Privacy Policy
Last updated: March 2026. This policy describes how 1Brain collects, uses, and protects your personal data in line with the GDPR (Articles 13 and 14).
1. Data controller
The data controller responsible for your personal data is 1Brain. For privacy-related requests, contact: privacy@1brain.app.
2. Categories of personal data we collect
- Account data: email address, auth provider (e.g. Google, GitHub), and user ID.
- Workspace data: documents you upload, conversations, artifacts, and embeddings derived from your content.
- Integration data: OAuth tokens (stored encrypted) and synced content from Jira, Linear, Google, and similar services.
- Usage data: analytics events (event name, path, session ID, workspace ID) stored in our product_events system.
- Technical data: IP address in audit logs where relevant, and browser cookies used for authentication.
2a. Browser Extension Data
When you use the 1Brain Chrome Extension:
- What we collect: Content you explicitly capture from PM tools (Jira, Linear, Confluence, etc.), page URLs, and extension tokens (hashed) to authenticate your device. We do not collect content from blocked domains (banking, healthcare, auth, email, password managers, social DMs).
- What we don't collect: Passwords, financial data, or any content from sensitive sites. The extension does not run on blocked domains.
- Processing: Captured content is indexed for RAG search and used in AI generation within your workspace. PII is auto-redacted before AI processing.
- Retention: Captured documents follow the same retention as workspace data: until you or your workspace deletes them. Extension tokens expire after 30 days and can be revoked from Settings.
3. Purposes and lawful basis
We process your data only where we have a valid legal basis under GDPR Article 6:
- Account and authentication: contract performance (Art. 6(1)(b)), necessary to provide the service.
- Workspace data (documents, conversations, AI processing): contract performance and, where applicable, your explicit consent for AI processing.
- Analytics (product_events): legitimate interest (Art. 6(1)(f)) to improve the product; you can opt out via settings or data deletion.
- Training consent: explicit consent (Art. 6(1)(a)); on by default, turn off at any time in Settings.
- Integration tokens: contract performance to sync your connected services.
4. Recipients and subprocessors
We use the following subprocessors to operate the service. Each processes personal data only as necessary for the purpose listed:
| Subprocessor | Purpose | Location | DPA / compliance |
|---|---|---|---|
| Supabase | Database, auth, storage | US (AWS) | GDPR DPA available |
| Anthropic | AI generation (Claude) | US | Zero-retention API ToS |
| OpenAI | AI generation, embeddings, Whisper | US | Zero-retention API ToS |
| Google AI | AI generation (Gemini), embeddings | US/EU | Zero-retention API ToS |
| Tavily / Brave | Web search | US | API ToS |
| Stripe | Payment processing | US/EU | PCI DSS, GDPR DPA |
5. International transfers
Where we transfer personal data outside the EEA, we rely on adequacy decisions or Standard Contractual Clauses (SCCs) to ensure an adequate level of protection.
6. Retention periods
- Account data: until you delete your account.
- Workspace data: until you or your workspace deletes it.
- Analytics (product_events): up to 12 months, then anonymized or deleted.
- Audit logs: up to 90 days.
- Conversation history: until you delete it.
7. Your rights
Under the GDPR you have the right to: access your data; rectification; erasure ("right to be forgotten"); data portability; restriction of processing; object to processing; and to withdraw consent where processing is based on consent. You can export and delete your data from Settings. To exercise other rights, contact us at privacy@1brain.app.
8. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority in your country of residence or place of work.
9. Automated decision-making
We use AI to generate content and suggestions. This does not constitute automated decision-making with legal or similarly significant effects. You remain responsible for reviewing and approving any outputs.
10. Cookies and local storage
We use: (1) Auth cookies (e.g. sb-auth), strictly necessary for authentication; (2) Local storage for preferences (e.g. theme, onboarding state, consent flags). These are functional and not used for cross-site tracking. We do not use non-essential marketing or tracking cookies without separate consent.