Brainiac Privacy Policy
Last Updated: [TO BE DETERMINED]
This Privacy Policy describes how [TO BE DETERMINED] ("Brainiac," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use the Brainiac platform and related services (the "Service").
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
1.1 Information You Provide
Account Information
- Email address
- Name
- Password (stored as a cryptographic hash; we never store plaintext passwords)
Business Context
- Company name and address
- Number of employees
- States of operation
- Industry and business type
- AI tools in use (self-reported)
- Data practices and categories of data processed
- Assessment responses about your business operations
- Insurance and benefits information relevant to AI compliance
Payment Information
- Processed by Stripe, our payment processor
- We do NOT store credit card numbers, expiration dates, or CVV codes
- We receive and store: billing name, billing address, last four digits of card number, and transaction history
Support Communications
- Emails, support tickets, and other communications you send us
1.2 Information We Collect Automatically
Scan Results
- When you use our scanning feature, we scan your publicly accessible website to detect AI tools and services
- Scan results include: detected tools, page URLs where tools were found, detection method, and scan timestamp
- We only scan publicly accessible pages; we do not access authenticated or private areas of your website
Usage Data
- Pages viewed, features used, and actions taken within the Service
- Browser type, operating system, and device information
- IP address and approximate geographic location
- Error logs and performance data
Cookies
- We use essential cookies for authentication and session management
- We use analytics cookies to understand Service usage (you may opt out via browser settings)
- We do not use advertising or tracking cookies
1.3 Information We Generate
Compliance Documents
- Disclosure notices, impact assessments, consent forms, and other documents generated based on your Business Context and our Law Data
Compliance Assessments
- Compliance scores, applicable law determinations, and deadline calculations derived from your Business Context
2. How We Use Your Information
We use your information for the following purposes:
- Providing the Service -- Generating Compliance Documents, determining applicable laws, calculating compliance scores, and displaying your dashboard
- Document Generation -- Your Business Context is processed by AI systems to generate Compliance Documents. Only the minimum necessary Business Context is sent to our AI provider for each generation request.
- Scanning -- Analyzing your public website to detect AI tools
- Account Management -- Authentication, billing, and support
- Service Improvement -- Analyzing aggregate, anonymized usage patterns to improve the Service
- Communications -- Sending transactional emails (account confirmations, compliance deadline reminders, law change notifications) via our email provider
- Legal Compliance -- Meeting our own legal obligations
We do NOT use your information for:
- AI Model Training -- We do NOT use your Business Context, Scan Results, or Compliance Documents to train, fine-tune, or improve AI models. Your data is used solely to provide the Service to you.
- Advertising -- We do not serve ads or share your information with advertisers.
- Data Sales -- We do not sell your personal information to third parties.
3. How We Share Your Information
We share your information only in the following circumstances:
3.1 Sub-processors
We use the following third-party services to operate the Service:
| Sub-processor | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | All account and business data (encrypted at rest, Row Level Security enforced) |
| Vercel | Application hosting | HTTP request logs, IP addresses, usage analytics |
| AI provider | Compliance document generation | Business Context necessary for each generation request (not retained by provider per their API terms) |
| Stripe | Payment processing | Payment information, billing details |
| Resend | Transactional email | Email addresses, notification content |
3.2 Legal Requirements
We may disclose your information if required by law, court order, subpoena, or government request. Where legally permitted, we will notify you before disclosure and cooperate with you to seek a protective order.
3.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
3.4 With Your Consent
We may share your information with third parties when you explicitly consent to such sharing.
4. Hosted Disclosure Pages
If you publish a Hosted Disclosure Page, the content you approve for publication will be publicly accessible. This may include company name, AI tools in use, data practices, and compliance disclosures. You control what is published and may unpublish at any time.
5. Data Retention
We retain your information as follows:
- Active accounts: Data is retained for the duration of your account
- After account termination: Data is retained for 30 days to allow you to request export or reactivate
- After 30-day retention period: Business Context and Compliance Documents are permanently deleted
- Audit trail data: Anonymized records of document generation events may be retained for up to 12 months after account termination for our compliance and audit obligations
- Payment records: Retained as required by tax and financial regulations
6. Data Security
We implement the following security measures:
- Encryption at rest: All data stored in our database is encrypted at rest
- Encryption in transit: All data transmitted between your browser and our servers uses TLS encryption
- Authentication: Managed by Supabase Auth with secure password hashing
- Row Level Security: Database access policies ensure users can only access their own data
- Access controls: Application-level access controls enforce Subscription tier permissions
- Infrastructure security: Hosted on Vercel (automatic HTTPS, DDoS protection, edge network) with Supabase (managed PostgreSQL with encryption)
No system is perfectly secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security.
7. Your Rights
7.1 All Users
You have the right to:
- Access your personal information by logging into your account
- Update your Business Context and account information at any time
- Delete your account and associated data by contacting us at [TO BE DETERMINED]
- Export your data in a portable format by contacting us at [TO BE DETERMINED]
7.2 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to Know -- You may request that we disclose the categories and specific pieces of personal information we have collected about you
- Right to Delete -- You may request deletion of your personal information, subject to certain exceptions
- Right to Correct -- You may request correction of inaccurate personal information
- Right to Opt-Out of Sale -- We do not sell personal information. There is nothing to opt out of.
- Non-Discrimination -- We will not discriminate against you for exercising your CCPA rights
To exercise your CCPA rights, contact us at [TO BE DETERMINED].
7.3 European Residents (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation:
- Right of Access -- Request a copy of your personal data
- Right to Rectification -- Request correction of inaccurate data
- Right to Erasure -- Request deletion of your data ("right to be forgotten")
- Right to Restriction -- Request restriction of processing
- Right to Portability -- Receive your data in a structured, machine-readable format
- Right to Object -- Object to processing based on legitimate interests
- Right to Withdraw Consent -- Withdraw consent at any time where processing is based on consent
Our legal basis for processing your data is: (a) performance of a contract (providing the Service), (b) legitimate interests (service improvement, security), and (c) your consent (where applicable).
To exercise your GDPR rights, contact us at [TO BE DETERMINED].
8. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We rely on standard contractual clauses where required for international transfers.
9. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
[TO BE DETERMINED]
Email: [TO BE DETERMINED]
Address: [TO BE DETERMINED]