Privacy Policy

Last updated: June 13, 2026

1. Who we are

Index.brain ("we," "our," or "us") is a knowledge extraction service that connects to your business tools, extracts structured knowledge, and delivers it to AI agents via MCP and REST API. Our website is indexbrain.online. For privacy questions, contact us at legal@indexbrain.online.

2. What we collect

Account information

When you sign up, we collect your name, email address, company name, and role. This is used to create and identify your account.

OAuth access tokens

When you connect an integration (Gmail, Slack, Notion, Jira, Linear, Asana, GitHub, Granola, Fathom), we store the OAuth access token securely, encrypted at rest. We use this token only to read data from that source on your behalf. We never ask for or store passwords.

Extracted knowledge — not raw data

We do not store raw emails, Slack messages, Notion pages, or any other original content. We read your data, extract structured facts (decisions, processes, policies, knowledge), and discard the source content. Only the extracted knowledge — facts, skill summaries, confidence scores, and source references (e.g., "Slack #engineering, June 2026") — is stored.

Usage and activity data

We collect processing timestamps, sync logs, API call counts, and activity logs. This data is used to show you the status of your brain and to debug issues.

Technical data

Standard web server logs including IP address, browser type, and pages visited. This data is retained for 30 days and used for security and debugging only.

3. How we use your data

We use your data solely to provide and improve the Index.brain service:

  • Authenticating your account and managing sessions
  • Reading connected integrations to extract knowledge
  • Running AI extraction via the Claude API (Anthropic)
  • Organizing extracted facts into skills and categories
  • Delivering skills to authorized AI agents via MCP and API
  • Showing you activity logs, review queues, and processing status
  • Sending transactional emails (processing complete, security alerts, billing receipts)
  • Diagnosing errors via Sentry (no user content is sent to Sentry)

We never sell your data. We never use your data to train AI models.

4. Data isolation

Every organization's data is completely separated at the database level. Every query is filtered by organization ID. It is architecturally impossible for one organization's knowledge to be returned to another. Team member access within an organization is further controlled by the permissions matrix in your account settings.

5. AI processing

We use the Claude API (Anthropic) to extract structured knowledge from content read from your integrations. Content is sent to Anthropic's API under their enterprise API terms, which prohibit using API inputs or outputs to train Anthropic's models. We use Claude Haiku for simple classification tasks and Claude Sonnet for complex extraction. Content sent to the API is the minimum necessary for extraction and is not retained by us after processing.

6. Third-party sub-processors

We share data with the following sub-processors to operate the service. A full list is maintained in our Data Processing Agreement.

Sub-processorPurposeLocation
Amazon Web ServicesBackend API and database hosting (EC2)USA
CloudflareDNS, DDoS protection, SSL, traffic proxyGlobal
VercelFrontend hostingUSA / Global CDN
AnthropicAI knowledge extraction (Claude API)USA
ResendTransactional email deliveryUSA
SentryError monitoring (no user content)USA

7. Data retention

  • Extracted knowledge and skills: Retained until you delete them or delete your account.
  • OAuth tokens: Retained while the integration is connected. Deleted immediately upon disconnection.
  • Activity logs: Retained for 90 days, then automatically purged.
  • Server logs: Retained for 30 days.
  • Billing records: Retained for 7 years as required by law.

8. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Correct inaccurate or incomplete personal data
  • Deletion: Request deletion of your personal data (right to be forgotten)
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request restriction of processing while a dispute is resolved

To exercise any of these rights, email legal@indexbrain.online. We will respond within 30 days.

9. Deletion

You can delete your account and all associated data at any time from Settings → Data Management.

  • All extracted knowledge and skills: deleted within 24 hours
  • OAuth tokens: deleted immediately
  • Activity logs: deleted within 7 days
  • Account record: deleted within 24 hours
  • Billing records: retained for 7 years as required by law

When you disconnect a single integration, you choose whether to keep the extracted knowledge or delete it. That choice is permanent.

10. Security

  • All data encrypted in transit (HTTPS/TLS 1.2+)
  • All data encrypted at rest (AES-256)
  • OAuth tokens and API keys stored encrypted
  • Authentication via Google OAuth — no passwords stored
  • Every data access event logged in activity logs
  • Regular security reviews and dependency audits

In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware of it.

11. Cookies

We use essential cookies for authentication and session management. We do not use advertising cookies. See our Cookie Policy for full details.

12. Children

Index.brain is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at legal@indexbrain.online and we will delete it.

13. Changes to this policy

We may update this Privacy Policy. Significant changes will be communicated by email at least 30 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent version.

14. Contact

For privacy questions or to exercise your rights:
Email: legal@indexbrain.online
Response time: within 30 days