top of page

Privacy Policy

This privacy notice for FutureLab Consulting (doing business as describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:

  • Visit our website at

  • Download and use our Slack application (BrainstormBot), or any other application of ours that links to this privacy notice

  • Engage with us in other related ways, including any sales, marketing, or events


Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at


In Short: We collect personal information that you provide to us.


We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

  • names

  • phone numbers

  • email addresses

  • mailing addresses

  • usernames

  • passwords

  • contact preferences

  • contact or authentication data

  • billing addresses

  • debit/credit card numbers

Organizational Data. To create or update an Organization account, you or the relevant Customer (e.g. your employer) will supply BrainstormBot with an email address, phone number, password, domain and/or similar account details. This may also happen if you are a User whose employer has purchased an Enterprise subscription of the Services. In addition, Customers that purchase a paid version of the Services provide BrainstormBot (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.

Payment Data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number, and the security code associated with your payment instrument. All payment data is stored by Stripe. You may find their privacy notice link(s) here:

Application Data. If you use our application(s), we may request to send you push notifications regarding your account or certain features of the application. If you wish to opt out from receiving these types of communications, you may turn them off in your device's settings. This information is primarily needed to maintain the security and operation of our application, for troubleshooting, and for our internal analytics and reporting purposes.


Service metadata. When an Authorized User interacts with the Services, metadata is generated to provide additional context about their use of the Services. For example, BrainstormBot logs the Organizations, boards, people, features, content and links that you view or interact with, as well the types of files shared and any Third-Party Services that you use.

Log data. Like most websites and services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services, recording this information in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, your browser type and settings, the date and time the Services were used, information about browser configuration and plugins, and language preferences.

Device data. BrainstormBot collects information about devices accessing the Services, including the type of device, operating system used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Other Data often depends on the type of device used and its settings.

Location data. We receive information from you, the relevant Customer and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer or an IP address received from your browser or device to determine approximate location, in accordance with the consent provided by your device.

Third-party data. BrainstormBot may receive data about organizations, industries, lists of companies that are customers, Website visitors, marketing campaigns and other matters relevant to our business from parent corporations, affiliates and subsidiaries, our partners, or other third parties that we use to make our own information more useful. This data may be combined and may include aggregate-level data. For example, information about how well an online marketing or email campaign performed, or to create a business contacts directory.

Cookie data. BrainstormBot uses a variety of cookies and similar technologies in our Websites and Services to help us collect Other Data. For more details about how we use these technologies, as well as your opt-out opportunities and other options, please see our Cookie Notice.

Email performance data. BrainstormBot uses a ‘clear image’ (gif) in email communications in order to track engagement and performance metrics. Much of this data is aggregated and does not contain personal data. If you wish to turn off this tracking, you can do so by turning off images in the email itself. 

Third-Party Services data. A Customer may choose to use Third-Party Services. If Customer enables Third-Party Services, BrainstormBot may access and exchange Customer Content and Other Data with the Third-Party on Customer’s behalf, in accordance with our agreement with the Third-Party Services and any permissions granted by the Customer (including its Authorized User(s)).

Contact data. In accordance with the consent provided by your device or other third-party API, we process any contact information that an Authorized User chooses to import when using the Services.

Community data. We also receive Other Data when submitted to our Websites or in other ways, such as if you participate in the BrainstormBot community, Spark Plug service, and deliver BrainstormBot training services. This data is either submitted directly to the Services, or collected during forums, programs, contests, activities, events, or educational programs hosted by BrainstormBot.

Call data. Our Customer Success team may record video or telephone calls with Customers for the purposes of training and quality assurance. You will be notified of this when a recording is made, and can request that BrainstormBot does not record these calls.

Additional data provided to BrainstormBot. We also receive Other Data when submitted to our Websites or in other ways, such as when you request support, interact with our social media accounts or otherwise communicate with BrainstormBot.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.


In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:


  • To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.

  • To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.

  • To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.

  • To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them.

  • To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual’s vital interest, such as to prevent harm.

  • To develop, test and provide search, learning and productivity tools and additional features: BrainstormBot tries to make the Services as useful as possible. For example, we make Services suggestions based on historical use and predictive models, identify organizational trends and insights, customize your experience of the Services, or to create and develop new features and products.

  • To conduct market and user research: To improve our Services and troubleshoot new products and features, we may carry out research. For example we may survey Customers (including Admins, Users and other contacts) or third parties about customer satisfaction, user experience, the effectiveness of our marketing campaigns, and their broader interests.

  • To send emails and other communications. 

  • Transactional: As part of our services, we provide users with certain communications and updates, We may send you service, transactional, technical and other administrative communications, such as communications about your account, our Service offerings, changes to the Services, and important Services-related notices, such as security and fraud notices. We consider these communications as part of our Services to you.

  • Soft opt-in / Legitimate Interests: In addition, where you are a non-enterprise user or you if you have opted-in as an enterprise user, we sometimes send emails about new product features, recommendations and promotional communications, or other news about BrainstormBot. You can opt-out of these messages at any time by using the unsubscribe link included in all of these communications.

  • For billing, account management and other administrative matters: BrainstormBot may need to contact you for invoicing, account management, and similar reasons and we use account data to administer accounts and keep track of billing and payments.

  • To investigate and help prevent security issues and abuse.

  • To manage and to contact you with regard to involvement: We may need to manage and contact you with regard to your involvement and participation in the BrainstormBot community (such as forums, contests, activities, events or educational programs hosted by BrainstormBot or a collaborating vendor).

  • If information is aggregated or de-identified so that it can no longer reasonably be associated with an identified or identifiable natural person, BrainstormBot may use it for any business purpose. To the extent information is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Policy as “Personal Data.”



In Short: In order to provide AI functionality, BrainstormBot uses specific types of data.

BrainstormBot offers certain AI-supported functionalities within the product, which will refer to as BrainstormBot AI. If you choose to use these features, Customer Content (including user-generated prompts) will be processed by AI and machine learning models in order to improve the functionality of the overall system. Some of these models sit internally within our product, and some are provided by a third party. 

In order to provide AI functionality, BrainstormBot uses the following types of data:

  • User-generated prompts submitted by Users, which the models will use to generate content or make changes to your board. This is Customer Content, and we process it as a data processor on your instructions in order to provide the Services. Please be aware that any personal data you submit as a prompt will be processed by BrainstormBot AI.

  • Usage metadata about how Users engage with BrainstormBot AI, which BrainstormBot processes as a data controller in order to prevent or address service errors, security or technical issues, and to analyze and monitor usage of BrainstormBot AI. Usage metadata does not contain Customer Content.

  • BrainstormBot AI might share limited data with ChatGPT for the above purposes and to monitor compliance with codes of conduct.


However, neither BrainstormBot nor the integrated ChatGPT engine will store or use data that is generated by the customer, in order to train its models. ChatGPT’s privacy policy specifically acknowledges that it does not store or use data that is generated in the usage of ChatGPT, see: Similarly, BrainstormBot’s explicit policy is not to use any customer generated data for training, but will store data temporarily to improve the quality of its service, by providing context for brainstorms and design sprints.


In Short: We may share information in specific situations described in this section and/or with the following third parties.

This section describes how BrainstormBot may share and disclose personal data, as described above. Customers determine their own policies and practices for the sharing and disclosure of personal data. BrainstormBot may share and disclose personal data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and the Customer’s use of the Services and in compliance with applicable law. 

We may need to share your personal information in the following situations:

  • Displaying the Services. When an Authorized User submits Customer Content (including personal data), it may be displayed to other Authorized Users that have access to the same BrainstormBot channel. For example, an Authorized User’s name and BrainstormBot profile may be displayed. 

  • Customer access. Owners, administrators, Authorized Users, and other Customer representatives and personnel may be able to access, modify, or restrict access to personal data. 

  • Subcontractors. We may engage third-party companies or individuals as sub-processors to process personal data. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships to support our Customers. 

  • Third-Party Services. Customers may enable Third-Party Services. When enabled, BrainstormBot may access and exchange Customer Content with the provider of a Third-Party Service on Customer’s behalf. Third-Party Services are not owned or controlled by BrainstormBot and third parties that have been granted access to personal data may have their own policies and practices for its collection, use, and sharing. 

  • Partners. We may share personal data with developers, partners and others we engage to create BrainstormBot applications and/or integrating BrainstormBot features.

  • Forums. The information you choose to provide in a community forum, including personal data, may later become publicly available.

  • Corporate Affiliates. BrainstormBot may share personal data with its corporate affiliates, parents and/or subsidiaries for business continuity purposes.

  • During a change to BrainstormBot’s business. If BrainstormBot engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of BrainstormBot’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities, some or all personal data may be shared or transferred, subject to standard confidentiality arrangements.

  • To comply with laws. If we receive a request for personal data, we may disclose personal data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.

  • To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of BrainstormBot, its users, or third parties, including enforcing its contracts or policies, or in connection with investigating and preventing illegal activity, fraud, or security issues, including to prevent death or imminent bodily harm.



In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

BrainstormBot will retain Customer Content in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of the Services, and as required by applicable law. Beyond this, BrainstormBot may retain Other Data for as long as necessary for the purposes described in this Privacy Policy. Further, note that we may keep certain types of Other Data after the deactivation of an account for the period needed for BrainstormBot to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.


In Short: We aim to protect your personal information through a system of organizational and technical security measures.

BrainstormBot takes security of personal data very seriously. BrainstormBot strives to protect all Personal Data from loss, misuse, and unauthorized access or disclosure. Given the nature of communications and information processing technology, BrainstormBot cannot guarantee that, during transmission through the internet or while stored on our systems or otherwise in our care, personal data will be absolutely safe from intrusion by others.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.


In Short: A user can delete the user account upon request (via email to

This data is deleted from the system immediately and cannot be recovered by any users or BrainstormBot employees after this point. Data which has been deleted or otherwise destroyed can not be recovered at any time. Sufficient warning is given to the account administrator before data are permanently deleted. Data may still remain in the systems back-up files, which will be deleted periodically.


In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at


In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.

In some regions (like the EEA, UK, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. We will consider and act upon any request in accordance with applicable data protection laws.
If you have questions or comments about your privacy rights, you may email us at


If you are located in the EU or UK, this section applies to you. GDPR means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC:


  • Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. Learn more about withdrawing your consent.

  • Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to: Analyze how our Services are used so we can improve them to engage and retain usersDiagnose problems and/or prevent fraudulent activitiesUnderstand how our users use our products and services so we can improve user experience.

  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.

  • Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

  • If you are located in Canada, this section applies to you. We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

  • In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

  • If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way

  • For investigations and fraud detection and prevention

  • For business transactions provided certain conditions are met

  • If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim

  • For identifying injured, ill, or deceased persons and communicating with next of kin

  • If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse

  • If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province

  • If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records

  • If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced

  • If the collection is solely for journalistic, artistic, or literary purposes

  • If the information is publicly available and is specified by the regulations

If you are located in California, this section applies to you. The California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020, provide you with the rights to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), and subject to certain limitations that we describe below, we will disclose such information. You have the right to request any or all of the following: 


  • The categories of personal information we collected about you. 

  • The categories of sources from which the personal information is collected. 

  • The categories of third parties with whom we share that personal information. 

  • The specific pieces of personal information we collected about you (also called a data portability request). 

  • Notice of Sale. We do not sell the personal information of California residents. We also do not have any actual knowledge of selling the personal information of any California resident who is 16 years or younger.

  • Right to Request Deletion. You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records. However, we may retain personal information that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) in order to perform certain actions set forth under the California Data Protection Laws, such as detecting security incidents and protecting against fraudulent or illegal activity. 

  • Exercising Access and Deletion Rights. To exercise the access and deletion rights described above, please submit a request to us by sending an email to Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child. The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide adequate information that we can reasonably verify that you are the person about whom we collected the personal information.

  • We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing. In order to protect the security of your personal information, we will not honour a request if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. The method used to verify your identity will depend on the type, sensitivity and value of the information, including the risk of harm to you posed by any authorized access or deletion. Generally speaking, verification will be performed by matching the identifying information provided by you to the personal information that we already have.

  • Any disclosures we provide will only cover the 12-month period preceding our receipt of your request (and will not be made more than twice in a 12-month period). If we cannot comply with a request, or cannot fully comply with a request, the response we provide will also explain the reasons we cannot comply. 

  • Non-Discrimination. We will not discriminate against you for exercising any of your CCPA based on the California Data Protection Laws, including, but not limited to, by: Denying you goods or services. Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties. Providing you a different level or quality of goods or services. Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

If you are located in Virginia, note that the Virginia Consumer Data Protection Act the information we collect, use, and disclose about you will vary depending on how you interact with our Services.

If you are using an authorized agent to exercise your rights, we may deny a request if the authorized agent does not submit proof that they have been validly authorized to act on your behalf.



In Short: We will update this notice as necessary to stay compliant with relevant laws.

BrainstormBot may change this Privacy Policy from time to time. Laws, regulations, and industry standards evolve, which may make those changes necessary, or we may make changes to our services or business. We will post the changes to this page and we encourage you to review our Privacy Policy to stay informed. If we make changes that materially alter your privacy rights, BrainstormBot will provide additional notice, such as via email or through the Services. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information. If you disagree with the changes to this Privacy Notice, you should deactivate your account. 


If you have questions or comments about this notice, you may email us at or contact us by post at:

FutureLab Consulting
211 Cleveland Court
Mill Valley, CA 94941
United States


bottom of page