Open Brain / Privacy Policy

Who We Are
Information We Collect
How We Use Your Information
Sharing Your Information
Data Retention
Security
Your Rights
Cookies and Tracking
Children's Privacy
International Transfers
Changes to This Policy
Contact Us

Open Brain ("we", "us", "our") operates Meridian. This Privacy Policy explains how we collect, use, share, and protect information about you when you use our Service. For the full operational and compliance deep-dive, see our Data Compliance page.

1. Who We Are

Open Brain is the data controller for personal data processed through the Meridian Service. We act as a data processor in relation to the third-party AI model providers we route your prompts through. Contact us at privacy@openbrain.ai.

2. Information We Collect

Information you provide

Account data: Name, email address, password (hashed), profile information
Billing data: Payment method details (processed by our payment provider; we do not store full card numbers)
User content: Prompts, messages, files, and other content you submit to the Service
Communications: Support requests and feedback you send us

Information collected automatically

Usage data: Features used, models selected, routing decisions, session duration
Log data: IP address, browser type, device identifiers, timestamps
Cookies: Session cookies required for authentication; optional analytics cookies with your consent

Information from third parties

If you sign in via OAuth (Google, GitHub), we receive your name and email from that provider
AI model responses from third-party providers routed through the Service

3. How We Use Your Information

Purpose	Lawful basis (GDPR)
Providing and maintaining the Service	Contract performance (Art. 6(1)(b))
Processing payments and managing subscriptions	Contract performance (Art. 6(1)(b))
Sending transactional emails (receipts, alerts)	Contract performance (Art. 6(1)(b))
Improving and developing the Service	Legitimate interests (Art. 6(1)(f))
Security and fraud prevention	Legitimate interests (Art. 6(1)(f))
Marketing communications (with opt-out)	Consent (Art. 6(1)(a))
Legal compliance and responding to legal requests	Legal obligation (Art. 6(1)(c))

We do not sell your personal data. We do not use your prompts or conversation content to train AI models without explicit consent.

We share your information only in the following circumstances:

AI model providers: Your prompts are transmitted to the third-party AI providers you select (Anthropic, OpenAI, Google, xAI, NVIDIA, etc.) to generate responses. Each provider's privacy policy governs their handling of this data.
Service providers: We use trusted sub-processors (hosting, payments, analytics) under data processing agreements. See our sub-processor list.
Legal requirements: We may disclose information if required by law, court order, or to protect rights and safety.
Business transfers: In the event of a merger or acquisition, your data may be transferred to the successor entity.

5. Data Retention

Account data: Retained while your account is active and for 30 days after deletion
Conversation data: Retained for the duration of your account; deleted within 30 days of account deletion
Billing records: Retained for 7 years as required by financial regulations
Log data: Retained for 90 days for security and debugging purposes
Backups: Encrypted backups retained for up to 35 days before permanent deletion

6. Security

We implement industry-standard security measures including TLS 1.3 encryption in transit, AES-256 encryption at rest, row-level security in our database, JWT-based authentication with short expiry, webhook signing for integrations, and environment-isolated secrets management. We maintain a vulnerability disclosure programme — report issues to security@openbrain.ai.

In the event of a data breach affecting your personal data, we will notify you and relevant authorities within 72 hours as required by applicable law.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your personal data ("right to be forgotten")
Portability: Receive your data in a structured, machine-readable format
Restriction: Restrict processing of your data in certain circumstances
Objection: Object to processing based on legitimate interests
Withdraw consent: Withdraw consent at any time where processing is consent-based

To exercise these rights, contact privacy@openbrain.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Cookies and Tracking

We use strictly necessary cookies for authentication and session management. With your consent, we may use analytics cookies to understand how the Service is used. You can manage cookie preferences at any time in your account settings. We do not use third-party advertising cookies or cross-site tracking.

9. Children's Privacy

The Service is not directed to children under 13 (or 16 in the EU). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact privacy@openbrain.ai and we will delete it promptly.

10. International Transfers

Open Brain operates globally. Your data may be processed in countries outside your own, including the United States and India. We rely on the EU Standard Contractual Clauses (2021) and the EU–US Data Privacy Framework for transfers from the EEA. For details, see our Data Compliance page.

11. Changes to This Policy

We will notify you of material changes by email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact Us

Privacy enquiries: privacy@openbrain.ai
Legal enquiries: legal@openbrain.ai
Website: openbrain.co.in

Privacy Policy

Table of Contents