Privacy Policy

This describes what AquaBrain collects, why, and what we do with it. Plain language first, lawyer language never.

1. Who we are

AquaBrain (“we”, “us”) is a private-beta service operated by Ian Gotts. Contact: hello@aquabrain.ai.

2. What we collect

2.1 Account data

• Email address — used for magic-link sign-in and to send invite and account-related messages.
• Invite token — issued by an admin and consumed when you sign up.
• Authentication metadata — IP address and user-agent at sign-in time, kept by our auth provider for abuse prevention.

2.2 Content you create

• Thoughts, notes, decisions, insights, people records — everything you capture through the web app, the iOS app, the Chrome extension, or an MCP-connected AI client.
• Lenses and schemas — the editorial rules you configure.
• Personal Access Tokens (PATs) — hashed before storage; we never store the plaintext token after issuance.

2.3 Operational data

• Request logs — paths, status codes, response times, retained briefly for debugging.
• Error reports — stack traces and request context when something fails. Scrubbed of user content where practical.

2.4 Payment data

• Subscription and billing details — when you subscribe to a paid plan, payment is collected and processed by Stripe. Stripe handles your card details directly; we never receive or store your full card number. We retain only limited billing metadata (such as your plan, subscription status, and the card brand and last four digits) to manage your subscription.

3. AI inference

AquaBrain uses OpenRouter to generate embeddings and atomic memory statements from your captured thoughts. By default, your requests flow through an AquaBrain-owned OpenRouter account so that you don't have to bring your own key to use the product. If you prefer, you can configure your own OpenRouter key in Settings → LLM providers; we then bypass our shared account entirely and your usage is billed to you directly. In neither case do we log the bodies of inference requests beyond what is needed to return the immediate response.

4. What we do not collect

• Tracking pixels, third-party ad tags, marketing analytics — none are loaded on the marketing site or the app.
• Full card numbers — card details are entered with and held by Stripe; they never reach our servers. See section 2.4.

5. How we use your data

• To run the service: sign you in, store and return your thoughts, render your Lenses, sync between web and iOS.
• To respond to abuse or security events.
• To improve the product. We do not train AI models on your content. We do not sell your data.

6. Who processes your data on our behalf

We use a small set of infrastructure providers (“sub-processors”). Each receives only the data needed for their role.

• Supabase — auth, Postgres database, file storage, Edge Functions. Hosts the bulk of your content.
• Railway — REST API container hosting.
• Vercel — web app and marketing site hosting.
• Resend — transactional email (magic-link sign-in, invite delivery).
• Stripe — payment processing and subscription billing. Receives the payment and billing details you enter when subscribing to a paid plan.
• Sentry — error reports and crash diagnostics.
• Apple — iOS app distribution via TestFlight / App Store; APNs delivery if you opt into notifications.
• OpenRouter — AI inference for embeddings and atomic memory generation. Your prompts and completions pass through OpenRouter en route to the underlying model. See section 3 for the BYOK option.

7. Where your data lives

Primary storage is in the United States via Supabase. If you are in the UK / EU / EEA, your data is transferred and stored in the US under the standard contractual terms our sub-processors offer.

8. How long we keep it

• Active content — for as long as your account exists.
• Deleted notes — purged from primary storage immediately; may persist in encrypted backups for up to 30 days before rolling off.
• Account deletion — email hello@aquabrain.ai and we will erase your account and content from primary storage within 7 days.
• Request and error logs — 30 days.

9. Your rights

You can:

• Extract everything from /extract in the web app.
• Delete any note from the app at any time.
• Request full account deletion (see above).
• Request a copy of what we hold on you.
• If you are in the UK / EU, exercise GDPR rights including objection, restriction, and complaint to your supervisory authority.

10. Security

All traffic is TLS. Database access is gated by row-level security so users only see their own rows. PATs are hashed before storage. Backups are encrypted at rest. No service is uncrackable, so do not store secrets in your notes that you would be unwilling to lose.

11. Children

AquaBrain is not intended for anyone under 18. We do not knowingly collect data from minors.

12. Changes

If this policy changes materially, we will email everyone with an active account before the change takes effect.

Last updated: 9 June 2026. Questions: hello@aquabrain.ai.