Privacy Policy

1. Controller

23Brain AI UG (haftungsbeschränkt)
Registered office: Frankfurt am Main, Germany
Email: support@23brain.app

2. General Information on Processing

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection law (BDSG). We only process data to the extent necessary to provide and improve our app and services.

3. Data We Process and Purposes

3.1 Account Data

• Name
• Email address
• Device ID (for push notifications)

Purpose: Account creation, login management, communication and notifications.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3.2 Activity and Learning Data

• Quiz and learning results
• Summaries and user-uploaded content
• Usage statistics (e.g., number of quizzes, days active)

Purpose: Personalization, progress tracking, product improvement.
Legal basis: Art. 6(1)(b) and (f) GDPR (contract and legitimate interests).

3.3 Uploaded Content

You may upload videos, images, texts and documents. Such content is processed only within your account for analysis and summarization.
Legal basis: Art. 6(1)(b) GDPR.

3.4 Logs and Device Data

• IP address (anonymized where possible)
• Device type, operating system, app version, timestamps

Purpose: Ensuring technical operation and security.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests).

3.5 Crash Reports (Crashlytics)

We use Google Crashlytics (Google Ireland Limited, Dublin, Ireland) to analyze app crashes. Crashlytics processes technical information (e.g., app version, device type, error logs).
Purpose: App stability and troubleshooting.
Legal basis: Art. 6(1)(f) GDPR.

4. Processors & Third Parties

We engage carefully selected processors to operate our app. Personal data is shared only to the extent necessary.

4.1 Infrastructure & Hosting

• Supabase (Auth & database) – Supabase Inc., USA
• AWS (Hosting & batch processing) – Amazon Web Services EMEA SARL, Luxembourg
• Vercel (Deployment) – Vercel Inc., USA
• Inngest (Background jobs & notifications) – Inngest, Inc., USA

4.2 AI & Content Processing

• OpenRouter (Access to AI models) – OpenPipe, Inc., USA
• DeepInfra (LLM execution) – DeepInfra, Inc., USA
• Pinecone (Vector database) – Pinecone Systems, Inc., USA

Purpose: Text analysis, content generation, and semantic search.
Legal basis: Art. 6(1)(b) and (f) GDPR.

4.3 Analytics & Monetization

• Mixpanel – Mixpanel Inc., USA
  Pseudonymized app interactions (e.g., clicks, session length, feature usage).
  Product analytics and UX improvement.
  Art. 6(1)(f) GDPR (legitimate interests).
• RevenueCat – RevenueCat, Inc., USA
  Transaction and subscription data (e.g., App Store / Play Store purchases).
  Managing and validating in-app purchases.
  Art. 6(1)(b) GDPR (contract).
• IPRoyal – IPRoyal Ltd., Lithuania
  Proxy service to access public web content and captions; no personal data is processed through this service.
  Retrieval and analysis of online content.
  Art. 6(1)(f) GDPR (legitimate interests).

4.4 Data Protection Safeguards

We have Data Processing Agreements (Art. 28 GDPR) in place with all processors. Transfers to third countries (e.g., the USA) rely on the EU Standard Contractual Clauses (Art. 46 GDPR) where required.

5. Storage and Deletion

We delete personal data when the purpose ceases to apply or when you delete your account. Deleting your account removes all associated data (profile information, learning progress, uploaded content) permanently.

6. Your Rights under the GDPR

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)

To exercise your rights, contact us at support@23brain.app.

7. Minors

The app may be used by individuals under 16. We currently do not apply specific processing rules for minors under Art. 8 GDPR. Parents and guardians should supervise usage.

8. Data Security

We use up-to-date technical and organizational security measures (e.g., HTTPS, access controls, encryption) to protect data from loss, misuse, and unauthorized access.

9. Changes to this Policy

We may update this Privacy Policy if our app or legal requirements change. The current version is always available in the app or on our official website.