Privacy Policy
Effective April 23, 2026. The short version: we collect the least we can, store it on our own servers, and never sell or share your data. Everything below is the full version.
Who we are
Second Brain OS is operated by Headwater Community LLC. Questions about this policy or your data can be sent to hello@secondbrainos.co.
What we collect
When you buy
- Email address — used to send you your course access link and to identify you on future sign-ins.
- Payment information — collected and processed entirely by Stripe. We never see or store your card number. We receive a transaction confirmation containing your email, amount paid, country, and (optionally) your name, which we keep for accounting and support.
When you sign in
- Email address — submitted by you to receive a magic sign-in link.
- IP address — retained for up to 1 hour to enforce rate limits. After that it is discarded.
- Session cookie — a single sbos_access cookie set after you click your sign-in link. It is HttpOnly, Secure, SameSite=Lax, valid for 90 days, and contains no personal data other than an opaque session identifier.
When you use the demo or FAQ bot on the landing page
- The text you paste into the demo is sent once to Anthropic's API for processing, then discarded. It is never written to our database, never logged to disk, and never used to train anything.
- Your question to the FAQ bot is sent once to Anthropic's API, then discarded on the same terms.
- IP address is retained for up to 1 hour to enforce rate limits, then discarded.
Analytics
We use Plausible Analytics, which is cookieless, GDPR-compliant, and does not collect personal data or perform cross-site tracking. It records anonymous page views and button clicks only.
Where your data lives
- Your email as a buyer → stored in Upstash Redis (US region) so we can issue you sign-in links.
- Your session tokens → stored in Upstash Redis. These are random strings tied to your email and expire after 90 days.
- Your email address for transactional messages (welcome link, sign-in link) → sent via Resend.
- Payment records → Stripe retains these per their own policy.
We do not maintain a marketing email list. We will never send you promotional email unless you separately subscribe to a newsletter.
What we do not collect
- We do not collect or store your actual notes, journal entries, or wiki files. The course content teaches you to run an LLM against your own notes on your own machine. Your notes stay on your device.
- We do not track you across other websites.
- We do not sell your data to anyone.
- We do not share your data with third parties except as required to operate the service (Stripe for payments, Resend for email, Upstash for storage, Anthropic for the demo).
Cookies
We use exactly one cookie: sbos_access, set after you sign in. It identifies your session for 90 days. It is HttpOnly (not readable by JavaScript), Secure (only sent over HTTPS), and SameSite=Lax. You can clear it at any time by signing out or by clearing your browser cookies. We do not use tracking or advertising cookies.
Your rights
You can, at any time:
- Request a copy of the personal data we hold about you (email + purchase record).
- Request deletion of your personal data. Note: once deleted, you lose course access. If you are within the 7-day refund window, we recommend requesting a refund first and then deletion.
- Sign out by visiting /logout, which clears your session cookie on that device.
To exercise any of these, email hello@secondbrainos.co. We respond within 7 days.
Data retention
- Buyer email: retained for as long as you hold lifetime access, or until you request deletion.
- Session cookies / tokens: 90 days, then automatically expire.
- Setup tokens (from the welcome or sign-in email): 14 days, then automatically expire.
- IP addresses used for rate limiting: up to 1 hour.
- Demo / FAQ text submissions: discarded immediately after the single API call.
- Payment records: retained per Stripe's own policy (typically 7 years, for tax and compliance reasons).
Children
Second Brain OS is not directed at anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, email us and we will delete it.
International users
Data is stored on servers located in the United States. By using the service, you consent to the transfer of your data to the United States. If you are in the EU/UK and wish to invoke any rights under GDPR (access, rectification, erasure, portability), email us.
Changes to this policy
We will update this page when practices change and update the effective date at the top. Continued use of the service after a material change constitutes acceptance. For existing buyers, we will send an email when material changes occur.
Contact
hello@secondbrainos.co