// LEGAL

Privacy Policy

Last updated: June 10, 2026

brains is a memory layer for your work. We take privacy seriously because the whole product only works if you trust us with sensitive material — your inbox, your calendar, your documents. This page explains, in plain language, what we collect, why, and what we never do with it.

1. Who we are

brains (referred to as "brains," "we," "us," or "our") operates the website at mybrains.ai and the application at app.mybrains.ai. If you have questions about this policy or your data, email us at privacy@mybrains.ai.

2. What we collect

Account information

When you sign up, we collect your name, email address, profile picture (if you sign in via Google or another OAuth provider), and authentication tokens.

Connected integrations

When you connect an integration (Gmail, Google Calendar, Google Drive, GitHub, Monday, Telegram, and others), brains ingests the content you authorize so it can be searched, queried, and acted upon by you and your agents. Each integration is scoped to the minimum permissions needed and uses OAuth — we never see or store your password.

Specifically, when you connect Google services we access only the following, and only after you grant consent on Google's OAuth screen:

  • Gmail — message metadata (sender, recipients, subject, date, labels), message bodies, and attachments for messages you have authorized us to read. Used to make your inbox searchable inside brains and to draft / send replies on your behalf when you explicitly ask.
  • Google Calendar — event title, description, location, start/end time, attendees, and RSVP status for calendars you have authorized. Used to surface your agenda inside brains and, on your explicit confirmation, create or update events.
  • Google Drive — file metadata (name, type, owner, modified time) and file contents (Docs, Sheets, Slides, PDFs, images) for files you have authorized. Used to make your documents searchable and to create new files on your explicit confirmation.
  • Google Account profile — your name, email address, and profile picture, for sign-in and display inside brains.

You can disconnect any Google integration at any time from your brains settings, which revokes our access token. You can also revoke access directly from your Google Account permissions page.

Content you create

Pages, boards, automations, mini-sites, workflows, chat transcripts, and any other content you create or upload to brains.

Usage data

Standard server logs (IP address, user agent, request paths, timestamps) and product analytics (which features you use, error reports). We use this to keep the service running and to improve it.

3. What we do with it

We use the data we collect to:

  • Provide the brains service — sync your integrations, run your automations, serve your pages and dashboards.
  • Authenticate you and protect your account.
  • Send you transactional notifications (billing, security alerts, integration failures).
  • Diagnose bugs and improve the product.
  • Comply with legal obligations.

4. What we never do

We do not use or transfer data we collect — including data obtained through Google APIs — for any of the following purposes:

  • We never train AI models on your content. Your data is not used by us, or by any LLM provider we route to, to train, develop, or fine-tune generalized AI or ML models. When you use brains with Claude, ChatGPT, Gemini, or any other LLM, we use API endpoints that contractually prohibit training on customer data.
  • We never use your data for advertising. No targeted advertising, no personalized advertising, no ad re-targeting, no audience profiling.
  • We never sell your data or transfer it to data brokers or information resellers.
  • We never use your data to determine credit-worthiness or for lending purposes.
  • We never share your data with other users unless you explicitly share a specific brain, board, mini-site, or workflow with them.
  • No human at brains reads your content except (a) with your explicit permission (for example, when you ask us to debug an issue), (b) for security investigations, (c) to comply with applicable law, or (d) on anonymized / aggregated data for internal operations such as capacity planning.

5. Google user data — Limited Use compliance

brains' use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Concretely, this means data obtained from Gmail, Google Calendar, Google Drive, and other Google APIs is used only to:

  • Provide and improve the user-facing features of brains that you see in the product — search, agenda, document Q&A, drafting, automations you author, and the dashboards and mini-sites you build.
  • Respond to your explicit, in-product actions (for example, drafting a reply you confirmed, creating a calendar event you confirmed, or producing a file you requested).

We do not transfer Google user data to third parties except (a) as needed to provide or improve those user-facing features, and only with your consent, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) as part of a merger, acquisition, or sale of assets with notice to you. We do not use Google user data to serve advertisements, including retargeted, personalized, or interest-based advertising. We do not use Google user data for credit-worthiness or lending purposes. We do not allow humans to read Google user data except in the limited circumstances described in section 4 above.

Google's restricted scopes used by brains include gmail.modify, calendar, and drive. We request the narrowest scope sufficient for the feature you turn on.

6. Who sees your data

Your data is visible to:

  • You, through the brains application and any LLM or surface you connect to it.
  • People you explicitly share with — when you grant owner / contributor / observer access on a brain, board, or workflow.
  • Subprocessors we use to operate the service: cloud infrastructure (AWS), LLM providers (Anthropic, OpenAI, Google, and others you route to), email and identity providers, error monitoring, and analytics. Each is bound by data processing terms equivalent to or stricter than this policy.
  • Authorities, only when legally required by a valid order. We narrow the scope of any disclosure to what the law requires and, where permitted, will notify you first.

7. How we protect your data

All data — including data obtained from Google APIs — is encrypted in transit (TLS) and at rest. OAuth refresh tokens are encrypted at the application layer with keys held outside the database. Access to production systems is restricted to a small number of operators, requires multi-factor authentication, and is logged. We run continuous security monitoring and review our practices regularly.

8. Where your data lives

brains hosts data on Google Cloud Platform in the United States. We do not move your data outside the United States without your consent.

9. How long we keep it, and deletion

We keep your content for as long as your account is active. You can delete individual pages, boards, brains, or your entire account at any time from within the product. When you delete:

  • The data is removed from our live production systems within 7 days.
  • Encrypted backups are rotated out within 30 days.
  • Disconnecting a Google integration revokes our OAuth token immediately and deletes the corresponding ingested Gmail / Calendar / Drive pages from brains within 7 days.
  • Deleting your account removes all your content, including all data ingested from Google APIs, on the same schedule.

You can also revoke brains' access to your Google account at any time via myaccount.google.com/permissions.

10. Your rights

Depending on where you live, you have the right to:

  • Access the data we hold about you.
  • Correct inaccurate data.
  • Delete your data.
  • Export your data in a portable format.
  • Object to specific kinds of processing.

To exercise any of these rights, email privacy@mybrains.ai. Most of these you can do yourself from within the product — disconnect an integration, delete a page, or close your account from your settings.

11. Cookies

We use a small number of cookies and similar technologies for authentication (keeping you signed in), preferences (remembering whether you dismissed a banner, your theme), and basic analytics. We do not use third-party advertising cookies.

12. Children

brains is not intended for use by anyone under the age of 16. We do not knowingly collect data from children.

13. Changes to this policy

We may update this policy as the product evolves. When we make material changes that affect how Google user data is collected, used, shared, or retained, we will notify you in-product before the change takes effect and update the "Last updated" date at the top of this page.

14. Contact

Questions, requests, or complaints about this policy or about data we hold — email privacy@mybrains.ai. We respond within 7 business days.