Privacy Policy

Effective Date: February 13, 2026 Last Updated: February 13, 2026

1. Introduction

This Privacy Policy explains how Robert Wallin, operating as "Wallin Solutions" ("we," "us," or "our"), collects, uses, stores, and protects your personal data in connection with the Brain NAS software and the website brainos.wallinsolutions.se (the "Service").

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Swedish data protection legislation.

2. Data Controller

Name: Robert Wallin, operating as Wallin Solutions Website: brainos.wallinsolutions.se Email: robban@techflip.se Governing Law: Swedish Law Supervisory Authority: Integritetsskyddsmyndigheten (IMY), Sweden

3. Personal Data We Collect and Process

3.1 Email Address

  • Source: Provided by you at the time of purchase.
  • Purpose: To deliver your license key, send purchase confirmations, communicate important product updates (e.g., security patches), and provide customer support.
  • Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
  • Retention Period: Duration of your active license plus three (3) years after license expiration or termination.

3.2 Hardware Identifier (HWID)

  • Source: Automatically generated as a SHA-256 hash derived from the USB boot device on which Brain NAS is installed.
  • Purpose: To bind your license to a specific installation and prevent unauthorized use.
  • Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
  • Retention Period: Duration of your active license. Deleted upon license termination or upon your request.
  • Note: The HWID is a one-way cryptographic hash and cannot be reversed to identify the underlying hardware. We treat it as personal data out of an abundance of caution.

3.3 Payment Information

  • Source: Provided by you during checkout.
  • Purpose: To process your payment for the license.
  • Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
  • Processing: All payment data is processed exclusively by our payment processor, Stripe Inc. We do not receive, store, or have access to your full credit or debit card details. We receive only a transaction reference, the last four digits of your card, and the payment status.
  • Retention Period: Transaction records are retained for the duration required by applicable tax and accounting laws (currently seven (7) years under Swedish Bokföringslagen).

3.4 License Key and License Tier

  • Source: Generated at the time of purchase.
  • Purpose: To grant and manage your access to Brain NAS features according to your purchased tier.
  • Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
  • Retention Period: Duration of your active license plus three (3) years.

3.5 IP Address

  • Source: Automatically collected by our web server when you access our website.
  • Purpose: Security monitoring, protection against abuse, and maintaining server integrity.
  • Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)). Our legitimate interest is to ensure the security and proper operation of our website and services.
  • Retention Period: Server access logs containing IP addresses are retained for ninety (90) days, after which they are automatically deleted.

3.6 Coupon Codes

  • Source: Provided by you during checkout, if applicable.
  • Purpose: To apply discounts to your purchase.
  • Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
  • Retention Period: Retained as part of the transaction record for the duration required by applicable tax and accounting laws.

3.7 License Validation Data

  • Source: Automatically transmitted by the Brain NAS software.
  • Purpose: To verify that your license remains valid and has not been revoked. This is necessary to enforce license terms and protect against unauthorized redistribution.
  • Data Transmitted: Hardware Identifier (HWID) only, transmitted as part of the request URL. No license key, software version, or other data is included in the request.
  • Frequency: The software performs a license validation check approximately once every twenty-four (24) hours when an internet connection is available. No check is performed when the system is offline.
  • Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)) — license validation is a necessary component of the licensing system agreed to when purchasing or using the Software. Additionally, legitimate interest (GDPR Art. 6(1)(f)) — the Licensor has a legitimate interest in preventing unauthorized use and enforcing license terms.
  • Retention Period: Validation requests are processed in real time. The Licensor does not retain individual validation request logs beyond what is necessary for rate limiting and abuse prevention (maximum ninety (90) days).
  • Offline Behavior: If the software has been successfully validated at least once and subsequently loses connectivity to the license server, the license remains fully valid indefinitely — network failures alone will never cause license degradation. For licenses that have never been successfully validated online (e.g., a newly activated license on a NAS without internet), a thirty (30) day grace period applies, after which the software will temporarily revert to the free tier (2 disk limit) until a successful validation check is completed. This is described further in the EULA (Section 12.7).
  • Note: No telemetry, usage data, file names, IP addresses of connected clients, or any User Data is transmitted during the license validation check. Only the minimum data necessary for license verification is sent.

4. Data the Software Does Not Collect

We want to be transparent about the boundaries of our data collection:

  • No Telemetry: The Brain NAS software does not transmit any usage data, system configuration details, installed applications, disk contents, or system performance metrics to us or any third party.
  • No Usage Analytics: We do not track how you use the Brain NAS software, which features you use, or how often you use them.
  • No Tracking Cookies: Our website does not use tracking cookies, advertising cookies, or third-party analytics services. If essential session cookies are used, they are strictly necessary for the website to function and do not track your activity.
  • No Profiling: We do not build profiles about you or your behavior.
  • No User Data Access: We cannot see, access, or retrieve any files, documents, media, or other data stored on your NAS. Your data remains entirely on your local hardware.
  • License Validation Only: As described in Section 3.7, the software performs a periodic license check transmitting only HWID, license key identifier, and version number. This is the only network communication initiated by the software to our servers.

5. How We Use Your Data

We use your personal data solely for the following purposes:

1. License Fulfillment: Delivering your license key and binding it to your installation. 2. Payment Processing: Completing your purchase transaction through Stripe. 3. Customer Support: Responding to your inquiries and providing technical assistance. 4. Product Notifications: Sending critical communications such as security updates or important changes to the Service. We do not send marketing emails unless you have separately opted in. 5. Security: Protecting our website and services against unauthorized access and abuse. 6. Legal Compliance: Meeting our obligations under Swedish tax, accounting, and commercial law.

6. Sub-Processors

We share your personal data with the following sub-processors, each of which is contractually bound to protect your data:

6.1 Stripe Inc.

  • Purpose: Payment processing.
  • Data Shared: Payment details (card information, billing address), email address, IP address, transaction amount.
  • Location: United States and European Union.
  • Safeguards: Stripe processes data in accordance with GDPR. For transfers to the United States, Stripe relies on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) as adopted by the European Commission.
  • Privacy Policy: https://stripe.com/privacy

6.2 Hetzner Online GmbH

  • Purpose: Web hosting and server infrastructure.
  • Data Shared: IP addresses and any data transmitted to our servers in the course of using the website.
  • Location: Germany (European Union).
  • Safeguards: Data remains within the EU. Hetzner is subject to GDPR.
  • Privacy Policy: https://www.hetzner.com/legal/privacy-policy

7. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (specifically to Stripe's operations in the United States), such transfers are protected by:

  • The EU-U.S. Data Privacy Framework (where applicable); and
  • Standard Contractual Clauses (SCCs) as adopted by the European Commission pursuant to GDPR Art. 46(2)(c).

You may request a copy of the applicable safeguards by contacting us at the email address provided in Section 2.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS).
  • Secure storage of license and account data.
  • Access controls limiting data access to authorized personnel only.
  • Regular review of our security practices.

While we take data security seriously, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.

9. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

9.1 Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.

9.2 Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data.

9.3 Right to Erasure (Art. 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (if consent was the legal basis). Note that we may need to retain certain data to comply with legal obligations (e.g., tax records).

9.4 Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

9.5 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

9.6 Right to Object (Art. 21)

You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

9.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

9.8 How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

Email: robban@techflip.se

We will respond to your request without undue delay and in any event within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one (1) month of receipt of your request.

We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

10. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY) Box 8114 104 20 Stockholm, Sweden Website: https://www.imy.se Email: imy@imy.se

You also have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence or place of work.

11. Automated Decision-Making

We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant effects on you, as described in GDPR Art. 22.

12. Children's Privacy

Our Service is not directed at children under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data promptly.

13. Data Retention Summary

Data CategoryRetention Period
Email addressLicense duration + 3 years
Hardware ID (HWID)License duration
Payment transaction records7 years (legal requirement)
License key and tierLicense duration + 3 years
IP address (server logs)90 days
Coupon codes7 years (as part of transaction records)
License validation requests90 days

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy.
  • Where practicable, notify you by email or through a prominent notice on our website.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acknowledgment of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:

Robert Wallin / Wallin Solutions Email: robban@techflip.se Website: brainos.wallinsolutions.se