Privacy Policy

This Privacy Policy explains how MetaBrain collects, uses, stores, and protects your personal data when you use our software and services.

Effective date: March 19, 2026

1. Who We Are

MetaBrain is an AI-powered metadata generation tool for microstock photographers, operated at metabrain.online. For the purposes of data protection law, MetaBrain is the data controller with respect to your personal data. For questions regarding this policy, contact us at privacy@metabrain.online.

2. Data We Collect

We collect the following categories of data:

Account Data

  • Email address and display name, obtained from your Google or Apple account at sign-in.
  • Profile photo URL (Google accounts only), used to display your avatar in the application interface.
  • A unique user identifier assigned by our authentication provider (Supabase).

Usage Data

  • Number and type of AI processing requests made (mode, model used, timestamp).
  • Token counts and estimated processing cost per request (used for subscription enforcement and business analytics).
  • Processing history: file names, generated metadata (titles, descriptions, keywords), and thumbnails stored on your behalf for in-app history display.
  • Application error events and session heartbeat signals (anonymous telemetry for reliability monitoring).

Device Data

  • A hashed hardware identifier (SHA-256) derived from your Mac's platform UUID. This identifier is one-way hashed before transmission and is used exclusively for abuse prevention (detecting multiple accounts per device). The raw UUID is never transmitted.
  • IP address at the time of account registration, retained for fraud and abuse detection.

Content Data

  • Images and videos you submit for AI processing are transmitted to our backend and to third-party AI providers (Google Gemini API and/or OpenAI API) for the sole purpose of generating metadata. These files are not permanently stored by MetaBrain; they are processed in memory and discarded after the response is returned. Google and OpenAI may process your content under their respective data processing agreements.

3. How We Use Your Data

We use your data for the following purposes:

  • Service delivery — to authenticate you, enforce subscription limits, process your images, and return generated metadata.
  • Billing — to track credit usage and subscription status. Payment data (card details) is handled exclusively by Paddle and is never accessible to MetaBrain.
  • Abuse prevention — to detect and prevent fraudulent account creation, misuse of the free tier, and violation of our Terms of Service.
  • Service improvement — to monitor errors, track aggregate usage trends, and improve the reliability and quality of the Software. We do not use your Content to train AI models.
  • Legal compliance — to comply with applicable law, respond to lawful requests, and enforce our Terms of Service.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and the United Kingdom, we process your personal data on the following legal bases:

  • Contract performance — processing necessary to provide the Service you have requested (account management, AI processing, subscription enforcement).
  • Legitimate interests — fraud prevention, abuse detection, and service reliability monitoring, where our interests are not overridden by your rights.
  • Legal obligation — where we are required to retain or disclose data to comply with applicable law.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only with the following third-party service providers, each of whom processes data on our behalf under appropriate data protection agreements:

  • Supabase, Inc. — provides our database, authentication, and backend infrastructure. Data is stored in US-East (Virginia) data centres. Supabase is SOC 2 Type II certified.
  • Google LLC — provides OAuth sign-in (Google accounts) and the Gemini AI API used for image analysis. Google processes submitted images under their API Data Processing Terms.
  • OpenAI, L.L.C. — provides the GPT-4o-mini API, used as an alternative AI model for certain content types. OpenAI processes submitted images under their API usage policies.
  • Paddle.com — processes all payments as the Merchant of Record. Paddle collects and retains billing information including payment card details, billing address, and transaction history. Paddle's privacy policy governs their use of your payment data.
  • Cloudflare, Inc. — hosts our application distribution files (macOS installer packages). Cloudflare may log download requests including IP addresses.
  • Vercel, Inc. — hosts our web portal at metabrain.online. Vercel may collect standard web server logs including IP addresses and browser information.

6. Data Retention

We retain your data for the following periods:

  • Account data — retained for the duration of your account plus 30 days following deletion, to allow for dispute resolution.
  • Processing history — the last 10 processing records are retained per user. Older records are automatically purged.
  • AI usage logs — retained for 12 months for billing, cost analysis, and legal compliance purposes.
  • Content (images/videos) — not permanently stored. Processed in memory and discarded immediately after the AI response is returned.
  • Telemetry data — anonymised aggregates retained for 90 days; individual events purged after 30 days.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — the right to request a copy of the personal data we hold about you.
  • Rectification — the right to request correction of inaccurate personal data.
  • Erasure — the right to request deletion of your personal data, subject to our legal retention obligations.
  • Portability — the right to receive your data in a structured, machine-readable format.
  • Objection — the right to object to processing based on legitimate interests.
  • Withdrawal of consent — where processing is based on consent, the right to withdraw it at any time.

To exercise any of these rights, please contact us at privacy@metabrain.online. We will respond within 30 days. We may require identity verification before processing your request.

8. Data Security

We implement industry-standard security measures to protect your personal data, including TLS encryption for all data in transit, row-level security (RLS) policies ensuring users can access only their own data, JWT-based authentication with automatic token expiry and refresh, and hashed hardware identifiers to avoid storing raw device UUIDs. Despite these measures, no system is completely secure. We cannot guarantee absolute security and accept no liability for unauthorised access beyond what is required by applicable law.

9. Cookies and Tracking

The MetaBrain desktop application does not use browser cookies. The web portal at metabrain.online uses only strictly necessary session cookies required for authentication (managed by Supabase Auth). We do not use advertising cookies, tracking pixels, or third-party analytics services on the public-facing website.

10. International Data Transfers

Your personal data may be transferred to and processed in the United States and other countries where our service providers operate. Where data is transferred outside the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or the adequacy decisions of the relevant data protection authority. By using MetaBrain, you acknowledge that your data may be processed internationally.

11. Children's Privacy

MetaBrain is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately at privacy@metabrain.online and we will take steps to delete such data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Effective date" at the top of this page and, where appropriate, by in-app notification. Your continued use of MetaBrain after the updated policy takes effect constitutes acceptance of the changes.

13. Contact

For any privacy-related questions, requests, or complaints, please contact us at privacy@metabrain.online. If you are located in the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.