This page provides the operational compliance details that auditors, data protection officers (DPOs), enterprise procurement teams, and regulators ask for. It supplements our Privacy Policy and is binding as part of our overall privacy framework.

| Party | Role | Scope |
|---|---|---|
| Open Brain | Data Controller | Account data, usage analytics, billing records, log data, and any personal data collected directly from users through the Service |
| Open Brain | Data Processor | User prompt content transmitted to third-party AI model providers at user direction |
| AI Model Providers (Anthropic, OpenAI, Google, xAI, NVIDIA, etc.) | Independent Controllers or Sub-processors | Processing of prompts and responses under their own terms and privacy policies |
| Infrastructure Sub-processors | Data Processors | Storage, compute, and delivery of the Service on behalf of Open Brain |

Where Open Brain acts as a data processor on behalf of enterprise customers, a Data Processing Agreement (DPA) is available on request at legal@openbrain.ai.

| Category | Examples | Source |
|---|---|---|
| Identity data | Name, email address, username, profile picture | Provided by user at registration or via OAuth |
| Authentication data | Password hash, OAuth tokens, session tokens, MFA state | Generated during account creation and login |
| Billing data | Subscription tier, billing address, last 4 digits of card (full card numbers processed only by payment processor) | Provided at checkout; tokenised by payment processor |
| Content data | Prompts, AI responses, uploaded files, project rules, workspace settings | Submitted by user during Service use |
| Usage data | Feature interactions, models selected, routing decisions, token counts, session duration, click events | Collected automatically during Service use |
| Technical data | IP address, browser fingerprint, device type, operating system, timestamps, error logs | Collected automatically via server logs and analytics |

| Processing Activity | Lawful Basis | Art. 6 |
|---|---|---|
| Account creation and authentication | Performance of a contract | 6(1)(b) |
| Providing the Service (prompt routing, workspace) | Performance of a contract | 6(1)(b) |
| Payment processing and billing | Performance of a contract | 6(1)(b) |
| Transactional communications (receipts, alerts) | Performance of a contract | 6(1)(b) |
| Service improvement and analytics | Legitimate interests | 6(1)(f) |
| Security monitoring and fraud prevention | Legitimate interests | 6(1)(f) |
| Marketing and product updates | Consent (with opt-out) | 6(1)(a) |
| Tax and financial record-keeping | Legal obligation | 6(1)(c) |
| Compliance with law enforcement requests | Legal obligation | 6(1)(c) |

A Legitimate Interests Assessment (LIA) for the processing activities listed under 6(1)(f) is available on request at privacy@openbrain.ai.

| Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| Account and identity data | Duration of account + 30 days | Account deletion request or inactivity termination |
| Content data (prompts, files) | Duration of account + 30 days | Account deletion or explicit content deletion |
| Usage and analytics data | 24 months (aggregated after 12 months) | Rolling deletion; aggregated data retained indefinitely |
| Billing and financial records | 7 years | Legal obligation under financial regulations |
| Server and access logs | 90 days | Rolling deletion |
| Security incident logs | 3 years | Rolling deletion after 3 years |
| Encrypted backups | 35 days | Automatic cascade deletion on rolling 35-day schedule |

| Sub-Processor | Role | Region |
|---|---|---|
| Vercel Inc. | Hosting, edge network, and deployment infrastructure | Global (US-based) |
| Supabase Inc. | Database, authentication, and file storage | US / EU (region-selectable) |
| Stripe Inc. | Payment processing and billing | US / EU |
| Anthropic PBC | Claude AI model inference (at user direction) | US |
| OpenAI LLC | GPT-4o model inference (at user direction) | US |
| Google LLC | Gemini model inference (at user direction) | US / EU |
| PostHog Inc. | Product analytics and session recording (anonymised) | US / EU |

All sub-processors are bound by data processing agreements ensuring GDPR-equivalent protections. We will notify enterprise customers of material sub-processor changes with at least 30 days' notice.

Open Brain is headquartered in India. Some of our sub-processors are located in the United States and other countries. We rely on the following mechanisms for international transfers from the EEA, UK, and Switzerland:

Transfer impact assessments (TIAs) are conducted for all cross-border transfers. Copies are available to enterprise customers on request.

| Right | Article | How to Exercise |
|---|---|---|
| Right of access — obtain a copy of your personal data | Art. 15 | Email privacy@openbrain.ai or use account settings |
| Right to rectification — correct inaccurate data | Art. 16 | Account settings or email request |
| Right to erasure ("right to be forgotten") | Art. 17 | Delete account in settings or email request |
| Right to restriction of processing | Art. 18 | Email request with specific grounds |
| Right to data portability — export in machine-readable format | Art. 20 | Account settings → Export data |
| Right to object to processing based on legitimate interests | Art. 21 | Email request with specific grounds |
| Rights related to automated decision-making | Art. 22 | Email request; we do not make solely automated decisions with legal effects |

Response SLA: We will acknowledge rights requests within 5 business days and provide a substantive response within 30 calendar days (extendable to 90 days for complex requests with notice). All rights requests are free of charge.

You have the right to lodge a complaint with your local supervisory authority. EEA users may contact their national data protection authority. UK users may contact the ICO at ico.org.uk.

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

To exercise CCPA rights, contact privacy@openbrain.ai or use the "Delete my account" option in settings. We will respond within 45 days (extendable to 90 days with notice).

We implement the following technical and organisational measures:

In the event of a personal data breach, Open Brain will:

To report a security vulnerability, contact security@openbrain.ai.

The Service is not directed to children under 13 (16 in the EU/UK). We do not knowingly process children's personal data. We do not process special categories of personal data as defined in GDPR Art. 9 (health, biometric, genetic, religious, political, or similar data) and our Terms of Use prohibit users from submitting such data through the Service.

The Service is not designed for use cases regulated by HIPAA (US health data), FERPA (US educational records), or PCI-DSS beyond the standard payment processing handled by our certified payment processor. Enterprise customers with regulated data requirements should contact legal@openbrain.ai before use.

Email: privacy@openbrain.ai

Legal / DPA requests: legal@openbrain.ai

Security / breach reporting: security@openbrain.ai

Response SLA: 5 business days acknowledgement · 30 days substantive response

Open Brain operates under the laws of India. For GDPR Art. 27(2) purposes, EU/EEA residents may contact us directly at the email above. We are evaluating the appointment of a formal EU Representative and will update this page when appointed.