Privacy Policy

Last updated: April 1, 2026

1. Scope and Purpose

This Privacy Policy informs you pursuant to Art. 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) about the processing of your personal data when using OneBrain (hereinafter "Service"). OneBrain is an AI memory layer that stores user preferences, knowledge, decisions, and projects in a structured system and delivers optimized context to AI assistants via REST API or MCP protocol. The Service is offered both as a hosted SaaS solution and for self-hosting. This policy applies to both deployment modes.

2. Data Controller

The data controller within the meaning of the GDPR is:

OneBrain Project
Email: legal@onebrain.rocks
Data Protection Officer: datenschutz@onebrain.rocks

3. Data We Collect — Overview

We process only data that is necessary for providing the Service or that you voluntarily share with us. The principle of data minimization pursuant to Art. 5(1)(c) GDPR applies. The following sections detail each data category.

3.1 Account Data

Upon registration, we collect your email address as a unique identifier. You may optionally provide a display name. When using password authentication, your password is stored exclusively as a bcrypt hash — the plaintext password is never persisted. When using OAuth (Google, Apple, GitHub), we receive only the email address and provider ID you have authorized. When two-factor authentication (TOTP) is enabled, the TOTP secret is optionally encrypted with AES-256-GCM.

3.2 Memory Data (Brain Content)

The core of the Service consists of storing your memories, entities, projects, and brain profile. This data is actively entered by you or generated by AI extraction from texts you provide. Memory data can optionally be encrypted with AES-256-GCM per tenant (MEMORY_ENCRYPTION_KEY). Access is strictly limited to your user account.

3.3 Technical Data

Each time you access the Service, the following data is automatically processed: IP address (masked in logs per GDPR), timestamp, HTTP method and path, user agent, request ID for traceability. Session data is processed as JWT tokens (httpOnly, secure, SameSite) and refresh tokens (hashed value in database). IP addresses are automatically masked in audit logs and never stored in plaintext.

3.4 Payment Data

For paid plans, payment processing is handled exclusively by Stripe Inc. We do not receive or store credit card numbers or bank details. Stripe transmits only a customer ID, payment status, and invoice information to us. See Section 7 for details.

3.5 Agent Accounts

AI agents can create accounts automatically via the provisioning endpoint. A synthetic email address is generated for agents (agent-[uuid]@agents.onebrain.local) that is not associated with any natural person. Agent accounts are marked with the type 'agent' and are subject to the same access restrictions as user accounts.

4. Legal Basis for Processing

Your personal data is processed on the following legal bases:

a) Contract performance (Art. 6(1)(b) GDPR): Processing of account data, memory data, session data, and API keys for providing the Service pursuant to our Terms of Service.
b) Legitimate interest (Art. 6(1)(f) GDPR): Processing of technical data for IT security, fraud prevention, abuse detection, rate limiting, and system stability. Our interest prevails as we process only minimally required data and mask IP addresses.
c) Consent (Art. 6(1)(a) GDPR): Setting optional statistics and marketing cookies, sending BrainPulse briefings via email. You may withdraw your consent at any time with effect for the future.
d) Legal obligation (Art. 6(1)(c) GDPR): Retention of invoice data pursuant to tax law retention periods (6 or 10 years).

5. Data Retention

We store your data only as long as necessary for the respective purpose:

- Account data: Lifetime of the account + 30 days after deletion
- Memory data: Lifetime of the account + 30 days after deletion. Configurable TTL (default: 365 days) for automatic cleanup
- Session data: 30 days after token expiry
- Usage data and API activity: 24 months
- Audit logs: 90 days
- Consent records: 3 years (proof obligation)
- Invoice data: 10 years (commercial law retention requirement)
- Magic link tokens: 15 minutes, then automatically deleted

After the retention period expires, data is automatically and irrevocably deleted. The retention job runs every 6 hours by default.

6. Cookies and Tracking

We use the following cookie categories:

a) Necessary cookies (always active): Authentication cookies (httpOnly, secure, SameSite=Lax), consent cookie for storing your cookie preferences. Legal basis: Art. 6(1)(b) GDPR.
b) Statistics cookies (opt-in): Only with explicit consent via the cookie banner. Legal basis: Art. 6(1)(a) GDPR.
c) Marketing cookies (opt-in): Only with explicit consent via the cookie banner. Legal basis: Art. 6(1)(a) GDPR.

You can change your cookie settings at any time via the cookie banner. Consent is logged with timestamp and version.

7. Recipients and Data Processors

We share your personal data with third parties only insofar as necessary for providing the Service or with your consent. Data processing agreements pursuant to Art. 28 GDPR are in place with all processors.

7.1 Hetzner Online GmbH

Hosting and infrastructure. Server location: Nuremberg, Germany (EU). Hetzner processes data exclusively within the scope of data processing. Privacy information: https://www.hetzner.com/legal/privacy-policy

7.2 Stripe Inc.

Payment processing for paid plans. Stripe is certified under the EU-U.S. Data Privacy Framework. Only payment-relevant data is transmitted (email, payment amounts). Privacy information: https://stripe.com/privacy

7.3 Resend (Email Delivery)

Transactional emails (magic links, BrainPulse briefings). Email address and email content are transmitted. Servers in EU/USA.

7.4 OpenAI / OpenRouter (Optional)

For the DeepRecall feature (semantic search), memory contents may optionally be processed as embedding vectors. This only occurs when you activate the feature. Texts are sent to the embedding API, are not stored there, and are used exclusively to generate numerical vectors.

8. Data Transfers to Third Countries

Data is principally processed within the EU/EEA (server location: Germany). Insofar as data processors transfer data to the USA (Stripe, optionally OpenAI), this is done on the basis of the EU-U.S. Data Privacy Framework (EU Commission adequacy decision) or on the basis of EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

9. Your Rights

You have the following rights regarding your personal data. To exercise them, send an email to datenschutz@onebrain.rocks or use the corresponding functions in your account settings.

9.1 Right of Access (Art. 15 GDPR)

You have the right to obtain information about the personal data we process. You can download your data at any time via the export function in your account settings as a JSON file.

9.2 Right to Rectification (Art. 16 GDPR)

You have the right to have inaccurate personal data corrected. You can edit your profile, memories, and all other data at any time via the dashboard.

9.3 Right to Erasure (Art. 17 GDPR)

You have the right to erasure of your data ("right to be forgotten"). You can delete individual memories, reset your entire brain, or completely delete your account. After account deletion, all data is irrevocably removed within 30 days. GDPR endpoints (data export, account deletion) are available via the API.

9.4 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format. The export function provides all memory data, entities, projects, and your brain profile as JSON.

9.5 Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6(1)(f) GDPR.

9.6 Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

10. Technical and Organizational Measures

We implement appropriate technical and organizational measures to protect your personal data pursuant to Art. 32 GDPR:

- Encryption: TLS 1.2+ for all data transmissions, optional AES-256-GCM encryption for memory data and TOTP secrets
- Access control: Strict per-user data isolation, API keys with scope restrictions, role-based access control for administrators
- Authentication: Password hashing with bcrypt, JWT tokens with short lifetime (15 minutes), httpOnly refresh cookies, optional TOTP two-factor authentication
- Network security: Helmet.js security headers (CSP, HSTS, X-Frame-Options), rate limiting on all endpoints, CORS whitelisting in production
- Monitoring: Audit logging of all security-relevant actions, IP masking in logs, no personal data in log output
- Infrastructure: Docker containers with non-root user, memory limits, regular security updates

11. Minimum Age

The Service is not directed at persons under 16 years of age. We do not knowingly collect personal data from persons under 16. If we become aware that data of a child under 16 has been stored, we will delete it immediately.

12. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy as needed, for example due to changes in the Service or legal requirements. The current version is always available at https://onebrain.rocks/datenschutz. For material changes, we will notify you by email or through a notice in the Service.

13. Contact

For questions about data protection, to exercise your data subject rights, or for complaints, please contact:

OneBrain Project
Email: datenschutz@onebrain.rocks

We will respond to your request without delay, at the latest within one month (Art. 12(3) GDPR).
