
Privacy policy

This page explains, in plain English, what data CentralbrAIn collects, why, where it lives, and the rights you have over it.

Last updated · 2026-05-02

Template notice. This page is a working template intended to be replaced by counsel-reviewed copy before any commercial launch. Section headings, scope, and definitions are reasonable defaults - the substantive language must be adapted to the operating jurisdiction(s), customer profile, and applicable processor relationships.

1. Who we are

CentralbrAIn (referred to as "we," "us," or the "Company" throughout this policy) is the operator of the CentralbrAIn platform. For privacy questions, the Data Protection Officer can be reached at privacy@centralbrain.io.

2. What we collect

We collect three categories of data:

  • Account information - email address, display name, locale, OAuth identifiers if you sign in via a third-party provider, and the audit-trail metadata described in our audit logs primer.
  • Operational data you connect - the contents of the SaaS systems you authorize CentralbrAIn to read or act upon (CRM records, billing entries, project tickets, knowledge-base contents). We process this on your behalf as a processor.
  • Telemetry - coarse product usage events used for billing, capacity planning, and abuse prevention. We do not sell or rent telemetry to third parties.

3. Why we collect it

  • To provide, secure, and improve the service.
  • To bill you accurately under your chosen plan.
  • To meet our legal and contractual obligations.
  • To detect and prevent fraud, abuse, and unauthorized access against your account and the platform as a whole.

4. Where it lives

The application infrastructure runs on a hyperscaler region of your choosing (typically the EU or US). Customer data on the Enterprise tier is hosted on dedicated hardware in Iceland behind contractual sovereignty guarantees. The full hosting profile of every tier is summarized on our pricing page.

5. How long we keep it

Account information is kept for the lifetime of the account plus 90 days to allow recovery from accidental deletion. Operational data is retained according to the retention policy you configure inside the product. Audit events default to 13 months; Enterprise customers may extend this.

Backups are retained for 30 days on rolling encrypted snapshots and are deleted on schedule.

6. Sub-processors

A current list of sub-processors and their function is published at /data-processing. Material additions are announced at least 30 days in advance.

7. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, and restrict the processing of your personal data. EEA, UK, and Swiss residents can find the data-subject-request process on our GDPR page. California residents can exercise CCPA/CPRA rights via the same channel.

8. Cookies

We use a small set of strictly necessary cookies for authentication and session handling. We do not use advertising cookies. Full details are on our cookie page.

9. Security

Sensitive personal columns are stored as ciphertext under authenticated encryption, and every consequential action is recorded in an append-only audit log gated by row-level security. Internally, we follow the principle of least privilege and require MFA for any production access.

10. Changes to this policy

When we update this policy, we change the date at the top and - for material changes - notify the primary contact on each account at least 14 days before they take effect.

11. Contact

Privacy questions, complaints, or rights requests: privacy@centralbrain.io. We aim to respond within five business days.