Privacy Policy

Husband, Father, Leader, Organizer, Engineer

Privacy Policy

Last updated: May 13, 2026

This Privacy Policy describes how OpenBrain (“the App”), a personal productivity tool developed by David Chang (“I”, “me”, “my”), handles information accessed through Google APIs and other connected services. OpenBrain is published at https://github.com/davidianstyle/openbrain and the policy page is hosted at https://davidchang.dev/privacy-policy/.

About OpenBrain

OpenBrain is an open-source, self-hosted personal “AI Chief of Staff” that runs entirely on the user’s own computer. It connects to the user’s own Google account (and optionally Slack, Asana, and Fathom accounts) via locally-installed Model Context Protocol (MCP) servers, and uses Claude Code (from Anthropic) as the local agent that reads and acts on that data inside an Obsidian vault on the user’s filesystem.

There is no OpenBrain server, no OpenBrain database, and no OpenBrain backend. Each user installs and operates their own copy.

Information OpenBrain accesses

When a user authorizes OpenBrain with their Google account, the App requests the following OAuth scopes so the user can ask Claude Code to operate on their own data:

ScopePurpose
gmail.modifyRead inbox for triage briefings; create drafts and apply labels at the user’s explicit request. OpenBrain does not automatically send mail.
calendarRead and create calendar events for the user’s daily briefing and meeting scheduling.
meetings.space.readonlyRead Google Meet conference metadata to attach to meeting notes.
drive, documents, spreadsheets, presentationsRead and write files in Google Drive, Docs, Sheets, and Slides at the user’s request (e.g., creating a meeting recap doc, updating a tracker sheet).

OpenBrain only accesses the user’s own data, only the items the user asks Claude Code to operate on in a given session, and only while the user is interacting with the App.

How information is used

Google user data accessed by OpenBrain is used solely to provide the features the user requests in their own Claude Code session — for example, summarizing the user’s own inbox, drafting a reply, or writing a meeting note into the user’s Obsidian vault.

OpenBrain:

  • Does not sell user data.
  • Does not share user data with third parties for advertising or marketing.
  • Does not use Google user data to train generalized AI/ML models.
  • Does not allow humans to read Google user data, except: (a) with the user’s explicit consent, (b) for security purposes (e.g., investigating abuse), or (c) to comply with applicable law.

Third-party processors

OpenBrain runs locally, but the content the user asks Claude Code to act on is processed by the following services, which the user has independently authorized:

  • Anthropic — Claude Code sends the user’s prompts and the relevant retrieved content (e.g., email snippets the user is asking about) to Anthropic’s API in order to generate a response. Anthropic’s data handling is governed by Anthropic’s own policies: https://www.anthropic.com/legal/privacy and https://www.anthropic.com/legal/commercial-terms.
  • Google — the source of the data, governed by the user’s own Google account terms.

No other processors receive Google user data from OpenBrain.

Storage and retention

  • OAuth tokens (refresh tokens, access tokens, client credentials) are stored on the user’s own machine in ~/.config/openbrain/ and are never transmitted off the user’s machine except to Google’s own token endpoints.
  • Google user data fetched at runtime is held in memory for the duration of the Claude Code session. Anything the user explicitly tells Claude Code to save (e.g., a meeting note, a person profile) is written to the user’s local Obsidian vault at ~/Code/openbrain/ and synced to the user’s own private git remote, if they have configured one.
  • The user may revoke OpenBrain’s access at any time at https://myaccount.google.com/permissions, which immediately ends the App’s ability to fetch new Google data.
  • The user may delete all locally-stored OpenBrain data at any time by deleting the ~/.config/openbrain/ and ~/Code/openbrain/ directories.

Google API Services User Data Policy

OpenBrain’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Security

OpenBrain runs entirely on the user’s own machine and inherits the security posture of that machine. OAuth tokens are stored in ~/.config/openbrain/ with standard filesystem permissions. The user is responsible for the physical and account-level security of the device on which OpenBrain is installed.

Children

OpenBrain is not directed to children under 13, and I do not knowingly collect personal information from children.

Changes

I may update this Privacy Policy from time to time. The “Last updated” date above reflects the most recent revision. Material changes will be noted in the project repository.

Contact

Questions about this Privacy Policy can be sent to email@davidchang.dev.

©  2026 David Chang. Privacy Policy | Terms of Service