Privacy Policy | Olbrain

Two roles, two kinds of data

We handle data in two distinct capacities, and the rules differ:

As a data fiduciary (controller)

For data you give us directly — through this website, by email, or when an account is created on Olbrain Studio — Olbrain Labs Private Limited is the data fiduciary under India's Digital Personal Data Protection Act, 2023 (and the data controller under equivalent foreign laws). This policy governs that data.

As a data processor

When an enterprise runs agents on Olbrain Studio, the data flowing through those agents — including the enterprise's own customer data — is processed by Olbrain on the enterprise's behalf and under its instructions. That processing is governed by the customer agreement and Data Processing Agreement signed with the enterprise, not by this website policy. It is protected by tenant isolation, per-tenant key management, and PII tokenization, as described on our Trust & Security page.

What we collect

Contact data — name, work email, organization, and the content of your message when you write to us or request information.
Account data — name, work email, role, and authentication identifiers when an account is provisioned on Olbrain Studio or admin.olbrain.com.
Usage and technical data — standard server logs (IP address, browser type, pages visited, timestamps) used for security and to keep the site working.

We do not collect more than we need, and we do not buy, sell, or trade personal data.

How we use it

To provide and operate the website and the Olbrain Studio platform.
To respond to enquiries and provide support.
To secure our systems — detecting abuse, investigating incidents, maintaining audit trails.
To meet legal and regulatory obligations.

We do not use customer or enterprise data to train base models, fine-tunes, or evaluations. This is a contractual and architectural commitment, stated identically on our Trust & Security page. Any platform improvement work uses aggregated, de-identified telemetry only.

Where data lives

Olbrain customer data is stored and processed in India — Google Cloud, Mumbai region (asia-south1). Payloads sent to third-party language models pass through our PII tokenizer sidecar first, so detected PII spans are replaced with ciphertext tokens before any model call; the sub-processor inventory documenting these flows is being formalized (status on the Trust page) and will be made available to customers under their agreements. Website analytics and email infrastructure may involve standard international service providers; no enterprise workflow data flows through them.

Your rights under the DPDP Act, 2023

If you are a data principal in India, you have the right to:

Access — a summary of the personal data we hold about you and how it has been processed.
Correction and erasure — have inaccurate data corrected and data that is no longer needed erased.
Grievance redressal — raise a complaint with us and, if unresolved, escalate to the Data Protection Board of India.
Nomination — nominate another person to exercise these rights on your behalf.

To exercise any of these rights, write to privacy@olbrain.com. We respond within the timelines prescribed under applicable law.

Visitors from other jurisdictions

If you are in the European Economic Area or the United Kingdom, you have equivalent rights under the GDPR/UK GDPR — including access, rectification, erasure, restriction, portability, and objection — and the right to lodge a complaint with your supervisory authority. If you are a California resident, you have the rights provided by the CCPA/CPRA, including the right to know, delete, and correct; we do not sell or share personal information as those terms are defined there. The contact for all such requests is the same: privacy@olbrain.com.

Retention

We keep personal data only as long as needed for the purposes above or as required by law. Contact enquiries are retained while the conversation is live and for a reasonable period after. Account data is retained for the life of the customer relationship. Enterprise workflow data is retained and deleted per the customer agreement — including deletion on contract termination, with a certification process being formalized (status on the Trust page).

Security

Our security posture — encryption, tenant isolation, key management, access control, PII architecture, and the current status of our SOC 2 and ISO 27001 programs — is documented in detail and kept honestly status-labelled on the Trust & Security page. We err toward stating the true stage of every control.

Cookies

This website uses only what is necessary for it to function and for basic, privacy-respecting analytics. We do not run advertising trackers or cross-site profiling.

Changes to this policy

When we change this policy, we update the date at the top of this page. Material changes affecting customer data are communicated to customers directly under their agreements.

Contact & grievance

Olbrain Labs Private Limited
825-26, Emaar Emerald Plaza, Sector 65,
Gurugram, Haryana — 122102, India
CIN: U62013HR2024PTC123898

Privacy and data-protection requests, including grievances under the DPDP Act: privacy@olbrain.com
General enquiries: hello@olbrain.com

This policy is governed by the laws of India; courts at Gurugram, Haryana have jurisdiction.