Privacy Policy

How we collect, use, and protect your data.

Last updated: June 24, 2026

Index Brain ("Index.brain", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and what choices you have. By using Index.brain, you agree to the practices described here.

What we collect

We collect the following categories of information:

Account information: your name, email address, and profile picture, provided through Google OAuth when you sign in. We do not collect or store passwords.
Company information: your company name and any details you provide during onboarding or in settings.
Integration data: content from the tools you connect (Gmail, Slack, Notion, GitHub, Jira, Linear, Asana, Granola, Fathom, your website). We read this content to extract structured knowledge. We do not store raw emails, messages, or documents. We store only the knowledge extracted from them.
AI conversation data: if you use the AI Sync feature, content from Claude, ChatGPT, or Cursor conversations you choose to upload.
Usage data: activity logs, sync history, and feature usage within the dashboard. This is used solely to operate the service.
Technical data: IP address, browser type, and session tokens used to authenticate your account. Session data is managed via secure cookies.

How we use it

We use your data solely to provide the Index.brain service. Specifically:

To extract structured knowledge from your connected tools and organize it into skills
To deliver those skills to the AI agents you authorize (Claude, Cursor, ChatGPT, and others)
To operate the sync pipeline, process updates, and maintain your company brain
To send you service-related notifications (sync status, security alerts)

We never sell your data. We never use your data to train AI models, including our own systems or any third-party models. Your data is never used for advertising or analytics purposes.

AI processing disclosure

Index.brain uses Anthropic's Claude API to extract and structure knowledge from the content you connect. This means content from your integrations (such as emails, messages, and documents) is sent to Anthropic's API for processing. Anthropic processes this content to return structured results and does not use it to train their models. You can review Anthropic's privacy policy at anthropic.com/privacy.

We apply noise filtering before any content is sent for extraction, removing signatures, automated notifications, and irrelevant messages. Only meaningful content is processed.

Cookies and local storage

We use session cookies to keep you signed in. These are essential for the service to function. We do not use advertising cookies or third-party tracking cookies. No personal data is stored in browser local storage beyond what is required for authentication.

Data security

We take security seriously. Our measures include:

All data encrypted in transit using TLS 1.2 or higher
All data encrypted at rest using AES-256
OAuth tokens stored encrypted, never in plain text
Complete data isolation between accounts. No data crosses between organizations.
Audit logging of all data access events
Least-privilege access controls across all systems

Data retention

We retain your data for as long as your account is active and as needed to provide the service. Extracted knowledge (skills and facts) is stored in your account until you delete it or close your account. Raw source content from your integrations is never stored.

Data deletion

You are in full control of your data. From your dashboard you can:

Disconnect an integration: removes all data extracted from that source. Permanent and irreversible.
Delete specific facts or skills: remove individual pieces of knowledge from your brain at any time.
Reset your brain: selectively wipe facts, skills, insights, or procedures while keeping your integrations connected.
Delete your account: permanently removes all data, integrations, and account information within 24 hours.

We will notify you within 72 hours of any confirmed personal data breach.

Third-party services

We use the following third-party services to operate Index.brain:

Amazon Web Services (AWS): infrastructure, server hosting, and database storage. Data is stored in the United States.
Anthropic: Claude API used for AI knowledge extraction. Content is processed to return structured knowledge and is not stored or used to train models by Anthropic.
Google: OAuth sign-in. We receive your name, email, and profile picture from Google when you sign in.
Vercel: frontend hosting. No personal data stored.
Sentry: error monitoring. Error reports contain metadata only. No content from your integrations is ever included.

We do not share your company data with any third party for advertising, analytics, or any purpose beyond providing this service.

Your rights

Depending on your location, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you
Correction: ask us to correct inaccurate data
Deletion: request that we delete your personal data
Portability: request your data in a machine-readable format
Objection: object to certain types of processing

To exercise any of these rights, email us at privacy@indexbrain.online. We will respond within 30 days.

International transfers

Index.brain stores and processes all data in the United States on AWS infrastructure. If you access the service from outside the United States, your data will be transferred to and processed in the US. By using the service, you acknowledge and consent to this transfer.

Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. Continued use of the service after changes take effect constitutes your acceptance of the updated policy.

Contact

Questions or concerns about this policy? Contact us at privacy@indexbrain.online.