SecondBrainOS
Privacy Policy
Last updated: 3 July 2026
This Privacy Policy explains how SECOND BRAIN OS INFORMATION TECHNOLOGY CO. L.L.C(“SecondBrainOS”, “we”, “us”) collects, uses, and protects personal data when you use secondbrainos.com, the CRM at crm.secondbrainos.com, and our related services and APIs (the “Service”). This policy applies across the SecondBrainOS platform, including our subdomains (for example crm., api., schema., credits., and openapi.secondbrainos.com). We act as the data controller for account data, and as a processor on behalf of our business customers for the customer conversations they manage through the Service.
1. Data we collect
- Account & authentication data — email address, name, phone number, and profile information. Accounts are created when a purchase is made; we do not offer public self-signup. Login is passwordless (magic link).
- Platform content — knowledge bases, workflows, prompts, uploaded documents, vectorized content, and AI agent configuration you create.
- Messaging data from connected channels — when you connect a WhatsApp Business or Instagram Business account, we receive message content, sender identifiers, and account metadata in order to deliver inbound messages to your inbox and send your replies. See section 4.
- Usage data — IP address, browser and device information, pages visited, timestamps, and similar technical logs, collected automatically for security and performance.
- Payment data — processed solely by Stripe. We do not store card numbers or bank details.
2. How we use your data
We process personal data only to:
- provide platform access, authentication, and account management;
- deliver core functionality — knowledge management, workflow execution, AI agent responses, and the unified messaging inbox;
- route inbound messages and send outbound replies on connected channels;
- process payments through Stripe;
- maintain security, prevent fraud, and comply with legal obligations.
We do not sell your personal data, use it for advertising, or use it to train AI models.
3. AI processing
Certain features send content you submit (for example a message you ask an AI agent to answer, or a document you vectorize) to third-party AI providers to generate a response or embedding. Where an AI feature is enabled, this may involve OpenAI. This data is used solely to deliver the requested functionality and is not used by us for marketing or model training.
4. Data received from Meta (WhatsApp & Instagram)
SecondBrainOS is a SaaS platform that lets businesses connect their own WhatsApp Business and Instagram Business accounts to a unified inbox where human agents and custom AI assistants respond to customer messages.
- We receive message content, sender identifiers, and account metadata from Meta solelyto deliver inbound messages to the correct customer’s inbox and to send outbound replies back.
- Each customer owns their own WhatsApp Business Account and Instagram Business account. We do not pool, resell, or analyze this data across customers.
- We do not use Platform Data for any purpose other than providing the messaging functionality the customer connected the account for. Our use of data received through Meta’s APIs complies with the Meta Platform Terms and Developer Policies.
When a customer disconnects a WhatsApp or Instagram channel, we stop receiving new messages for that account and remove the associated channel credentials.
5. Sub-processors
We rely on the following service providers to operate the Service. Each processes data only as needed to provide their function:
- Google Cloud Platform(Cloud Run & Cloud Functions) — compute, hosting, and storage (US-Central-1).
- Vercel — frontend hosting and content delivery.
- Cloudflare — CDN and TLS termination.
- Upstash — managed Redis for caching and session state.
- Airtable — internal records and workflow management.
- OpenAI — AI inference and embeddings (when an AI feature is enabled).
- Stripe — payment processing (no financial data stored by us).
We will notify users of material changes to this list via email or platform notification.
6. Data location, security & retention
Data is processed and stored primarily in Google Cloud Platform (US-Central-1). It is encrypted in transit and at rest, with access controlled through Google Cloud IAM. International transfers are protected by appropriate safeguards, including standard contractual clauses.
We retain account data, knowledge bases, and purchased content for as long as your account is active or as required to provide the Service and meet legal obligations. On account deletion, personal data is removed as described in our Data Deletion page.
7. Your rights
Subject to applicable law (including GDPR and CCPA), you may access, correct, export, restrict, or delete your personal data, object to processing, and withdraw consent. We do not sell personal information and do not discriminate against you for exercising these rights. To exercise any right, contact us using the details below or use the in-app deletion flow described on our Data Deletion page. We respond within one month.
8. Children
The Service is not intended for individuals under 18. We do not knowingly collect data from anyone under 18 and will delete such data if we become aware of it.
9. Changes & contact
We may update this policy from time to time and will note the date of the latest revision above. Contact the data controller, SECOND BRAIN OS INFORMATION TECHNOLOGY CO. L.L.C, at umair.kamil@secondbrainos.com or newsletter@umairkamil.com.