The short version
gbrain.io is operated by The Overton Window Company, Inc. When your team uses the service, the data flowing in lives on isolated compute that runs only your organization’s brains. Not a shared database, not a machine with other customers on it. That compute belongs to your workspace until you delete it.
We don’t read your team’s content for product purposes. We don’t train AI on it. We don’t store it in our own databases. The AI model your brains call (Anthropic’s Claude by default) sees prompts on a per-request basis under Anthropic’s published policy; we don’t add a pipeline that retains your content elsewhere.
Like every hosted service, we have operator-level access to the infrastructure we run. Section 9 (“Security”) covers what that means in practice and where the limits are.
1. Scope and definitions
“Customer” means the organization (workspace) that has agreed to the Terms of service.
“Customer data” means anything your brains ingest, generate, or store on your behalf: content from connected sources, the notes and summaries brains write, configuration you provide, and audit metadata about brain activity.
“Personal data” means information about identifiable individuals. Some customer data may be personal data (an email message addressed to an individual, for example). Where we process personal data on your behalf, we’re acting as a processor and you’re acting as a controller in the sense those terms are used in GDPR, CCPA, and similar frameworks.
This page is the controller-facing description of how we handle personal data. Customers who need a separately signed Data Processing Addendum can request one at legal@overton.xyz.
2. Data we collect
We collect three categories of data:
Account data — the email address Google asserts at sign-in, the workspace name and slug you choose, the org-membership role of each user, billing identifiers (Stripe customer id), and a minimal audit log of administrative actions (who signed in, when a brain was provisioned, when a token was refreshed).
Customer data — everything your brains ingest from sources you connect (Gmail messages, Slack channel history, calendar events, public web pages an ability crawls), plus the notes, summaries, and intermediate state your brains write while operating. Customer data lives on the per-brain volume described in section 4, not in our control plane.
Operational telemetry — request logs (HTTP method, path, status, duration, IP, anonymized user id), structured app logs from our own code, and Fly.io’s platform-level metrics. We use this to debug, monitor health, and prevent abuse. We don’t inspect request payloads for this purpose; telemetry describes requests, not their contents.
3. How we use data
- To operate the service. Authenticating sessions, routing requests to your brains, executing the abilities you’ve enabled, sending the prompts a brain constructs to the AI model provider, returning the response, billing your subscription.
- To support you. Responding to questions, debugging tickets you open, communicating about your account.
- To improve the service. Aggregate, non-identifying patterns (which abilities are used, where errors cluster, how long brain operations take). We do not feed customer data into model training.
- To meet legal obligations. Tax records, security incident reports, court orders we can’t reject.
We don’t sell, rent, or syndicate customer data or personal data to anyone.
4. Where data lives
Customer data lives on a per-brain Fly Machine and Fly Volume in the United States (Chicago, ORD region). Each Fly Machine is a Firecracker microVM (the same isolation technology AWS Lambda uses); no other customer’s brain runs in the same microVM as yours. The Volume is an NVMe drive encrypted at rest, mounted only inside your microVM.
Account data lives in our control plane: a Postgres database in the same region, operated by Fly’s Managed Postgres service. OAuth tokens for connected channels are encrypted at the application layer (AES-GCM) before they’re stored.
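What “encrypted at the application layer (AES-GCM)” buys you depends on two details the sentence above leaves implicit: a fresh nonce for every encryption, and binding each ciphertext to the record it belongs to so a token cannot be copied from one brain’s row into another’s and still decrypt. The Go program below is an added illustration of that pattern, written for this page; it is not gbrain’s code, and the function names, the choice of the brain id as the associated data, and the in-memory key are all assumptions. In a real deployment the key would come from a KMS or secrets manager, not from the database that holds the tokens.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit key. Illustrative only: a production service
// would fetch the key from a KMS or secrets store, never generate it next to
// the data it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealToken encrypts an OAuth token with AES-256-GCM.
//
// The brain id is passed as additional authenticated data (AAD). It is not
// encrypted, but it is covered by the GCM tag, so a ciphertext moved into a
// different brain's record fails to decrypt. A random 96-bit nonce is drawn
// per call; reusing a nonce under the same key breaks GCM completely.
// Output layout: nonce || ciphertext || tag.
func sealToken(key []byte, brainID, token string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce is prefixed for free.
	return aead.Seal(nonce, nonce, []byte(token), []byte(brainID)), nil
}

// openToken reverses sealToken. It fails if the key is wrong, the blob was
// tampered with, or the caller supplies a brain id different from the one
// used at seal time.
func openToken(key []byte, brainID string, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:ns], blob[ns:]
	pt, err := aead.Open(nil, nonce, ct, []byte(brainID))
	if err != nil {
		return "", fmt.Errorf("decrypt failed (wrong key, wrong brain, or tampered): %w", err)
	}
	return string(pt), nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample token; not a real credential.
	blob, err := sealToken(key, "brain-123", "ya29.constructed-sample-token")
	if err != nil {
		panic(err)
	}
	tok, err := openToken(key, "brain-123", blob)
	fmt.Printf("own brain:   %q err=%v\n", tok, err)
	_, err = openToken(key, "brain-456", blob)
	fmt.Printf("other brain: err=%v\n", err)
}
```

The AAD is what turns “encrypted” into “encrypted and not swappable”: a row-level attacker with write access to the control-plane database can still delete or corrupt tokens, but cannot redirect one brain’s Gmail access to another brain by copying bytes between rows.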
Operational telemetry lives in Fly’s logging and metrics systems and in our own log aggregation, retained for the period in section 6.
If you require data residency outside the US, talk to us at legal@overton.xyz. We don’t currently operate outside ORD/DFW; supporting EU residency is a known need we’ll size based on customer demand.
5. Subprocessors
We use the following subprocessors to deliver the service:
| Subprocessor | Purpose | Where it processes data |
|---|---|---|
| Fly.io | Hosts the control plane and per-brain compute + storage | US (ORD primary) |
| Anthropic | Default AI model provider invoked by brains | US |
| Stripe | Subscription billing, payment processing | US |
| Google | OAuth sign-in, Gmail / Calendar OAuth scopes (when a brain connects them) | US |
Adding or changing a subprocessor for material processing of customer personal data triggers email notice to workspace admins at least 30 days before the change takes effect, except for emergency replacements (e.g. a subprocessor going out of business), where we’ll notify as soon as practical.
If a customer’s policy requires named subprocessor approval, that’s negotiable in a separate contract.
6. Data retention and deletion
| Data | Retention |
|---|---|
| Customer data on a brain’s Volume | Until the brain is deleted, plus Fly’s snapshot retention (currently 5 days) for disaster recovery |
| Account data (workspace, members, billing identifiers) | Until the workspace is deleted, plus 30 days for backup rotation |
| Audit log entries | 1 year |
| Operational telemetry (request logs, app logs) | 30 days |
| Billing records (invoices, payment history) | 7 years (tax law) |
Deleting a brain is a one-way door: the Machine is destroyed, the Volume is destroyed, OAuth tokens for that brain’s channels are revoked at the provider, and snapshot copies age out on Fly’s schedule (currently 5 days; see the table above). We don’t keep a separate “in case” archive.
Deleting a workspace removes all of its brains and all account data tied to it, subject to the billing-records exception above.
7. International transfers
The service is operated from the United States. If your team uses the service from another country, your data is being transferred to the US for processing. By using the service, you authorize us to make those transfers as needed to operate it.
For customers subject to GDPR or UK GDPR who need transfer-mechanism documentation (Standard Contractual Clauses, Transfer Impact Assessment), reach out at legal@overton.xyz.
8. Customer rights
Workspace admins can:
- Export the workspace’s brain configurations and audit log at any time.
- Delete a brain (and the data on it) at any time.
- Delete the workspace.
Where individuals have rights under GDPR, CCPA, or similar laws (access, rectification, erasure, portability), workspace admins are the appropriate channel for individuals whose data appears in customer data. We support workspace admins in fulfilling those requests.
If you’re an individual and you can’t reach the workspace admin, write to privacy@overton.xyz with enough detail to identify your request and we’ll route it.
9. Security
The architectural details (tenant isolation, encryption, access controls, vulnerability handling, incident response) live on the Security page. Two disclosures upfront so a procurement reviewer doesn’t have to dig:
- We are not end-to-end encrypted. The agent inside each brain reads your team’s content in cleartext to summarize it; that’s intrinsic to the product. A hosted service whose model reads your content server-side cannot also be end-to-end encrypted in the usual sense of that term; treat any such claim with suspicion.
- We do not have SOC 2, ISO 27001, or similar third-party certifications today. The Security page describes the practices we have in place; certifications follow when customers require them.
10. Breach notification
If we discover a security incident affecting customer data, we’ll notify affected workspace admins by email without unreasonable delay, with the details we have at the time and updates as the investigation proceeds. We aim to notify within 72 hours of confirming an incident; that target tightens as we mature. Note that where we act as your processor, our notice to you is what starts your own clock: GDPR’s 72-hour deadline for notifying a supervisory authority falls on you as controller, which is why we treat prompt notice as a priority rather than a courtesy.
Where law (GDPR, CCPA, state breach notification laws) prescribes a specific notification window or content, we’ll follow it.
11. Legal requests
If we receive a subpoena, court order, or other legal demand for your data, we will:
- Notify you, unless we are legally prohibited from doing so.
- Push back on requests that look overbroad.
- Produce only what we actually have. We don’t hold a copy of your mailboxes or document stores outside the brain itself; what exists is account records, workspace metadata, audit logs, and whatever customer data is on each brain’s Volume at the time of the request.
We publish a brief transparency note in the engineering log when we receive (and respond to) such requests, with identifying details redacted, unless law prohibits.
12. Children’s data
The service is not intended for individuals under 18. We don’t knowingly collect data from children. If you discover a child has signed up, write to privacy@overton.xyz and we’ll delete the account.
13. Changes to this page
This page lives in our public git repository. Every change is a public commit. Material changes (where we collect new categories of data, change the subprocessor list, change retention periods) get email notice to workspace admins at least 30 days before they take effect, except for changes required by law or to prevent immediate harm.
The Updated date at the top moves with each change.
14. Contact
- Privacy questions: privacy@overton.xyz
- Legal notices: legal@overton.xyz
- Everything else: reply to any email from us.
We don’t currently have a designated DPO. When we do, this page will say so.