Privacy Policy
Last updated: May 14, 2026
Introduction
This Privacy Policy explains how SFT Brain collects, uses, discloses, retains, and protects information when you use the SFT Brain web app, mobile web app, Chrome extension, ChatGPT integration, and related APIs.
Please do not submit payment card data, government identifiers, protected health information, passwords, API keys, private credentials, or other highly sensitive information as flashcard content.
Information We Collect
Account and Authentication Data
- Email address, display name, profile picture, Google account identifier, Firebase user identifier, and email verification status
- Authentication tokens, refresh-token metadata, login timestamps, token expiration and revocation data, and API-token metadata
- ChatGPT/MCP OAuth connection data, including OAuth client metadata, redirect URIs, scopes, authorization codes, access tokens, refresh tokens where applicable, token expiration and revocation status, and connection status. SFT Brain does not ask users to provide passwords, API keys, MFA codes, or other authentication secrets through ChatGPT tools.
- Magic-link login email addresses and short-lived magic-link tokens
Learning Content and Study Data
- Flashcard questions, answers, tags, categories, decks, deck descriptions, source URLs, source text, selected text, page titles, domains, and ChatGPT conversation excerpts or export files that you explicitly choose to import
- Images, image URLs, audio files, generated image prompts, visual feedback, Mermaid diagrams, and saved HTML/CSS/JavaScript visualization widgets
- User answers, review history, scores, AI feedback, token usage, review timing, memory level, recall predictions, difficulty, stability, next-review dates, postponed dates, and archive state
- Sharing data such as share tokens, public or cloneable deck settings, ratings, import counts, clone counts, and reviewer progress on shared decks
Chrome Extension and Browser Data
When you use the Chrome extension, we process the page content you actively ask SFT Brain to use, including selected text, readable page text, page URL, title, domain, site name, byline, excerpt, publication time, and image metadata. The extension stores local state such as auth status, selected deck, settings, and generated draft cards in Chrome local storage.
Uploads, Media, Logs, and Security Data
- Uploaded image/audio files, original filenames, file type, file size, Cloudflare R2 object keys, public media URLs, and transcription text
- Request method, route, status code, response time, request IDs, user ID when authenticated, IP address, user agent, timestamps, audit-log entries, and error details
- Cookies, local storage, Capacitor Preferences, extension storage, and service-worker caches used for authentication, preferences, UI state, and performance
ChatGPT and MCP Tool Data
When you connect SFT Brain to ChatGPT, OpenAI may receive SFT Brain tool inputs and outputs needed to fulfill your request. Depending on the tool, that may include search queries, flashcard IDs, questions, answers, tags, image URLs, saved visualization content, user answers, scores, feedback, review counts, next-review dates, and aggregate study statistics.
Current SFT Brain tools can search and fetch flashcards, list recent or due cards, add or update flashcards, save HTML visualizations, record reviewed answers and AI feedback, and return learning statistics. We aim to return only information relevant to the tool request.
SFT Brain does not pull, reconstruct, or infer your full ChatGPT chat history. It processes only the specific snippets, files, fields, or resources that you or ChatGPT explicitly send to SFT Brain for a requested tool action.
| Tool or feature | Inputs processed | Outputs returned to ChatGPT |
|---|---|---|
search | Search query | Matching flashcard IDs, titles or questions, and SFT Brain URLs |
fetch | Flashcard or document ID | Full question, answer, URL, tags, and creation date |
add_flashcard | Question, answer, optional deck name, tags, and optional image URL | Confirmation plus card ID, tags, and deck placement if provided |
update_flashcard | Card ID and updated question, answer, tags, or image URL | Confirmation plus updated fields |
save_flashcard_visualization | Card ID and HTML/CSS/JavaScript widget content | Confirmation and stored widget size |
list_flashcards | Limit, search text, and tags | Flashcard IDs, questions, tags, creation dates, and a note that full answers can be fetched by ID |
get_recent_flashcards | Limit | Recent card IDs, questions, truncated answers, creation dates, and memory levels |
get_due_flashcards | Limit | Due card IDs, questions, truncated answers, memory levels, review counts, and next-review dates |
get_flashcard_statistics | No tool input | Aggregate counts, due-card counts, mastery or learning status, and memory distribution |
rate_flashcard_response | Card ID, user answer, score, and feedback generated in ChatGPT | Stored review result, score, feedback, memory level, review count, and next-review date |
How We Use Information
- Provide, authenticate, secure, and maintain SFT Brain accounts and ChatGPT/MCP connections
- Create, update, search, fetch, organize, share, clone, import, archive, delete, and review flashcards and decks
- Generate flashcards from selected text, webpages, ChatGPT conversation excerpts or export files you explicitly provide, uploaded media, or user prompts
- Evaluate answers, generate feedback, transcribe audio, generate images, search for relevant images, and create visual learning aids
- Calculate spaced-repetition schedules, memory strength, due cards, progress statistics, and learning analytics
- Sync data across the web app, mobile web app, Chrome extension, and ChatGPT integration
- Prevent abuse, debug errors, monitor reliability, enforce access controls, protect accounts, and comply with legal obligations
We do not sell personal information and we do not use your flashcard content for third-party advertising.
Categories of Recipients
- OpenAI and ChatGPT: Tool inputs and outputs, including flashcard content, tags, review metadata, and statistics when you use the ChatGPT integration; OpenAI may also process audio or AI requests where configured.
- Authentication and database providers: Supabase, Firebase, Google OAuth, or similar services used to authenticate users and store app data.
- AI model providers: DeepSeek, Google Gemini, Google Imagen, OpenAI, Qwen, and similar providers may process prompts, selected text, questions, answers, user answers, uploaded audio, image prompts, and generated learning content when you use AI features.
- Storage and hosting providers: Cloudflare R2 or compatible object storage for uploaded/generated media and hosting infrastructure used to run SFT Brain.
- Email providers: Resend or similar providers for magic links and service emails.
- Image and content search providers: Wikimedia, DuckDuckGo, Google Custom Search, Bing, Pexels, Unsplash, or similar services may receive image-search queries.
- Monitoring and security providers: Sentry or similar tools may receive error reports, breadcrumbs, traces, and diagnostic metadata when monitoring is enabled.
- Other users or the public: Shared cards and decks may be visible to people with access to a share link or public listing.
- Legal and safety recipients: We may disclose information when required by law, legal process, or to protect SFT Brain, users, or others.
Retention
- Account data, learning content, cards, decks, reviews, settings, and media are generally retained until you delete them or delete your account.
- Shared cards and decks remain available until you disable sharing, delete the shared item, or delete your account.
- ChatGPT OAuth access can be revoked. Authorization codes expire shortly after use. Access tokens and related token records are retained until expiration, revocation, account disconnection, or account deletion, except that security and audit records may be retained for up to 1 year.
- Magic-link tokens expire after approximately 15 minutes.
- Uploaded audio used for transcription is temporarily written for processing and then deleted from temporary server storage after transcription completes or fails, typically within 24 hours.
- Browser local storage, extension storage, cookies, and service-worker caches remain on your device until you sign out, clear them, uninstall the extension/app, or your browser removes them.
- Security logs, request logs, audit logs, and deletion records may be retained for up to 1 year where needed for security, fraud prevention, debugging, legal compliance, and service integrity.
- Backup copies may retain deleted account or content data for up to 90 days before they are overwritten or deleted.
Your Controls
- Choose what content to send to SFT Brain, including what ChatGPT conversations, webpage text, images, audio, or prompts you import or upload.
- Approve, decline, disconnect, or revoke ChatGPT connection and tool-use flows through ChatGPT, SFT Brain settings where available, or by contacting us.
- Create, edit, archive, unarchive, delete, share, unshare, or change sharing mode for flashcards and decks where those controls are available.
- Export your account data or delete your account from SFT Brain data controls where available.
- Clear local browser storage, cookies, service-worker caches, and Chrome extension storage from your browser or device.
- Contact us to request access, correction, deletion, export, or help with privacy choices.
Security
We use safeguards designed to protect information, including HTTPS in transit, access controls, authentication, token revocation, input validation, rate limiting, and provider-managed encryption where available. No online service can guarantee absolute security.
Children's Privacy
SFT Brain is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 provided personal information to SFT Brain, please contact us so we can take appropriate action.
Regional Privacy Rights
Depending on your location, you may have rights to access, correct, delete, export, object to, or restrict certain processing of your personal information. California residents may have rights to know, delete, correct, and opt out of sale or sharing as defined by applicable law. SFT Brain does not sell personal information.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the Last updated date and may provide additional notice through the app, website, email, or ChatGPT integration when appropriate.
Contact Us
- Company: NutriGuide LLC
- Address: 1572 Quebec Ct APT 4, Sunnyvale, CA 94087
- Email: congminqiu@sftbrain.com
- Privacy Email: privacy@sftbrain.com
- Website: https://sftbrain.com
By using SFT Brain, you acknowledge that you have read and understood this Privacy Policy.