Privacy Policy

Last updated: March 10, 2026

ScrappyLabs ("we", "us", "our") operates brainjack.ai and the BrainJack mobile application. This policy describes what data we collect, how it flows, and your choices — especially regarding the two service tiers.

How BrainJack Works

BrainJack converts your voice into keystrokes on a target computer. The data flow depends on which tier you use:

Data	Free Tier	Pro
Voice audio	Apple on-device ASR only (never leaves phone)	On-device, your own server, or ScrappyLabs Fleet ASR (600 min/mo)
Transcribed text	Sent directly to your agent	Optionally processed by our AI cleanup, then forwarded
Keystroke commands	Over your local network (never cloud)	Over your local network (never cloud)
Device IPs / tokens	Stored on-device only	Stored on-device only

What We Collect

Voice Audio (Free Tier)

FREE TIER

Free-tier voice recognition uses Apple's on-device speech recognition. Your audio never leaves your phone. Apple processes it locally on the device. We never see, receive, or process your voice audio on the free tier.

Voice Audio (Pro — Your Own Backend)

PRO — YOUR CHOICE

Pro users can configure their own ASR backend: Apple on-device, a self-hosted Whisper server, or any compatible endpoint. When using on-device or self-hosted ASR, no audio data leaves your device or local network. We never see or process it. Usage with your own infrastructure is unlimited.

Voice Audio (Pro — ScrappyLabs Fleet ASR)

PRO — OUR SERVERS

Pro users can optionally use ScrappyLabs Fleet ASR for higher-quality transcription and AI text cleanup (up to 600 minutes per month). When using this option, your voice audio is sent to ScrappyLabs servers, processed in real-time, and immediately discarded. We do not store, record, retain, or train on your voice data. Ever.

Keystroke Commands

ALL TIERS

Keystroke commands (type, key, combo) are sent over WebSocket directly from your phone to the BrainJack agent running on your target computer. This traffic stays on your local network. It never passes through our servers. We cannot see what you type.

Device Configuration

ALL TIERS

Device names, IP addresses, and authentication tokens are stored locally on your device (iOS UserDefaults / Keychain). This data is never sent to our servers.

What We Don't Collect

Keystroke content — we never see what you type into target machines
Location data
Contacts, photos, or camera data
Browsing or search history
Advertising identifiers or tracking data
Financial or payment information (payments handled by Apple)

Device Permissions

Microphone — Required for voice-to-keystroke. Audio is only captured when you actively tap the record button.
Speech Recognition — Used for on-device ASR (Pro tier with Apple backend). Processed by Apple on your device.
Local Network — Required to communicate with BrainJack agents on your network.
Bluetooth — Optional. Used for BLE HID devices (ESP32 dongles, Flipper Zero).

Third-Party Services

Depending on your configuration:

Apple Speech Recognition — When using on-device ASR. Subject to Apple's privacy policy.
ScrappyLabs ASR — Free tier only. Processed on our infrastructure (US-based). Not shared with third parties.

Data Security

WebSocket connections support TLS encryption (wss://)
Agent authentication uses HMAC constant-time token comparison
Agent audit logs record connection events but never log keystroke content
All server-side processing uses encrypted connections

Children's Privacy

BrainJack is intended for users 13 and older. We do not knowingly collect personal information from children under 13.

Your Rights

Switch to Pro — Eliminate all server-side processing by configuring your own ASR backend
Delete app data — Uninstalling the app removes all locally stored configuration
Request data deletion — Contact us to confirm no data is retained on our servers

Changes to This Policy

We may update this policy from time to time. Changes will be posted here with an updated date.

Contact

Questions? privacy@scrappylabs.ai