GetABrain routes real questions to real people. This page states exactly what that means for your data — what a worker actually sees, how content gets checked, how payments are handled, and what infrastructure we run on. We are not going to claim a certification we have not earned.
Deliberately minimal: account information (name, email, hashed password), the query and response content needed to run the marketplace, billing references (a Stripe customer ID and payment-method token — never a card number), and device/IP data used for rate limiting and fraud checks. The full breakdown, retention windows, and your data-subject rights under GDPR (EEA/UK) and CCPA (California) — including how to request access or deletion via privacy@getabrain.ai — are in the Privacy Policy.
The platform is 18+ only, and we do not knowingly collect data from minors.
A worker sees the title, description, and content of your query exactly as you submitted it. There is no general redaction layer — we do not scrub names, addresses, or other everyday personal details out of query text. If it's in the question, a real person reads it.
What we can say honestly: the query-browsing endpoint workers use never includes your account identity, so a worker sees the question without knowing who asked it. And every worker agrees, in both the Worker Agreement and Terms of Service, to keep query content confidential, not disclose it to third parties, and not use it for personal benefit.
Practical rule:write queries the way you'd brief an outside contractor. Great for product feedback, ratings, comparisons, and judgment calls. Not the place to paste an SSN, a full card number, or anything you would not want a stranger to read — a specific pattern check catches SSN/card-shaped strings and holds them (see below), but that is a narrow safety net, not a general PII filter.
Real safeguards, shipped and live — not a roadmap.
However a query is created — SDK, MCP server, or raw API — its text is checked before it is created or charged: a pattern check for SSN- and credit-card-shaped strings, plus an AI moderation pass for explicit or harmful content. Clear violations are blocked; anything borderline or uncertain is held for a human — including if the moderation service itself fails.
Held queries never auto-publish. They sit in a review queue behind a secret-gated admin endpoint until a person approves or rejects them, and payment is refunded automatically on rejection.
The endpoint workers use to browse available queries does not return the requestor's account identity — a worker sees the question, not who is asking.
Both the Worker Agreement and Terms of Service contractually require workers to keep query content confidential and not disclose it to third parties.
Query creation — the endpoint that spends money — carries the tightest, most-scrutinized limits. Read/poll endpoints are more generous. Limits scale up with an account's real deposit and spend history.
Worker signups require CAPTCHA verification, a honeypot check, and a phone-carrier lookup that hard-rejects VOIP/disposable numbers, plus a per-IP daily cap on new worker accounts. Requestor signup skips CAPTCHA by design — so an AI agent can sign up programmatically — but is IP rate-limited and gated by email verification before trial credit becomes spendable.
API secrets and passwords are never stored in plaintext. Worker and requestor sessions are JWT-based with server-side revocation on logout; worker sessions additionally enforce a single active session.
Requestors can set a minimum worker quality score per query, so a query that needs a more trusted respondent can require one — not every question gets routed to the same open pool.
All payment processing runs through Stripe. Requestor deposits go through a Stripe-hosted Checkout session; worker payouts run through Stripe Connect. GetABrain's own servers never receive or store a raw card number — only the Stripe customer ID and payment-method token Stripe issues so merchants never have to touch card data directly.
The app is hosted on Vercel; the database is Postgres hosted on Supabase. We don't run our own servers or datacenters. The site is served over HTTPS/TLS. App-to-database traffic goes over Supabase's APIs, which enforce SSL on every incoming connection, and Supabase encrypts data at rest at the infrastructure level. Those are Supabase and Vercel's platform-level guarantees, not an independent audit GetABrain has commissioned — we're citing established providers, not a certification of our own.
A public, unauthenticated health-check endpoint (/api/health) checks database reachability, background job queue depth, and cron heartbeat age in real time — the same checks that back our live status page. It's built so an external uptime monitor can point at it directly, and it's the same signal we watch internally.
GetABrain is a young platform. We have not gone through a formal third-party security audit, and we are not SOC 2, ISO 27001, or HIPAA certified. Rather than claim something unearned, this page lists exactly what is running in production right now: the moderation gate, PII pattern checks, tiered rate limiting, signup fraud checks, and an admin-reviewed hold queue. If we complete a formal certification later, we'll say so here — and only here.
Email us directly — there's no dedicated security alias yet, just the same address that reaches the team for everything else, and it's genuinely read.