Privacy Policy

Effective Date: February 13, 2026
Last Updated: May 28, 2026

1. Introduction

This Privacy Policy explains how Wallin Solutions AB ("we," "us," or "our"), collects, uses, stores, and protects your personal data in connection with the Brain OS software and the website brainos.wallinsolutions.se (the "Service").

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Swedish data protection legislation.

2. Data Controller

Name: Wallin Solutions AB
Website: brainos.wallinsolutions.se
Email: robban@techflip.se
Governing Law: Swedish Law
Supervisory Authority: Integritetsskyddsmyndigheten (IMY), Sweden

3. Personal Data We Collect and Process

3.1 Email Address

Source: Provided by you at the time of purchase.
Purpose: To deliver your license key, send purchase confirmations, communicate important product updates (e.g., security patches), and provide customer support.
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
Retention Period: Duration of your active license plus three (3) years after license expiration or termination.

3.2 Hardware Identifier (HWID)

Source: Automatically generated as a SHA-256 hash derived from the combination of the USB boot device serial number and the host computer's motherboard identifier (DMI product UUID or board serial number).
Purpose: To bind your license to a specific installation and prevent unauthorized use.
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
Retention Period: Duration of your active license. Deleted upon license termination or upon your request.
Note: The HWID is a one-way cryptographic hash and cannot be reversed to identify the underlying hardware. We treat it as personal data out of an abundance of caution.

3.3 Payment Information

Source: Provided by you during checkout.
Purpose: To process your payment for the license.
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
Processing: All payment data is processed exclusively by our payment processor, Stripe Inc. We do not receive, store, or have access to your full credit or debit card details. We receive only a transaction reference, the last four digits of your card, and the payment status.
Retention Period: Transaction records are retained for the duration required by applicable tax and accounting laws (currently seven (7) years under Swedish Bokföringslagen).

3.4 License Key and License Tier

Source: Generated at the time of purchase.
Purpose: To grant and manage your access to Brain OS features according to your purchased tier.
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
Retention Period: Duration of your active license plus three (3) years.

3.5 IP Address

Source: Automatically collected by our web server when you access our website.
Purpose: Security monitoring, protection against abuse, and maintaining server integrity.
Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)). Our legitimate interest is to ensure the security and proper operation of our website and services.
Retention Period: Server access logs containing IP addresses are retained for ninety (90) days, after which they are automatically deleted.

3.6 Coupon Codes

Source: Provided by you during checkout, if applicable.
Purpose: To apply discounts to your purchase.
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)).
Retention Period: Retained as part of the transaction record for the duration required by applicable tax and accounting laws.

3.7 License Validation Data

Source: Automatically transmitted by the Brain OS software.
Purpose: To verify that your license remains valid and has not been revoked. This is necessary to enforce license terms and protect against unauthorized redistribution.
Data Transmitted: Hardware Identifier (HWID) only, transmitted as part of the request URL. No license key, software version, or other data is included in the request.
Frequency: The software performs a license validation check approximately once every twenty-four (24) hours when an internet connection is available. No check is performed when the system is offline.
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b)) — license validation is a necessary component of the licensing system agreed to when purchasing or using the Software. Additionally, legitimate interest (GDPR Art. 6(1)(f)) — the Licensor has a legitimate interest in preventing unauthorized use and enforcing license terms.
Retention Period: Validation requests are processed in real time. The Licensor does not retain individual validation request logs beyond what is necessary for rate limiting and abuse prevention (maximum ninety (90) days).
Offline Behavior: If the software has been successfully validated at least once and subsequently loses connectivity to the license server, the license remains fully valid indefinitely — network failures alone will never cause license degradation. For licenses that have never been successfully validated online (e.g., a newly activated license on a system without internet), a thirty (30) day grace period applies, after which the software will temporarily revert to the free tier (2 disk limit) until a successful validation check is completed. This is described further in the EULA (Section 12.7).
Note: No telemetry, usage data, file names, IP addresses of connected clients, or any User Data is transmitted during the license validation check. Only the minimum data necessary for license verification is sent.

4. Data the Software Does Not Collect

We want to be transparent about the boundaries of our data collection:

No Telemetry: The Brain OS software does not transmit any usage data, system configuration details, installed applications, disk contents, or system performance metrics to us or any third party.
No Usage Analytics: We do not track how you use the Brain OS software, which features you use, or how often you use them.
No Tracking Cookies: Our website does not use tracking cookies, advertising cookies, or third-party analytics services. If essential session cookies are used, they are strictly necessary for the website to function and do not track your activity.
No Profiling: We do not build profiles about you or your behavior.
No User Data Access: We cannot see, access, or retrieve any files, documents, media, or other data stored on your system. Your data remains entirely on your local hardware.
License Validation Only: As described in Section 3.7, the software performs a periodic license check transmitting only the HWID. No license key, software version, or other data is included in the request. This is the only network communication initiated by the software to our servers.

5. How We Use Your Data

We use your personal data solely for the following purposes:

License Fulfillment: Delivering your license key and binding it to your installation.
Payment Processing: Completing your purchase transaction through Stripe.
Customer Support: Responding to your inquiries and providing technical assistance.
Product Notifications: Sending critical communications such as security updates or important changes to the Service. We do not send marketing emails unless you have separately opted in.
Security: Protecting our website and services against unauthorized access and abuse.
Legal Compliance: Meeting our obligations under Swedish tax, accounting, and commercial law.

6. Sub-Processors

We share your personal data with the following sub-processors, each of which is contractually bound to protect your data:

6.1 Stripe Inc.

Purpose: Payment processing.
Data Shared: Payment details (card information, billing address), email address, IP address, transaction amount.
Location: United States and European Union.
Safeguards: Stripe processes data in accordance with GDPR. For transfers to the United States, Stripe relies on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) as adopted by the European Commission.
Privacy Policy: https://stripe.com/privacy

6.2 Hetzner Online GmbH

Purpose: Web hosting and server infrastructure.
Data Shared: IP addresses and any data transmitted to our servers in the course of using the website.
Location: Germany (European Union).
Safeguards: Data remains within the EU. Hetzner is subject to GDPR.
Privacy Policy: https://www.hetzner.com/legal/privacy-policy

7. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (specifically to Stripe's operations in the United States), such transfers are protected by:

The EU-U.S. Data Privacy Framework (where applicable); and
Standard Contractual Clauses (SCCs) as adopted by the European Commission pursuant to GDPR Art. 46(2)(c).

You may request a copy of the applicable safeguards by contacting us at the email address provided in Section 2.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit (TLS/HTTPS).
Secure storage of license and account data.
Access controls limiting data access to authorized personnel only.
Regular review of our security practices.

While we take data security seriously, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.

As a data subject, you have the following rights under GDPR:

9.1 Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.

9.2 Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data.

9.3 Right to Erasure (Art. 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (if consent was the legal basis). Note that we may need to retain certain data to comply with legal obligations (e.g., tax records).

9.4 Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

9.5 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

9.6 Right to Object (Art. 21)

You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

9.8 How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

Email: robban@techflip.se

We will respond to your request without undue delay and in any event within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one (1) month of receipt of your request.

We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

10. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm, Sweden
Website: https://www.imy.se
Email: imy@imy.se

You also have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence or place of work.

11. Automated Decision-Making

We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant effects on you, as described in GDPR Art. 22.

12. Children's Privacy

Our Service is not directed at children under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data promptly.

12.2 United States — COPPA (Children Under 13)

For Users located in the United States: Our Service is not directed at children under the age of thirteen (13), and we do not knowingly collect personal data from children under 13 within the meaning of the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. §§ 6501–6506, and the FTC's implementing regulations at 16 C.F.R. Part 312. If a parent or legal guardian believes that we have inadvertently collected personal data from a child under 13, please contact us at robban@techflip.se and we will promptly delete the data and terminate any associated account.

13. Data Retention Summary

Data Category	Retention Period
Email address	License duration + 3 years
Hardware ID (HWID)	License duration
Payment transaction records	7 years (legal requirement)
License key and tier	License duration + 3 years
IP address (server logs)	90 days
Coupon codes	7 years (as part of transaction records)
License validation requests	90 days

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make material changes, we will:

Update the "Last Updated" date at the top of this policy.
Where practicable, notify you by email or through a prominent notice on our website.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acknowledgment of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:

Wallin Solutions AB
Robert Wallin
Email: robban@techflip.se
Website: brainos.wallinsolutions.se

16. United States State Privacy Law Disclosures

16.1 Scope and Applicability

This Section 16 applies to residents of the United States and provides disclosures required by various US state privacy laws, including:

California: California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), Cal. Civ. Code §§ 1798.100 et seq.
Virginia: Virginia Consumer Data Protection Act ("VCDPA"), Va. Code §§ 59.1-575 et seq.
Colorado: Colorado Privacy Act ("CPA"), Colo. Rev. Stat. §§ 6-1-1301 et seq.
Connecticut: Connecticut Data Privacy Act ("CTDPA"), Conn. Gen. Stat. §§ 42-515 et seq.
Utah: Utah Consumer Privacy Act ("UCPA"), Utah Code §§ 13-61-101 et seq.
Texas: Texas Data Privacy and Security Act ("TDPSA"), Tex. Bus. & Com. Code §§ 541.001 et seq.
Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, New Hampshire, Nebraska, New Jersey, Minnesota, Maryland, Kentucky, Rhode Island: comparable state privacy statutes adopted 2023–2026.

Where these state laws grant you rights in addition to or different from those described elsewhere in this Privacy Policy, this Section 16 controls.

16.2 Categories of Personal Information Collected (CCPA/CPRA)

In the preceding 12 months, we have collected the following categories of personal information as enumerated in Cal. Civ. Code § 1798.140(v):

CCPA Category	Examples	Collected?
Identifiers (A)	Email address, HWID, IP address	Yes
Categories listed in Cal. Civ. Code § 1798.80(e)	Name, contact info, payment information (via Stripe)	Yes (limited)
Protected classifications (race, gender, etc.)	None	No
Commercial information	License purchase history	Yes
Biometric information	None	No
Internet or other electronic network activity	Website logs (IP, request timestamps)	Yes
Geolocation data	Inferred from IP only (city-level, server-log purposes)	Limited
Sensory data (audio, video, etc.)	None	No
Professional or employment information	None	No
Education information	None	No
Inferences drawn from the above	None	No
Sensitive personal information (CPRA)	None	No

16.3 Sources, Purposes, and Retention

Sources, business/commercial purposes, and retention periods for each category are detailed in Section 3 of this Policy. We use personal information only for the purposes disclosed at the time of collection.

WE DO NOT SELL OR SHARE YOUR PERSONAL INFORMATION as those terms are defined in the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, or comparable state laws. We have not sold or shared personal information for monetary or other valuable consideration to any third party in the preceding 12 months and have no plans to do so. We do not engage in "targeted advertising" or "profiling for decisions that produce legal or similarly significant effects."

Because we do not sell or share personal information, no opt-out mechanism is required. We nevertheless honor any Global Privacy Control ("GPC") signal received from your browser as an opt-out signal as a matter of policy.

16.5 Your Rights Under US State Privacy Laws

Depending on your state of residence, you may have the following rights:

Right to Know / Right of Access: Confirm whether we process your personal information and obtain a copy.
Right to Delete: Request deletion of personal information we have collected from you, subject to legal exceptions.
Right to Correct: Request correction of inaccurate personal information.
Right to Portability: Receive your personal information in a structured, commonly used format.
Right to Opt-Out of Sale/Sharing: Not applicable — we do not sell or share (see Section 16.4).
Right to Opt-Out of Targeted Advertising: Not applicable — we do not engage in targeted advertising.
Right to Opt-Out of Profiling: Not applicable — we do not engage in profiling that produces legal or similarly significant effects.
Right to Limit Use of Sensitive Personal Information: Not applicable — we do not collect sensitive personal information.
Right of Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
Right to Appeal (where applicable, e.g. Virginia, Colorado, Connecticut): If we decline to act on your request, you may appeal the decision by contacting us at robban@techflip.se with "Privacy Rights Appeal" in the subject line.

16.6 Submitting a Request

To submit any privacy rights request, email us at robban@techflip.se with "Privacy Rights Request" in the subject line, and include:

(a) Your full name and email address;
(b) The state in which you reside;
(c) The specific right you are exercising;
(d) Sufficient information to verify your identity (typically the email address used for purchase and/or the HWID associated with your license).

We will respond within the time period required by applicable law (typically 45 days, extendable by an additional 45 days for complex requests).

16.7 Authorized Agents

You may use an authorized agent to submit a request on your behalf. The authorized agent must provide written authorization signed by you and proof of their authority. We may require you to verify your identity directly with us before processing the request.

16.8 Financial Incentive Programs (CCPA)

We do not offer financial incentives in exchange for the collection, sale, or retention of personal information.

16.9 California "Shine the Light" Disclosure (Cal. Civ. Code § 1798.83)

California residents may request information about the categories of personal information we have disclosed to third parties for direct marketing purposes during the preceding calendar year. We do not disclose personal information to third parties for direct marketing purposes; therefore, no such disclosure occurs.

16.10 Notice of Right to Know Re Identity Theft (Cal. Civ. Code § 1798.84)

In the event of a data breach affecting California residents, we will provide notification as required by California Civil Code § 1798.82 and other applicable law.

17. Other Jurisdiction-Specific Disclosures

17.1 Canada (PIPEDA)

For Users in Canada, our processing of personal information is governed by the Personal Information Protection and Electronic Documents Act ("PIPEDA"). The rights described in Section 9 (GDPR) and Section 16 (US state laws) provide broadly comparable protections; Canadian Users may also submit complaints to the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca).

For Users in the United Kingdom, our processing is governed by the UK GDPR and the Data Protection Act 2018. UK Users have substantially the same rights as EU/EEA Users described in Section 9. UK supervisory authority: Information Commissioner's Office (https://ico.org.uk).

17.3 Australia (Privacy Act 1988)

For Users in Australia, our processing complies with the Australian Privacy Principles ("APPs") under the Privacy Act 1988 (Cth). Australian Users may lodge complaints with the Office of the Australian Information Commissioner (https://www.oaic.gov.au).

17.4 Other Jurisdictions

For Users in other jurisdictions, we comply with applicable local data protection law and will respond to legitimate requests for access, correction, deletion, or restriction in accordance with such law.

18. Conflict and Construction

Where this Privacy Policy provides protections that exceed the minimum required by your applicable local law, the more protective provisions apply. Where local mandatory law provides protections that exceed those in this Privacy Policy, the local law prevails. Nothing in this Privacy Policy shall be construed to waive any non-waivable right under applicable data protection law.