Privacy policy

How Team Brain collects, uses, and protects your personal data.

Effective date: 4 May 2026
Last updated: 4 May 2026

1. Who we are

Team Brain (“Team Brain”, “we”, “us”, “our”) operates the Team Brain Service available at team-brain.com (the “Service”). For the purposes of the General Data Protection Regulation, the UK GDPR, and equivalent privacy laws, the controller of personal data described in this notice is Team Brain. Where you use the Service through a workspace operated by your employer, organization, or another third party (a “Workspace Owner”), the Workspace Owner is the controller of the content stored in that workspace and Team Brain acts as a processor on their behalf in respect of that content.

2. Scope of this notice

This notice describes the personal data we collect when you visit our website, sign up for an account, sign in to an existing account, use the Service, view a public share link, or otherwise interact with Team Brain. It also describes how we use that data, the legal grounds we rely on, who we share it with, how long we keep it, and what rights you have. Where the Service is provided to you under a separate agreement with a Workspace Owner, that agreement and the Workspace Owner's own privacy notice may govern how your content within the workspace is processed.

3. Data we collect

3.1 Account data

When you create an account we collect your email address, the name you choose, the password you set (stored only as a salted hash), and the type of account you select (personal or business). If you choose business, we also ask for your company size, industry, whether you have an engineer on your team, and whether you or your team have built agents before. This information is used to create your login, to communicate with you about the Service, and to help us understand who is using Team Brain.

3.2 Authentication data

To keep you signed in we issue a short-lived access token (held in your browser's session storage for the lifetime of the tab) and a long-lived refresh token (set as an HTTP-only, Secure, SameSite=Lax cookie that lasts up to seven days). When you connect to real-time collaboration we also issue a short-lived collaboration token that is held in memory only. We log the time you sign in, sign out, request a password reset, or verify a new email.

3.3 Workspace and content data

When you create or join a workspace we store the workspace name, slug, and the role assigned to each member (owner, admin, member, or viewer). Inside a workspace we store the content you put into Team Brain, including documents, pages, databases and their rows, properties, views, comments, files you upload, site pages you build, and the version history of those items. Real-time collaborative documents are stored as Yjs CRDT snapshots so that we can re-open them at the position you left them. We also store the activity log of changes made by you and other members.

3.4 Files and uploads

Files that you upload to Team Brain (images, attachments, exports, site assets) are stored on Amazon S3 in the workspaces/{workspaceId}/ prefix. By default these objects are readable over the public Internet so that they can be embedded in saved pages without expiring URLs. Treat anything you upload as if it could be reachable by someone who learns the URL.

3.5 Integration and credential data

If you connect a third-party integration (for example Gmail, Google Drive, Google Calendar, or another OAuth provider) we store the OAuth tokens we receive from the provider so that we can perform the actions you ask us to perform. We also store any service credentials, API keys, and secrets you choose to add to your workspace. Secrets are encrypted at rest using a workspace-scoped key derived from ENCRYPTION_KEY.

3.6 Agent and automation data

If you build, run, or schedule agents we store the agent definition (name, system prompt, model, tool list, compiled JavaScript, version history) and the runs that have been executed (status, messages, script logs, tokens used, start and finish time, abort reason). Agents run inside a sandboxed worker thread with strict CPU, memory, and concurrency limits. We also record the LLM usage associated with each run so that we can bill the workspace and so that you can see your own usage.

3.7 Technical and diagnostic data

When you use the Service we automatically receive technical data such as your IP address, the time of your request, the user agent reported by your browser, the page or API endpoint you accessed, and the outcome of the request. We use this data to operate, secure, and debug the Service. We do not currently run any third-party advertising or marketing analytics on the Service.

4. How we use your data and the lawful basis

4.1 To provide the Service (contract)

We process account, authentication, workspace, content, file, integration, and agent data in order to deliver the Service to you under our terms. Without this processing the Service cannot work.

4.2 To keep the Service secure (legitimate interests, legal obligation)

We process technical data, authentication events, and audit logs to detect abuse, prevent unauthorized access, and comply with security obligations. We have a legitimate interest in protecting Team Brain, our users, and our infrastructure.

4.3 To support and communicate with you (contract, legitimate interests)

We use your email address to send transactional messages (verification codes, password resets, invitations, security notices) and to respond when you contact us. If you opt in we may also send product news. You can unsubscribe from non-transactional messages at any time.

4.4 To run agents and integrations (contract)

When you ask Team Brain to run an agent or to perform an action through an integration, we process the relevant content and credentials in order to carry out that action. The output is recorded as a run so that you can review it.

4.5 To bill the Service (contract, legitimate interests)

Where the Service is paid we process workspace credit balances, top-ups, and LLM usage records to issue invoices and to enforce fair use.

4.6 To improve the Service (legitimate interests)

We may aggregate technical data and usage records to understand which features are used and to plan changes. We do not use the contents of your documents, pages, or databases to train any model. We do not sell your data.

4.7 To comply with the law (legal obligation)

We may process your data when we are required to do so by applicable law, including responding to lawful requests from public authorities and meeting tax, accounting, and record-keeping obligations.

5. Automated decisions and agents

Team Brain itself does not make automated decisions that produce legal effects on you. Agents that you or your workspace build can take automated actions on your behalf, such as updating a database row, sending an email through a connected Gmail account, or calling an HTTP endpoint. These agents are configured by you. You are responsible for the actions they take inside your workspace and on the third-party services you connect.

6. Sharing and disclosure

6.1 Other workspace members

Content you put into a workspace is visible to other members of that workspace according to their role and the permissions on the document, page, or database.

6.2 People you share with

When you create a share link for a doc, page, or site, anyone who has the link can open it according to the access settings you choose. If you require an email-based invite, the invited recipient must verify their email through a one-time code before they can read the share.

6.3 Sub-processors

We use the sub-processors listed in section 7 to host the Service, store files, send email, deliver large language model responses, and perform similar operational tasks. Sub-processors act on our instructions under data-processing terms.

6.4 Acquirers and successors

If Team Brain is involved in a merger, acquisition, financing, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will tell you, and we will not transfer the data to a recipient that does not provide equivalent protection.

6.5 Compliance and protection

We may disclose your data when we believe in good faith that disclosure is required by law, is needed to enforce our terms, or is necessary to protect the rights, property, or safety of Team Brain, our users, or the public.

7. Sub-processors

Team Brain currently uses the following categories of sub-processor: cloud hosting and database (the provider that hosts the application servers and PostgreSQL database), object storage (Amazon S3 for files and site assets), transactional email (the SMTP provider configured for the deployment), and large language model providers (OpenRouter, OpenAI, and the underlying model vendors that you choose for an agent or AI feature). When you connect an integration such as Gmail, Google Drive, or Google Calendar, the corresponding Google service is also a recipient of the relevant data. The current list of named sub-processors is available on request from the contact address in section 14.

8. International transfers

Team Brain is operated from, and stores data in, jurisdictions that may differ from the country in which you live. When we transfer personal data out of the United Kingdom, the European Economic Area, or Switzerland, we rely on appropriate safeguards such as the European Commission's standard contractual clauses, the UK International Data Transfer Addendum, or an equivalent mechanism, together with supplementary measures where necessary.

9. Data retention

We keep your personal data only for as long as we need it for the purposes described in this notice. After that we delete it or anonymize it. The principal retention periods are:

| Data | Default retention |
| --- | --- |
| Active account and workspace data | For as long as the account or workspace is active. |
| Closed account | Up to 30 days after closure, then deleted or anonymized, except where we must keep it longer for a legal reason. |
| Refresh tokens | 7 days after issue, or until you sign out. |
| Email verification codes and share invite codes | Up to 24 hours after issue. |
| Agent runs (messages, logs) | 90 days, unless you choose to delete them sooner. |
| Activity log | 12 months. |
| LLM usage and billing records | As required by tax and accounting law (typically 6 years). |
| Backups | Up to 30 days after a backup is taken, then overwritten on rotation. |

10. Your rights

Depending on where you live, you have rights in respect of your personal data, including the right to access a copy of your data, to ask us to correct it, to ask us to delete it, to object to or restrict processing, to withdraw consent (where consent is the legal basis), and to receive your data in a portable form. You can exercise most of these rights inside the Service: you can update your account details on the settings page, you can delete or archive content, and you can close your account from settings or by contacting us. To exercise the remaining rights please write to the address in section 14. We will respond within the time required by applicable law (typically one month). You also have the right to lodge a complaint with the data protection authority where you live or work.

11. Security

We take security seriously. Passwords are stored as salted hashes only. Refresh tokens are HTTP-only, Secure, SameSite=Lax cookies. Connections to the Service are made over TLS. Workspace secrets are encrypted at rest. Agents run inside a sandboxed worker thread with CPU, memory, and concurrency limits, and they cannot make outbound network calls except through the documented sandbox APIs. Access to production data is restricted and logged. No system can be made completely secure, so please use a strong, unique password for Team Brain and take care of who you invite to your workspace.

12. Children

Team Brain is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has given us personal data, please contact us at the address in section 14 and we will delete it.

13. Changes to this notice

We may update this notice from time to time. When we make a material change we will revise the “Last updated” date at the top and, where appropriate, send you a notice inside the Service or by email. Your continued use of the Service after the change becomes effective means that you accept the updated notice.

14. Contact

If you have any question about this notice or about how Team Brain handles personal data, please contact us at privacy@team-brain.com. If you are based in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to complain to your local supervisory authority.
