Version: February 2023
The protection of personal data is an important concern for Brainloop Austria GmbH (“Brainloop Austria”) and the other group companies of the Brainloop Group (each referred to as a “Brainloop Group Company”). The Brainloop Group Companies process your personal data exclusively in accordance with legal requirements, in particular the EU General Data Protection Regulation (“GDPR”).
Brainloop Austria and the other Brainloop Group Companies provide their business customers (each referred to as a “Customer”) with various server and software-based, virtual and secure dataroom solutions for web-based document management, collaboration and communication (each referred to as a “Service”) during the term of a corresponding user agreement. Depending on the Customer’s location and the ordered service, the Customer’s user agreement is directly with Brainloop Austria or another Brainloop Group Company (in particular the parent company Brainloop AG).
Under the contractual agreements, the respective Customer may designate natural persons as users who are granted access to the service ordered by the Customer (“Users” or “you”). The respective Service is provided to authorized Users for use as an SaaS offering via a defined web portal (“web portal”) and/or the desktop and/or mobile application (“app”) provided for this purpose in each case (together referred to as the “Brainloop Platform”).
This Privacy Notice and Cookie Policy applies exclusively to use of the following Services:
– Brainloop Secure Dataroom Services (BDRS)
when using the Austrian Platform (https://my.brainloop.at)
(hereinafter: “Brainloop Service”)
The Brainloop platform for the Brainloop Service is provided by Brainloop Austria and its subcontractors and is technically supported by Brainloop AG (with regard to administration, development and operation, customer support, platform/application management, and service management).
If you access the Brainloop Secure Dataroom Services (BDRS) via another country platform or use the Brainloop services MeetingSuite and/or MeetingSuiteCONNECT, separate privacy notices apply, which you can access at https://www.brainloop.com/en-gb/privacy-notice/.
The Brainloop Service is provided to customers by the respective Brainloop Group Company which concluded the agreement always in the context of commissioned processing; this ensures, in particular, that all personal customer data entered or transferred by users to the Brainloop Service in accordance with the Customer’s user agreement is processed exclusively on behalf of and in accordance with the Customer’s instructions. The details are as set forth in the respective contracts for commissioned processing concluded with Customers.
Independently of this, Brainloop Austria and Brainloop AG process certain data of Brainloop Service users as part of the technical provision of Brainloop Services in their role as (joint) controller. Below we explain which personal data Brainloop Austria and Brainloop AG, as joint controllers, collect from you as the user and process when you use the Brainloop Service, for what purposes and on what legal basis we process your data, who we may transfer your data to, and what rights you have in relation to the processing of your data. We also inform you which cookies are used when you use the Brainloop Service via the Brainloop Platform and how you can adjust the settings for use of cookies according to your personal preferences.
The current version of this Privacy Notice and Cookie Policy can be found at https://www.brainloop.com/en-gb/privacy-notice/.
This Privacy Notice and Cookie Policy supplements the Terms of Use for using Brainloop Services (“Terms of Use”), which form an integral part of the contract with the User for use of the Brainloop Service.
1.Who is responsible for processing my data and how can I contact the Brainloop Group Companies?
Brainloop Austria and Brainloop AG are responsible for the processing of your personal data under data protection law as joint controllers (within the meaning of Article 26 GDPR). You can reach the Brainloop Group Companies at any time using the contact information below:
Brainloop Austria GmbH,
Ausstellungsstraße 50 /C /2 OG,
1020 Vienna, Austria
Tel.: +49 89 444 699 0
Email: legal@brainloop.com
Brainloop AG
Theatinerstrasse 12, 80333 Munich, Germany
Tel.: +49 89 444 699 0
Email: legal@brainloop.com
You can contact Brainloop AG’s data protection officer at any time using the following contact details:
Email: dpo@brainloop.com
2. Which of my data will be processed? For what purposes and on what legal basis is the data processed?
2.1 Registration and user account
To be able to use the Brainloop Service, you must register for the Brainloop Service online via the Brainloop Platform and create a user account. Access is by invitation only.
For the purpose of registration and provision of the user account and your service profile, Brainloop Austria and Brainloop AG collect and process certain user account and profile data which the user discloses when registering and managing the user account or which Brainloop Austria and/or Brainloop AG receives from the Customer, such as name, title, email address, cellphone number, individual user account settings, authentication and access data (e.g., user ID, password), plus any other details such as telephone number, job title, company, street address, zip code, city, country, and signature (“User Account Data”). If you use the Brainloop Service via the apps provided by Brainloop AG, certain User Account Data (access data) required for authentication and linking of the account will also be stored locally on your device. App users are also asked to create an access code (PIN) to ensure secure access to the respective Brainloop Service. This data is stored locally on the respective device in encrypted form.
Brainloop Austria and Brainloop AG process any User Account Data for purposes of technical and administrative account management (in particular, registration, creation, administration, and provision of the user account and service profile) and for purposes of operation and security of the Brainloop Service (in particular, ensuring authentication and login processes, providing access to the Brainloop Service via the Brainloop Platform).
Brainloop Austria and Brainloop AG base the processing of your User Account Data for the above purposes on the necessity of processing (i) for the performance of the contract with you based on the Terms of Use or for carrying out pre-contractual measures in this regard (Art. 6 (1) b) GDPR) insofar as the contractual relationship exists with the respective Brainloop Group Company, and (ii) for the purposes of the legitimate interests of the Brainloop Group Companies in the effective and secure provision of the Brainloop Service and the fulfillment of our contractual obligations towards customers and users (Art. 6 (1) f) GDPR).
2.2 Use of the Brainloop Service and Brainloop Support
In addition, Brainloop Austria and Brainloop AG process further personal data of the User collected in the course of use of the Brainloop Services via the respective web portal and/or the respective apps (“User Data”), including:
– Usage data (e.g., user ID, IP address, security-related queries, document ID, usage activity history, e.g., modification, retrieval, or sending of a document or folder), and
– Diagnostic and maintenance data (e.g., log files containing usage data and other diagnostic data, such as document size, format, protection, user’s device software and browser software, technical faults, etc.).
If you use the Brainloop Service via the apps provided by Brainloop AG, certain data is stored locally on your end device in encrypted form in order to enable access to the Brainloop Service via the respective app and, if necessary, local editing of documents and processes. In addition to certain User Account Data (see Section 2.1), this also includes limited User Data, such as user ID, tokens, information on the assignment and synchronization of the respective Brainloop Platform, and app usage log files. The data can only be accessed via the user-defined access code (PIN). The data is processed to the extent necessary to provide secure access to the Brainloop Service and, if applicable, synchronization of the local offering via corresponding interfaces.
Where Users use the support provided by Brainloop Austria and/or Brainloop AG, Brainloop Austria and Brainloop AG also receive certain support data provided by a User in connection with a support request or collected by Brainloop Austria and/or Brainloop AG on behalf of the Customer concerned via the Brainloop Service, including any identification data of the ticket requester, data of the ticket requester (time/date and form of request), problem description, screenshots, and service usage data, as well as diagnostic and maintenance data (to the extent relevant for processing the support request) (“Support Data”). Support Data can also include User Data. If you use Brainloop AG’s Customer Service Portal (available at https://support.brainloop.com), including any support requests made to Customer Support via telephone or email, the specific Privacy Notice for use of the Customer Service Portal also applies.
Any User Data and Support Data are always processed exclusively by way of contract processing on behalf of and according to the instructions of the respective Customer who ordered the Brainloop Service used by the User. However, in addition to User Account Data (in this respect see Section 2.1 above), to a limited extent Brainloop Austria and/or Brainloop AG also process User Data and Support Data as (joint) controller for their own legitimate business purposes, to the extent necessary for:
– internal analysis, statistics and reporting
– general technical operation, ensuring the functionality and maintenance of the Brainloop Services, including error analysis and troubleshooting
– overall security of the Brainloop Services, including data security and cybersecurity, and
– product research and development.
For these purposes, it is necessary, to a limited extent, for Brainloop Austria and/or Brainloop AG to store, retain, analyze, and process information about the use of Brainloop Services across multiple customers and users, including relevant information derived from User Account Data, User Data (usage data, diagnostic and maintenance data), and Support Data. Insofar as personal data is contained in relevant records, these will be anonymized as soon as possible, to the extent technically practical and sufficient for the respective purposes, and processed only in aggregated and anonymized form.
Brainloop Austria and Brainloop AG base the processing of your personal data for the above purposes on the necessity of processing (i) for the performance of the contract with you based on the Terms of Use (Art. 6 (1) b) GDPR) insofar as the contractual relationship exists with the respective Brainloop Group Company, and (ii) for the purposes of the legitimate interests of the Brainloop Group Companies in fulfilling their contractual obligations towards customers and users, ensuring the functionality and security of the Brainloop Services and optimizing and improving Brainloop products and services (Art. 6 (1) f) GDPR).
Where Users use Brainloop Support, Brainloop Austria and/or Brainloop AG also store and process certain Support Data in their role as controller to protect their legitimate interests in (i) demonstrating compliance with legal and operational requirements, including under any certification procedures, (ii) optimizing customer support, and (iii) asserting, exercising and defending legal claims (Art. 6 (1) f) GDPR).
2.3 Use of the Brainloop Authenticator App
Brainloop AG offers you the possibility of 2-factor authentication by means of a security code when accessing your user account for the respective Brainloop Service. For this purpose, you can use the Authenticator App provided by Brainloop AG whereby you can link your user account to your device to receive the security code in the form of a time-based one-time password.
If you use the Brainloop Authenticator App, Brainloop AG processes your email address and user ID stored for use of the Brainloop Service as well as the generated one-time password, insofar as this is necessary to link your device with your user account and to provide services for authentication. For this purpose, the information is stored locally on your device to enable communication with the Brainloop server as part of the respective authentication process.
Brainloop AG bases the processing of your personal data for these purposes on the necessity of processing (i) for the performance of the contract with you based on the Terms of Use (Art. 6 (1) b) GDPR) insofar as it has been concluded with Brainloop AG, and (ii) for the purposes of its legitimate interests in fulfilling the contractual obligations of Brainloop Austria and/or Brainloop AG towards customers and users and ensuring the functionality and security of the Brainloop Services (Art. 6 (1) f) GDPR).
2.4 Legal obligations and legal rights
In addition, Brainloop Austria and Brainloop AG process personal data of the User, including User Account Data, User Data, and Support Data, to the extent necessary to ensure and document compliance with legal obligations and to assert, exercise, and defend legal claims (Art. 6 (1) c) and f) GDPR).
3. Am I obliged to provide my data?
In principle, you are neither legally nor contractually obliged to provide your data to Brainloop Austria and/or Brainloop AG. However, if you do not provide us with certain data, you may not be able to use the Brainloop Service, or you may be able to use it only to a limited extent.
4. Who will my data be shared with?
As a matter of principle, Brainloop Austria and Brainloop AG will only pass your data to third parties if this is necessary to provide the Brainloop Service or if we are legally obliged to do so.
Brainloop Austria and Brainloop AG also use external service providers to help them operate the Brainloop Service and/or provide the services offered to you. In particular, we engage technical service providers to store and manage your data and technically operate the offered functionalities (especially hosting service providers, IT service providers). We also use external SMS providers to enable you to use 2-factor authentication and receive service-related text messages (such as notification functions) in the context of the provision of the Brainloop Service via the Brainloop Platform.
All service providers act exclusively on behalf of the respective Brainloop Group Company and are obliged to take all necessary technical and organizational measures to protect your personal data in accordance with the requirements of data protection law. Our service providers are not permitted to disclose this information to third parties or use it for other purposes.
Otherwise, your data will not be disclosed to third parties without your prior consent, unless this is necessary for the exercise, assertion, or defense of our legal claims or the respective Brainloop Group Company is required to do so by law. This may be the case, for example, if we are required to cooperate with security agencies in connection with legal investigations.
5. Where will my data be stored? Will my data also be transferred to and/or processed in countries outside the European Union?
Your personal data will be stored and processed by Brainloop Austria and Brainloop AG exclusively within the European Union (“EU”).
However, depending on your use of the Brainloop Service, we may occasionally use technical service providers as SMS providers that are located outside the EU and the contracting states of the European Economic Area (“EEA”), including the United Kingdom and the USA. The SMS providers receive limited access to your data (mobile phone number, One Time PIN, message), to the extent that this is necessary in the respective individual case to technically enable and process the sending of the text messages requested by you (within the scope of the 2-factor authentication and notification function).
The data protection laws of countries outside the EU/EEA (such as the United States) may not ensure a level of data protection that is judged adequate by the European Commission. In particular, companies in these countries may be obliged to hand over personal data to security agencies without the data subjects having adequate legal protection. Brainloop Austria and Brainloop AG have taken appropriate steps, including by entering into contracts based on the EU Standard Contractual Clauses, to ensure that any service providers processing your data provide appropriate safeguards to adequately protect your personal data. In addition, we base the transfer of your data on the necessity of performing the contract concluded with you or the contract concluded in your interest with our SMS providers (Art. 49 (1) b) and c) GDPR).
The data protection laws in the United Kingdom have been assessed as adequate by the European Commission.
To learn more about the recipients of your personal data and to obtain a copy of the safeguards and measures we have implemented, please contact Brainloop Austria and/or Brainloop AG using the contact information given in Section 1 of this Privacy Notice.
6. How long will my data be stored?
Unless otherwise stipulated in this Privacy Notice, your data will only be stored by Brainloop Austria and Brainloop AG for as long as is necessary for the respective purpose for which we collect and process your data.
The following categories of data are retained as follows:
– User Account Data: Brainloop Austria and Brainloop AG generally store any User Account Data for as long as is necessary to provide the user account and for your use of the Brainloop Services. Your data will be deleted again (i) if your User Account is deleted (for example, as a result of a deletion request), or (ii) if you are no longer an authorized user of a Brainloop Service for any existing customer (and no relevant dataroom activity history is stored by you for any existing customer) and you have been inactive for a period of more than six (6) months.
– User Data: Any User Data that Brainloop Austria and/or Brainloop AG process in their role as controller will only be processed and stored in personal form for as long as it is necessary for the purposes listed in Section 2.2. The data is usually anonymized as early as possible, and then retained only in aggregated and anonymized form.
– Brainloop Authenticator App: The data stored in the Brainloop Authenticator App is deleted as soon as you uninstall the app from your device.
– Support Data: Any Support Data that Brainloop Austria and/or Brainloop AG process in their role as controller will be retained – to the extent necessary for the purposes set forth in Section 2.2 – for a maximum period of three (3) years, after which it will be deleted.
After the relevant storage period has expired, your data will be deleted in accordance with our general deletion routines, unless legal storage obligations (in particular due to commercial and tax law requirements, insofar as necessary for the handling of our contract with customers) conflict with this or longer storage is necessary in a specific individual case to protect the legitimate interests of Brainloop Austria and/or Brainloop AG (interest in the fulfillment of our legal obligations as well as the necessity of processing for the assertion, exercise, or defense of legal claims).
7. Are cookies deployed when the Brainloop Platform is used?
7.1 What are cookies and what are they used for?
Brainloop Austria and Brainloop AG deploy “cookies” when the Brainloop Service is used via the Brainloop Platform. Cookies are small text files stored in the memory of your device via your browser. Cookies store certain information (such as your page settings) that is sent back to us by your browser when you access the Brainloop platform (depending on how long the cookie is stored).
The cookies we use are stored on your device either temporarily for the duration of a session (“session cookies”) or for a longer period beyond the duration of your session (“permanent cookies”). Session cookies are automatically deleted at the end of your visit (i.e., when you end your session and close your browser/app). Permanent cookies remain stored on your device until the storage period of the cookies expires or you delete them yourself. The functional duration of the cookies we use is indicated in the summary table in Section 7.2 below.
Most of the cookies we use are set by us (“first-party cookies”). In addition, third-party cookies may be stored on your device if this is necessary to integrate services of external partners into the Brainloop Services (“third-party cookies”). You can see from the overview in Section 7.2 below whether the cookies used in the context of the Brainloop Services are set by us or by a third-party provider.
Cookies have various functions. The cookies we use are all those technically necessary (“necessary cookies”) for the operation of the Brainloop Platform or the provision of the Brainloop Services and their functionalities (e.g. page navigation, storage of page and language settings, storage of your cookie settings), pursuant to Section 25 (2) no. 2 of the German Telecommunications-Telemedia Data Protection Act (TTDSG), insofar as applicable. Where these cookies allow us to draw conclusions about your person, Brainloop Austria and Brainloop AG base the lawfulness of the processing of this data on the necessity of the processing (i) for the performance of the contract with you based on the Terms of Use (Art. 6 (1) b) GDPR) insofar as the contractual relationship exists with the respective Brainloop Group Company, and (ii) for the purposes of the legitimate interests of Brainloop Austria and Brainloop AG (effective and secure provision of the functionalities and services via our Brainloop Platform) (Art. 6 (1) f) GDPR).
7.2 Cookie overview
We only use necessary cookies within the scope of the Brainloop Secure Dataroom Services (BDRS). These are exclusively first-party cookies, which are described in more detail in the following table.
(a) Use of the web portal
| Cookie name | Functional duration | Purpose and description |
|---|---|---|
| [BDRS-farmname]_[UserID]_session | Deleted after closing the browser or 60 minutes of inactivity Session cookie | This cookie is used to validate the authentication of the current session with the server. |
| [BDRS-farmname]_[UserID]_daily | 1 day Permanent cookie | This cookie is used to validate the authentication of the current session with the server (depending on the authentication requirements according to the settings of the customer administrator) |
| [BDRS-farmname]_[UserID]_weekly | 1 week Permanent cookie | This cookie is used to validate the authentication of the current session with the server (depending on the authentication requirements according to the settings of the customer administrator) |
| [bdrs-farmname]_0_system | 6 months Permanent cookie | This cookie is used to store the system-wide permanent settings (e.g., language settings). |
| [bdrs-farmname]_webdav_session | 60 minutes after last save/edit Permanent cookie | This cookie enables access to the WebDAV / Adobe RMS server to allow reading and editing of documents via Internet Explorer / Microsoft Edge. |
| [BDRS_farmname]_cookie_check | 1 month Permanent cookie | This cookie is used for performance reasons and to determine whether your browser settings allow the necessary cookies to be stored and whether the cookies required for operation have been created correctly |
| apilogintoken | Deleted after the session timeout time has expired (60 minutes by default) Permanent cookie | The API token is needed to authenticate an API3 client (e.g. Secure Client) against the BDRS server and allows access to the SAML server |
| Brainloop_SessionId | Deleted after closing the browser or 60 minutes of inactivity Session cookie | Validation of the current session |
| AccessDeniedDetected_cookie | Deleted after closing the browser or 60 minutes of inactivity Session cookie | Used to record any access denials, in order to identify and address any errors. |
| DAV_CONN_TEST | 4 hours Permanent cookie | This cookie is used for a connection test with the WebDAV server |
| DAV_CONN_ANSWER | 4 hours Permanent cookie | This cookie is used for a connection test with the WebDAV server |
| ADOBE_REVIEW | Lifetime configurable standard:10080 minutes Permanent cookie | This cookie is used for authentication with the AEM server |
| Bluioldrequestid | 1 day Permanent cookie | This cookie is used to load UI elements |
| ASP.net__SessionId | Deleted after closing the browser or 1 year of inactivity Session cookie | Used to ensure a secure session (i.e., authentication of the user for the customer’s BDRS offer). |
| __RequestVerificationToken | Deleted after closing the browser or 1 year of inactivity Session cookie | This cookie is used to protect against CSRF attacks. |
(b) Use of the mobile app (Secure Client)
| Cookie name | Functional duration | Purpose and description |
|---|---|---|
| apilogintoken | Deleted after the login process is completed or after the app is closed Session cookie | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| ASP.net__SessionId | Deleted after the login process is completed or after the app is closed Session cookie | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| [bdrs-farmname]_0_system | Deleted after the login process is completed or after the app is closed Session cookie | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| [BDRS_farmname]_cookie_check | Deleted after the login process is completed or after the app is closed Session cookie | This cookie is used for authentication with the server. |
| Brainloop_SessionId | Deleted after the login process is completed or after the app is closed Session cookie | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| Bluioldrequestid | Deleted after the login process is completed or after the app is closed Session cookie | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| MSISAuth SamlSession MSISAuthenticated MSISLoopDetectionCookie MSISSamlRequest | Cookies are deleted after the login process is completed or after the app is closed Session cookie | The SAML login cookies allow access to the SAML server. |
7.3 Cookie settings
You can set your browser so that you are informed when cookies are set and only allow cookies in individual cases, decline the acceptance of cookies in certain cases or in general, and enable the automatic deletion of cookies when the browser is closed. When cookies are disabled, the functionality of access to the Brainloop Service may be limited.
8. What rights do I have as a data subject and how can I exercise them?
By law you have the right:
– to request information about processed personal data concerning you and a copy of this data (right of access)
– to request the rectification of inaccurate data and, taking into account the purposes of the processing, the completion of incomplete data (right to rectification); please let us know if your data and, if applicable, which of your data that we store have changed so that we can correct or update the corresponding data.
– to request the deletion of your data if there are legitimate grounds for doing so (right to erasure)
– to request the restriction of the processing of your data, provided that the legal requirements are met (right to restriction of processing)
– if the legal requirements are met, to receive the data provided by you in a structured, commonly used, and machine-readable format, and to transfer this data to another controller or, if technically feasible, to have it transferred by us (right to data portability), and
– not to be subject to a decision based solely on automated processing, where the legal requirements for this are not met. Brainloop does not use automated decision-making processes.
You also have the right to object to processing of your data that is carried out to protect the legitimate interests of Brainloop Austria, Brainloop AG, or third parties on grounds relating to your particular situation, in accordance with the statutory provisions (right to object).
Where the processing of your data is based on consent, you have the right to withdraw your consent at any time without this affecting the lawfulness of the processing of your data carried out on the basis of the consent up to the time it is withdrawn.
To exercise your rights or to withdraw any consent you have given, please contact the respective Brainloop Group Company using the contact details given in Section 1. You may assert your rights with regard to the processing of personal data within the scope of the joint controllership of Brainloop Austria and Brainloop AG at and in relation to each of the aforementioned controllers (i.e. each of the two Brainloop Group Companies). To exercise your rights effectively, we recommend that you approach the central contact point at Brainloop AG using the contact details given in Section 1.
Further information about joint controllership and about the essential nature of the agreement in this regard between Brainloop Austria and Brainloop AG can be obtained at any time upon request.
You also have the right to file a complaint with a supervisory authority at any time, without prejudice to other legal remedies.