Privacy Policy

1Introduction

RacingMinds ("we," "us," or "our") operates Brooke, an AI-powered business assistant available at brooke.com and associated domains (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use Brooke.

By accessing or using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

This policy applies to all users of Brooke, including individuals using Brooke on behalf of their organization. If you are using Brooke on behalf of a company, "you" includes both you and your organization.

2Information We Collect

Account Information

When you create a Brooke account, we collect your email address, name, and company name (optional). We use this to identify your account, send important communications, and provide the service.

Usage Data

We collect information about how you use the Service, including: runs you execute, features you use, pages you visit, error logs, browser type and version, operating system, device type, and IP address. This helps us improve reliability and diagnose problems.

Content You Provide

When you use Brooke, you provide content in the form of tasks, instructions, documents you upload, and messages. This content is processed to execute your requests. See Section 4 for details on how AI providers handle this content.

Integration Data

When you connect third-party services (such as Gmail, Google Drive, Notion, or HubSpot), Brooke accesses data from those services that is necessary to execute your tasks. For example, if you ask Brooke to summarize your emails, it will access your Gmail messages. The scope of access is limited to what's required for your task. See Section 6 for details.

Payment Information

If you subscribe to a paid plan, payment is processed by a third-party payment processor (Stripe). We receive a confirmation of payment and your subscription status. We do not store your credit card number, CVV, or full card details.

Communications

If you contact us by email or through support channels, we retain those communications to respond to you and improve our support. We may also send you transactional emails (run completions, approval requests, billing receipts) and, with your consent, product updates.

3How We Use Your Information

We use the information we collect for the following purposes:

• To provide the Service: Execute runs, generate artifacts, manage your workspace, and fulfill your requests.
• To improve reliability: Diagnose errors, monitor performance, and prevent service disruptions.
• To send transactional communications: Run completion notices, approval requests requiring your action, billing confirmations, and security alerts.
• To provide customer support: Respond to questions, troubleshoot issues, and improve our help documentation.
• To enforce our Terms of Service: Detect and prevent abuse, violations, and fraudulent activity.
• To comply with legal obligations: Respond to legal requests, court orders, and applicable law.

4AI Processing & Third-Party AI Providers

Brooke routes tasks through third-party AI providers to generate responses, artifacts, and analysis. When you submit a task, relevant content from your request (and potentially from connected integrations, as needed) is sent to one or more AI providers.

Current AI Providers

How We Handle AI Provider Data

• Content sent to AI providers is subject to their respective data handling and privacy policies.
• We use zero-data-retention (ZDR) API agreements with providers where available — meaning providers do not store your content for model training.
• Your content is never used to train or fine-tune third-party AI models through our API agreements.
• We select the appropriate AI provider based on the task type and your workspace configuration.

Provider Privacy Policies

We encourage you to review the privacy policies of our AI providers:

• OpenAI Privacy Policy
• Anthropic Privacy Policy
• Google Privacy Policy

5Data Sharing

We share your information only in the following circumstances:

Service Providers

We work with third-party companies that help us provide the Service, including infrastructure providers (Cloudflare), payment processors (Stripe), and analytics tools. These providers access your information only as necessary to perform services on our behalf and are contractually bound to protect it.

AI Model Providers

As described in Section 4, content from your tasks is sent to AI providers to generate responses. This is essential to the function of the Service.

Integration Partners

When you connect and use integrations (e.g., Gmail, Notion, HubSpot), we send data to and receive data from those services on your behalf. This only happens when you authorize it and when needed to complete your requested task.

Legal Requirements

We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we believe disclosure is necessary to protect the safety of any person, investigate fraud, or respond to a government request.

Business Transfers

If RacingMinds is acquired, merges with another company, or sells assets, your information may be transferred as part of that transaction. We will notify affected users by email and/or a prominent notice on our website prior to any transfer.

With Your Consent

We may share your information in other circumstances with your explicit consent.

6Integration Data

Brooke supports connections to third-party platforms including Gmail, Google Drive, Google Calendar, Slack, Notion, HubSpot, Salesforce, GitHub, Shopify, Dropbox, Trello, LinkedIn, and Discord. When you connect an integration:

• You authorize Brooke to access your account on that platform using OAuth or API keys.
• We request only the minimum permissions (OAuth scopes) needed to perform the tasks you request. We never request broad administrative access when narrower scopes suffice.
• Integration access tokens are encrypted at rest and scoped to your workspace. They are never shared across workspaces or customers.
• Integration data (emails, documents, CRM records) is accessed on-demand when you execute a relevant task. We do not continuously sync or cache your integration data unless required to complete a specific run.
• You can disconnect any integration at any time from your workspace settings. Disconnecting immediately revokes our access to that service.
• Upon disconnection, cached integration data from that service is deleted within 30 days.

You remain responsible for compliance with the terms of service of each third-party platform you connect to Brooke.

7Data Storage & Security

Infrastructure

Brooke is built on Cloudflare's infrastructure — Workers (compute), D1 (database), and R2 (object storage). All data is processed and stored within Cloudflare's global network.

Encryption

• In transit: All communication with Brooke is encrypted using TLS 1.3. We do not accept unencrypted connections.
• At rest: All data stored in D1 and R2 is encrypted at rest using AES-256 encryption.

Retention Periods

• Artifacts (PPTX, DOCX, XLSX, etc.): Stored for 90 days by default. Enterprise plans may configure longer retention.
• Run logs and step history: Retained for 12 months.
• Account data: Retained for the duration of your account, plus 30 days after deletion to allow for recovery.
• Integration tokens: Retained until you disconnect the integration or delete your workspace.

Workspace Isolation

Each workspace is fully isolated at the data layer. Your data is scoped to your workspace ID and cannot be accessed by or leaked to other customers — this is enforced by architecture, not just access controls.

Security Practices

For a detailed description of our security practices, please see our Security page.

8Your Rights (GDPR / CCPA)

Depending on your location, you may have the following rights regarding your personal data:

How to Exercise Your Rights

To exercise any of the above rights, contact us at privacy@brooke.com. We will respond within 30 days. We may need to verify your identity before fulfilling your request.

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what categories of personal information we collect, the right to deletion, and the right to opt-out of sale (we do not sell personal data). To exercise these rights, contact us at privacy@brooke.com.

Complaints

If you are in the EU/EEA and believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with your local data protection authority.

9Cookies & Tracking

Strictly Necessary Cookies

We use session cookies and authentication tokens to keep you logged in and to secure your session. These are essential to the operation of the Service and cannot be disabled.

Analytics

We may use analytics tools to understand aggregate usage patterns (e.g., which features are most used, where errors occur). Analytics data is anonymized and aggregated — it cannot be used to identify individual users.

No Advertising Cookies

We do not use third-party advertising cookies, tracking pixels, or behavioral advertising technology. We do not participate in ad networks or retargeting programs.

Managing Cookies

You can manage or delete cookies through your browser settings. Note that disabling strictly necessary cookies will prevent you from using the Service. Disabling analytics cookies will not affect your ability to use Brooke.

10Children's Privacy

Brooke is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@brooke.com and we will delete that information.

Users must be at least 18 years old to create a Brooke account, or 13 years old with verifiable parental consent where local law permits.

11International Transfers

Brooke is operated on Cloudflare's global network. Your data may be processed in data centers located in various countries. Cloudflare maintains global infrastructure subject to its own privacy and security practices.

EU/EEA Users

If you are located in the European Economic Area, your personal data may be transferred to and processed in countries that do not provide the same level of data protection as your home country. We rely on the following safeguards for such transfers:

• Standard Contractual Clauses (SCCs): We have SCCs in place with our key service providers and AI model providers for transfers from the EU/EEA.
• Data Processing Agreements: Available upon request for enterprise customers at privacy@brooke.com.

12Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to the address associated with your account at least 30 days before the changes take effect.

Non-material changes (such as clarifications, fixing typos, or updating contact information) may be made without advance notice. The "Effective date" at the top of this page reflects the date of the most recent revision.

If you disagree with a material change to this policy, you may close your account before the change takes effect. Continued use of the Service after the effective date of any change constitutes acceptance of the updated policy.

13Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@brooke.com
• Company: RacingMinds
• Website: racingminds.com

We aim to respond to all privacy-related inquiries within 5 business days, and to fulfill data subject requests within 30 days.

For urgent security concerns, please contact security@brooke.com.