Privacy Policy For Sbl.so

Effective Date: 14th February, 2026
Last Updated: 14th February, 2026

Introduction

Welcome to Second Brain Labs. This Privacy Policy explains how we collect, use, share, and protect your personal information when you visit our website at https://sbl.so/ or use our products and services (we’ll call all of this the “Service”). We believe in being transparent about data, and we want you to understand what information we collect and why.

This policy applies to everyone who uses our Service, no matter where you are in the world. If you live in certain places, additional rules apply to give you extra protection. For example, if you’re in India, the Digital Personal Data Protection Act 2023 and Rules 2025 (DPDP) apply. If you’re in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) applies. And if you’re in California, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights. Wherever the local law is stricter than this policy, we follow the stricter rule.

  1. Information we collect

We collect information about you in three main ways: when you give it to us directly, when we collect it automatically as you use the Service, and when we receive it from other sources.

  1. Information you give us directly: When you create an account, sign up for a subscription, contact our support team, or otherwise interact with us, you might give us information like your name, email address, phone number, company name, job title, and billing details. If you pay for a subscription, we collect limited payment information, though most payment details are handled securely by our payment processors. You might also give us information when you respond to surveys, leave feedback, write a testimonial, or register for an event or webinar. And of course, when you use the Service, you create and upload content, such as project data, notes, files, or configurations, and we store that content so we can provide the Service to you.

You decide what information to share with us. Some information is necessary for the Service to work (like your email address to create an account), but other information is optional.

  1. Information we collect automatically: When you use our Service, we automatically collect certain technical information to help us understand how the Service is being used and to keep it running smoothly. This includes details about your device and how you use the Service, your IP address, browser type, operating system, device identifiers, the pages you view, the features you use, and the time you spend on different parts of the Service. We also collect log and diagnostic data, such as app performance metrics and error reports, which help us troubleshoot issues and improve reliability. We can approximate your location based on your IP address, which helps us understand where our users are and comply with regional legal requirements.

We also use cookies and similar tracking technologies. These are small files stored on your device that help us remember your preferences, keep you signed in, understand how you interact with the Service, and show you relevant content or advertisements. You can control cookies through the banner that appears when you first visit our site and through your browser settings, though turning off some cookies may affect how well the Service works. For more details, please see our Cookie Policy.

  1. Information we receive from others: Sometimes we receive information about you from third parties. For example, if you sign up for our Service through a business partner or reseller, they may share your contact information with us. If you register for an event we co-host with a marketing partner, we may receive your registration details. We also collect information from publicly available sources, such as your professional profile on LinkedIn or information in business directories, to keep our records accurate and up to date. We may use data enrichment services that provide business contact and company information. And if you connect third-party tools to your account, such as a CRM system or a communication platform, we receive data from those tools based on the permissions you grant.

  1. How we use your information

We use the personal information we collect for several purposes, and the legal basis for this processing depends on your location and the specific activity. Generally, we process your data to perform our contract with you, to pursue legitimate business interests (as long as those interests don’t override your rights), to comply with legal obligations, or based on your consent where required by law.

  1. To provide and maintain the Service: The most important reason we use your information is to deliver the Service to you. We use your information to create and manage your account, provide the features you’ve signed up for, personalize your experience, process orders and subscriptions, handle payments, and provide customer support when you need help. We also use your contact information to send you important service-related messages (things like security alerts, billing notices, or updates to our terms and policies). Without this information, we wouldn’t be able to provide the Service.
  1. To improve our products: We analyze how people use the Service to make it better. We look at which features are popular, how they perform, where people run into problems, and where we can make improvements. This helps us fix bugs, optimize performance, develop new features and tools, build new integrations, and generate aggregated reports and statistics that help us understand trends (these reports don’t identify individual users). All of this analysis helps us build a better product for everyone.
  1. AI and machine learning: We may use your usage data and, in some cases, your content to develop and improve AI-powered features within the Service. For example, we might use this data to train models that power recommendations, automation, content suggestions, or predictive features. We take your privacy seriously in this context. We limit the data used to what’s necessary for the feature, and we delete prompts and AI-generated responses once the request is processed (where technically feasible). If we work with third-party AI providers, we require them to follow strict contractual rules, including a prohibition on using your data to train their own general-purpose models. We also offer clear controls within the product so you can choose whether certain AI features can access your workspace data. We do not sell your personal data to third parties to train generic AI models.
  1. To communicate with you: We use your contact information to stay in touch. Some of these communications are transactional and necessary for the Service, like password reset emails, security alerts, or billing confirmations. Other communications are more promotional or informational, such as product updates, feature announcements, educational content, invitations to participate in research or surveys, and marketing emails. Where the law requires it (for example, in the EU or certain other regions), we’ll ask for your consent before sending marketing communications. You can opt out of marketing emails at any time, though we’ll still need to send you important transactional messages related to your account.
  1. To protect our Service and comply with the law: We use your information to keep the Service safe and secure and to meet our legal obligations. This includes detecting, investigating, and preventing fraud, abuse, and security incidents. We use information to enforce our Terms of Use and other agreements, to respond to lawful requests from law enforcement or regulators, and to maintain records needed for audits, tax filings, and compliance with applicable laws.
  1. Legal bases for processing (EEA, UK, Switzerland)

If you’re located in the European Economic Area, United Kingdom, or Switzerland, the GDPR requires us to have a valid legal basis for processing your personal data. Here are the legal bases we rely on:

  1. Performance of a contract: Most of the time, we process your data because it’s necessary to provide the Service you signed up for. For example, we need your email address to create your account, and we need billing information to process your subscription payment.
  1. Legitimate interests: We sometimes process data based on our legitimate business interests, as long as those interests don’t override your fundamental rights and freedoms. For example, we have a legitimate interest in improving the Service, preventing fraud, securing our systems, and communicating relevant updates to our users.
  1. Legal obligations: We process some data because we’re legally required to, for example, to comply with tax and accounting laws, to respond to valid legal requests, or to meet regulatory requirements.
  2. Consent: In some cases, we ask for your consent before processing your data, such as for certain marketing activities, cookies, or where local law specifically requires consent. You can always withdraw your consent, and doing so won’t affect any processing that happened before you withdrew it.
  1. How we share information

We do not sell your personal information. However, we do share it with others in limited circumstances to operate the Service, comply with the law, and for other legitimate purposes.

  1. Service providers: We work with trusted third-party companies that help us run the Service. These include cloud hosting and storage providers, payment processors, email and communication platforms, analytics and monitoring tools, customer support software, and security and fraud prevention services. These service providers can only use your information to provide services to us, and they’re contractually required to protect your data and follow our instructions.
  1. Business partners and affiliates: We may share your information with other companies in our corporate group (our affiliates) where necessary to operate the Service. If you choose to connect a third-party integration to your account, we’ll share information with that integration partner as needed to make the connection work. We may also share information with co-marketing partners when you register for joint events or content, but we’ll let you know when this happens and, where required by law, we’ll ask for your consent first.
  1. Advertising and analytics partners: We may allow third-party advertising and analytics companies to collect information about your use of our website through cookies and similar technologies. They use this information to measure and report on the performance of advertising campaigns and to show you ads that are more relevant to your interests. If you don’t want your information used this way, you can opt out using our cookie banner, the “Your Privacy Choices” link on our site (if you’re in California), and through industry opt-out tools like those provided by the Digital Advertising Alliance.
  1. Legal and safety reasons: We may disclose your information if we believe it’s reasonably necessary to comply with a law, regulation, legal process, or government request. We may also disclose information to protect the rights, property, or safety of Second Brain Labs (“SBL”), our users, or the public, or to enforce our agreements and resolve disputes.
  1. Business changes: If we’re involved in a merger, acquisition, financing, restructuring, or sale of all or part of our business, your information may be transferred to the acquiring or successor entity as part of that transaction. We’ll continue to protect your information and give you notice as required by law.
  1. Aggregated or de-identified data: We may share aggregated statistics or de-identified information that can’t reasonably be used to identify you, for example, reports about overall usage trends or anonymized research data.

  1. International data transfers

We operate a global service, which means your personal information may be stored and processed in countries other than the one where you live, including the United States. Different countries have different data protection laws, and some may not offer the same level of protection as your home country. When we transfer personal data internationally, we use appropriate safeguards to protect it.

  1. EU-U.S. Data Privacy Framework: For data transferred from the European Economic Area, United Kingdom, and Switzerland to the United States, we rely on our certification under the EU-U.S. Data Privacy Framework (DPF), including the UK Extension and the Swiss-U.S. DPF. These frameworks were established by the U.S. Department of Commerce and the European Commission to provide a legal mechanism for transatlantic data transfers. In September 2025, the European General Court confirmed the validity of the DPF, ruling that it provides protection essentially equivalent to the GDPR. You can learn more about the DPF and view our certification at the Data Privacy Framework website.
  1. Standard Contractual Clauses: For transfers from the EEA or Switzerland to countries that haven’t received an adequacy decision from the European Commission, we use Standard Contractual Clauses (SCCs) approved by the European Commission. These are standard contract terms that provide legal safeguards for international data transfers.
  1. UK International Data Transfer Agreement: For transfers from the United Kingdom, we use the UK International Data Transfer Agreement (IDTA) or rely on the European Commission’s adequacy decision for the UK, which was renewed in December 2025 and is valid until December 27, 2031.
  1. Other adequacy decisions: Where applicable, we rely on adequacy decisions issued by the European Commission, which recognize certain countries as providing an adequate level of data protection.

If you’d like more information about the safeguards we use for a particular transfer, please contact us using the details at the end of this policy.

  1. Data retention

We keep your personal information only for as long as we need it to fulfill the purposes described in this policy, or as required by law.

  1. Account data: We keep information associated with your account while your account is active. After you close your account, we typically retain basic account information for a short period (for example, 90 days) in case you want to reactivate your account or need access to your data or billing records.
  1. Transaction and billing records: We generally keep transaction and billing records for up to seven years. This is often required by tax and accounting laws.
  1. Marketing data: We keep marketing-related data until you opt out or for a reasonable period after your last interaction with us (typically around three years). If you unsubscribe from marketing emails, we’ll stop sending them but will keep a record of your opt-out preference so we don’t accidentally contact you again.
  1. Logs and security records: We retain website logs, security logs, and other system records for periods necessary to maintain security and comply with legal requirements. This typically ranges from 12 to 60 months, depending on the type of log and applicable regulations.

When we no longer need your data, we either securely delete it or anonymize it so it can no longer be linked to you. Sometimes technical limitations mean we can’t delete data immediately, in which case we isolate it from active systems and delete it as soon as possible.

  1. Additional rules for India (DPDP): If you’re in India, the Digital Personal Data Protection Act 2023 and Rules 2025 give you additional protections. We’re required to erase your personal data when the purpose for which we collected it is complete, or when you withdraw your consent, unless we have a legal obligation to keep it (for example, for tax or accounting purposes). We’ll provide reasonable notice before erasing your data where the law requires it. We also can’t keep your personal data longer than necessary, though we do retain certain security and audit logs for at least one year to help detect breaches and conduct forensic investigations. If we want to use your data for a new purpose that’s materially different from the original purpose, we’ll ask for fresh consent.
  1. Security

We take the security of your personal information seriously and use a combination of technical, physical, and organizational measures to protect it.

  1. Technical safeguards: We encrypt data both in transit (when it’s moving between your device and our servers, using protocols like HTTPS and TLS) and at rest (when it’s stored in our systems). We use strict access controls, including role-based permissions and multi-factor authentication, to ensure that only authorized personnel can access your data, and we follow the principle of least privilege (people only get access to what they need to do their jobs). We protect our network with firewalls and intrusion detection and prevention systems, and we segment our infrastructure to limit the impact of any potential breach.
  1. Monitoring and response: We continuously monitor our systems for security threats, maintain detailed logs, and use automated alerts to detect suspicious activity. We conduct regular security reviews, vulnerability assessments, and third-party penetration testing to identify and fix weaknesses. Our team receives mandatory security and privacy training, and everyone who works with personal data is subject to confidentiality obligations. We have documented incident response procedures, so if something does go wrong, we can respond quickly and effectively.
  1. Breach notification: If we discover a security incident that affects your personal data and is likely to result in harm, we’ll investigate promptly and notify you without undue delay. If you’re in India, we’ll notify the Data Protection Board of India within 72 hours as required by the DPDP Act. If you’re in the EEA or UK, we’ll notify the relevant supervisory authority within 72 hours as required by the GDPR.

No system is completely secure, and we can’t guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. You use the Service at your own risk, and you’re responsible for keeping your account credentials confidential.

  1. Your rights and choices

Your rights depend on where you live, but wherever you are, we want to give you meaningful control over your personal information.

  1. General choices: You can access and update most of your account information directly in your account settings. You can change your communication preferences and unsubscribe from marketing emails at any time. You can control cookies through our cookie banner and your browser settings. And you can disconnect third-party integrations from your account whenever you like.
  1. Rights for India residents (DPDP): If you’re in India, the DPDP Act 2023 and Rules 2025 give you specific rights. You have the right to know what personal data we’re processing about you, why we’re processing it, and who we’re sharing it with. You can ask us to correct inaccurate or incomplete data. You can request that we delete or anonymize your data when the purpose is complete or you withdraw consent (subject to any legal obligations we have to retain it). You have the right to raise complaints with our Grievance Officer or Data Protection Officer if you’re not happy with how we handle your data. You can nominate another person to exercise your rights on your behalf if you die or become unable to act. And you can withdraw your consent as easily as you gave it, though withdrawing consent won’t affect any processing that happened before you withdrew it.

We aim to respond to requests from India residents within 90 days. If we can’t fulfill your request, we’ll explain why. If you’re not satisfied with our response, you can escalate the matter to the Data Protection Board of India, and if needed, you can appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

  1. Rights for EEA, UK, and Swiss residents (GDPR): If you’re in the European Economic Area, United Kingdom, or Switzerland, the GDPR gives you several rights. You have the right to access your personal data and find out what we’re doing with it. You can ask us to correct inaccurate data. You can request deletion in certain situations (for example, if the data is no longer necessary for the purpose we collected it, or if you withdraw consent and we have no other legal basis to process it). You can object to processing based on legitimate interests or for direct marketing purposes. You can request that we restrict processing in certain circumstances. You have the right to receive your data in a portable format and, where technically feasible, to have it transmitted directly to another controller. You can withdraw consent at any time where we rely on consent as the legal basis. And you have the right to lodge a complaint with your local data protection authority if you believe we’ve violated your rights.

Contact details for data protection authorities in the EEA are available on the European Data Protection Board’s website.

  1. Rights for California residents (CCPA/CPRA): If you live in California, you have rights under the CCPA and CPRA. You can ask us to tell you what personal information we’ve collected about you in the last 12 months, where we got it, why we collected it, and who we shared it with. You can request a copy of specific pieces of personal information we hold about you. You can ask us to delete your personal information, subject to certain exceptions (for example, if we need it to complete a transaction or comply with a legal obligation). You can ask us to correct inaccurate information. You can opt out of the “sale” or “sharing” of your personal information for cross-context behavioral advertising. You can limit our use of sensitive personal information where applicable. And you have the right to not be discriminated against for exercising any of these rights. In practice, most of these protections are also provided through the GDPR rights we describe above, so the level of protection is broadly consistent.

We don’t sell your personal information for money. However, some of our advertising and analytics practices may be considered “sharing” under California law. You can opt out using the “Your Privacy Choices” link on our site and through our cookie controls.

  1. How to exercise your rights: To exercise any of these rights, you can email us at [email protected] or write to us at the address provided at the end of this policy. We may need to verify your identity before we can process your request to make sure we’re giving information to the right person. You can authorize someone to make a request on your behalf, though we may ask for proof of that authorization. We’ll respond within the timeframes required by law, which is typically 30 to 90 days depending on your jurisdiction.

  1. Children’s privacy

Our Service is not intended for children under the age of 16, and we do not knowingly collect personal information from children. If you’re a parent or guardian and you believe your child has given us personal information, please contact us so we can delete it, unless we’re legally required to keep it for some reason.

  1. Third-party websites and services

Our Service may contain links to websites, applications, or services operated by third parties that we don’t own or control. This Privacy Policy doesn’t apply to those third parties. We’re not responsible for their content, privacy practices, or terms of use. We encourage you to read their privacy policies before you use their services or share information with them.

If you connect a third-party integration to your account (for example, a CRM tool, a project management platform, or a communication service), you’re authorizing that third party to access certain information from your account. The information you allow them to access will be handled according to their privacy policy, not ours. Make sure you review and understand what data they’ll access and how they’ll use it before you connect an integration.

  1. Email and anti-spam

We want our emails to be helpful, not annoying. You can always unsubscribe from marketing emails by clicking the unsubscribe link in any message we send you, or by adjusting your communication preferences in your account settings. You can also contact us directly if you’d like to change your preferences or have any questions.

We take spam seriously and require everyone who sends emails through our Service to comply with applicable anti-spam laws, including CAN-SPAM (United States), CASL (Canada), and GDPR (Europe). This means emails must have accurate sender information and subject lines, they must include a working unsubscribe link, and opt-out requests must be honored promptly (within 10 business days).

If you receive an email sent through our Service by one of our customers and you want to unsubscribe, please use the unsubscribe link in that email or contact the sender directly. We generally can’t unsubscribe you from emails sent by our customers, since they control those communications.

  1. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we’ll update the “Last Updated” date at the top of this policy and post the updated version on our website. If we make material changes that significantly affect your rights or how we use your information, we’ll provide additional notice, for example, by sending you an email, displaying a prominent notice when you log in, or providing an in-product notification. In some cases, we may ask for your consent to the changes if required by law.

If you continue to use the Service after the changes take effect, you’re agreeing to the updated policy. If you don’t agree with the changes, you should stop using the Service.

We encourage you to review this policy periodically so you stay informed about how we’re protecting your information.

  1. How to contact us

If you have questions, concerns, or requests about this Privacy Policy or how we handle your personal information, we’re here to help.

Second Brain Labs (“SBL”)
Attention: Data Protection Officer / Privacy Team
Loknath Colony, North Dinajpur,
Islampur, West Bengal, 733202,
India

Email: [email protected]

  1. For residents of India: If you’re in India and have a concern related to the DPDP Act, you can contact our Grievance Officer at [email protected]. We aim to respond within 90 days. If your concern isn’t resolved to your satisfaction, you can escalate the matter to the Data Protection Board of India (details will be available once the Board is operational) or file an appeal with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
  1. For residents of the EEA, UK, and Switzerland: If you’re in the European Economic Area, United Kingdom, or Switzerland and you have concerns about how we handle your data, you can contact your local data protection authority. You can find contact details for data protection authorities in the EEA at the European Data Protection Board’s website (https://edpb.europa.eu/about-edpb/about-edpb/members_en), for the UK at the Information Commissioner’s Office website (https://ico.org.uk/), and for Switzerland at the Federal Data Protection and Information Commissioner’s website (https://www.edoeb.admin.ch/).

You can also contact our representatives in the EU and UK:

EU Representative: Shubham Kumar, [email protected]

UK Representative: Shubham Kumar, [email protected]

  1. For Data Privacy Framework inquiries: If you have questions or complaints related to our Data Privacy Framework certification, please email us at [email protected]. If your concern is not resolved through direct contact with us, you may contact the relevant data protection authority or independent dispute resolution provider as described in the DPF Principles. Under certain conditions, you may also invoke binding arbitration.

Thank you for trusting us with your information.

Read more about our Terms of Use
