A memory you can actually trust.
Brain holds the most sensitive thing you have — the way your team thinks, decides and works. We treat it with the seriousness of a vault, not a feed. This Privacy Policy explains, in GDPR terms, what we collect, why, how long we keep it, and the rights you have.
Last updated: 3 June 2026
Yours. Always.
Your memory belongs to you. Export everything as plain markdown with one click. No lock-in, ever.
Encrypted end-to-end (Coming soon)
Brain is encrypted at rest and in transit. Per-workspace keys, no shortcuts.
Never trained on
Your knowledge never feeds a foundation model. Not ours, not theirs. Full stop.
EU-hosted by default
Data lives in EU regions. Sub-processors documented. Data Processing Agreement available on request.
Zero third-party trackers
No analytics that follow you around the web. No session replay on private content.
Workspace isolation
Row-level security at the database layer. Each workspace is sealed. RLS, not vibes.
1. Who we are (the controller)
Brain is operated by Soon Technologies B.V., a company registered in the Netherlands at Herengracht 420, 1017 BZ Amsterdam, Netherlands (KvK 75939401, VAT NL860449403B01). For any privacy matter you can reach us at privacy@brain.app. Soon Technologies B.V. is the data controller for personal data processed about visitors, account holders and workspace members. For data your workspace puts into Brain, your organisation is the controller and Soon Technologies B.V. acts as processor under a Data Processing Agreement (available on request).
2. What we collect
Account data: name, email, password hash, workspace name, role. Content data: memories, sources, comments, versions, questions and any files you upload or forward in by email. Usage data: minimal server logs (timestamp, route, status code, IP) kept for security and debugging. Billing data: handled by our payment processor; we only store the customer ID and invoice metadata. We do not collect biometric data, browsing history outside Brain, or content from your other tools unless you explicitly connect them.
3. Why we process it (legal bases)
Performance of the contract with you (Art. 6(1)(b) GDPR) for everything needed to deliver the product. Legitimate interest (Art. 6(1)(f)) for security, fraud prevention and product analytics on aggregated, non-identifying signals. Legal obligation (Art. 6(1)(c)) for tax and accounting records. Consent (Art. 6(1)(a)) for optional cookies and any marketing email — always opt-in, always revocable.
4. Where your data lives
All primary storage and compute runs in EU regions (Frankfurt and Amsterdam). Backups stay in the EU. Where a sub-processor offers a model that is only available outside the EEA, we either route around it or rely on Standard Contractual Clauses with supplementary measures. The current list of sub-processors is published and updated with notice before any change.
5. AI processing
When you use AI features (suggestions, summarisation, ask), your prompt and the relevant memory excerpts are sent to a model provider strictly to generate a response. Providers are contractually forbidden from training on your content and from retaining it beyond the request. You can disable AI features per workspace at any time.
6. How long we keep it
Account and workspace content: for as long as the workspace is active, then 30 days after deletion in soft-delete, then purged. Server logs: 30 days. Backups: 35 days rolling. Billing records: 7 years (Dutch tax law). You can request earlier deletion at any time; we will honour it unless a legal obligation requires retention.
7. Sharing
We do not sell personal data. We share it only with sub-processors strictly needed to run the service (hosting, email delivery, AI gateway, payments), under written data processing terms. We will disclose data to authorities only when compelled by a valid legal order from a competent EU authority, and we will notify you unless legally prohibited.
8. Security
TLS in transit, AES-256 at rest, row-level security per workspace, hardened authentication, audit logs, principle of least privilege for staff access. We test changes in isolated environments and run periodic reviews. In the event of a personal data breach affecting you, we will notify the Dutch Autoriteit Persoonsgegevens within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.
9. Your rights under GDPR
You may access, rectify, erase, restrict, port, and object to processing of your personal data, and withdraw consent at any time. Email privacy@brain.app — a human responds within 30 days (usually within 48 hours). You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
10. Cookies
We use a minimal set of strictly necessary cookies and no third-party trackers. See our Cookie Policy for the full list.
11. Children
Brain is not directed to anyone under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@brain.app and we will delete it.
12. Changes
If we materially change this policy we will notify account holders by email at least 30 days before it takes effect. Older versions are kept on request.
Questions? Email privacy@brain.app and a human will answer within 48 hours.