Updated 2026-05-18

Privacy.

What we collect, where it lives, what we do with it.

The short version

gbrain.io is operated by The Overton Window Company, Inc., based in San Francisco, California. We host gbrain, the open-source knowledge layer for AI agents. Each brain you create lives on dedicated compute we run only for your brains. Not a shared database. Not a machine that runs anyone else’s brains. That compute belongs to your workspace until you delete it.

We don’t read your team’s content for product purposes. We don’t train AI on it. We don’t store it in our own databases. Your team’s content stays on your brain’s compute. The AI provider that processes prompts on your behalf sees the prompt for that request only, under that provider’s published policy. We don’t pipe your content anywhere it doesn’t have to go.

Like every hosted service, we have operator-level access to the infrastructure we run. Security covers what that means in practice and where the limits are.


1. Scope and definitions

“Customer” means the organization (workspace) that has agreed to the Terms of service.

“Customer data” means anything written to your brains (by you, by your workspace’s members, or by an AI client you’ve connected) and anything your brains generate in response, along with the configuration you provide and audit metadata about activity in those brains.

“Personal data” means information about identifiable individuals. Some customer data may be personal data (an email message addressed to an individual, for example). Where we process personal data on your behalf, we’re acting as a processor and you’re acting as a controller in the sense those terms are used in GDPR, CCPA, and similar frameworks.

This page is the controller-facing description of how we handle personal data. Customers who need a separately signed Data Processing Addendum can request one at legal@overton.xyz.

2. Data we collect

We collect three categories of data:

  • Account data. The email address you sign in with (asserted by Google when you use Google sign-in, or verified by an email magic link when you use that path), the workspace name and URL identifier you choose, the role of each user in the workspace, and billing identifiers (Stripe customer id).

  • Customer data. Anything you or an AI client you’ve connected writes to your brain (markdown notes, structured records, metadata) and anything your brain writes in response. Customer data lives on your brain’s compute as described in section 4, not in our control plane.

  • Operational telemetry. Request logs (HTTP method, path, status, duration, anonymized user id), structured app logs from our own code, and platform-level health metrics from our compute provider. We use this to debug, monitor health, and prevent abuse. We don’t try to read into request payloads.

3. How we use data

  • To operate the service. Authenticating sessions, routing requests to your brains, sending the prompts a brain constructs to the AI provider, returning the response, billing your subscription.
  • To support you. Responding to questions, debugging tickets you open, communicating about your account.
  • To improve the service. Aggregate, non-identifying patterns (which features are used, where errors cluster, how long brain operations take). We do not feed customer data into model training.
  • To meet legal obligations. Tax records, security incident reports, court orders we can’t reject.

We don’t sell, rent, or syndicate customer data or personal data to anyone.

4. Where data lives

Customer data lives on the dedicated compute we provision for each brain. Each brain has its own compute and its own encrypted storage volume, sized to the brain’s plan tier. No two brains share storage. Storage is encrypted at rest by the platform. All processing happens in the United States.

Account data lives in our control plane in a managed database, encrypted at rest, in the same country. OAuth tokens for connected sources get a second layer of encryption at the application layer (AES-GCM) before they’re written.

Operational telemetry lives in our compute provider’s logging and metrics systems, plus our own log aggregation. Retention is in section 6.

If you require data residency outside the United States, talk to us at legal@overton.xyz. We operate from the US today; EU residency is a known need we’ll size based on customer demand.

5. Subprocessors

We use the following subprocessors to deliver the service:

Subprocessor | Purpose | Where it processes data
Fly.io | Hosts the control plane and per-brain compute + storage | US
Anthropic | Default AI provider invoked by brains | US
Stripe | Subscription billing, payment processing | US
Google | OAuth sign-in, plus OAuth scopes a brain uses to access services you’ve authorized | US
Resend | Email delivery (magic-link sign-in, account notifications) | US

Adding or changing a subprocessor for material processing of customer personal data triggers email notice to workspace admins at least 30 days before the change takes effect. For emergency replacements (a subprocessor going out of business, for example) we’ll notify as soon as practical.

If a customer’s policy requires named subprocessor approval, that’s negotiable in a separate contract.

6. Data retention and deletion

Data | Retention
Customer data on a brain’s compute | Until the brain is deleted, plus a short snapshot retention window for disaster recovery
Account data (workspace, members, billing identifiers) | Until the workspace is deleted, plus 30 days for backup rotation
Operational telemetry (request logs, app logs) | 30 days
Billing records (invoices, payment history) | 7 years (tax law)

Deleting a brain is a one-way door. The compute is destroyed, the storage volume is destroyed, any credentials we held for the brain’s connected sources are destroyed with it, and any backup snapshots age out on the platform’s schedule. We don’t keep a separate “in case” archive. Revoking the connected source’s access at the provider itself (cutting Google’s OAuth grant, for example) is something you can do at any time from that provider’s account-settings page; we don’t do it automatically.

Deleting a workspace removes all of its brains and all account data tied to it, subject to the billing-records exception above.

7. International transfers

The service is operated from the United States. If your team uses the service from another country, your data is being transferred to the US for processing. By using the service, you authorize us to make those transfers as needed to operate it.

For customers subject to GDPR or UK GDPR who need transfer-mechanism documentation (Standard Contractual Clauses, Transfer Impact Assessment), reach out at legal@overton.xyz.

8. Customer rights

Workspace admins can:

  • Delete a brain (and the data on it) at any time.
  • Delete the workspace.
  • Request an export of the workspace’s brain contents and configurations at privacy@overton.xyz; we’ll deliver it in a portable format.

Where individuals have rights under GDPR, CCPA, or similar laws (access, rectification, erasure, portability), workspace admins are the appropriate channel for individuals whose data appears in customer data. We support workspace admins in fulfilling those requests.

If you’re an individual and you can’t reach the workspace admin, write to privacy@overton.xyz with enough detail to identify your request and we’ll route it.

9. Security

The architectural details (brain isolation, encryption, access controls, vulnerability handling, incident response) live in Security. Two facts a procurement reviewer should know without digging:

  • The service is not end-to-end encrypted. Your brain reads your team’s content in cleartext so an AI model can summarize it. That’s intrinsic to the product. Anyone offering “end-to-end encrypted” hosted summarization is misleading you.
  • We do not hold SOC 2, ISO 27001, or comparable third-party certifications. The Security page describes the practices in place. Certifications follow when customers require them.

10. Breach notification

If we discover a security incident affecting customer data, we’ll notify affected workspace admins by email without unreasonable delay, with the details we have at the time and updates as the investigation proceeds. We aim to notify within 72 hours of confirming an incident; that target tightens as we mature.

Where law (GDPR, CCPA, state breach notification laws) prescribes a specific notification window or content, we’ll follow it.

11. Legal requests

If we receive a subpoena, court order, or other legal demand for your data, we will:

  • Notify you, unless we are legally prohibited from doing so.
  • Push back on requests that look overbroad.
  • Produce only what we actually have. We don’t retain customer email or document inboxes; we have account records, workspace metadata, audit logs, and the customer data on the relevant brain’s storage at the time of the request.

Where law allows, we will summarize legal requests received and our response in a public transparency note, with identifying details redacted.

12. Children’s data

The service is not intended for individuals under 18. We don’t knowingly collect data from children. If you discover a child has signed up, write to privacy@overton.xyz and we’ll delete the account.

13. Changes to this page

We maintain a public change history for this page. Material changes (new categories of data we collect, changes to the subprocessor list, changes to retention periods) get email notice to workspace admins at least 30 days before they take effect, except for changes required by law or to prevent immediate harm. The Updated date at the top moves with each change.

14. Contact

We don’t currently have a designated DPO. When we do, this page will say so.