Privacy policy

Last updated: 17 April 2026

Learning Brain is an evidence-grounded learning-design tool that connects to your AI assistant via the Model Context Protocol. This policy describes what data is collected, how it's used, how long it's kept, and who it's shared with.

Learning Brain is operated by Laurie Harrison as the data controller. Questions: info@learningbrain.ai.

The short version.

  • I collect only what's needed to authenticate your access and improve Learning Brain.
  • Your prompts, tool inputs, and tool outputs are not stored on the server. They pass through in memory and are returned to your AI client. Conversation content is not logged.
  • I log metadata about which tools are called (tool name, timestamp, status) to maintain reliability and identify quality gaps — never the substance of the call.
  • Your data is never sold. It's never shared for marketing. Only the infrastructure necessary to run Learning Brain is used.
  • You can delete your account and all associated data by emailing me.

1. Data collected

At signup

When you request access via the signup form at learningbrain.ai:

  • Email address
  • Name (optional)
  • Timestamp of signup

At OAuth authentication

When your AI client (Claude, Codex, ChatGPT, etc.) connects via OAuth:

  • OAuth client ID and registration metadata (which app / redirect URIs)
  • Access and refresh tokens (short-lived credentials issued to your AI client)
  • A record linking the authenticated client to your signup email

At API-key authentication

If you use the API-key path (for environments that block OAuth):

  • The lb_* API key linked to your email
  • Timestamps for creation and last use

During tool use

For each tool call, I log:

  • Tool name (e.g., arch_design_module)
  • Timestamp
  • Status (success, refused, pushback)
  • Release tier and substrate version
  • Number of source notes returned
  • Rubric name used (if any)
  • A random call ID (for internal deduplication)
  • The OAuth client identifier and your account email (so calls can be attributed to your account for support and access control)
  • The User-Agent header sent by your AI client (e.g., Claude/0.13.2 (Macintosh)) so I can tell which tool you used Learning Brain from. This is the same string every website you visit receives — I don't enrich or fingerprint beyond what your client sends.

I do not log:

  • The content of your prompts
  • The inputs you pass to the tool (learner context, course briefs, design drafts, etc.)
  • The outputs the tool returns (scaffolded prompts and source notes your AI sees)
  • The final content your AI produces from the scaffold

This is a deliberate design choice. Your design work stays between you and your AI client.

2. How the data is used

Data | Purpose
Email, name | Issue access credentials; contact you about service updates or outages
OAuth tokens, API keys | Authenticate your requests to the MCP server
Tool-call metadata | Monitor reliability; identify substrate-coverage gaps; detect abuse
User-Agent string | Understand which AI clients (Claude Desktop, ChatGPT, Codex, Cursor, etc.) people use Learning Brain from, so I can prioritise compatibility fixes

None of this data is used for advertising, profiling, or resale.

3. Legal basis

Under UK GDPR, the lawful basis is:

  • Contract performance for processing necessary to provide the tool you signed up for (auth, tool access).
  • Legitimate interest for minimal operational logging (tool-call metadata for service reliability).

4. Third parties

The following sub-processors are used:

Provider | Purpose | Location
Fly.io | Application hosting and HTTPS termination | London (LHR)
GitHub | Public hosting of the Claude Code plugin repository (no user data) | United States

Your data is never shared with any third party for marketing. Your AI client (Anthropic, OpenAI, etc.) sees the tool outputs Learning Brain returns, but your data is not transmitted to Anthropic or OpenAI independently — that communication is between you and the AI provider you chose.

5. Retention

  • Signup records — kept while your account is active. Deleted within 30 days of a deletion request.
  • OAuth tokens — access tokens expire within 1 hour; refresh tokens within 90 days of issuance.
  • API keys — kept while active. Revoked immediately on request; record deleted within 30 days.
  • Tool-call metadata — retained for up to 180 days for operational purposes, then aggregated or deleted.

6. Your rights

Under UK GDPR you have the right to:

  • Access the personal data I hold about you
  • Correct inaccurate data
  • Delete your data (right to erasure)
  • Restrict or object to processing
  • Export your data (portability)
  • Withdraw consent at any time

To exercise any of these, email info@learningbrain.ai. I'll respond within 30 days.

If you believe your data has been mishandled, you can complain to the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.

7. Security

  • All traffic to the Learning Brain MCP server is encrypted in transit (TLS 1.2+).
  • OAuth credentials and API keys are stored server-side in a protected database with access restricted to the service owner.
  • Passwords are not stored (OAuth relies on your AI client's authentication with its own provider).
  • I make reasonable efforts to protect your data but cannot guarantee absolute security.

To report a security issue responsibly, email info@learningbrain.ai with "Security" in the subject line.

8. International transfers

The servers are located in the UK (London region via Fly.io). If you access Learning Brain from outside the UK/EU, your data will be transferred to and processed in the UK under UK GDPR.

9. Cookies

The learningbrain.ai website uses no analytics cookies or third-party trackers. Session cookies are used only for the OAuth consent flow and are removed when you close your browser.

10. Children

Learning Brain is a professional tool and not directed at children under 16. I do not knowingly collect data from children.

11. Changes to this policy

Any material changes will be posted to this page with a revised "Last updated" date, and affected users notified by email where possible. Continued use after a change constitutes acceptance.

12. Contact

Laurie Harrison
Email: info@learningbrain.ai
Website: learningbrain.ai