Privacy Policy

What data OpenBase processes, which subprocessors we use, and your rights under GDPR.

Last updated: May 24, 2026

1. Controller

The Nexus Collective GmbH ("we", "us", "our"), Poststraße 14-16, 20354 Hamburg, Germany, is the controller responsible for the processing of your personal data when you use OpenBase (getopenbase.ai).

Registered at Amtsgericht Hamburg under HRB 196591. VAT identification number: DE459881075.

Contact: [email protected]

2. Data We Collect

When you use OpenBase, we process the following categories of personal data:

  • Account data: Name, email address, and profile picture provided by your SSO provider (Google Workspace or Microsoft Entra ID).
  • Organization data: Your email domain is used to automatically associate you with your organization's workspace.
  • Usage data: AI model usage, token counts, and costs associated with your account for billing and analytics purposes.
  • Conversation data: Messages you send and receive within OpenBase, including AI-generated responses.
  • Technical data: IP address, browser type, and access timestamps for security and operational purposes.

3. Purpose and Legal Basis

  • Contract performance (Art. 6(1)(b) GDPR): Processing account and conversation data to provide the OpenBase service.
  • Legitimate interest (Art. 6(1)(f) GDPR): Usage analytics, security monitoring, and service improvement.
  • Legal obligation (Art. 6(1)(c) GDPR): Retaining billing records as required by tax and commercial law.

4. Third-Party Processors

We use the following third-party services to operate OpenBase:

  • DigitalOcean (Frankfurt, Germany) — Application hosting and managed PostgreSQL.
  • Cloudflare — CDN, file storage (R2, EU region), and DDoS protection.
  • OpenRouter / AI model providers — AI inference. Conversation content is sent to the selected AI model provider. No training on your data.
  • Stripe — Payment processing and subscription management.
  • Resend — Transactional email delivery.
  • Sentry — Error monitoring (no PII is logged).

All processors are bound by data processing agreements (DPAs) and appropriate safeguards under GDPR.

5. Data Retention

  • Active workspaces: Account and conversation data is retained for the duration of your active subscription.
  • Paused workspaces (paused): When a payment is overdue, the workspace is moved to read-only. Data is preserved unchanged until the subscription is reactivated or cancelled.
  • Cancelled workspaces (cancelled): After an explicit cancellation, all workspace data is fully deleted within 30 days.
  • Billing records: Retained for 10 years as required by German commercial and tax law.
  • Server logs: Automatically purged after 90 days.

6. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Data portability
  • Lodge a complaint with a supervisory authority

To exercise your rights, contact [email protected].

7. Cookies

OpenBase uses only strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies. No cookie consent banner is required under GDPR for strictly necessary cookies.

8. AI Model Usage

When you use AI features in OpenBase, your conversation content is sent to third-party AI model providers via OpenRouter. These providers process your input solely to generate a response and do not use your data for model training. Admins can restrict allowed models and providers per workspace; in EU mode, routing is restricted to providers with opt-out of training data.

9. Google API Services — User Data

OpenBase offers optional integrations with Google services (Gmail, Google Calendar, Google Drive, Google Contacts, Google Tasks, and Google Workspace Directory). These integrations are entirely opt-in. You connect your Google account explicitly and can revoke access at any time.

Limited Use Disclosure

OpenBase's use and transfer of information received from Google APIs to any other application adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we:

  • Only use Google user data to provide and improve the features you explicitly request within OpenBase.
  • Do not transfer Google user data to third parties except as necessary to provide the requested features, or as required by law.
  • Do not use Google user data for advertising purposes.
  • Do not allow humans to read Google user data unless you have given explicit permission, it is necessary for security purposes, or we are required by law.

What Google Data We Access and Why

Gmail (gmail.modify, gmail.send) — We read email metadata (sender, subject, date), message snippets, and full message content to allow the AI assistant to search your inbox, summarize threads, and draft replies on your behalf. We send emails only after you have explicitly reviewed and approved the draft. We do not store email content permanently — it is processed in memory to generate the AI response and discarded immediately after.

Google Calendar (calendar.readonly, calendar.events) — We read your calendar events to help the AI assistant check your availability, summarize your schedule, and prepare for meetings. When you request it, we create or update calendar events on your behalf. Event data is processed in memory and not stored permanently beyond the metadata needed to confirm the operation succeeded.

Google Drive (drive.readonly, drive) — We access your Drive files to allow the AI assistant to search, read, and summarize documents. When you explicitly request it, we create or update documents in your Drive (e.g., saving a report or meeting summary). File content is processed in memory to generate the AI response and is not stored on our servers.

Google Contacts (contacts.readonly) — We read your contact list to help the AI assistant identify people you mention by name, look up email addresses, and provide context about your professional network. Contact data is not stored permanently.

Google Tasks (tasks) — We read and create tasks in Google Tasks to allow the AI assistant to manage your to-do lists, mark items complete, and create new tasks when you request it.

Google Workspace Directory (admin.directory.user.readonly) — For Google Workspace accounts, we may read the organizational directory to help the AI assistant identify colleagues, understand the org structure, and route requests to the right people. This data is not stored permanently.

Data Storage and Security

OAuth access tokens and refresh tokens for Google services are encrypted at rest using AES-256-GCM and stored securely in our database. Token data is never logged. The content of your Google data (emails, documents, calendar events, contacts) is processed in memory only and is never stored permanently on our servers. We access your Google data solely to fulfill your in-session requests through the AI assistant.

Revoking Access

You can disconnect any Google integration at any time from the OpenBase Connectors settings. This immediately deletes your stored OAuth tokens. You can also revoke access directly via your Google Account permissions page.

10. Changes

We may update this privacy policy from time to time. Material changes will be communicated via the application or email. Continued use of OpenBase after changes constitutes acceptance.