eBrain

Privacy Policy

Last updated: 18 May 2026
Version: 1.0

This Privacy Policy describes how The eBrain Group B.V. (hereafter "eBrain", "we", "us" or "our") processes your personal data when you use our website (ebrain.ai), our platform (app.ebrain.ai) or otherwise interact with us. This policy is drafted in accordance with the General Data Protection Regulation (GDPR / AVG) and the Dutch Implementation Act (UAVG).

Note on language. The Dutch version of this Privacy Policy is the authoritative text. This English translation is provided for convenience. In the event of any conflict between the two versions, the Dutch text prevails.

1. Who we are

eBrain is a Dutch software company providing a secure, AI-powered productivity platform to businesses and their employees. We are registered with the Dutch Chamber of Commerce.

Item | Information
Legal name | The eBrain Group B.V.
Trade name | eBrain
Chamber of Commerce (KvK) number | 96714239
VAT number | NL867728127B01
Registered office | H.J.E. Wenckebachweg 230, 1096 AS Amsterdam, Netherlands
Privacy contact | [email protected]
General contact | [email protected]

This Privacy Policy is a derivative of The eBrain Group B.V.'s Corporate Privacy Policy, implemented specifically for our website and platform.

2. Who this Privacy Policy applies to

This policy applies to the processing of personal data of:

  • Visitors to our website ebrain.ai;
  • Subscribers to our newsletter or anyone contacting us;
  • Job applicants responding to a vacancy;
  • Administrators and users within customer organizations who access our platform app.ebrain.ai;
  • Business contacts at prospects, customers and partners.

For content that customers process through our platform — such as business documents, emails, calendar items, and customer records pertaining to their end users — a separate Data Processing Agreement (DPA) applies between the customer organization and eBrain. See section 4.

3. What personal data do we process?

We process only those personal data necessary for the purpose for which we collect them. The categories differ by situation.

3.1 Website visits

When you visit ebrain.ai we process limited technical data via our infrastructure (Cloudflare): IP address, browser type, language preference, pages visited and visit timestamp. These technical data are used for security, abuse prevention and reliable operation of the site.

In addition — subject to your consent via the cookie banner — we use analytics services (including Google Analytics) to understand how the website is used, and may deploy retargeting pixels from advertising platforms to show you relevant advertisements on other websites you visit. These services are only activated after explicit consent. See section 12 for the full cookie overview.

3.2 Newsletter

When you subscribe to our newsletter we process your email address.

3.3 Contact forms and email

When you contact us via a contact form, by email or by phone, we process your name, contact details and the content of your message.

3.4 Job applications

When you apply for a position we process your name, contact details, CV, cover letter, educational and employment history, and any additional information you choose to provide.

3.5 Platform accounts (app.ebrain.ai)

When a user creates an account on the eBrain platform we process, via our identity provider Auth0: name, business email address, role/job title, and — where available from your identity provider — profile picture. We also process authentication data (session tokens, login events, IP addresses associated with login attempts) for security purposes.

3.6 Billing

For paid subscriptions we process invoicing and payment data: company name, Chamber of Commerce number, VAT number, billing address, contact person, IBAN or card details (the latter only via our payment provider, not on our own systems). Bookkeeping processing takes place via our billing orchestration and payment provider (see section 7).

For our own accounting, eBrain may share invoicing and accounts-receivable data with our external accountant via their accounting software (Exact). This is done on the basis of our statutory obligation to maintain proper books and records, and is subject to our tax retention obligation (see section 10).

3.7 Platform usage and log files

While you use the platform we record: technical API requests, error messages, session duration and feature usage statistics. These data support stability, error diagnosis, capacity planning and security.

3.8 Content you process within the platform

As a platform user you can process documents, emails, calendar items, contacts and other business information via the various modules and features of the platform. This content belongs to the customer organization. For this processing eBrain acts as processor on behalf of the customer organization; see section 4.

3.9 Special categories of personal data

In principle we do not process special categories of personal data (such as data concerning health, race, religion or biometric data) in connection with our platform. For identity verification and qualified signing, we work with one or more identity verification providers and qualified trust service providers (including Cleverbase; see section 7), with limited identity information being processed. The legal basis for this is Article 9(2)(a) GDPR (the data subject's explicit consent), within the regulatory framework of the eIDAS Regulation (Regulation (EU) 910/2014).

3.10 Sources of information

In principle we collect personal data directly from you. In a number of specific cases we receive or enrich data from other sources:

  • Overheid.io — for automated retrieval of company and Chamber of Commerce data (name, address and role of directors and contact persons) for customer registration, billing and compliance checks;
  • WhatsApp Cloud API (provided by Meta Platforms Ireland Limited) — when you contact us via WhatsApp or use the platform via WhatsApp, we receive your phone number (stored encrypted), your name and the content of your messages;
  • Cleverbase — for qualified identification and signing, in addition to your name and email address we receive information about your signing certificate (issuer and validity period);
  • Public sources — publicly available company and contact information (for example company websites, professional networks and the Chamber of Commerce register) is used to verify and enrich prospect data.

4. Our role: controller and processor

Under the GDPR we may act in two distinct roles.

Controller. For the data described in sections 3.1 through 3.7 — website visits, newsletter, contact, job applications, account data, billing and log files — we determine the purposes and means of processing ourselves. In that role we are the controller, and this Privacy Policy applies directly.

Processor. For content that customers process through our platform (see section 3.8) we act on the instructions of and on behalf of the customer organization. The customer organization is the controller in that case; eBrain is the processor. These arrangements are set out in a Data Processing Agreement (DPA) that forms part of the contract between the customer organization and eBrain. For questions about how a customer organization processes your data, please address that organization first.

We process personal data only on the basis of a valid ground under Article 6 GDPR:

Purpose | Data categories | Legal basis
Providing, maintaining and securing our website | Technical data (3.1) | Legitimate interest (Art. 6(1)(f) GDPR)
Sending the newsletter | Email address (3.2) | Consent (Art. 6(1)(a) GDPR)
Responding to questions and requests | Contact details and message content (3.3) | Legitimate interest or performance of a contract (Art. 6(1)(b)/(f) GDPR)
Processing job applications | Application data (3.4) | Steps at the request of the data subject prior to entering a contract (Art. 6(1)(b) GDPR)
Providing and operating the platform for customers | Account data, platform usage (3.5, 3.7) | Performance of a contract (Art. 6(1)(b) GDPR)
Billing and accounting | Invoice data (3.6) | Performance of a contract and legal obligation (Art. 6(1)(b)/(c) GDPR; Dutch General State Taxes Act Art. 52)
Security, fraud prevention and log files | Login, session and error data (3.5, 3.7) | Legitimate interest (Art. 6(1)(f) GDPR)
Compliance with legal obligations | Various | Legal obligation (Art. 6(1)(c) GDPR)

For content that customers process through the platform (section 3.8), the legal basis is determined by the customer organization itself; eBrain processes that content solely on the basis of the instructions in the Data Processing Agreement.

Provision of personal data. For some processing activities, providing personal data is necessary. For account registration, billing and job applications, provision is a contractual or pre-contractual requirement; without these data we cannot provide platform access, issue an invoice or run a selection procedure, respectively. Subscription to the newsletter is entirely voluntary.

6. Automated decision-making and AI

The eBrain platform contains AI functionality that can generate text, summarize documents, make suggestions and assist with tasks. Key principles:

  • No solely automated decision-making with legal effect. We do not take decisions about individuals that have legal effect or that similarly significantly affect them, based solely on automated processing within the meaning of Article 22 GDPR. AI outputs within our platform serve as assistance and require human review before action is taken.
  • EU AI Act alignment. We design our AI features in line with the requirements of the EU AI Act (Regulation (EU) 2024/1689) and on request provide customers with insight into the nature and risk classification of the AI systems applied.
  • No training on customer content. Content you process within the platform — documents, emails, calendar data, data fetched via OAuth, and other customer content you provide — is not used to train, fine-tune or otherwise improve AI models, neither our own nor those of our AI providers. Our contracts with AI providers explicitly exclude the use of customer content for model training. Aggregated, de-identified usage telemetry (such as request volumes, latency and feature adoption) may be used to improve the eBrain service itself; this telemetry contains no identifiable customer content.

AI infrastructure

AI inference (the execution of AI requests within the platform) currently runs through the OpenAI API, under a contract that excludes training on customer data and imposes zero-data-retention. We are currently in the process of migrating AI inference to Nebius, a European provider operating private compute in its own data centers. This Privacy Policy will be updated when the migration is complete.

7. With whom do we share your data? (sub-processors)

We share your data only with third parties that are strictly necessary to provide our services, and only on the basis of a data processing agreement that meets the requirements of Article 28 GDPR. We never sell or rent personal data.

The following is an overview of our sub-processors, their role and their location.

7.1 Sub-processors where eBrain acts as controller

Sub-processor | Role | Location / transfer mechanism
Auth0 (Okta) | Authentication and account management for the platform | EU region; controlling entity in the US — transfer under SCCs and EU-US Data Privacy Framework
Resend | Sending newsletter and account-related emails | US — transfer under SCCs and EU-US Data Privacy Framework
Stripe | Payment processing for subscriptions | EU (Stripe Payments Europe Ltd., Ireland)
Alguna | Quote-to-cash and billing orchestration | United Kingdom — under the European Commission's UK adequacy decision
Exact | Accounting software used by our external accountant for eBrain's financial administration | Netherlands (EU)
HubSpot | Internal sales and CRM pipeline (prospect and customer contact data) | US — transfer under SCCs and EU-US Data Privacy Framework
Sentry | Error monitoring for the platform | EU region (Frankfurt); controlling entity in the US — transfer under EU-US Data Privacy Framework and SCCs
Google (Workspace) | Business email and collaboration; receipt of emails sent to [email protected] | US — transfer under EU-US Data Privacy Framework
Google Analytics | Website statistics for ebrain.ai; only active after consent via the cookie banner | US — transfer under EU-US Data Privacy Framework
Overheid.io | Automated retrieval of Chamber of Commerce and company data for account registration and billing | Netherlands (EU)
WhatsApp Cloud API (Meta Platforms Ireland Limited) | Inbound communication via WhatsApp between users and eBrain | EU contracting entity (Ireland); controlling entity Meta Platforms Inc. in the US — transfer under EU-US Data Privacy Framework and SCCs
Cloudflare | CDN, edge security and infrastructure logs for ebrain.ai and app.ebrain.ai | EU edge locations typically serve EU user traffic; certain operational metadata may also be processed at Cloudflare's core data centers. Cloudflare is verified compliant with the EU Cloud Code of Conduct (verification ID 2023LVL02SCOPE4316). Transfers under EU-US Data Privacy Framework and SCCs

7.2 Sub-processors where eBrain acts as processor (on behalf of the customer organization)

Sub-processor | Role | Location / transfer mechanism
Neon | Primary application database (PostgreSQL) | EU region; encryption at rest (AES-256)
Cloudflare R2 | Object storage for uploaded files and documents | Configured with EU jurisdictional restriction (jurisdiction=eu): files are guaranteed to be stored in EU data centers. Encryption at rest (AES-256-GCM)
Hetzner | Server hosting for self-hosted platform components | Germany (EU)
OpenAI | AI inference (LLM); contractually excluded from training on customer data, with zero-data-retention | US — transfer under Standard Contractual Clauses (SCCs); EU contracting entity: OpenAI Ireland Limited
Nebius | AI inference (private compute) — in transition | Netherlands (EU)
Cleverbase | Qualified identification and signing under eIDAS (QTSP) | Netherlands (EU)
Google (OAuth integrations) | Access to user-authorized Gmail, Calendar and Drive data — only on the user's request | US — transfer under EU-US Data Privacy Framework; see section 9

Our sub-processor list may change over time. We will notify customer organizations of material changes at least 30 days in advance.

7.3 Transfer in connection with a merger, acquisition or reorganization

In the event of a merger, acquisition, reorganization, bankruptcy or (partial) sale of our business, personal data may be transferred to the acquiring party as part of that transaction. In such a case we will take reasonable steps to ensure that the acquiring party handles the data in a manner consistent with this Privacy Policy, and we will inform data subjects in advance where reasonably possible.

8. International data transfers

Some of our sub-processors are established outside the European Economic Area (EEA), notably in the United States and the United Kingdom. For these transfers we apply an appropriate transfer mechanism:

  • United Kingdom: transfer on the basis of the European Commission's adequacy decision (June 2021, renewed in 2025).
  • United States: transfer on the basis of the EU-US Data Privacy Framework (DPF) for DPF-certified sub-processors, and additionally on the basis of Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision (EU) 2021/914), supplemented where applicable with a transfer impact assessment.

On request we will provide further information about the specific transfer mechanism applicable per sub-processor. Please email [email protected].

9. Third-party service integrations

Our platform can, at the user's request, be connected to external services such as Google Workspace, mail servers, calendar applications or business software. These connections operate on the basis of the user's explicit consent via OAuth or via the Model Context Protocol (MCP).

9.1 General principles

  • We receive only the data for which you have granted consent via the specific OAuth scopes or MCP connection.
  • We use this data solely to perform the function you have invoked within the platform.
  • We do not share this data with third parties beyond the sub-processors listed in section 7.
  • We do not use this data to train or improve AI models.

9.2 Google services (Gmail, Calendar, Drive)

When you connect your Google account to eBrain we request access to specific OAuth scopes for the features you have chosen:

Scope | Feature within eBrain | Use
auth/calendar | Calendar management | Viewing, creating, editing and deleting Calendar events, including Google Meet conferences; bidirectional sync via syncTokens
auth/gmail.modify | Email management | Reading, marking as read, label management and trashing of messages
auth/gmail.compose | Email composition | Creating and sending drafts and messages (optionally drafted by the AI assistant at the user's request)
auth/drive.readonly | AI search across Drive content | Reading Drive files so the AI assistant can answer questions over your documents

The integration is stateless: content received from the Google API is held only in memory during your request and is not persisted in our databases, caches or backups. We retain only lightweight synchronization identifiers (syncTokens and historyIds) necessary for incremental fetch.

Limited Use (Google API Services User Data Policy). eBrain's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. eBrain does not use Google user data to develop, improve, or train generalized or non-personalized AI/ML models.

9.3 Other connectors

We may also offer connections to other services — such as HubSpot — via the Model Context Protocol (MCP). For every connection you create, the general principles in section 9.1 apply: only what you authorize through the connection, only for the function you invoke, no training, no unintended disclosure.

10. How long do we retain your data?

We retain personal data no longer than necessary for the purpose for which it was collected, unless a statutory retention period requires otherwise.

Category | Retention period
Newsletter subscription | Until you unsubscribe; permanently deleted within 30 days of unsubscription
Contact and support correspondence | Up to 2 years after the most recent contact
Job application data | Up to 4 weeks after completion of the procedure; with explicit consent, up to 1 year for future vacancies
Platform account data | For the duration of the contract; primary systems wiped within 30 days after termination; backups expire on a rolling schedule, typically within 90 days
Content processed through the platform | Under the control of the customer organization; primary systems wiped within 30 days after termination of the contract; backups expire on a rolling schedule, typically within 90 days
Invoice and accounting data | 7 years (statutory retention period under Dutch General State Taxes Act Art. 52)
Security and audit logs | 12 months; anonymized or deleted thereafter

Deletion following a request or contract termination. When you invoke your right to erasure, or when a customer organization terminates its contract, we wipe the relevant personal data from our primary systems within 30 days. Backups that still contain the data expire on a rolling schedule and typically lapse within 90 days; during that period the data is not actively used or made accessible. Exceptions apply only insofar as statutory retention obligations (such as the tax retention obligation for invoice data) require otherwise.

11. Security of your data

We have implemented appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, unauthorized alteration or disclosure. Our measures align with the ISO 27001:2022 standard and are documented in our Information Security Management System (ISMS). Key measures include:

  • Encryption at rest: industry-standard symmetric encryption for primary databases and object storage, with additional encryption for highly sensitive fields such as integration credentials and signing tokens.
  • Encryption in transit: TLS for all external traffic between users, the platform and sub-processors.
  • Access control: least-privilege and need-to-know principles; multi-factor authentication for eBrain personnel; periodic review of access rights.
  • Secure software development: segregated development, test, acceptance and production environments; mandatory peer review; automated code analysis; periodic penetration testing of publicly facing applications.
  • Incident management: documented procedures for identifying, reporting and handling security incidents; notification to the Dutch Data Protection Authority within 72 hours where GDPR requires.

The measures described above represent our current approach and may evolve in line with technical developments, risk assessments and best practices.

12. Cookies and similar technologies

We use cookies and similar technologies on ebrain.ai and app.ebrain.ai. Pursuant to Article 11.7a of the Dutch Telecommunications Act, we request your prior consent for non-functional cookies via a cookie banner. The banner allows you to consent or withhold consent per category, and you can change or withdraw your choices at any time via the same banner.

We use three categories:

  • Functional and strictly necessary cookies (no consent required). Session cookies (HttpOnly, Secure, SameSite) for authentication, CSRF cookies, cookies set by our identity provider Auth0 as part of the login process, and technical cookies and logs from our infrastructure provider Cloudflare for security and reliable operation of the site.
  • Analytics cookies (consent required). On ebrain.ai we use Google Analytics to obtain anonymized insight into website usage (such as visitor numbers, popular pages and traffic sources). These cookies are only placed after you have given consent via the cookie banner.
  • Marketing and retargeting cookies (consent required). On ebrain.ai we may deploy retargeting pixels and advertising cookies from advertising platforms to show relevant eBrain advertisements on other websites. These cookies are only placed after explicit consent via the cookie banner.

An up-to-date overview of the specific cookies, their duration and providers is available through the cookie banner. On app.ebrain.ai we use only functional cookies; no cookie consent is required for the platform.

13. Your rights under the GDPR

You have the following rights with respect to your personal data:

  • Right of access — to obtain confirmation of which data we process about you.
  • Right to rectification — to have inaccurate data corrected.
  • Right to erasure ("right to be forgotten") — to have your data deleted, subject to statutory retention obligations.
  • Right to restriction — to have processing restricted in certain situations.
  • Right to data portability — to receive your data in a structured, commonly used and machine-readable format.
  • Right to object — to object to processing based on legitimate interest.
  • Right to withdraw consent — for processing based on consent (such as the newsletter), at any time, without affecting the lawfulness of prior processing.
  • Right not to be subject to a decision based solely on automated processing (Article 22 GDPR) — see section 6.

Please send any request to exercise these rights to [email protected]. We will respond within one month, extendable by two months in special circumstances pursuant to Article 12(3) GDPR. To verify your identity we may request additional information.

Does eBrain process your data in its role as processor on behalf of a customer organization? Then please address your request to that customer organization first; we will support the customer organization in handling it.

14. Complaints

If you have a complaint about how we handle your personal data, please first contact us at [email protected] — we would like the opportunity to resolve it with you directly.

You also have the right at any time to lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag, Netherlands
Website: autoriteitpersoonsgegevens.nl
Phone: (+31) (0)70 888 85 00

15. Children

Our platform and services are intended for business use and are not directed to persons under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at [email protected] and we will delete that data.

16. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time — for example when we expand our services, add a new sub-processor, or when developments in law or regulation require. The most current version is always available at ebrain.ai/en/privacy-policy. For material changes we will inform active users by email.

The "Last updated" date at the top of this policy indicates when the current version was published. Earlier versions are available on request via [email protected].

17. Contact

Do you have questions about this Privacy Policy, about how we handle personal data, or would you like to submit a request regarding your rights?

The eBrain Group B.V.
H.J.E. Wenckebachweg 230
1096 AS Amsterdam, Netherlands
Email: [email protected]
KvK: 96714239

— End of Privacy Policy —