Privacy Policy — Brain by AIVM

Controller / Provider: ChainGPT AI S.A., a company incorporated in the Republic of Panama ("AIVM", "we").

Effective date: 20 June 2026.

Last updated: 20 June 2026.

For Customer Content, your organization is the data controller and AIVM acts as a processor under your instructions and our Data Processing Addendum (DPA). This Policy describes our processing.

1. What we process

Account & member data. Organization name, member email, name, role, department, and access policies that your administrators enter; authentication identifiers from your SSO/directory.

Customer Content. Documents you upload and data from sources you connect (e.g. Slack, GitHub, Box, Confluence, Salesforce, Telegram), plus the answers synthesized from them. We process this only to provide the Service.

Governed-event audit ledger. For every governed query, write, and admin action we record metadata — actor, role, decision (allow/deny), the domains touched, source and answer cryptographic digests, the model used, and token counts. The tamper-evident audit hash-chain binds only these digests and metadata. The answer body is never stored (only its digest). The text of a query may be retained as a display-only field so your administrators can see what was asked in the audit log; it is excluded from the integrity hash-chain and can be redacted on request (for example, to honor an erasure request) without breaking verification. Tenants who prefer not to retain query text at all can enable digest-only mode, which stores only the query digest.
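As an added illustration of the ledger design described above (this is not AIVM's code; the field names, serialization, genesis value and redaction marker are assumptions), a minimal hash-chained ledger in which each link commits only to the metadata and content digests, while the query text rides alongside as a display-only field that can be redacted, or omitted in digest-only mode, without breaking verification:

```python
import hashlib
import json
# Field names and record layout are assumptions for illustration, not Brain's actual schema.
CHAINED_FIELDS = ("actor", "role", "decision", "domains", "source_digest",
                  "answer_digest", "model", "tokens_in", "tokens_out")
GENESIS = "0" * 64

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def _commitment(prev_hash: str, entry: dict) -> str:
    # Link hash covers the previous link plus only the chained fields, canonically serialized.
    bound = {k: entry[k] for k in CHAINED_FIELDS}
    return sha256_hex(prev_hash + json.dumps(bound, sort_keys=True, separators=(",", ":")))

def append_event(ledger: list, metadata: dict, source_text: str, answer_text: str,
                 query_text: str, digest_only: bool = False) -> dict:
    # Content is reduced to digests before it reaches the ledger; the answer body is never stored.
    entry = dict(metadata)
    entry["source_digest"] = sha256_hex(source_text)
    entry["answer_digest"] = sha256_hex(answer_text)
    entry["prev_hash"] = ledger[-1]["entry_hash"] if ledger else GENESIS
    entry["entry_hash"] = _commitment(entry["prev_hash"], entry)
    # Display-only fields sit outside the chain, so they can be redacted or omitted freely.
    entry["query_text"] = None if digest_only else query_text
    entry["query_digest"] = sha256_hex(query_text)
    ledger.append(entry)
    return entry

def verify(ledger: list) -> bool:
    # Recompute every link; a change to any chained field breaks that link and all later ones.
    prev = GENESIS
    for entry in ledger:
        if entry["prev_hash"] != prev or _commitment(prev, entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def redact_query(ledger: list, index: int) -> None:
    ledger[index]["query_text"] = "[redacted]"  # erasure touches only the display field, never the chain

def build_sample_ledger() -> list:
    # Constructed sample events, not real data.
    ledger = []
    meta = {"actor": "alice@example.com", "role": "analyst", "decision": "allow",
            "domains": ["finance"], "model": "offline-deterministic", "tokens_in": 120, "tokens_out": 40}
    append_event(ledger, meta, "Q3 revenue grew 8%.", "Revenue rose 8% in Q3.", "What was Q3 growth?")
    denied = {**meta, "actor": "bob@example.com", "decision": "deny", "domains": ["hr"], "tokens_out": 0}
    append_event(ledger, denied, "", "", "Show me salary data", digest_only=True)
    return ledger
```

Redacting an entry's query text leaves `verify` true, while changing any chained field such as the decision makes it false.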

Operational telemetry. Rate-limiting counters, error logs, and (when you enable it) OpenTelemetry traces. Traces carry governance and usage attributes (decision, model, token counts) and **never carry content**.

Secrets. Invite tokens and agent keys are stored only as salted hashes; connector credentials are stored to maintain the connection you configured.

2. How we use it

To operate, secure, and support the Service: ingest and index your sources; enforce access governance and tenant isolation; synthesize answers from authorized content; maintain the audit trail; rate-limit and protect against abuse; diagnose and improve reliability. **We do not sell your data, and we do not use your Customer Content to train foundation models.**

3. The model that answers

You choose the model that synthesizes answers: a deterministic offline mode (no third-party call), a hosted model, or your own endpoint. When a hosted model is used, the authorized content for that query is sent to that provider to generate the answer. The default hosted provider is Anthropic (the Claude models); Anthropic does not train its models on data submitted through its API and processes it under its commercial terms.

4. Sub-processors

We use the following sub-processors to deliver the Service.

| Sub-processor | Purpose | Data |
|---|---|---|
| Render (US / Oregon) | Application hosting, managed Postgres + Redis | Account data, Customer Content, audit ledger (per-tenant isolated) |
| WorkOS | SSO / directory authentication | Member identifiers |
| Anthropic | Answer synthesis (default hosted model) | The authorized content for a given query |
| Resend | Invite + notification email delivery | Member email |
| Connector platforms you connect (Slack, GitHub, Box, Confluence, Salesforce, Telegram, …) | Sources you authorize | The content you authorize us to pull |

A current list is available on request and updated before adding a new sub-processor that processes Customer Content.

5. Security

Per-tenant isolation enforced at the database layer (row-level security under a non-superuser role); secrets hashed at rest; encryption in transit; content-blind audit ledger; least-privilege access governance applied to every query. Details are in our security documentation. No system is perfectly secure.

6. Retention

Account and member data: for the life of your account. Customer Content: until you delete it or your account terminates, then deleted within 30 days except where law requires retention. Audit ledger (digests + metadata, no content): retained for 12 months to preserve the integrity of the trail. Operational logs: 90 days.

7. International transfers

The Service is hosted in the United States (Render, Oregon region). Where personal data is transferred internationally, for example from the EU or UK to the United States, we rely on appropriate safeguards such as the Standard Contractual Clauses, and our sub-processors maintain their own transfer mechanisms. Customers who require a specific data-hosting region should contact us before onboarding.

8. Your rights

Depending on your jurisdiction you may have rights to access, correct, delete, port, or restrict processing of personal data. For Customer Content, direct requests to your organization (the controller); we assist controllers in fulfilling them. Contact privacy@chaingpt.org.

9. Children

The Service is for organizations and not directed to children. We do not knowingly process children's data.

10. Changes

We may update this Policy; material changes will be notified. Continued use after the effective date constitutes acceptance.

11. Contact

ChainGPT AI S.A., Republic of Panama. Email: privacy@chaingpt.org.