Privacy Policy

All the features your business needs, and your users love

1. GENERAL ASPECTS

The Owner collects some Personal Data from its Users.

The purpose of this Policy is to detail how we, the Owner, with the identification details mentioned in this Policy, process, as a controller, your Personal Data, when you, as a User, access, browse through and use in any other way the Product. In some cases, the Policy also refers to Personal Data belonging to the respondent of a User survey, which may be made available to you while using the Product.

This document contains a section dedicated to Users in Singapore and their privacy rights.

This document contains a section dedicated to Users in Switzerland and their privacy rights.

This document contains a section dedicated to Users in Brazil and their privacy rights.

This document contains a section dedicated to Users residing in the State of California (USA) and their privacy rights.

This document contains a section dedicated to Users residing in the State of Virginia (USA) and their privacy rights.

This document contains a section dedicated to Users residing in the State of Colorado (USA) and their privacy rights.

This document contains a section dedicated to Users residing in the State of Connecticut (USA) and their privacy rights.

This document contains a section dedicated to Users residing in the State of Utah (USA) and their privacy rights.

‍

Owner and Data Controller

Brainactive Pte Ltd (UEN: 202322763Z), a company duly incorporated and existing pursuant to the laws of Singapore, with its registered office at 30 Petain Road, Singapore 208099 (“Brainactive”)

Owner contact email for purposes of this document: privacy@brainactive.ai

‍

Types of Data collected, in general

Among the types of Personal Data that the Owner processes, by itself or through third parties (considered as Processors), there are:

first name; last name; phone number (all belonging to the individual creating the User account);
company name the individual creating the account is working for or representing;
email address (to the extent this e-mail address belongs to an individual working for the User);
User content (to the extent such content contains Personal Data);
Usage Data, which may also include information related to the respondents filling in a form you create as a User;
unique device identifiers for advertising (Google Advertiser ID or IDFA, for example);
Universally unique identifier (UUID).

Complete details on each type of Personal Data collected are provided in the dedicated sections of this Policy or by specific explanation texts displayed in the Product prior to Data processing taking place.

Personal Data may be freely provided by the User, or, in case of certain Usage Data, collected automatically when the User is using the Product, depending on the type of use employed by the User.

Unless specified otherwise in the Product or these Terms, all Data requested by the Owner is mandatory and failure to provide this Data may make it impossible for the Owner to provide the Product. In cases where the Owner specifically states in these Terms, or signals in the Product that some Data is not mandatory, Users are free to not communicate this Data without consequences to the availability or the functioning of the Product. Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner using the contact details mentioned in this Policy.

Any use of Cookies – or of other tracking tools — by the Owner or by the owners of third-party services used by the Owner in the Product, serves the purpose of providing the Product functionality requested by the User, in addition to any other purposes described in the present document and in the Cookie Policy available here.

Users are exclusively responsible for any third-party Personal Data obtained, published or shared through the Product, including for any Personal Data (including Usage Data) that belongs to survey respondents and which the User gains access to as a result of a survey run through the Product.

‍

Security of processing

The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.

The Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. The Data is accessible to certain types of persons in charge part of the Owner’s team, involved with the operation of the Product (such as but not limited to administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) which either act as Data Processors in relation to the Owner or process Data based on their own requirements as controllers. The updated list of these parties or of the categories of parties processing Data as Data Processors may be requested from the Owner at any time, and is also available in this document.

‍

Automated processing of Personal Data

Personal Data will not be processed in order to generate decisions based solely on automatic processing that would produce legal effects on the User or affect the User to a significant extent, within the meaning of art. 22 para. (1) GDPR.

‍

Transfer of Data

Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To find out more about the Data Processors we use in order to provide the Product, Users can check the section of this document containing details about the processing of Personal Data.

Data Processors may be located within the European Union and/or the European Economic Area as well as beyond, including in countries that are not recognized as ensuring an adequate level of protection, in which case the transfer of Personal Data is only carried out if there are appropriate safeguards, in accordance with applicable law (such as standard contractual clauses issued by the European Commission), with the Owner employing best efforts to ensure Personal Data is kept in the European Union and/or the European Economic Area, to the extent possible. You may request a list of recipients in third countries, as well as a copy of the agreed provisions ensuring an adequate level of protection of your Personal Data.

‍

Retention time

Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent. For more details about the duration of processing of each type of Personal Data collected, Users can check the section containing details about the processing of Personal Data.

‍

Purposes of processing

The Data is collected to allow the Owner to provide the Product, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, and more. For specific information about the Personal Data used for each purpose, the User may refer to the section “Detailed information on the processing of Personal Data”.

‍

Duration of processing

Unless specified otherwise in this document, Personal Data shall be processed for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligations of the Owner or based on the duration of the Users’ consent.

Therefore:

Personal Data processed for purposes related to the performance of a contract between the Owner and the User shall be processed until such contract has been fully performed.
Personal Data processed for the purposes of the Owner’s legitimate interests shall be processed as long as needed to fulfil such purposes. Users may find specific information regarding the legitimate interests pursued by the Owner within the relevant sections of this document or by contacting the Owner.
Personal Data processed based on the User’s consent shall be processed until the User withdraws their consent.
Personal Data processed based on the Owner’s legal obligation shall be processed until the legal obligation is met or becomes void.

Once the processing period expires, Personal Data shall be deleted. Therefore, the User’s right of access, the right to erasure, the right to rectification and the right to data portability (as described in the relevant section of this Policy) cannot be enforced after expiration of the processing period.

‍

The rights of Users based on the General Data Protection Regulation (GDPR)

Users may exercise certain rights regarding their Data processed by the Owner.

In particular, Users have the right to do the following, to the extent permitted by law:

Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent.
Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
Restrict the processing of their Data. Users have the right to restrict the processing of their Data. In this case, the Owner will not process their Data in ways which the User requests be restricted.
Have their Personal Data deleted or otherwise removed. Users have the right to obtain the erasure of their Data from the Owner.
Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
Lodge a complaint. Users have the right to bring a claim before their competent data protection authority

‍‍

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. Such requests are free of charge and will be answered by the Owner as early as possible and always within one month, providing Users with the information required by law. Any rectification or erasure of Personal Data or restriction of processing will be communicated by the Owner to each recipient (including Data Processors), if any, to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort.

‍

Legal action

The User's Personal Data which is processed based on the Owner’s legitimate interest of defending its rights, may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of the Product or the related Services.
The User declares to be aware that the Owner may be required to reveal their Personal Data upon request of public authorities.]

‍

Data breach notification

In the event of a data breach that is likely to result in a risk to the rights and freedoms of Users, the Owner shall notify the competent data protection authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of Users. When the notification to the data protection authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Furthermore, when the data breach is likely to result in a high risk to the rights and freedoms of Users, the Owner shall communicate the data breach to the affected Users without undue delay. Such communication to Users shall describe in clear and plain language the nature of the data breach, the categories and approximate number of data subjects and data records concerned, the likely consequences of the data breach, and the measures taken or proposed to be taken by the Owner to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Notwithstanding the foregoing, communication to the affected Users shall not be required if any of the following conditions are met:

- Brainactive has implemented appropriate technical and organizational protection measures, and those measures were applied to the data affected by the data breach, in particular those that render the data unintelligible to any person who is not authorized to access it, such as encryption;

- Brainactive has taken subsequent measures which ensure that the high risk to the rights and freedoms of Users is no longer likely to materialize;

- It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Users are informed in an equally effective manner.

Any User who becomes aware of a data breach is encouraged to contact Brainactive immediately using the contact details mentioned in this Policy.

‍

Additional information related to this policy

More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.

‍

Changes to this privacy policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within the Product and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.

Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required

‍

2. DETAILED INFORMATION ON THE PROCESSING OF PERSONAL DATA
‍

Personal Data is collected for the following purposes and using the following services:

Access to User’s third-party accounts (e.g. Google)

This functionality allows the Owner to access Data from your account held with a third-party service and perform actions with it.
These services are not activated automatically, but require explicit authorization by the User.

Google permissions asked when using the Product via the Google log-in button

The Owner may ask for some Google permissions allowing it to perform actions with the User's Google account and to retrieve information, including Personal Data, from it.

For more information about the permissions requested whenever you sign up or sign in the Product using your Google account, refer to the Google privacy policy available here

Purpose of processing: to allow you to sign-in the Product using your existing accounts in other software platforms, for easier access

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active User account and an additional one (1) month after your account is terminated

Personal Data processed: User’s e-mail address, first name and last name

‍

Advertising

This functionality allows the Owner to use Data for advertising communication purposes.
Some of the services listed below may use Trackers to identify Users or they may use the behavioral retargeting technique, i.e. displaying ads tailored to the User’s interests and behavior, including those detected outside the Product, when the User uses the internet. For more information, please check the privacy policies of the relevant services listed below.
Services of this kind usually offer the possibility to opt out of such tracking.

Purpose of processing: to better understand how you use the Product, in order for us to improve it

Processing legal grounds: our legitimate interest

Duration of processing: as long as you have an active User account

‍

Analytics

This functionality enables the Owner to monitor and analyze the User’s web traffic in the Product and can be used to keep track of User behavior.

Data processors used:

Google Analytics 4 is a web analysis service provided by Google Ireland Limited (“Google”). The Owner uses some Data collected to track and examine the use of the Product with the help of Google Analytics 4.

This Data relates to the behaviour of any individual that uses the User account to log in and use the Product, although the Owner does not distinguish between and identifying different individuals using the Product through the same User account.In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google’s official documentation.

Personal Data processed: number of Users; session statistics; Trackers; Usage Data.

Place of processing: Ireland – Privacy Policy – Opt Out.

Processing legal grounds: our legitimate interest

Duration of processing: as long as you have an active User account

‍

Creating a survey

This functionality allows us to provide you with the tools required for you to obtain a survey in the Product.

Purpose of processing: to provide you with the capabilities to create a survey using the Product

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active User account and an additional one (1) month after your account is terminated, and to the extent the survey you created is still available in your User account (i.e. you have not deleted it or we have not decided to eliminate it based on our rights under the Terms & Conditions available here).

Data Processors used:

Typeform SL, provider of the Typeform software solution, which is a form generation tool which we integrate in the Product to help you organise the surveys you generate easier. Details about how Typeform processes Personal Data that belongs to you can be found here
OpenAI Ireland Limited, provider of the OpenAI software solution, which is a generative AI tool which we integrate in the Product to help you generate surveys easier with the use of artificial intelligence. Details about how OpenAI processes Personal Data that belongs to you can be found here

Personal Data processed: the Personal Data you choose to include in the questions you add (or request the OpenAI tool to generate, as the case may be) to the survey and the Personal Data that survey respondents choose to add in their responses. We do not process in any way the survey respondents’ responses outside of storing them for access by you in your User account.

‍

Conducting a survey

This functionality allows us to provide you with the relevant survey respondents that can answer your survey.

Purpose of processing: to provide you with the capabilities to conduct a survey using the Product

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active User account and an additional one (1) month after your account is terminated, and to the extent a survey to which you received responses is still available in your User account (i.e. you have not deleted it or we have not decided to eliminate it based on our rights under the Terms & Conditions available here).

Data Processors used:

CINT AB, provider of the CINT software solution, which holds databases of relevant survey respondents, which CINT queries for us based on your survey, and defines feasibility of the survey, as well as provides a price you need to pay in order to run your survey through the survey respondents they identified as relevant.

Personal Data processed: the Personal Data you choose to include in your survey and the Personal Data that survey respondents choose to add in their responses. We do not process in any way the survey respondents’ responses outside of storing them for access by you in your User account.

‍

Contacting the User

This functionality allows us to provide you with the relevant answers for your queries in the Product.

By filling in the contact form available in the Product with their Data, the User authorizes the Owner to use these details to reply to requests for information, quotes or any other kind of request as indicated by the User in the form.

Purpose of processing: to provide you with the relevant answers to your queries about the Product

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active User account and an additional one (1) month after your account is terminated

Personal Data processed: as indicated in the contact form

‍

Hosting and backend infrastructure, traffic optimization and distribution

This functionality has the purpose of hosting Data and files that enable the Product to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of the Product.

Some services among those listed below, if any, may work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

‍

Google Cloud (Google Cloud EMEA Ltd)

Google Cloud is a hosting and backend service provided by Google Cloud EMEA Ltd

Purpose of processing: to run the Product in the version the User has access to, based on these Terms and, if applicable, any payment made to the Owner

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active User account and an additional one (1) month after your account is terminated

Personal Data processed: various types of Data as specified in the privacy policy of the Google Cloud service, available here.

Category of personal information collected according to the CCPA: identifiers.

‍

Interaction with live chat platforms or automated chat platforms

This functionality allows us to provide you with the possibility to interact with third-party live chat platforms or automated chat platforms, directly from the pages of the Product, in order to learn information about the Product, contact and be contacted by the Owner‘s support service.

Purpose of processing: to provide you with answers to your queries about the Product

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active User account and an additional one (1) month after your account is terminated

Data Processors used:

Intercom R&D Unlimited Company, provider of the Intercom software solution, which is a customer support service that the Owner is using to interact with Users via the Product.

‍

Personal Data processed: the Personal Data you choose to include in your query, which is stored as data logs of our conversations. We may also collect browsing and Usage Data in the pages where it is installed, even if the Users do not actively use the service.

Category of personal information collected according to the CCPA: identifiers; commercial information; internet or other electronic network activity information; inferences drawn from other personal information.

‍

Paying for the Product or for different functionalities of it

This functionality allows Users to add their relevant details in order to pay for and receive a payment proof related to a purchase they make in the Product.

Purpose of processing: to provide you with the relevant paid Product functionality or version you request

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active paid Product functionality or version you request

Data Processors used:

Stripe Payments Europe, Limited, provider of the Stripe software solution, which is a payment processing service that the Owner is using to interact with Users via the Product. Details about how Stripe processes Personal Data that belongs to you can be found here

Personal Data processed: details related to the bank card used for payment. This is not stored with the Owner, but directly with the Data Processor. We only receive information about whether payments have been validly performed or not, and the Personal Data (if available) of the User making the payment.

Category of personal information collected according to the CCPA: identifiers;

‍

Managing support and contact requests

This functionality allows the Owner to manage support and contact requests received via email or by other means, such as the contact form. Part of this support is provided through Intercom (see the relevant section of this Policy for more details).

In other cases, support may be provided directly via the User’s e-mail address or the User’s phone number (available in the User account or made available after a specific request made by the Owner to this extent).

Purpose of processing: to enable you to use the Product according to its destination and your intended use of it

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active User account and an additional period of time considered sufficient by the Owner to defend their rights if there is a reasonable expectation that the support request and conversation related to it might lead to a dispute between the Owner and the User

Personal Data processed: User’s e-mail address and phone number.

Category of personal information collected according to the CCPA: identifiers; internet or other electronic network activity information.

‍

Marketing communications

This functionality allows the Owner to send e-mail messages with commercial offers, promotions and updates to Users who have consent to receive them. Part of this support is provided through Intercom (see the relevant section of this Policy for more details).

‍

Purpose of processing: to communicate information about different commercial campaigns the Owner is running

Processing legal grounds: the User’s consent

Duration of processing: as long as the User’s consent remains valid

Data Processors used:

[x], provider of the Sendgrid software solution, which allows us to send commercial e-mail messages to you. Details about how Sendgrid processes Personal Data that belongs to you can be found here

‍

Registration and authentication provided directly by the Owner, through its own systems

By registering or authenticating, Users allow the Owner to identify them and give them access to the Product. The Personal Data is collected and stored for registration or identification purposes only, in order to provide the Product and/or support related to it, to the relevant User.

The User registers by filling out the registration / authentication form and providing the Personal Data directly to the Owner, in the account registration / authentication form

Purpose of processing: to provide you with access to the Product

Processing legal grounds: executing the agreement you and the Owner are a part of

Duration of processing: for as long as you have an active User account and an additional one (1) month after your account is terminated

Personal Data processed: the Data requested in the form when a User intends to register / authenticate with an account

Category of personal information collected according to the CCPA: identifiers;

‍

Tag Management

This functionality helps the Owner to manage certain pieces of software code inserted in the Product in order to monitor your activity in the Product, in a centralized fashion. This results in the Users' Data flowing through these services, potentially resulting in the retention of this Data.

Purpose of processing: Tracking a User’s activity in the Product

Processing legal grounds: the User’s consent

Duration of processing: as long as the User’s consent remains valid

Data Processors used:

Google Ireland Limited, provider of the Google Tag Manager software solution, which is a tag management service. Details about how Google processes Personal Data that belongs to you can be found here

Personal Data processed: Trackers; Usage Data

Category of personal information collected according to the CCPA: internet or other electronic network activity information.

‍

User database management and messaging the User based on User account activity

This type of service allows the Owner to build user profiles by starting from the information that the User provides in the Product, as well as to track User activities through analytics features such as Google Analytics (see more details in the relevant section of this Policy. This Personal Data may also be matched with publicly available information about the User (such as social networks' profiles, to the extent the Owner may identify the User based on the Personal Data available) and used for purposes which will be described in this Policy, when this use case is applicable.
Some of these services may also enable the sending of specific messages to the User, such as emails based on specific actions performed by the User in the Product.

‍

Intercom

Intercom is a User database management service provided by Intercom R&D Unlimited Company.
Intercom can also be used as a medium for communications, either through email, or through messages within the Product Intercom may use Trackers to recognize and track Users behavior.

Personal Data processed: Data communicated while using the service; email address; Trackers; Universally unique identifier (UUID); Usage Data; various types of Data as specified in the privacy policy of the service.

Place of processing: Ireland – Privacy Policy;.

Category of personal information collected according to the CCPA: identifiers; internet or other electronic network activity information.

‍

Information on opting out of interest-based advertising

In addition to any opt-out feature provided by any of the services listed in this document, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section of the Cookie Policy.

The Product uses Trackers. To learn more about Tracker usage, Users may consult the Cookie Policy.

‍

Further information for Users in Singapore

‍

Data protection notice

This Data Protection Notice (“Notice”) sets out the basis which the Brainactive Group of Companies (“we”, “us”, or “our”) may collect, use, disclose or otherwise process personal data of our customers in accordance with the Personal Data Protection Act (“PDPA”). This Notice applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.

Personal data

1. As used in this Notice:

“customer” means an individual who (a) has contacted us through any means to find out more about any goods or services we provide, or (b) may, or has, entered into a contract with us for the supply of any goods or services by us; and

“personal data” means data, whether true or not, about a customer who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access.

2. Depending on the nature of your interaction with us, some examples of personal data which we may collect from you may include but not be limited to name, residential address, email address, telephone number, nationality, gender and date of birth.

3. Other terms used in this Notice shall have the meanings given to them in the PDPA (where the context so permits).

Collection, use and disclosure of personal data

4. We generally do not collect your personal data unless (a) it is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes, or (b) collection and use of personal data without consent is permitted or required by the PDPA or other laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).

5. We may collect and use your personal data for any or all of the purposes which may include but not be limited to the following:

(a) performing obligations in the course of or in connection with our provision of the goods and/or services requested by you;

(b) verifying your identity;

(d) managing your relationship with us;

(e) processing payment or credit transactions;

(f) complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;

(g) any other purposes for which you have provided the information;

(h) transmitting to any unaffiliated third parties including our third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the aforementioned purposes; and

(i) any other incidental business purposes related to or in connection with the above.

6. We may disclose your personal data:

(a) where such disclosure is required for performing obligations in the course of or in connection with our provision of the goods and services requested by you; or

(b) to third party service providers, agents and other organisations we have engaged to perform any of the functions with reference to the above mentioned purposes.

7. The purposes listed in the above clauses may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter(including, where applicable, a period to enable us to enforce our rights under a contract with you).

Withdrawing your consent

8. The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you inwriting. You may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.

9. Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within twenty-two (22) business days of receiving it.

10. Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us inwriting in the manner described in clause 8 above.

11. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.

Access to and correction of personal data

12. If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold about you, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.

13. Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.

14. We will respond to your request as soon as reasonably possible. In general, our response will be within twenty-two (22) business days. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).

Protection of personal data

15. To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures which may include but not be limited to minimised collection of personal data, authentication and access controls (such as good password practices, need-to-basis for data disclosure, etc.), encryption of data, data anonymisation, and web security measures against risks.

16. You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.

Accuracy of personal data

17. We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer inwriting or via email at the contact details provided below.

Retention of personal data

18. We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws.

19. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.

Transfers of personal data outside of Singapore

20. We generally do not transfer your personal data to countries outside of Singapore. However, if we do so, we will obtain your consent for the transfer to be made and we will take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA.

Data protection officer

21. You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:

Contact No. : +40745183470

Email Address : privacy@brainactive.ai

Effect of notice and changes to notice

22. This Notice applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.

23. We may revise this Notice from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Notice was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.

Effective date : 26/08/2024
Last updated : 26/08/2024

‍

Further information for Users in Switzerland

This section applies to Users in Switzerland, and, for such Users, supersedes any other possibly divergent or conflicting information contained in the privacy policy.

Further details regarding the categories of Data processed, the purposes of processing, the categories of recipients of the personal data, if any, the retention period and further information about Personal Data can be found in the section titled “Detailed information on the processing of Personal Data” within this document.

The rights of Users according to the Swiss Federal Act on Data Protection

Users may exercise certain rights regarding their Data within the limits of law, including the following:

right of access to Personal Data;
right to object to the processing of their Personal Data (which also allows Users to demand that processing of Personal Data be restricted, Personal Data be deleted or destroyed, specific disclosures of Personal Data to third parties be prohibited);
right to receive their Personal Data and have it transferred to another controller (data portability);
right to ask for incorrect Personal Data to be corrected.

How to exercise these rights

‍

Further information for Users in Brazil

This section of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the entity running www.brainactive.ai and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).
This section applies to all Users in Brazil (Users are referred to below, simply as “you”, “your”, “yours”), according to the "Lei Geral de Proteção de Dados" (the "LGPD"), and for such Users, it supersedes any other possibly divergent or conflicting information contained in the privacy policy.
This part of the document uses the term “personal information“ as it is defined in the LGPD.

The grounds on which we process your personal information

We can process your personal information solely if we have a legal basis for such processing. Legal bases are as follows:

your consent to the relevant processing activities;
compliance with a legal or regulatory obligation that lies with us;
the carrying out of public policies provided in laws or regulations or based on contracts, agreements and similar legal instruments;
studies conducted by research entities, preferably carried out on anonymized personal information;
the carrying out of a contract and its preliminary procedures, in cases where you are a party to said contract;
the exercising of our rights in judicial, administrative or arbitration procedures;
protection or physical safety of yourself or a third party;
the protection of health – in procedures carried out by health entities or professionals;
our legitimate interests, provided that your fundamental rights and liberties do not prevail over such interests; and
credit protection.

To find out more about the legal bases, you can contact us at any time using the contact details provided in this document.

‍

Categories of personal information processed

To find out what categories of your personal information are processed, you can read the section titled “Detailed information on the processing of Personal Data” within this document.

‍

Why we process your personal information

To find out why we process your personal information, you can read the sections titled “Detailed information on the processing of Personal Data” and “The purposes of processing” within this document.

‍

Your Brazilian privacy rights, how to file a request and our response to your requests

‍

Your Brazilian privacy rights

You have the right to:

obtain confirmation of the existence of processing activities on your personal information;
access to your personal information;
have incomplete, inaccurate or outdated personal information rectified;
obtain the anonymization, blocking or elimination of your unnecessary or excessive personal information, or of information that is not being processed in compliance with the LGPD;
obtain information on the possibility to provide or deny your consent and the consequences thereof;
obtain information about the third parties with whom we share your personal information;
obtain, upon your express request, the portability of your personal information (except for anonymized information) to another service or product provider, provided that our commercial and industrial secrets are safeguarded;
obtain the deletion of your personal information being processed if the processing was based upon your consent, unless one or more exceptions provided for in art. 16 of the LGPD apply;
revoke your consent at any time;
lodge a complaint related to your personal information with the ANPD (the National Data Protection Authority) or with consumer protection bodies;
oppose a processing activity in cases where the processing is not carried out in compliance with the provisions of the law;
request clear and adequate information regarding the criteria and procedures used for an automated decision; and
request the review of decisions made solely on the basis of the automated processing of your personal information, which affect your interests. These include decisions to define your personal, professional, consumer and credit profile, or aspects of your personality.

You will never be discriminated against, or otherwise suffer any sort of detriment, if you exercise your rights.

‍

How to file your request

You can file your express request to exercise your rights free from any charge, at any time, by using the contact details provided in this document, or via your legal representative.

‍

How and when we will respond to your request

We will strive to promptly respond to your requests.
In any case, should it be impossible for us to do so, we’ll make sure to communicate to you the factual or legal reasons that prevent us from immediately, or otherwise ever, complying with your requests. In cases where we are not processing your personal information, we will indicate to you the physical or legal person to whom you should address your requests, if we are in the position to do so.

In the event that you file an access or personal information processing confirmation request, please make sure that you specify whether you’d like your personal information to be delivered in electronic or printed form.
You will also need to let us know whether you want us to answer your request immediately, in which case we will answer in a simplified fashion, or if you need a complete disclosure instead.
In the latter case, we’ll respond within 15 days from the time of your request, providing you with all the information on the origin of your personal information, confirmation on whether or not records exist, any criteria used for the processing and the purposes of the processing, while safeguarding our commercial and industrial secrets.

In the event that you file a rectification, deletion, anonymization or personal information blocking request, we will make sure to immediately communicate your request to other parties with whom we have shared your personal information in order to enable such third parties to also comply with your request — except in cases where such communication is proven impossible or involves disproportionate effort on our side.

‍

Transfer of personal information outside of Brazil permitted by the law

We are allowed to transfer your personal information outside of the Brazilian territory in the following cases:

when the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, according to the legal means provided by the international law;
when the transfer is necessary to protect your life or physical security or those of a third party;
when the transfer is authorized by the ANPD;
when the transfer results from a commitment undertaken in an international cooperation agreement;
when the transfer is necessary for the execution of a public policy or legal attribution of public service;
when the transfer is necessary for compliance with a legal or regulatory obligation, the carrying out of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.

‍

Further information for users residing in the State of California, USA

This section of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the business running www.brainactive.ai and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).

This section applies to all Users (Users are referred to below, simply as “you”, “your”, “yours”), who are consumers residing in the state of California, United States of America, according to the "California Consumer Privacy Act of 2018" (the "CCPA"), as updated by the "California Privacy Rights Act" (the "CPRA") and subsequent regulations. For such consumers, this section supersedes any other possibly divergent or conflicting information contained in the privacy policy.

This part of the document uses the terms “personal information” (and “sensitive personal information”) as defined in the California Consumer Privacy Act (CCPA).

‍

Notice at collection

Categories of personal information collected, used, sold, or shared

In this section we summarize the categories of personal information that we've collected, used, sold, or shared and the purposes thereof. You can read about these activities in detail in the section titled “Detailed information on the processing of Personal Data” within this document.

‍

Information we collect: the categories of personal information we collect

We have collected the following categories of personal information about you: identifiers, personal information, commercial information, biometric information, internet or other electronic network activity information, geolocation data, audio, electronic, visual, thermal, olfactory, or similar information, employment related information, education information and inferences drawn from other personal information.

We have collected the following categories of sensitive personal information: VAT Number, Tax ID, username, password, VAT Number, Tax ID, Social Security number (SSN), username, Family Members and Relationship Status, Friends' Religious and Political Views, Religious and Political Views, Text Messaging, Fitness Actions, username, contents of the email or message, username, payment info, username, financial information and credit card number

We will not collect additional categories of personal information without notifying you.

‍

Your right to limit the use or disclosure of your sensitive personal information and how you can exercise it

You have the right to request that we limit the use or disclosure of your sensitive personal information to only that which is necessary to perform the services or provide the goods, as is reasonably expected by an average consumer.

We can also use your sensitive personal information to perform specific purposes set forth by the law (such as, including but not limited to, helping to ensure security and integrity; undertaking activities to verify or maintain the quality or safety of our service) and as authorized by the relevant regulations.

Outside of the aforementioned specific purposes, you have the right to freely request, at any time, that we do not use or disclose your sensitive personal information. This means that whenever you ask us to stop using your sensitive personal information, we will abide by your request and we will instruct our service providers and contractors to do the same.

To fully exercise your right to limit the use or disclosure of your sensitive personal information you can contact us at any time, using the contact details provided in this document.

For a simplified method you can also use the privacy choices link provided on www.brainactive.ai.

We use any personal information collected from you in connection with the submission of your request solely for the purposes of complying with the request.

Once you have exercised this right, we are required to wait at least 12 months before asking whether you have changed your mind.

‍

What are the purposes for which we use your personal information?

We may use your personal information to allow the operational functioning of www.brainactive.ai and features thereof (“business purposes”). In such cases, your personal information will be processed in a fashion necessary and proportionate to the business purpose for which it was collected, and strictly within the limits of compatible operational purposes.

We may also use your personal information for other reasons such as for commercial purposes (as indicated within the section “Detailed information on the processing of Personal Data” within this document), as well as for complying with the law and defending our rights before the competent authorities where our rights and interests are threatened or we suffer an actual damage.

We won’t process your information for unexpected purposes, or for purposes incompatible with the purposes originally disclosed, without your consent.

‍

How long do we keep your personal information?

Unless stated otherwise inside the “Detailed information on the processing of Personal Data” section, we will not retain your personal information for longer than is reasonably necessary for the purpose(s) they have been collected for.

‍

How we collect information: what are the sources of the personal information we collect?

We collect the above-mentioned categories of personal information, either directly or indirectly, from you when you use www.brainactive.ai.

For example, you directly provide your personal information when you submit requests via any forms on www.brainactive.ai. You also provide personal information indirectly when you navigate www.brainactive.ai, as personal information about you is automatically observed and collected.

Finally, we may collect your personal information from third parties that work with us in connection with the Service or with the functioning of this Application and features thereof.

‍

How we use the information we collect: disclosing of your personal information with third parties for a business purpose

For our purposes, the word “third party” means a person who is not any of the following: a service provider or a contractor, as defined by the CCPA.

We disclose your personal information with the third parties listed in detail in the section titled “Detailed information on the processing of Personal Data” within this document. These third parties are grouped and categorized in accordance with the different purposes of processing.

‍

Sale or sharing of your personal information

For our purposes, the word “sale” means any “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer's personal information by the business to a third party, for monetary or other valuable consideration”, as defined by the CCPA.

This means that, for example, a sale can happen whenever an application runs ads, or makes statistical analyses on the traffic or views, or simply because it uses tools such as social network plugins and the like.

For our purposes, the word “sharing” means any “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged”, as defined by the CCPA.
Please note that the exchange of personal information with a service provider pursuant to a written contract that meets the requirements set by the CCPA, does not constitute a sale or sharing of your personal information.

‍

Your right to opt out of the sale or sharing of your personal information and how you can exercise it

We sell or share your personal information with the third parties listed in detail in the section titled “Detailed information on the processing of Personal Data” within this document. These third parties are grouped and categorized in accordance with the different purposes of processing.

You have the right to opt out of the sale or sharing of your personal information. This means that whenever you request us to stop selling or sharing your personal information, we will abide by your request.
Such requests can be made freely, at any time, without submitting any verifiable request.
To fully exercise your right to opt out, you can contact us at any time using the contact details provided in this document.
For a simplified opt-out method you can also use the privacy choices link provided on www.brainactive.ai.

If you want to submit requests to opt out of the sale or sharing of personal information via a user-enabled global privacy control, like the Global Privacy Control (“GPC”), you are free to do so and we will abide by such request in a frictionless manner (as defined in the CPRA regulations). The GPC consists of a setting or extension in the browser or mobile device and acts as a mechanism that websites can use to indicate they support the GPC signal. If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available here.

We use any personal information collected from you in connection with the submission of your opt-out request solely for the purposes of complying with the opt-out request.

Once you have opted out, we are required to wait at least 12 months before asking whether you have changed your mind.

‍

Your privacy rights under the California Consumer Privacy Act and how to exercise them

The right to access personal information: the right to know and to portability

You have the right to request that we disclose to you:

the categories of personal information that we collect about you;
the sources from which the personal information is collected;
the purposes for which we use your information;
to whom we disclose such information;
the specific pieces of personal information we have collected about you.

You also have the right to know what personal information is sold or shared and to whom. In particular, you have the right to request two separate lists from us where we disclose:

the categories of personal information that we sold or shared about you and the categories of third parties to whom the personal information was sold or shared;
the categories of personal information that we disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

The disclosure described above will be limited to the personal information collected or used over the past 12 months.

If we deliver our response electronically, the information enclosed will be "portable", i.e. delivered in an easily usable format to enable you to transmit the information to another entity without hindrance — provided that this is technically feasible.

‍

The right to request the deletion of your personal information

You have the right to request that we delete any of your personal information, subject to exceptions set forth by the law (such as, including but not limited to, where the information is used to identify and repair errors on www.brainactive.ai, to detect security incidents and protect against fraudulent or illegal activities, to exercise certain rights etc.).

If no legal exception applies, as a result of exercising your right, we will delete your personal information and notify any of our service providers and all third parties to whom we have sold or shared the personal information to do so — provided that this is technically feasible and doesn’t involve disproportionate effort.

‍

The right to correct inaccurate personal information

You have the right to request that we correct any inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes of the processing of the personal information.

‍

The right to opt out of sale or sharing of personal information and to limit the use of your sensitive personal information

You have the right to opt out of the sale or sharing of your personal information. You also have the right to request that we limit our use or disclosure of your sensitive personal information.

‍

The right of no retaliation following opt-out or exercise of other rights (the right to non-discrimination)

We will not discriminate against you for exercising your rights under the CCPA. This means that we will not discriminate against you, including, but not limited to, by denying goods or services, charging you a different price, or providing a different level or quality of goods or services just because you exercised your consumer privacy rights.

However, if you refuse to provide your personal information to us or ask us to delete or stop selling your personal information, and that personal information or sale is necessary for us to provide you with goods or services, we may not be able to complete that transaction.

To the extent permitted by the law, we may offer you promotions, discounts, and other deals in exchange for collecting, keeping, or selling your personal information, provided that the financial incentive offered is reasonably related to the value of your personal information.

‍

How to exercise your rights

To exercise the rights described above, you need to submit your verifiable request to us by contacting us via the details provided in this document.

For us to respond to your request, it’s necessary that we know who you are. Therefore, you can only exercise the above rights by making a verifiable request which must:

provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative;
describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We will not respond to any request if we are unable to verify your identity and therefore confirm the personal information in our possession actually relates to you.

Making a verifiable consumer request does not require you to create an account with us. We will use any personal information collected from you in connection with the verification of your request solely for the purposes of verification and shall not further disclose the personal information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.

If you cannot personally submit a verifiable request, you can authorize a person registered with the California Secretary of State to act on your behalf.

If you are an adult, you can make a verifiable request on behalf of a child under your parental authority.

You can submit a maximum number of 2 requests over a period of 12 months.

‍

How and when we are expected to handle your request

We will confirm receipt of your verifiable request within 10 days and provide information about how we will process your request.

We will respond to your request within 45 days of its receipt. Should we need more time, we will explain to you the reasons why, and how much more time we need. In this regard, please note that we may take up to 90 days to fulfill your request.

Our disclosure(s) will cover the preceding 12-month period. Only with regard to personal information collected on or after January 1, 2022, you have the right to request that we disclose information beyond the 12-month period, and we will provide them to you unless doing so proves impossible or would involve a disproportionate effort.

Should we deny your request, we will explain you the reasons behind our denial.

We do not charge a fee to process or respond to your verifiable request unless such request is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee, or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind it.

‍

Further information for users residing in the State of Virginia, USA

This section of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the controller running this Application and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).

This section applies to all Users (Users are referred to below, simply as “you”, “your”, “yours”), who are consumers residing in the Commonwealth of Virginia, according to the “Virginia Consumer Data Protection Act" (the "VCDPA"), and, for such consumers, it supersedes any other possibly divergent or conflicting information contained in the privacy policy.

This part of the document uses the terms “personal data” (and “sensitive data”) as defined in the VCDPA.

‍

Categories of personal data processed

In this section, we summarize the categories of personal data that we've processed and the purposes thereof. You can read about these activities in detail in the section titled “Detailed information on the processing of Persona Data” within this document.

‍

Categories of personal data we collect

We have collected the following categories of personal data: identifiers, commercial information, biometric information, internet information, geolocation data, sensorial information, employment related information and inferred information

With your consent, we collect the following categories of sensitive data: VAT Number, Tax ID, VAT Number, Tax ID, Social Security number (SSN), Family Members and Relationship Status, Friends' Religious and Political Views, Religious and Political Views and Fitness Actions

You can freely give, deny or withdraw your consent for the processing of sensitive data at any time using the contact details provided in this document or via the privacy choices link provided on www.brainactive.ai.

Please note that certain exceptions set forth in the VCDPA may apply, such as, but not limited to, when the collection and processing of sensitive data is necessary for the provision of a product or service specifically requested by you.

We will not collect additional categories of personal data without notifying you.

‍

Why we process your personal data

To find out why we process your personal data, you can read the sections titled “Detailed information on the processing of Personal Data” and “The purposes of processing” within this document.

We won’t process your information for unexpected purposes, or for purposes incompatible with the purposes originally disclosed, without your consent.
You can freely give, deny, or withdraw such consent at any time using the contact details provided in this document.

‍

How we use the data we collect: sharing of your personal data with third parties

We share your personal data with the third parties listed in detail in the section titled “Detailed information on the processing of Personal Data” within this document. These third parties are grouped and categorized in accordance with the different purposes of processing.
For our purposes, the word "third party" means "a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller" as defined by the VCDPA.

‍

Sale of your personal data

For our purposes, the word “sale” means any “exchange of personal data for monetary consideration by us to a third party“ as defined by the VCDPA.
Please note that according to the VCDPA, the disclosure of personal data to a processor that processes personal data on behalf of a controller does not constitute a sale. In addition, other specific exceptions set forth in the VCDPA may apply, such as, but not limited to, the disclosure of personal data to a third party for the provision of a product or service requested by you.
As specified in the “Detailed information on the processing of Personal Data” section of this document, our use of your personal information may be considered a sale under VCDPA.

‍

Your right to opt out of the sale of your personal data and how you can exercise it

You have the right to opt out of the sale of your personal data. This means that whenever you request us to stop selling your data, we will abide by your request. To fully exercise your right to opt out you can contact us at any time using the contact details provided in this document.

We use any personal data collected from you in connection with the submission of your opt-out request solely for the purpose of complying with the request.

‍

Processing of your personal data for targeted advertising

For our purposes, the word "targeted advertising" means "displaying advertisements to you where the advertisement is selected based on personal data obtained from your activities over time and across nonaffiliated websites or online applications to predict your preferences or interests" as defined by the VCDPA.

Please note that according to the VCDPA, targeted advertising does not include: “advertisements based on activities within a controller's own websites or online applications; advertisements based on the context of a consumer's current search query, visit to a website or online application; advertisements directed to a consumer in response to the consumer's request for information or feedback; or processing personal data solely for measuring or reporting advertising performance, reach, or frequency”.

To find out more details on the processing of your personal data for targeted advertising purposes, you can read the section titled “Detailed information on the processing of Personal Data” within this document.

‍

Your right to opt out of the processing of your personal data for targeted advertising and how you can exercise it

You have the right to opt out of the processing of your personal data for targeted advertising. This means that whenever you ask us to stop processing your data for targeted advertising, we will abide by your request. To fully exercise your right to opt out you can contact us at any time, using the contact details provided in this document.

We use any personal data collected from you in connection with the submission of your opt-out request solely for the purposes of complying with the opt-out request.

‍

Your privacy rights under the Virginia Consumer Data Protection Act and how to exercise them

You may exercise certain rights regarding your data processed by us. In particular, you have the right to do the following:

access personal data: the right to know. You have the right to request that we confirm whether or not we are processing your personal data. You also have the right to access such personal data.
correct inaccurate personal data. You have the right to request that we correct any inaccurate personal data we maintain about you, taking into account the nature of the personal data and the purposes of the processing of the personal data.
request the deletion of your personal data. You have the right to request that we delete any of your personal data.
obtain a copy of your personal data. We will provide your personal data in a portable and usable format that allows you to transfer data easily to another entity — provided that this is technically feasible.
opt out of the processing of your personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
non-discrimination. We will not discriminate against you for exercising your rights under the VCDPA. This means that we will not, among other things, deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your consumer privacy rights. However, if you refuse to provide your personal data to us or ask us to delete or stop selling your personal data, and that personal data or sale is necessary for us to provide you with goods or services, we may not be able to complete that transaction. To the extent permitted by the law, we may offer a different price, rate, level, quality, or selection of goods or services to you, including offering goods or services for no fee, if you have exercised your right to opt out, or our offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

‍

How to exercise your rights

To exercise the rights described above, you need to submit your request to us by contacting us via the contact details provided in this document.

For us to respond to your request, we need to know who you are.

We will not respond to any request if we are unable to verify your identity using commercially reasonable efforts and therefore confirm that the personal data in our possession actually relate to you. In such cases, we may request that you provide additional information which is reasonably necessary to authenticate you and your request.

Making a consumer request does not require you to create an account with us. However, we may require you to use your existing account. We will use any personal data collected from you in connection with your request solely for the purposes of authentication, without further disclosing the personal data, retaining it longer than necessary for purposes of authentication, or using it for unrelated purposes.

If you are an adult, you can make a request on behalf of a child under your parental authority.

‍

How and when we are expected to handle your request

We will respond to your request without undue delay, but in all cases and at the latest within 45 days of its receipt. Should we need more time, we will explain to you the reasons why, and how much more time we need. In this regard, please note that we may take up to 90 days to fulfill your request.

Should we deny your request, we will explain to you the reasons behind our denial without undue delay, but in all cases and at the latest within 45 days of receipt of the request. It is your right to appeal such decision by submitting a request to us via the details provided in this document. Within 60 days of receipt of the appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied you may contact the Attorney General to submit a complaint.

We do not charge a fee to respond to your request, for up to two requests per year. If your request is manifestly unfounded, excessive or repetitive, we may charge a reasonable fee or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind them.

‍

Further information for users residing in the State of Colorado, USA

This section of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the controller running www.brainactive.ai and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).

This section applies to all Users (Users are referred to below, simply as “you”, “your”, “yours”), who are consumers residing in the State of Colorado, according to the “Colorado Privacy Act" (the "CPA"), and, for such consumers, it supersedes any other possibly divergent or conflicting information contained in the privacy policy.

This part of the document uses the terms “personal data” (and “sensitive data”) as defined in the CPA.

‍

Categories of personal data processed

‍

Categories of personal data we collect

With your consent, we collect the following categories of sensitive data: VAT Number, Tax ID, VAT Number, Tax ID, Social Security number (SSN), Family Members and Relationship Status, Friends' Religious and Political Views, Religious and Political Views and Fitness Actions

You can freely give, deny or withdraw your consent for the processing of sensitive data at any time using the contact details provided in this document or via the privacy choices link provided on www.brainactive.ai.

Please note that certain exceptions set forth in the CPA may apply, such as, but not limited to, when the collection and processing of sensitive data is necessary for the provision of a product or service specifically requested by you.

We will not collect additional categories of personal data without notifying you.

‍

Why we process your personal data

‍

How we use the data we collect: sharing of your personal data with third parties

For our purposes, the word "third party" means "a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller." as defined by the CPA.

‍

Sale of your personal data

As specified in the “Detailed information on the processing of Personal Data” section of this document, our use of your personal data may be considered a sale under the CPA.

For our purposes, the word "sale", "sell", or "sold" means "the exchange of personal data for monetary or other valuable consideration by a controller to a third party" as defined by the CPA.

Please note that according to the CPA, the disclosure of personal data to a processor that processes personal data on behalf of a controller does not constitute a sale. In addition, other specific exceptions set forth in the CPA may apply, such as, but not limited to, the disclosure of personal data to a third party for the provision of a product or service requested by you.

‍

Your right to opt out of the sale of your personal data and how you can exercise it

You have the right to opt out of the sale of your personal data. This means that whenever you request us to stop selling your data, we will abide by your request.

To fully exercise your right to opt out you can contact us at any time, using the contact details provided in this document.

For a simplified opt-out method you can also use the privacy choices link provided on www.brainactive.ai.

We use any personal data collected from you in connection with the submission of your opt-out request solely for the purpose of complying with the request.

‍

Processing of your personal data for targeted advertising

As specified in the “Detailed information on the processing of Personal Data” section of this document, we may use your personal data for targeted advertising purposes.

For our purposes, the word "targeted advertising" means "displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests" as defined by CPA.

Please note that according to the CPA, targeted advertising does not include: “advertisements directed to a consumer in response to the consumer's request for information or feedback; advertisements based on activities within a controller's own websites or online applications or any affiliated website or online application; advertisements based on the context of a consumer's current search query, visit to an internet web site or online application; or processing personal data solely to measure or report advertising frequency, performance or reach”.

‍

Your right to opt out of the processing of your personal data for targeted advertising and how you can exercise it

To fully exercise your right to opt out you can contact us at any time, using the contact details provided in this document.

For a simplified opt-out method you can also use the privacy choices link provided on www.brainactive.ai.

We use any personal data collected from you in connection with the submission of your opt-out request solely for the purposes of complying with the opt-out request.

‍

Universal opt-out mechanism: Global privacy control

If you want to submit requests to opt-out of the sale of personal data or the targeted advertising via a user-enabled global privacy control, like the Global Privacy Control (“GPC”), you are free to do so and we will abide by such request. The GPC consists of a setting or extension in the browser or mobile device and acts as a mechanism that websites can use to indicate they support the GPC signal. If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available here.

‍

Your privacy rights under the Colorado Privacy Act and how to exercise them

You may exercise certain rights regarding your data processed by us. In particular, you have the right to do the following:

opt out of the processing of your personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
access personal data. You have the right to request that we confirm whether or not we are processing your personal data. You also have the right to access such personal data.
correct inaccurate personal data. You have the right to request that we correct any inaccurate personal data we maintain about you, taking into account the nature of the personal data and the purposes of the processing of the personal data.
request the deletion of your personal data. You have the right to request that we delete any of your personal data.
obtain a copy of your personal data. We will provide your personal data in a portable and usable format that allows you to transfer data easily to another entity – provided that this is technically feasible.

In any case, we will not increase the cost of, or decrease the availability of, a product or service, based solely on the exercise of any of your rights and unrelated to the feasibility or the value of a service. However, to the extent permitted by the law, we may offer a different price, rate, level, quality, or selection of goods or services to you, including offering goods or services for no fee, if our offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

‍

How to exercise your rights

To exercise the rights described above, you need to submit your request to us by contacting us via the contact details provided in this document.

For us to respond to your request, we need to know who you are and which right you wish to exercise.

If you are an adult, you can make a request on behalf of a child under your parental authority.

‍

How and when we are expected to handle your request

Should we deny your request, we will explain to you the reasons behind our denial without undue delay, but in all cases and at the latest within 45 days of receipt of the request. It is your right to appeal such decision by submitting a request to us via the details provided in this document. Within 45 days of receipt of the appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied you may contact the Attorney General to submit a complaint.

We do not charge a fee to respond to your request, for up to two requests per year.

‍

Further information for users residing in the State of Connecticut, USA

This section applies o all Users (Users are referred to below, simply as “you”, “your”, “yours”), who are consumers residing in the State of Connecticut, according to “An Act Concerning Personal Data Privacy and Online Monitoring " (also known as "The Connecticut Data Privacy Act" or the “CTDPA"), and, for such consumers, it supersedes any other possibly divergent or conflicting information contained in the privacy policy.

This part of the document uses the terms “personal data” (and “sensitive data”) as defined in the CTDPA.

‍

Categories of personal data processed

‍

Categories of personal data we collect

With your consent, we collect the following categories of sensitive data: VAT Number, Tax ID, VAT Number, Tax ID, Social Security number (SSN), Family Members and Relationship Status, Friends' Religious and Political Views, Religious and Political Views and Fitness Actions

You can freely give, deny or withdraw your consent for the processing of sensitive data at any time using the contact details provided in this document or via the privacy choices link provided on www.brainactive.ai. In the event of withdrawal, we will stop processing the relevant data as soon as possible, but no later than 15 days after receiving your withdrawal request.

Please note that certain exceptions set forth in the CTDPA may apply, such as, but not limited to, when the collection and processing of sensitive data is necessary for the provision of a product or service specifically requested by you.

We will not collect additional categories of personal data without notifying you.

‍

Why we process your personal data

‍

How we use the data we collect: sharing of your personal data with third parties

‍

Sale of your personal data

As specified in the “Detailed information on the processing of Personal Data” section of this document, our use of your personal data may be considered a sale under the CTDPA.

For our purposes, the word "sale", "sell", or "sold" means "the exchange of personal data for monetary or other valuable consideration by a controller to a third party" as defined by the CTDPA.

Please note that according to the CTDPA, the disclosure of personal data to a processor that processes personal data on behalf of a controller does not constitute a sale. In addition, other specific exceptions set forth in the CTDPA may apply, such as, but not limited to, the disclosure of personal data to a third party for the provision of a product or service requested by you.

‍

Your right to opt out of the sale of your personal data and how you can exercise it

You have the right to opt out of the sale of your personal data. This means that whenever you request us to stop selling your data, we will abide by your request.

To fully exercise your right to opt out you can contact us at any time, using the contact details provided in this document.

For a simplified opt-out method you can also use the privacy choices link provided on www.brainactive.ai.

We use any personal data collected from you in connection with the submission of your opt-out request solely for the purpose of complying with the request.

‍

Processing of your personal data for targeted advertising

As specified in the “Detailed information on the processing of Personal Data” section of this document, we may use your personal data for targeted advertising purposes.

For our purposes, the word "targeted advertising" means "displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer's activities across non affiliated websites, applications, or online services to predict consumer preferences or interests" as defined by CTDPA.

Please note that according to the CTDPA, targeted advertising does not include: “advertisements based on activities within a controller's own web sites or online applications; advertisements based on the context of a consumer's current search query, visit to an internet web site or online application; advertisements directed to a consumer in response to the consumer's request for information or feedback; or processing personal data solely to measure or report advertising frequency, performance or reach”.

‍

Your right to opt out of the processing of your personal data for targeted advertising and how you can exercise it

To fully exercise your right to opt out you can contact us at any time, using the contact details provided in this document.

For a simplified opt-out method you can also use the privacy choices link provided on www.brainactive.ai.

We use any personal data collected from you in connection with the submission of your opt-out request solely for the purposes of complying with the opt-out request.

‍

Universal opt-out mechanism: Global privacy control

‍

Your privacy rights under the Connecticut Data Privacy Act and how to exercise them

You may exercise certain rights regarding your data processed by us. In particular, you have the right to do the following:

access personal data. You have the right to request that we confirm whether or not we are processing your personal data. You also have the right to access such personal data.
correct inaccurate personal data. You have the right to request that we correct any inaccurate personal data we maintain about you, taking into account the nature of the personal data and the purposes of the processing of the personal data.
request the deletion of your personal data. You have the right to request that we delete any of your personal data.
obtain a copy of your personal data. We will provide your personal data in a portable and usable format that allows you to transfer data easily to another entity – provided that this is technically feasible.
opt out of the processing of your personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

‍

How to exercise your rights

To exercise the rights described above, you need to submit your request to us by contacting us via the contact details provided in this document.

For us to respond to your request, we need to know who you are and which right you wish to exercise.

If you are an adult, you can make a request on behalf of a child under your parental authority.

‍

How and when we are expected to handle your request

Should we deny your request, we will explain to you the reasons behind our denial without undue delay, but in all cases and at the latest within 45 days of receipt of the request. It is your right to appeal such decision by submitting a request to us via the details provided in this document. Within 45 days of receipt of the appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may contact the Attorney General to submit a complaint.

We do not charge a fee to respond to your request, for up to one request per year.

‍

Further information for users residing in the State of Utah, USA

This section applies to all Users (Users are referred to below, simply as “you”, “your”, “yours”), who are consumers residing in the State of Utah, according to the “Consumer Privacy Act" (the “UCPA"), and, for such consumers, it supersedes any other possibly divergent or conflicting information contained in the privacy policy.

This part of the document uses the terms “personal data” (and “sensitive data”) as defined in the UCPA.

‍

Categories of personal data processed

‍

Categories of personal data we collect

With your consent, we collect the following categories of sensitive data: VAT Number, Tax ID, VAT Number, Tax ID, Social Security number (SSN), Family Members and Relationship Status, Friends' Religious and Political Views, Religious and Political Views and Fitness Actions

You can freely give, deny or withdraw your consent for the processing of sensitive data at any time using the contact details provided in this document or via the privacy choices link provided on www.brainactive.ai.

Please note that certain exceptions set forth in the UCPA may apply, such as, but not limited to, when the collection and processing of sensitive data is necessary for the provision of a product or service specifically requested by you.

We will not collect additional categories of personal data without notifying you.

‍

Why we process your personal data

‍

How we use the data we collect: sharing of your personal data with third parties

For our purposes, the word "third party" means "a person other than: the consumer, controller, or processor; or an affiliate or contractor of the controller or the processor" as defined by the UCPA.

‍

Sale of your personal data

As specified in the “Detailed information on the processing of Personal Data” section of this document, our use of your personal data may be considered a sale under the UCPA.

For our purposes, the word "sale", "sell", or "sold" means "the exchange of personal data for monetary or other valuable consideration by a controller to a third party" as defined by the UCPA.

Please note that according to the UCPA, the disclosure of personal data to a processor that processes personal data on behalf of a controller does not constitute a sale. In addition, other specific exceptions set forth in the UCPA may apply, such as, but not limited to, the disclosure of personal data to a third party for the provision of a product or service requested by you.

‍

Your right to opt out of the sale of your personal data and how you can exercise it

You have the right to opt out of the sale of your personal data. This means that whenever you request us to stop selling your data, we will abide by your request.

To fully exercise your right to opt out you can contact us at any time, using the contact details provided in this document.

For a simplified opt-out method you can also use the privacy choices link provided on www.brainactive.ai.

We use any personal data collected from you in connection with the submission of your opt-out request solely for the purpose of complying with the request.

‍

Processing of your personal data for targeted advertising

As specified in the “Detailed information on the processing of Personal Data” section of this document, we may use your personal data for targeted advertising purposes.

For our purposes, the word "targeted advertising" means "displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests" as defined by UCPA.

Please note that according to the UCPA, targeted advertising does not include: “advertisements based on activities within a controller's own websites or online applications or any affiliated website or online application; advertisements based on the context of a consumer's current search query, visit to an web site or online application; advertisements directed to a consumer in response to the consumer's request for information, product, a service or feedback; or processing personal data solely to measure or report advertising performance, reach or frequency.”

‍

Your right to opt out of the processing of your personal data for targeted advertising and how you can exercise it

To fully exercise your right to opt out you can contact us at any time, using the contact details provided in this document.

For a simplified opt-out method you can also use the privacy choices link provided on www.brainactive.ai.

We use any personal data collected from you in connection with the submission of your opt-out request solely for the purposes of complying with the opt-out request.

‍

Your privacy rights under the Utah Consumer Privacy Act and how to exercise them

You may exercise certain rights regarding your data processed by us. In particular, you have the right to do the following:

access personal data. You have the right to request that we confirm whether or not we are processing your personal data. You also have the right to access such personal data.
request the deletion of your personal data. You have the right to request that we delete any of your personal data.
obtain a copy of your personal data. We will provide your personal data in a portable and usable format that allows you to transfer data easily to another entity – provided that this is technically feasible.
opt out of the processing of your personal data for the purposes of targeted advertising or the sale of personal data.

‍

How to exercise your rights

To exercise the rights described above, you need to submit your request to us by contacting us via the contact details provided in this document.

For us to respond to your request, we need to know who you are and which right you wish to exercise.

If you are an adult, you can make a request on behalf of a child under your parental authority.

‍

How and when we are expected to handle your request

Should we deny your request, we will explain to you the reasons behind our denial without undue delay, but in all cases and at the latest within 45 days of receipt of the request.

We do not charge a fee to respond to your request, for up to one request per year.

‍

DEFINITIONS

Personal Data (or Data)

Any information that, directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person. Unless otherwise expressly indicated in this Policy, Personal Data refers to the User’s Personal Data

‍

Usage Data

Information about a User collected automatically through the Product (or third-party services employed in the Product, as listed in this document), which can include: the IP addresses or domain names of the computers utilized by the Users who use the Product, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin for the request, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Product) and the details about the path followed within the Product with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

‍

User

has the meaning given in the Terms & Conditions available here, and unless otherwise provided in this Policy, is the Data Subject.

‍

Data Subject

The natural person to whom the Personal Data refers.

‍

Data Processor (or Processor)

The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this Policy.

‍

Data Controller (or Owner)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of the Product. The Data Controller, unless otherwise specified in this Policy, is the Owner.

‍

Product

has the meaning given in the Terms & Conditions available here.

‍

Policy

is this privacy policy

‍

Services

has the meaning given in the Terms & Conditions available here.

‍

European Union (or EU)

Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

‍

Cookie

Cookies are Trackers consisting of small sets of data stored in the User's browser, and their use in the Product is reflected in the cookie policy available here.

‍

Tracker

Tracker indicates any technology - e.g Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting - that enables the tracking of Users, for example by accessing or storing information on the User’s device. This Policy specifies in which cases the Company is using Trackers.

Privacy Policy

1. GENERAL ASPECTS

2. DETAILED INFORMATION ON THE PROCESSING OF PERSONAL DATA‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

Further information for Users in Singapore

Further information for Users in Switzerland

Further information for Users in Brazil

Further information for users residing in the State of California, USA

Further information for users residing in the State of Virginia, USA

Further information for users residing in the State of Colorado, USA

Further information for users residing in the State of Connecticut, USA

Further information for users residing in the State of Utah, USA

‍

2. DETAILED INFORMATION ON THE PROCESSING OF PERSONAL DATA
‍