App: BrainRot Factory (com.flxcode.brainrot)
Operator: FlxCode
Contact: flxcodelab@gmail.com
1. Summary
BrainRot Factory generates short videos from user-provided text or prompts. We log anonymous usage analytics, show ads, and call third-party AI services to do the generation. Anonymous use is the default; signing in with Google is optional and only required to make purchases. We do not sell your data.
2. Data we collect
2.1 You enter
- Text, file uploads, or URLs you provide to generate a video. These are sent to our backend and forwarded to AI providers (OpenAI for script + character text + cloud TTS + Whisper word alignment; Cloudflare Workers AI for free-tier image generation; OpenAI gpt-image-1 for paid-tier image generation).
- Uploaded photos (when you use "Use my photo" on Mode B) are stored in our R2 bucket under the
user-uploads/prefix and used as the character image. We auto-delete uploaded photos after 30 days. - Generated video files are stored only on your device. We do not retain copies on our servers.
- Google account info when you sign in with Google — your email address, display name, and profile photo URL. Used to bind credits and purchases to your account so they survive reinstalls. We never receive or store your Google password.
2.2 We collect automatically
- Firebase Authentication identifier — a unique user ID generated by Firebase on first launch (anonymous) or on Google sign-in. Sent in the
Authorization: Bearerheader on every backend request so we can attribute credits, usage cost, and purchases to your account. Anonymous IDs are cleared on uninstall; Google-signed-in IDs persist across devices. - App usage events — screen views, button taps, generation parameters (mode, voice, background, style, quality), generation timing and success/failure, ad impressions, purchase attempts. Sent to PostHog. No content (your text, scripts, images) is sent to PostHog.
- Per-impression ad revenue (AdMob ILR) — when an ad is shown, AdMob reports the impression's USD value to our backend. We store this with your Firebase user ID and approximate country (from IP, never the IP itself) so we can measure whether the free tier breaks even per region.
- Per-generation cost — server-side log of AI service costs (USD) for each request, keyed by the Firebase user ID. Used for unit-economics tracking only.
- Credit ledger — every credit grant (signup bonus, daily reload, ad reward, IAP purchase, subscription) and every credit spend (per generation) is logged server-side so we can answer support questions about your balance.
- Purchase records — when you buy a credit pack or subscribe, we receive the Play Billing purchase token + product ID from Google Play. We store these to verify with Google and to fulfil the purchase. We do not see your credit card details — those stay with Google Play.
- Crash reports — stack traces and device info (model, OS version) when the app crashes. (Currently disabled; will be enabled via Firebase Crashlytics in a future release.)
- Ad identifiers — Google AdMob uses your device's advertising ID (resettable from system settings) to serve ads. You can opt out of personalised ads via the in-app consent dialog (EU/UK/CH) or your device's privacy settings.
3. How we use it
- Generate videos — process your prompts through the AI pipeline.
- Run the credit economy — track grants and spends so we don't charge twice for the same generation and so you can see your balance.
- Verify purchases — Google Play hands us a purchase token; we verify it with Google's API and grant credits / activate your subscription.
- Improve the app — analytics help us spot UX issues and crash patterns.
- Show ads — AdMob shows rewarded and interstitial ads to keep the app free.
- Moderate content — every input and AI output is sent to OpenAI's moderation API to block harmful content. Flagged inputs are rejected; we keep no record of the content beyond the API call.
4. Third parties
| Service | Purpose | Data shared |
|---|---|---|
| OpenAI | Script + character LLM, moderation, cloud TTS (tts-1 + tts-1-hd), word alignment (Whisper), paid-tier image gen (gpt-image-1) | Your prompts and generated text; not used to train OpenAI models per their API terms |
| Cloudflare Workers AI | Free-tier Mode B image generation (Flux Schnell) | The composed image prompt (not your raw inputs) |
| Cloudflare | Backend hosting, R2 storage (incl. uploaded photos), AI Gateway proxy, Unified Billing for OpenAI traffic, D1 database for credit ledger and subscriptions | All API traffic between the app and AI services |
| Google Firebase | Authentication (anonymous + Google sign-in), Cloud Messaging (planned) | Your email + display name (when Google sign-in used), device push tokens (when enabled) |
| Google Play Billing | In-app purchases and subscriptions | Purchase tokens, product IDs, your Google Play account (handled by Google; we never see card details) |
| Google AdMob | Advertising + per-impression revenue tracking | Advertising ID, IP, device info, impression value (USD) per AdMob's privacy disclosures |
| PostHog (EU) | Product analytics | Firebase user ID, event names, parameters; no prompt content |
We use Cloudflare AI Gateway as a privacy- and cost-monitoring layer in front of OpenAI.
5. Data retention
- On-device generated videos — stored on your device only, until you delete them or uninstall.
- Backend asset cache (R2) — generated audio and images are stored for up to 30 days, then deleted. User-uploaded photos are also auto-deleted after 30 days.
- Credit ledger and purchase records — kept for 7 years to comply with financial recordkeeping requirements.
- PostHog analytics — retained per PostHog's standard retention (7 years for events).
- AdMob — see Google's ad data policy.
6. Your rights
You can:
- Opt out of personalised ads — open Settings → Privacy → Ads on your device, or use the in-app consent dialog (shown to EU/UK/CH users).
- Sign out — opens up a fresh anonymous account on the same device. Your credits remain bound to the Google-signed-in account and reappear when you sign back in.
- Request account deletion — write to flxcodelab@gmail.com with your Firebase user ID (Settings → Account shows a short prefix). We delete the account and all attached data within 30 days. Aggregate ad-revenue and cost-accounting data remain in anonymised form for financial audit.
- Request data export — write to flxcodelab@gmail.com.
If you are in the EEA / UK, you have additional GDPR rights (access, rectification, erasure, restriction, portability, objection). Exercise them by emailing flxcodelab@gmail.com.
7. Children
BrainRot Factory is rated Teen (13+) on the Play Store. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has used the app, contact us and we will delete any data associated with that account.
8. Changes to this policy
Material changes will be announced in-app and the "Last updated" date above will change. Continued use of the app constitutes acceptance.
9. Contact
FlxCode
flxcodelab@gmail.com