Privacy Policy
Last updated: March 2026
1. Controller
The controller responsible for the processing of personal data within the meaning of the GDPR is:
Philipp Brosig (FIL)
Bahnhofstr. 11
27383 Scheeßel
Germany
Email: fil@secbrain.io
2. Overview of Data Processing
SecBrain is a productivity platform for personal organization. We process personal data only to the extent necessary to operate the platform and provide the agreed services. Data is never shared with third parties for advertising purposes.
3. Hosting
SecBrain's infrastructure is hosted entirely on servers of Hetzner Online GmbH (Germany). All data is stored and processed exclusively within the European Union. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Hetzner.
4. Registration and User Account
Using SecBrain requires registration with an email address and password. Passwords are stored exclusively as secure hashes — they are never accessible in plain text, neither by us nor by anyone else.
The authentication system uses session tokens and CSRF tokens to ensure session security. These are managed server-side and invalidated upon logout.
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
5. User Data in the App
SecBrain stores the content you actively create within the application. Depending on your usage, this may include:
- Tasks, projects, sprints, and goals
- Activities, areas, and ideas
- Contacts, persons, companies, and customers
- Events and appointments
- Objects, animals, and other entries
- Diary entries, reports, and notes
- Issues and problems
This data belongs to you. It is processed solely for the purpose of operating your personal workspace and is not analyzed, sold, or shared with third parties.
Diary entries and reports may contain sensitive personal information. We recommend not entering data whose loss or unauthorized access could harm you — and creating regular backups of your data.
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
6. Email Communication
SecBrain sends system-required emails via our own SMTP server — such as registration confirmation or password reset links. Only the data necessary for delivery (email address, timestamp) is processed. No marketing emails are sent without your explicit consent.
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
7. Web Analytics with Umami
To improve our website, we use Umami — a privacy-friendly analytics tool hosted on our own servers at Hetzner. No data is transmitted to external services.
Umami collects anonymized usage data such as pages visited, time spent, and browser type. IP addresses are neither stored nor shared. No cookies are set for analytics purposes, and no cross-device profiles are created.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our website)
8. Cookies and Local Storage
SecBrain uses technically necessary cookies and browser storage (LocalStorage/SessionStorage) to maintain your session and keep the app functional. These cannot be disabled as they are essential to the platform's operation. No tracking or advertising cookies are used.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the platform)
9. Sharing Data with Third Parties
We do not share your personal data with third parties unless required by law or you have given explicit consent. The only exception is Hetzner as our hosting provider under the existing data processing agreement.
10. Data Deletion and Retention
You can request deletion of your account at any time by emailing fil@secbrain.io. Following deletion, all personal data associated with your account will be irreversibly removed within 30 days, unless statutory retention obligations apply.
During the beta phase, there is no guarantee of permanent data persistence. We recommend creating regular backups of your data.
11. Your Rights
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR): You can find out what data we store about you.
- Rectification (Art. 16 GDPR): You can have inaccurate data corrected.
- Erasure (Art. 17 GDPR): You can request deletion of your data.
- Restriction (Art. 18 GDPR): You can request that processing be restricted.
- Data portability (Art. 20 GDPR): You can receive your data in a common format.
- Objection (Art. 21 GDPR): You can object to processing based on legitimate interests.
To exercise these rights, please contact: fil@secbrain.io
You also have the right to lodge a complaint with a data protection authority. The competent supervisory authority for Lower Saxony is the State Commissioner for Data Protection of Lower Saxony (Landesbeauftragter für den Datenschutz Niedersachsen).
12. Data Security
We implement technical and organizational measures to protect your data against unauthorized access, loss, or misuse. All transmission between your browser and our servers is encrypted via HTTPS. Passwords are stored exclusively as secure hashes.
All user-related data is encrypted both in transit and at rest. This applies to all content stored in SecBrain — from tasks and notes to diary entries and contacts.
13. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy as needed — for example, when features change or legal requirements evolve. The current version is always available at /privacy. For material changes, we will notify you by email.