Privacy Policy
Parent Second Brain · Last updated 4 July 2026
Who we are
Parent Second Brain ("we", "us") is operated by Real Return Media. It turns school and sports emails into a shared family calendar and to-do list. For anything in this policy, contact dan@realreturnmedia.com.
What we collect
Your account details (email address, display name). Family information you add: family name, children's first names, schools, activities and term dates. Emails you forward to your family's intake address, or that we read from a mailbox you explicitly connect, together with their attachments. Billing status from our payment provider — we never see or store card numbers. Basic technical logs (IP address, timestamps) needed to run and secure the service.
Children's information
The service stores information about your children that you choose to add or forward (names, schools, schedules) so it can organise your family admin. Children do not have accounts, we do not collect information from children directly, and we never use children's information for advertising or sell it to anyone.
Gmail and Outlook access (Google API Limited Use)
If you connect Gmail or Outlook, we request read-only mailbox access and use it solely to find school/activity emails for your family dashboard. OAuth tokens are encrypted (AES-256-GCM) before being stored and are deleted when you disconnect the account. Parent Second Brain's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We never use Gmail data for advertising, never sell it, and no humans read it except with your permission, for security, or to comply with law.
How we process it
Forwarded emails and attachments are processed by AI models (Anthropic and OpenAI APIs) to extract events, tasks and dates. These providers process the content to provide the service and do not use it to train their models under our API terms. Extracted items are shown to you for approval before they become part of your family's calendar and tasks.
Where it lives and who helps us run it
Data is stored in Supabase (PostgreSQL and file storage, hosted in the EU — Frankfurt) with row-level security so each family can only see its own records; attachments live in a private bucket. The app runs on Vercel. Transactional email is sent via Resend. Payments are handled by Paystack. Mailbox connections use Google and Microsoft APIs. These subprocessors receive only what they need to perform their function.
Your rights (POPIA / GDPR)
You can access, correct or delete your information at any time — most of it directly in the app. Deleting a record deletes it from the live database; deleting your family or account removes the family's data. For a full export or account deletion, email us and we'll complete it within 30 days. South African users have these rights under POPIA; EU users under the GDPR. You may also complain to your local data protection authority (in South Africa, the Information Regulator).
Retention and security
We keep your data while your account is active and delete it on request or account closure, except minimal records we must keep for legal or accounting reasons. Encrypted database backups are kept for 30 days. All traffic is over HTTPS; sensitive tokens are encrypted at rest; destructive actions always require confirmation.
What we don't do
No advertising, no selling or renting data, no tracking you across other sites, no using your family's information for anything other than running Parent Second Brain.
Changes
If we make material changes to this policy we'll notify you by email or in the app before they take effect.