". We will confirm your identity and complete the deletion within 30 days, and send you written confirmation.
Residual copies may persist briefly in encrypted backups as described above. We will respond to any rights request within the time limits required by applicable law. We may ask you to verify your identity before acting on a request.
California residents (CCPA / CPRA)
California residents have the rights described above, including the right to know, correct, delete, and limit the use of sensitive personal information, and the right to opt out of "sales" and "sharing" of personal information. BrainFx does not sell or share personal information for cross-context behavioral advertising. You may exercise your rights by emailing privacy@brainfx.com.
Canadian residents (PIPEDA)
We comply with Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"). Our Privacy Officer is accountable for our handling of personal information and can be reached at privacy@brainfx.com.
EU/EEA and UK residents (GDPR)
In addition to the rights listed above, you have the right to lodge a complaint with your local supervisory authority.
11. Security
- Encryption in transit (TLS) for all network connections between the App and our servers.
- Encryption at rest for account and session data stored in Firebase.
- Password hashing performed by Firebase Authentication.
- Firebase App Check to reduce abuse from unauthorized clients.
- Access controls limiting which BrainFx personnel can access production data.
No method of electronic transmission or storage is 100% secure. If we become aware of a security breach that affects your personal information, we will notify you and regulators as required by law.
12. Children
The App is not directed to children under 13 years of age, or under 16 in the European Economic Area and other jurisdictions where a higher age of digital consent applies. We do not knowingly collect personal information from children under those ages. If you believe a child has provided us with personal information, please contact privacy@brainfx.com and we will promptly delete the account and data.
13. Medical Disclaimer
BrainFx Vitals is a session-based wellness companion for general self-awareness. The signals, estimates, insights, summaries, and AI-generated content produced by the App are informational only and are not intended to diagnose, treat, cure, prevent, or mitigate any disease or medical condition, replace consultation with a qualified healthcare professional, or be used in a medical emergency.
If you are experiencing a medical emergency, call your local emergency number immediately. Always consult a qualified healthcare professional for any personal health concerns. Your use of the App is subject to our Terms of Service, including the disclaimers and limitations of liability set out there.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the App, the services we rely on, or the law. When we make material changes, we will update the "Last Updated" date above and, where appropriate, provide notice in the App or by email before the changes take effect. Your continued use of the App after the changes take effect constitutes your acceptance of the updated Privacy Policy.