Last updated: 1st October 2025
We respect your privacy. This policy explains how Pinnacle Trading Services Ltd (“we”, “us”, “our”) collects and uses your information when you use www.369brain.com (the “Service”).
What we do (summary)
We provide a prompt-generation service. You fill out short forms with your requirements, click Generate, and a prompt is displayed within seconds. We use LLM to help generate prompts and may add other providers in future. We do not use your prompts or generated prompts to train our systems at this time. The Service is for users aged 18+ and is available globally (no geographic blocks).
How and why we use your data (lawful bases)
We use your data for the purposes below. For each purpose we state the categories of data and our lawful basis under UK GDPR.
| Purpose | Data we use | Lawful basis | What this involves |
|---|---|---|---|
| Create & manage your account | Name, email, password hash, country/locale, [company name if provided] | Contract | Account creation, login, dashboard access, showing credit balance/expiry, age restriction (18+). |
| Provide the Service (prompt generation & history) | Prompt inputs you provide, generated prompts you choose to save, usage timestamps | Contract | Generating prompts; saving to history; showing usage in the dashboard. |
| Process payments & prevent fraud | Purchase details, plan, limited billing metadata from Stripe (we don’t store full card numbers), IP/device info | Contract; Legitimate interests (fraud prevention) | Taking payments; managing subscriptions/credits; preventing abuse and fraudulent transactions (Stripe may use automated fraud checks). |
| Customer support & service communications | Email, account details, support messages | Contract; Legitimate interests | Answering questions; sending important service notices (e.g., expiry, policy or security updates). |
| Improve, secure & debug the Service | Usage logs, device/browser data, error logs, aggregated/anonymised analytics | Legitimate interests | Monitoring performance and errors; preventing abuse; improving user experience. |
| Marketing emails (future) | Name, email, plan status (if used later) | Consent (opt-in) and/or Soft opt-in under PECR for existing customers, with opt-out | If enabled later, we’ll send product updates/tips/offers only in line with your choices; every email will include an unsubscribe link. |
| Analytics cookies (if enabled) | Cookie/online identifiers, device/browser, pages viewed | Consent | Measuring site usage to improve the Service. Non-essential cookies load only if you consent. |
| Legal & compliance | Transaction records, correspondence | Legal obligation; Legitimate interests | Tax/accounting retention; handling complaints/disputes; enforcing our terms. |
Sharing your data (processors/recipients)
We share data with trusted providers who process personal data on our instructions and under appropriate safeguards. Where suppliers are outside the UK/EEA, we use lawful transfer mechanisms (e.g., EU Standard Contractual Clauses and the UK IDTA) and apply appropriate safeguards.
- Stripe — payments processing and fraud prevention; processes billing details and limited metadata. International transfers: Stripe may process data in the UK/EU/US (and other countries) and relies on SCCs/IDTA for restricted transfers.
- LLM: generates prompts from your inputs; processes prompt inputs to return generated text. International transfers: LLM now offers EU data residency options for Enterprise/Edu/API; where residency isn’t selected, data may be processed in the US, with transfers covered by SCCs/IDTA.
- Hosting / Infrastructure: Hostinger — web/app hosting, storage, logs, and security. International transfers: Primary hosting is in the EU; Hostinger also operates data centers and services globally (e.g., US, Brazil, Singapore, Indonesia). Transfers outside the EEA occur with GDPR-compliant safeguards (e.g., SCCs/IDTA).
- CDN / Security: Not currently used. If we add a CDN (e.g., Cloudflare) for DDoS protection/performance, it may process IP addresses and logs globally with SCCs/UK Addendum for restricted transfers. We will update this policy before enabling it.
- Email delivery/support: Not currently using a third-party email delivery or helpdesk beyond our standard email service. If we add a provider (e.g., SendGrid/Mailgun/HelpScout/Gmail workspace), it will process contact details and message content; transfers outside the UK/EEA will be covered by SCCs/IDTA. We will update this policy before enabling it.
- Analytics: Google Analytics — only with your consent; processes online identifiers/cookies and usage data. International transfers: may involve transfers to the US covered by SCCs/IDTA (the regulatory landscape continues to evolve). We will not load non-essential analytics cookies without your consent.
- Error monitoring/logging: Not currently used. If we enable a service (e.g., Sentry/LogRocket), it may process pseudonymous diagnostics and usage data; any restricted transfers will be covered by SCCs/IDTA. We will update this policy before enabling it.
- Backups/storage: Handled within our Hostinger infrastructure (no separate processor at this time). If this changes, we will update this policy.
We may also share data where required by law or to protect rights, safety, or the Service (e.g., with regulators or law enforcement), and in connection with a corporate transaction (e.g., merger or acquisition).
International transfers
Your data may be processed outside the UK/EEA due to the locations of our providers (e.g., Stripe, analytics or email infrastructure). When transfers occur, we rely on SCCs/IDTA and additional safeguards where appropriate. You can contact us for details of current transfer mechanisms.
Cookies & similar technologies
We use strictly necessary cookies to operate the site (login, checkout, security). With your consent, we may use analytics cookies (e.g., Google Analytics) to understand site usage.
- On first visit, we show a consent banner. You can accept or reject non-essential cookies and change preferences anytime via [Manage Cookies link/URL].
- Non-essential cookies load only after consent.
- Analytics retention (if enabled): [14 months].
For full details, see our Cookie Policy.
What we collect (categories)
- Account data: name, email, password (hashed), country/locale, [company name if provided].
- Transactional data: purchases, plan, credit balance/usage, invoices/receipts.
- Payments: handled by Stripe; we receive limited billing metadata and transaction IDs. We do not store full card numbers.
- Usage/telemetry: device/browser info, IP address, pages viewed, events (e.g., generations), timestamps, error logs.
- Prompt data: information you enter in forms and the generated prompts; items you choose to save to history.
- Support: messages/emails you send us and our replies.
- Cookies/online identifiers: consent state, session cookies; analytics cookies only with consent.
Retention
We keep data only as long as necessary for the purposes above or as required by law:
- Account/profile: kept while your account is active; deleted or anonymised within 24 months after closure or last activity.
- Prompt history: retained until you delete it (you control deletion in your account) or as required by law.
- Billing/transactions: 6 years (legal obligation).
- Support tickets: 12 months after resolution.
- Logs/telemetry: 12 months.
- Marketing data: until you opt out or after [24 months] of inactivity.
We may retain information longer where necessary to comply with law, resolve disputes, or enforce our terms.
Security
We apply industry-standard measures including: HTTPS/TLS, hashed passwords, access controls/least privilege, monitoring/logging and rate-limiting, regular updates/patching, backups and tested restores, and vendor due-diligence with data protection agreements. No method is 100% secure, but we work to protect your data.
Your rights
Under UK GDPR, you have the right to access, rectify, erase, restrict, object to certain processing, and data portability. Where we rely on consent, you can withdraw it at any time (e.g., unsubscribe from emails; reject analytics cookies).
- How to exercise your rights: Email us from your registered address. We may ask for information to verify your identity.
- Response time: We aim to respond within 30 days.
- Account deletion: You can request account deletion by emailing us or via the link in setup.
You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk. We’d appreciate the chance to address your concerns first.
Children
The Service is for 18+ only. We do not knowingly collect data from children. If you believe a minor has used the Service, contact us.
Changes to this policy
We may update this policy from time to time. If changes are material, we’ll notify you by email and/or via an in-product notice. The new version will have an updated “Last updated” date.