BrainHost Privacy Policy

Last updated: 2026-04-10

This Privacy Policy explains how BrainHost (“BrainHost”, “we”, “us”, or “our”) collects, uses, discloses, stores, and otherwise processes personal data when you visit our website, create an account, place an order, use our customer portal, use our APIs, purchase or manage hosting or infrastructure services, contact support, subscribe to marketing communications, or otherwise interact with us.

This Privacy Policy should be read together with our Terms of Service, Acceptable Use Policy, any applicable Data Processing Addendum, cookie settings, and any product-specific terms we make available.

1. Who We Are

Controller. The controller for personal data covered by this Privacy Policy is:

SCEPTRE AI LTD
Company number: 16688726
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UNITED KINGDOM
Privacy email: support@brainhost.ai
General support: https://brainhost.ai/support

If a different BrainHost group company is identified in your order form, checkout summary, invoice, or service-specific terms as the provider of a particular Service, that entity may also act as controller for data relating to that Service.

If we are required to appoint an EU or UK representative and/or a data protection officer, their contact details will be listed here or in a relevant regional supplement.

2. Scope

This Privacy Policy applies to personal data that we process in connection with:

  • our website and landing pages;
  • the customer portal and account dashboard;
  • account creation, orders, payments, and billing;
  • support requests, support tickets, and service communications;
  • APIs, automation tools, and developer resources;
  • service provisioning, monitoring, logging, fraud prevention, and security operations;
  • marketing communications and events; and
  • any other interactions where this Privacy Policy is presented or referenced.

This Privacy Policy does not apply to:

  • third-party websites, products, or services that are governed by their own privacy notices;
  • personal data that we process solely as a processor or service provider on behalf of our customers, where our customer is the controller (for example, data hosted by a customer in workloads they manage through our Services). In those cases, the relevant customer’s privacy notice applies.

3. Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data.

3.1 Account and identity information

  • name;
  • email address;
  • username;
  • company or organisation name;
  • country or region;
  • account profile details;
  • login and authentication information.

3.2 Billing and transaction information

  • billing contact details;
  • billing address;
  • VAT, tax, or business registration details where applicable;
  • payment method metadata, payment tokens, payment status, and the last four digits of a payment card where provided by our payment processor;
  • invoices, receipts, credits, refunds, and transaction history.

We do not typically store full payment card numbers. Payment card data is generally processed by our payment processors in accordance with their own compliance obligations and privacy notices.

3.3 Service configuration and usage information

  • products or plans selected;
  • region, data center, and instance selections;
  • service identifiers;
  • deployment history;
  • backup, snapshot, and restore metadata;
  • IP address allocations;
  • hostname, DNS, and configuration metadata;
  • API usage metadata;
  • customer portal actions;
  • resource usage metrics, service health information, and similar operational data.

3.4 Technical, device, and log information

  • IP addresses;
  • user-agent strings;
  • browser and device information;
  • timestamps;
  • authentication logs;
  • session identifiers;
  • network, access, audit, and security logs;
  • error reports and diagnostic information.

3.5 Support and communications data

  • support tickets;
  • live chat or email correspondence;
  • call or meeting notes where applicable;
  • attachments, screenshots, logs, and files you choose to provide;
  • feedback, survey responses, and complaint records.

3.6 Marketing and preference information

  • newsletter preferences;
  • consent records;
  • event registrations;
  • communication preferences;
  • interactions with our emails or promotional pages where permitted by law.
  • cookie identifiers;
  • local storage entries;
  • analytics identifiers;
  • preference settings;
  • information about how you interact with our site and portal, subject to your choices and applicable law.

3.8 Information from third parties

We may receive personal data from third parties such as:

  • payment processors;
  • fraud prevention and abuse monitoring providers;
  • analytics providers;
  • advertising partners, where permitted by law;
  • resellers, affiliates, or referral partners;
  • public blocklists or security intelligence sources;
  • corporate customers or account administrators who create or manage an account for you.

Where UK GDPR, EU GDPR, or similar laws apply, we rely on one or more of the following legal bases: performance of a contract, compliance with legal obligations, legitimate interests, and consent.

4.1 To provide and manage the Services

We use personal data to:

  • create and manage accounts;
  • verify identity where necessary;
  • process orders;
  • provision, configure, maintain, suspend, and terminate Services;
  • deliver customer support;
  • communicate about service status, billing, renewals, and operational issues.

Legal basis: performance of a contract; legitimate interests in operating and improving our Services.

4.2 To process payments, billing, and accounting

We use personal data to:

  • process charges and refunds;
  • generate invoices and receipts;
  • maintain tax and accounting records;
  • detect payment fraud and manage disputes or chargebacks.

Legal basis: performance of a contract; compliance with legal obligations; legitimate interests in securing revenue and preventing fraud.

4.3 To secure the Services and prevent abuse

We use personal data to:

  • monitor service performance and integrity;
  • detect, investigate, and prevent abuse, spam, fraud, unauthorised access, denial-of-service activity, malware, and other harmful or unlawful activity;
  • enforce our Terms of Service and Acceptable Use Policy;
  • protect our infrastructure, personnel, customers, and third parties.

Legal basis: legitimate interests in keeping our Services secure and reliable; compliance with legal obligations where applicable.

4.4 To improve our website, products, and support

We use personal data to:

  • troubleshoot errors;
  • analyse service performance;
  • understand how users interact with our website and portal;
  • develop and improve features, documentation, and support processes.

Legal basis: legitimate interests in improving our business and Services; consent where required for non-essential analytics technologies.

4.5 To send service and administrative communications

We use personal data to send:

  • account confirmations;
  • billing notices;
  • renewal reminders;
  • security notices;
  • service announcements;
  • policy updates and other important administrative messages.

Legal basis: performance of a contract; compliance with legal obligations; legitimate interests in administering our Services.

4.6 To send marketing communications

We may use personal data to send newsletters, updates, promotional messages, and event invitations.

Legal basis: consent where required by law; otherwise our legitimate interests, subject to applicable electronic marketing rules and your rights to opt out.

You can unsubscribe from marketing emails at any time using the unsubscribe link in the message or by contacting us.

4.7 To comply with law and protect rights

We may process personal data to:

  • comply with legal, tax, accounting, sanctions, export control, data protection, and regulatory obligations;
  • respond to lawful requests from regulators, courts, or law enforcement;
  • establish, exercise, or defend legal claims.

Legal basis: compliance with legal obligations; legitimate interests in protecting our legal rights.

5. When We Act as Controller and When We Act as Processor

For most account, billing, website, support, fraud prevention, and service administration activities, BrainHost acts as a controller.

Where customers use our infrastructure or hosting services to store or process personal data in their own applications, websites, databases, or workloads, BrainHost may act as a processor or service provider on behalf of that customer. In those circumstances:

  • the customer is primarily responsible for the lawfulness of the hosted personal data;
  • the customer’s privacy notice governs the customer’s collection and use of that data; and
  • our processing is governed by our contract with the customer, including any applicable Data Processing Addendum.

6. How We Share Personal Data

We may share personal data with the following categories of recipients where necessary and appropriate:

  • payment processors and financial service providers for billing, fraud checks, refunds, and payment administration;
  • hosting, infrastructure, monitoring, logging, and support tool providers that help us deliver and maintain the Services;
  • customer management and billing system providers;
  • email and communications providers;
  • security, fraud prevention, and abuse monitoring providers;
  • professional advisers such as lawyers, auditors, insurers, and accountants;
  • group companies and affiliates where necessary for internal administration, support, or restructuring;
  • law enforcement, regulators, courts, and public authorities where we are legally required or reasonably believe disclosure is necessary to comply with law or protect rights;
  • a buyer, investor, successor, or transaction counterparty in connection with a merger, acquisition, financing, reorganisation, or sale of all or part of our business, subject to appropriate confidentiality protections.

We do not sell personal data for money.

We do not use personal data for cross-context behavioural advertising unless and until we provide any notices and choices required by applicable law.

7. International Transfers

Your personal data may be processed in countries other than the country in which you are located.

Where we transfer personal data internationally and applicable law requires safeguards, we will use an appropriate transfer mechanism, which may include:

  • an adequacy decision or adequacy regulation;
  • the European Commission’s Standard Contractual Clauses for transfers subject to the EU GDPR;
  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum, where required for transfers subject to the UK GDPR; or
  • another legally recognised transfer mechanism.

You may contact us using the details in Section 14 if you would like more information about the safeguards relevant to a particular transfer.

8. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain security, comply with law, resolve disputes, and enforce agreements.

Retention periods vary depending on the type of data and the reason we hold it. For example:

  • account profile and billing records: for the duration of the account relationship and thereafter for a period necessary to comply with accounting, tax, audit, dispute, and legal obligations;
  • transaction, invoice, and tax records: for the period required by applicable accounting and tax laws;
  • technical, access, and security logs: for a period proportionate to security, fraud prevention, abuse monitoring, troubleshooting, and legal compliance needs;
  • support tickets and related correspondence: for as long as needed to resolve the issue and for a reasonable period afterwards for quality, training, dispute, and legal purposes;
  • marketing preferences and consent records: until you withdraw consent or opt out, plus a limited period to maintain suppression records and demonstrate compliance;
  • cookie data: according to the specific cookie’s purpose and duration, as explained in our cookie notice or cookie settings.

We may anonymise or aggregate data so that it no longer identifies you. We may retain anonymised or aggregated information for longer periods where permitted by law.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, and disclosure. These measures may include, where appropriate, access controls, logging, network protections, encryption in transit, backup procedures, role-based permissions, staff training, and incident response processes.

No system is completely secure. You are responsible for maintaining the confidentiality of your account credentials, using strong passwords, enabling multi-factor authentication where available, and protecting the systems and devices you use to access the Services.

10. Your Rights

Depending on your location and applicable law, you may have the right to:

  • access personal data we hold about you;
  • correct inaccurate or incomplete personal data;
  • request deletion of personal data;
  • restrict or object to certain processing;
  • receive a portable copy of certain personal data;
  • withdraw consent where processing is based on consent;
  • opt out of certain marketing or advertising-related processing; and
  • lodge a complaint with a supervisory authority or regulator.

To exercise your rights, please contact us at support@brainhost.ai.

We may need to verify your identity before acting on a request. We will respond within the time required by applicable law. In many cases this is within one month, although we may be entitled to extend the period where the request is complex or numerous.

Your rights may be limited in some circumstances, including where we have overriding legitimate grounds, must comply with legal obligations, or need to establish, exercise, or defend legal claims.

11. Marketing Communications

Where permitted by law, we may send you marketing messages about products, services, updates, or events that may interest you.

Where consent is required, we will ask for it before sending marketing communications. You may opt out at any time by clicking the unsubscribe link in a message, changing your preferences in your account where available, or contacting us.

Opting out of marketing messages does not affect service-related or legally required communications.

12. Cookies and Similar Technologies

We use cookies and similar technologies to operate our website and customer portal, remember preferences, keep you signed in, understand website usage, improve performance, and, where permitted, support marketing.

These technologies may fall into the following categories:

  • strictly necessary cookies, which are required for core functionality and security;
  • functional cookies, which remember settings and preferences;
  • analytics cookies, which help us understand usage and improve performance;
  • advertising or marketing cookies, which may be used to measure campaigns or support relevant advertising.

Where required by law, we will ask for your consent before placing non-essential cookies, including analytics or marketing cookies.

You can manage your preferences through COOKIE BANNER TOOL and through your browser settings. Blocking some cookies may affect site functionality.

For more detailed information, including cookie names, providers, purposes, and durations, see our Cookie Settings.

13. Children’s Privacy

Our Services are not directed to children under the age of 18, and we do not knowingly collect personal data from children in connection with the Services.

If you believe that a child has provided us with personal data in breach of this section, please contact us at support@brainhost.ai so we can review and take appropriate action.

14. Contact Us

For privacy-related questions, complaints, or rights requests, please contact:

SCEPTRE AI LTD
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UNITED KINGDOM
Privacy email: support@brainhost.ai
Support: https://brainhost.ai/support

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, operational practices, or technology.

When we make changes, we will update the “Last updated” date at the top of this page. Where required by law or where the changes are material, we may also provide additional notice, such as by email, account notification, or website banner.

Your continued use of the Services after the effective date of an updated Privacy Policy is subject to the updated version.

16. Regional Supplement: United Kingdom and European Economic Area

If UK GDPR or EU GDPR applies to our processing of your personal data, the following also applies.

Our legal bases are described in Section 4. Where we rely on legitimate interests, those interests generally include operating, securing, improving, and supporting our Services; preventing fraud and abuse; communicating with customers; and protecting our legal and commercial interests.

16.2 Rights

You may have the rights described in Section 10, including the right to lodge a complaint with your local supervisory authority. If you are in the UK, this may include the Information Commissioner’s Office.

16.3 International transfers

Where required, we apply appropriate safeguards for international transfers as described in Section 7.

16.4 Provision of data

Some personal data is necessary for us to provide the Services, process payments, maintain security, or comply with law. If you do not provide required information, we may not be able to create your account, complete your order, or provide some or all of the Services.

16.5 Automated decision-making

We may use automated tools to detect abuse, fraud, spam, or suspicious activity. We do not make decisions producing legal or similarly significant effects based solely on automated processing unless permitted by law and subject to appropriate safeguards.

17. Regional Supplement: California

This section applies to California residents to the extent the California Consumer Privacy Act, as amended (“CCPA”), applies.

17.1 Categories of personal information

In the preceding 12 months, we may have collected the following categories of personal information:

  • identifiers;
  • customer records information;
  • commercial information;
  • internet or other electronic network activity information;
  • geolocation data inferred from IP address at a city or region level;
  • professional or employment-related information where provided;
  • audio, visual, or similar information where you submit recordings, screenshots, or support materials;
  • inferences drawn from the information above for fraud prevention, service administration, and support purposes.

We do not knowingly collect or use sensitive personal information for purposes other than those permitted by law and necessary to provide the Services, maintain security, comply with law, or administer our business.

17.2 Sources

We collect personal information:

  • directly from you;
  • automatically from your devices and interactions with our website, portal, and Services;
  • from payment processors, fraud prevention providers, analytics providers, and other service providers;
  • from account administrators or business customers who provide your details to create or manage your account.

17.3 Purposes

We collect and use California personal information for the purposes described in Section 4, including to provide Services, process orders, secure our systems, detect abuse and fraud, communicate with you, improve our Services, and comply with law.

17.4 Disclosure

We may disclose the categories of personal information listed above to the categories of recipients described in Section 6 for business purposes.

17.5 Sale and sharing

We do not sell personal information for money.

We do not share personal information for cross-context behavioural advertising unless and until we provide any notices and opt-out rights required by the CCPA.

17.6 Retention

We retain California personal information for the periods described in Section 8, taking into account the business purpose for collection, our legal obligations, operational needs, dispute resolution, and security requirements.

17.7 Your California rights

Subject to verification and applicable exceptions, California residents may have the right to:

  • know what personal information we have collected, used, disclosed, sold, or shared;
  • access specific pieces of personal information;
  • request deletion of personal information;
  • request correction of inaccurate personal information;
  • opt out of sale or sharing, if applicable;
  • limit certain uses of sensitive personal information, if applicable; and
  • not receive discriminatory treatment for exercising privacy rights.

To submit a request, contact support@brainhost.ai.

If we recognise an opt-out preference signal such as Global Privacy Control for relevant processing, we will handle it in accordance with applicable law and our technical capabilities as disclosed in our notice at collection or cookie notice.