Privacy Policy
Last updated: May 8, 2026
Brain Command Center (the "Service") is operated by Wolfson Equity ("Wolfson Equity", "we", "us"). This Privacy Policy explains what personal information we collect, why we collect it, how we use it, with whom we share it, and the choices you have. The Service is offered to customers in Canada and the United States. We handle personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Ontario's Personal Health Information Protection Act (PHIPA). For customers located in the United States, the same safeguards apply, and you should review where your data is stored (Section 4) before uploading information that is regulated in your jurisdiction (for example, U.S. health information governed by HIPAA).
1. Who this policy applies to
This policy applies to organizations and individuals who use the Brain Command Center web application at app.brain.wolfsonequity.com, anyone whose information is processed by the Service on behalf of those organizations, and visitors to our marketing pages.
Where Brain processes personal health information on behalf of a health information custodian (for example, a dental practice), we act as that custodian's information manager. The custodian remains responsible for that information; this policy describes the safeguards we apply on their behalf.
2. What we collect
We collect the following categories of information:
- Account information. Name, email, profile picture, and authentication identifiers from the sign-in provider (Google or email/password).
- Tenant information. Organization name, type, industry, region, billing plan, configured integrations, and any tenant-level settings you choose.
- Operational data. Records, appointments, financial transactions, communications, and similar business records that you or your connected systems push into Brain in order to use the Service. This may include personal health information about your patients or clients.
- Conversation data. Messages you exchange with the AI team members in the Brain interface, the actions they propose, the decisions you make on those proposals, and the resulting outcomes.
- Audit and security data. IP address, user-agent, timestamps, sign-in events, sensitive actions taken in the operator console, and records of any impersonation or recovery sessions.
- Billing data. Plan selection, invoice history, and a payment processor reference. Payment card data is handled by our payment processor and is not stored on Brain servers.
3. Why we collect it (purposes)
- To deliver, maintain, and improve the Service.
- To run the AI features that propose actions and answer questions on your behalf.
- To prevent and investigate misuse, fraud, and security incidents (audit logs are retained for this purpose).
- To bill you and to comply with our financial and tax obligations.
- To communicate with you about the Service, including changes to this policy.
- To meet legal, regulatory, and contractual obligations.
4. Where your data is stored
Brain stores tenant and conversation data in a managed PostgreSQL database operated by Supabase, in the ca-central-1 region (Montreal, Canada). Backups are kept in the same region. We do not transfer data outside Canada for storage.
AI features make outbound requests to model providers (currently OpenAI). Where this occurs, the prompt and the relevant context are sent for inference and a response is returned. We do not knowingly send direct identifiers (such as patient names) when a redacted alternative is available, and we do not authorize those providers to train their models on your data under our agreement with them.
5. Sub-processors
We rely on a small set of vetted sub-processors to operate the Service:
- Supabase — database, authentication, file storage (Canada region).
- Google LLC — sign-in via Google OAuth; optional Workspace integrations (Gmail, Calendar, Drive) where you connect them.
- OpenAI — AI inference for the team-member conversation experience.
- Payfirma — payment processing and recurring billing.
- Resend — transactional email delivery (Ava agent sends).
Each sub-processor is bound by a written agreement that requires protection of personal information consistent with this policy.
6. Sharing and disclosure
We do not sell personal information. We disclose information only to the sub-processors listed above to the extent needed for them to provide their function, and otherwise only when required by law (a valid court order, search warrant, regulator request, or similar). If we ever receive such a request, we will, where lawfully permitted, notify the affected tenant before responding.
7. Retention
We retain tenant and conversation data while your subscription is active and for ninety (90) days after termination, after which the data is permanently deleted from active systems. Audit and security logs are retained for two (2) years to support investigations. Backups roll off on a 30-day cycle.
You may request earlier deletion at any time by writing to tamir@wolfsonequity.com.
8. Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct inaccurate personal information, or ask us to update it.
- Withdraw consent and request deletion of your personal information, subject to legal retention obligations.
- Receive a portable export of your tenant data in a machine-readable format.
- File a complaint with the Office of the Privacy Commissioner of Canada or, for health information in Ontario, with the Information and Privacy Commissioner of Ontario.
To exercise any of these rights, contact us at tamir@wolfsonequity.com. We will respond within thirty (30) days.
9. Security
We protect personal information using technical and organizational measures including encryption in transit (TLS), encryption at rest at the database layer, role-based access control, row-level isolation between tenants, audit logging of sensitive operator actions, and a reviewed access process for the small number of operators with platform-wide privileges.
Despite these measures, no system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you without undue delay and in line with applicable law.
10. Children
Brain is a workplace tool. It is not directed to children under sixteen, and we do not knowingly collect their personal information for our own purposes. Operational records you upload may contain information about minors (for example, pediatric dental records); that information is processed only on your instructions, as your information manager.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page shows when it was last changed. Material changes will be communicated to active account holders by email or in-product notice at least thirty (30) days before they take effect.
12. Contact
Questions, requests, or complaints about this policy or our handling of personal information should go to:
Wolfson Equity — Brain Command Center
Privacy contact: tamir@wolfsonequity.com