Brainloop

Privacy Notice Platform Switzerland (my.brainloop.ch)

Version: March 2024

 

 

The protection of personal data is an important concern for Brainloop Switzerland AG (“Brainloop Switzerland”) and its subsidiaries (each referred to as a “Brainloop Subsidiary”). We process your personal data exclusively in accordance with legal requirements, in particular the Swiss Federal Act on Data Protection (“DSG”) and the EU General Data Protection Regulation (“GDPR”) (if applicable) as amended from time to time (“Applicable Data Protection Law”).

Brainloop and its Brainloop Subsidiaries provide their business customers (each referred to as a “Customer”) with various server and software-based, virtual, and secure dataroom solutions for web-based document management, collaboration, and communication, and/or the organization and holding of meetings (each referred to as a “Service”) during the term of a corresponding user agreement. Depending on the Customer’s location and the ordered service, the Customer’s user agreement is directly with Brainloop Switzerland or a Brainloop Subsidiary (in particular the parent company Brainloop AG).

Under the contractual agreements, the respective Customer may designate natural persons as users who are granted access to the service ordered by the Customer (“Users” or “you”). The respective Service is provided to authorized Users for use as an SaaS offering via a defined web portal (“web portal”) and/or the desktop and/or mobile application (“app”) provided for this purpose in each case (together referred to as the “Brainloop Platform”).

This Privacy Statement and Cookie Policy applies exclusively to use of the following Service:

  • Brainloop Secure Dataroom Services (BDRS) when using the Swiss Platform (https://my.brainloop.ch/) (hereinafter: “Brainloop Service”)

The Brainloop Platform for the Brainloop Service is provided by Brainloop Switzerland and its subcontractors and technically managed by Brainloop AG (in terms of administration, development and operation, customer support, platform/application management and service management).

If you access the Brainloop Secure Data Room Services via another country platform or use the Brainloop Services MeetingSuite and/or MeetingSuiteCONNECT, separate privacy notices apply, which you can access at https://www.brainloop.com/en-gb/privacy-notice/.

The Brainloop Service is always provided to customers by the respective contracting Brainloop Subsidiary in the context of commissioned processing; this ensures, in particular, that all personal customer data entered or transferred by users to the Brainloop Service in accordance with the Customer’s user agreement is processed exclusively on behalf of and in accordance with the Customer’s instructions. The details of such processing activities are set out in the respective contracts for commissioned processing concluded with the customers.

Independently of this, Brainloop Switzerland and Brainloop AG process certain data of Brainloop Service users as part of the technical provision of Brainloop Services in its role as (joint) controller. Below we explain what personal data Brainloop Switzerland and Brainloop AG collect and process from you as joint controllers when you use the Brainloop Service as a user, for what purposes and on what legal basis we process your data, to whom we may disclose your data and what rights you have with regard to the processing of your data. We also inform you which cookies are used when you use the Brainloop Service via the Brainloop Platform and how you can adjust the settings for use of cookies according to your personal preferences.

The current version of this Privacy Notice and Cookie Policy can be found at https://www.brainloop.com/en-gb/privacy-notice/.

This Privacy Statement and Cookie Policy supplements the Terms of Use for using Brainloop Services (“Terms of Use”), which form an integral part of the contract with the User for use of the Brainloop Service.

 

1. Who is responsible for processing my data and how can I contact Brainloop?

Brainloop Switzerland and Brainloop AG are jointly responsible for the processing of your personal data (joint controllers) under data protection law within the meaning of Art. 26 GDPR. You can reach the Brainloop Subsidiaries at any time using the contact information below:

Brainloop Switzerland AG
Gotthardstrasse 30, 6300 Zug, Switzerland
Tel.: +41 41 710 39 71
Email: legal@brainloop.com

Brainloop AG
Theatinerstrasse 12, 80333 Munich, Germany
Tel.: +49 89 444 699 0
Email: legal@brainloop.com

You can contact Brainloop’s data protection officer at any time using the following contact details:

Email: dpo@brainloop.com

 

2. Which of my data will be processed? For what purposes and on what legal basis is the data processed?

2.1 Registration and user account

To be able to use the Brainloop Service, you must register for the Brainloop Service online via the Brainloop Platform and create a user account. Access is by invitation only.

For the purpose of registration and provision of the user account and your service profile, Brainloop Switzerland and Brainloop AG collect and process certain user account and profile data which the user discloses when registering and managing the user account or which Brainloop Switzerland and/or Brainloop AG receives from the Customer, such as name, title, email address, cellphone number, individual user account settings, authentication and access data (e.g., user ID, password) (“User Account Data”). If you use the Brainloop Service via the apps provided by Brainloop AG, certain User Account Data (access data) required for authentication and linking of the account will also be stored locally on your device. App users are also asked to create an access code (PIN) to ensure secure access to the respective Brainloop Service. This data is stored locally on the respective device in encrypted form.

Brainloop Switzerland and Brainloop AG process any User Account Data for purposes of technical and administrative account management (in particular, registration, creation, administration, and provision of the user account and service profile) and for purposes of operation and security of the Brainloop Service (in particular, ensuring authentication and login processes, providing access to the Brainloop Service via the Brainloop Platform).

Brainloop Switzerland and Brainloop AG base the processing of your User Account Data for the above purposes on the necessity of processing (i) to fulfil the contract with you on the basis of the Terms of Use or to carry out pre-contractual measures in this regard, insofar as the contractual relationship exists with the respective Brainloop Subsidiary, and (ii) to safeguard the legitimate interests of the Brainloop Subsidiary in the effective and secure provision of the Brainloop Service and the fulfilment of contractual obligations towards customers and users.

2.2 Use of the Brainloop Service and Brainloop Support

In addition, Brainloop Switzerland and Brainloop AG process further personal data of the User collected in the course of use of the Brainloop Services via the respective web portal and/or the respective apps (“User Data”), including:

  • Usage data (e.g., user ID, IP address, security-related queries, document ID, usage activity history, e.g., modification, retrieval, or sending of a document or folder), and
  • Diagnostic and maintenance data (e.g., log files containing usage data and other diagnostic data, such as document size, format, protection, user’s device software and browser software, technical faults, etc.).

If you use the Brainloop Service via the apps provided by Brainloop AG, certain data is stored locally on your end device in encrypted form in order to enable access to the Brainloop Service via the respective app and, if necessary, local editing of documents and processes. In addition to certain User Account Data (see Section 2.1), this also includes limited User Data, such as user ID, tokens, information on the assignment and synchronization of the respective Brainloop Platform, and app usage log files. The data can only be accessed via the user-defined access code (PIN). The data is processed to the extent necessary to provide secure access to the Brainloop Service and, if applicable, synchronization of the local offering via corresponding interfaces.

Where Users use the support provided by Brainloop Switzerland and/or Brainloop AG, Brainloop Switzerland and Brainloop AG also receive certain support data provided by a User in connection with a support request or collected by Brainloop Switzerland and/or Brainloop AG on behalf of the Customer concerned via the Brainloop Service, including any identification data of the ticket requester, data of the ticket requester (time/date and form of request), problem description, screenshots and service usage data, as well as diagnostic and maintenance data (to the extent relevant for processing the support request) (“Support Data”). Support Data can also include User Data. If you use Brainloop’s Customer Service Portal (available at https://support.brainloop.com), including any support requests made to Customer Support via telephone or email, the specific Privacy Notice for use of the Customer Service Portal also applies.

In general, any User Data and Support Data will be processed exclusively as a processor on behalf of and in accordance with the instructions of the respective Customer who has ordered the Brainloop Service used by the User. However, Brainloop Switzerland and/or Brainloop AG process – in addition to User Account Data (in this respect see Section 2.1 above) – to a limited extent also User Data and Support Data as (joint) controller for its own legitimate business purposes to the extent necessary for:

  • internal analysis, statistics and reporting
  • general technical operation, ensuring the functionality and maintenance of the Brainloop Services, including error analysis and troubleshooting
  • overall security of the Brainloop Services, including data security and cybersecurity, and
  • product research and development.

For these purposes, it is necessary, to a limited extent, for Brainloop Switzerland and/or Brainloop AG to store, retain, analyze, and process information about the use of Brainloop Services across multiple customers and users, including relevant information derived from User Account Data, User Data (usage data, diagnostic and maintenance data), and Support Data. Insofar as personal data is contained in the relevant data records, it is anonymised as early as possible and only processed in aggregated and anonymised form, insofar as this is technically feasible and sufficient for the respective purposes.

Brainloop Switzerland and Brainloop AG base the processing of your personal data for the above purposes on the necessity of the processing (i) to perform the contract with you based on the Terms of Use, to the extent the contractual relationship exists with the respective Brainloop Subsidiary, and (ii) to safeguard the legitimate interests of the Brainloop Subsidiary in fulfilling their contractual obligations towards Customers and Users, ensuring the functionality and security of the Brainloop Services and optimising and improving the Brainloop products and services.

If users use Brainloop Support, Brainloop Switzerland and/or Brainloop AG will also store and process certain Support Data in its role as controller for the purposes of its legitimate interests in (i) demonstrating compliance with legal and operational requirements, including in the context of any certification procedures, (ii) optimising customer support, and (iii) asserting, exercising and defending legal claims.

2.3 Use of the Brainloop Authenticator App

Brainloop AG offers you the possibility of 2-factor authentication by means of a security code when accessing your user account for the respective Brainloop Service. For this purpose, you can use the Authenticator App provided by Brainloop AG whereby you can link your user account to your device to receive the security code in the form of a time-based one-time password.

If you use the Brainloop Authenticator App, Brainloop AG processes your email address and user ID stored for use of the Brainloop Service as well as the generated one-time password, insofar as this is necessary to link your device with your user account and to provide services for authentication. For this purpose, the information is stored locally on your device to enable communication with the Brainloop server as part of the respective authentication process.

Brainloop AG bases the processing of your personal data for these purposes on the necessity of the processing (i) to perform the contract with you based on the Terms of Use, if concluded with Brainloop AG, and (ii) to protect the legitimate interests in the fulfilment of Brainloop Switzerland’s and/or Brainloop AG’s contractual obligations towards customers and users and to ensure the functionality and security of the Brainloop Services.

2.4 Legal obligations and legal rights

In addition, Brainloop Switzerland and Brainloop AG process personal data of the user, including User Account Data, User Data and Support Data, insofar as this is necessary to ensure and document compliance with legal obligations and to assert, exercise and defend legal claims.

 

3. Am I obliged to provide my data?

In general, you are neither legally nor contractually obliged to provide your data to Brainloop Switzerland and/or Brainloop AG. However, if you do not provide us with certain data, you may not be able to use the Brainloop Service, or you may be able to use it only to a limited extent.

 

4. Who will my data be shared with?

As a matter of principle, Brainloop Switzerland and/or Brainloop AG only pass your data to third parties if this is necessary to provide the Brainloop Service or if we are legally obliged to do so.

In addition, Brainloop Switzerland and Brainloop AG use external service providers to support the operation of the Brainloop Service and/or to provide the services offered to you. In particular, we use technical service providers to store and manage your data and to operate the offered functionalities from a technical point of view (i.e. in particular hosting service providers, IT service providers). In addition, we use external SMS providers to enable you to use 2-factor authentication and to receive service-related text messages (e.g. notification function) as part of the provision of the Brainloop service via the Brainloop Platform.

All service providers work exclusively on behalf of the respective Brainloop Subsidiary and are obliged to take all necessary technical and organisational measures to protect your personal data in accordance with the requirements of data protection laws. Our service providers are not permitted to pass on your data to third parties or use it for other purposes.

Otherwise, your data will not be passed on to third parties without your prior consent, unless this is necessary for the exercise, assertion or defence of our legal claims or the respective Brainloop Subsidiary is legally obliged to do so. This may be the case, for example, if we are obliged to co-operate with the security authorities in connection with legal investigations.

 

5. Where will my data be stored? Will my data also be transferred to and/or processed in countries outside the European Union?

Your personal data will be stored and processed by Brainloop Switzerland and Brainloop AG exclusively in Switzerland and Germany.

However, depending on your use of the Brainloop Service, we may occasionally use technical service providers as SMS providers that are located outside the EU and the contracting states of the European Economic Area (“EEA”), including the United Kingdom and the USA. The SMS providers receive limited access to your data (mobile phone number, One Time PIN, message), to the extent that this is necessary in the respective individual case to technically enable and process the sending of the text messages requested by you (within the scope of the 2-factor authentication and notification function).

The data protection laws of countries outside Switzerland and the EU/EEA (such as the United States) may not ensure a level of data protection that is judged adequate by the European Commission. In particular, companies in these countries may be obliged to hand over personal data to security agencies without the data subjects having adequate legal protection. Brainloop Switzerland and Brainloop AG have taken appropriate steps, including by entering into contracts based on the EU Standard Contractual Clauses, to ensure that any service providers processing your data provide appropriate safeguards to adequately protect your personal data. In addition, we base the transfer of your data on the necessity of performing the contract concluded with you or the contract concluded in your interest with our SMS providers.

The data protection laws in the United Kingdom have been assessed as adequate by the European Commission.

To learn more about the recipients of your personal data and to obtain a copy of the safeguards and measures we have implemented, please contact Brainloop Switzerland and/or Brainloop AG using the contact information given in Section 1 of this Privacy Notice.

 

6. How long will my data be stored?

Unless otherwise stipulated in this Privacy Statement, your data will only be stored by Brainloop Switzerland and Brainloop AG for as long as is necessary for the respective purpose for which we collect and process your data.

The following categories of data are retained as follows:

User Account Data: Brainloop Switzerland and Brainloop AG generally store any User Account Data for as long as is necessary to provide the user account and for your use of the Brainloop Services. Your data will be deleted again (i) if your User Account is deleted (for example, as a result of a deletion request), or (ii) if you are no longer an authorized user of a Brainloop Service for any existing customer (and no relevant dataroom activity history is stored by you for any existing customer) and you have been inactive for a period of more than six (6) months.

User Data: Any User Data that Brainloop Switzerland and/or Brainloop AG process in its role as controller will only be processed and stored in personal form for as long as it is necessary for the purposes listed in Section 2.2. The data is usually anonymized as early as possible, and then retained only in aggregated and anonymized form.

Brainloop Authenticator App: The data stored in the Brainloop Authenticator App is deleted as soon as you uninstall the app from your device.

Support Data: Any Support Data that Brainloop Switzerland and/or Brainloop AG process in its role as joint controller will be retained – to the extent necessary for the purposes set forth in Section 2.2 – for a maximum period of three (3) years, after which it will be deleted.

After the relevant storage period has expired, your data will be deleted in accordance with our general deletion routines, unless legal storage obligations (in particular due to commercial and tax law requirements, insofar as necessary for the handling of our contract with customers) conflict with this or longer storage is necessary in a specific individual case to protect the legitimate interests of Brainloop Switzerland and Brainloop AG (interest in the fulfillment of our legal obligations as well as the necessity of processing for the assertion, exercise, or defense of legal claims).

 

7. Are cookies deployed when the Brainloop Platform is used?

7.1 What are cookies and what are they used for?

Brainloop Switzerland and Brainloop AG deploy “cookies” when the Brainloop Service is used via the Brainloop Platform. Cookies are small text files stored in the memory of your device via your browser. Cookies store certain information (such as your page settings) that is sent back to us by your browser when you access the Brainloop Platform (depending on how long the cookie is stored).

The cookies we use are stored on your device either temporarily for the duration of a session (“session cookies”) or for a longer period beyond the duration of your session (“permanent cookies”). Session cookies are automatically deleted at the end of your visit (i.e., when you end your session and close your browser/app). Permanent cookies remain stored on your device until the storage period of the cookies expires or you delete them yourself. The functional duration of the cookies we use is indicated in the summary table in Section 7.2 below.

Most of the cookies we use are set by us (“first-party cookies”). In addition, third-party cookies may be stored on your device if this is necessary to integrate services of external partners into the Brainloop Services (“third-party cookies”). You can see from the overview in Section 7.2 below whether the cookies used in the context of the Brainloop Services are set by us or by a third-party provider.

Cookies have various functions. The cookies we use are all technically necessary for the operation of the Brainloop Platform and the provision of Brainloop Services and their functionalities (“necessary cookies”) (e.g., page navigation, storage of page and language settings, storage of your cookie settings). To the extent that these cookies allow conclusions to be drawn about your person, Brainloop Switzerland and Brainloop AG base the lawfulness of the processing of this data on the necessity of the processing (i) for the performance of the contract with you on the basis of the Terms of Use, insofar as the contractual relationship exists with the respective Brainloop Subsidiary, and (ii) to safeguard the legitimate interests of Brainloop Switzerland and Brainloop AG (effective and secure provision of the functionalities and services via our Brainloop Platform).

7.2 Cookie overview

We only use necessary cookies within the scope of the Brainloop Secure Data Room Services. These are exclusively first-party cookies, which are described in more detail in the following table.

Use of the web portal

| Cookie name | Functional duration | Purpose and description |
| --- | --- | --- |
| [BDRS-farmname]_[UserID]_session | Deleted after closing the browser or 60 minutes of inactivity (session cookie) | This cookie is used to validate the authentication of the current session with the server. |
| [BDRS-farmname]_[UserID]_daily | 1 day (permanent cookie) | This cookie is used to validate the authentication of the current session with the server (depending on the authentication requirements according to the settings of the customer administrator). |
| [BDRS-farmname]_[UserID]_weekly | 1 week (permanent cookie) | This cookie is used to validate the authentication of the current session with the server (depending on the authentication requirements according to the settings of the customer administrator). |
| [bdrs-farmname]_0_system | 6 months (permanent cookie) | This cookie is used to store the system-wide permanent settings (e.g., language settings). |
| [bdrs-farmname]_webdav_session | 60 minutes after last save/edit (permanent cookie) | This cookie enables access to the WebDAV / Adobe RMS server to allow reading and editing of documents via Internet Explorer / Microsoft Edge. |
| [BDRS_farmname]_cookie_check | 1 month (permanent cookie) | This cookie is used for performance reasons and to determine whether your browser settings allow the necessary cookies to be stored and whether the cookies required for operation have been created correctly. |
| apilogintoken | Deleted after the session timeout time has expired (60 minutes by default) (permanent cookie) | The API token is needed to authenticate an API3 client (e.g. Secure Client) against the BDRS server and allows access to the SAML server. |
| Brainloop_SessionId | Deleted after closing the browser or 60 minutes of inactivity (session cookie) | Validation of the current session. |
| AccessDeniedDetected_cookie | Deleted after closing the browser or 60 minutes of inactivity (session cookie) | Used to record any access denials, in order to identify and address any errors. |
| DAV_CONN_TEST | 4 hours (permanent cookie) | This cookie is used for a connection test with the WebDAV server. |
| DAV_CONN_ANSWER | 4 hours (permanent cookie) | This cookie is used for a connection test with the WebDAV server. |
| ADOBE_REVIEW | Lifetime configurable, standard: 10080 minutes (permanent cookie) | This cookie is used for authentication with the AEM server. |
| Bluioldrequestid | 1 day (permanent cookie) | This cookie is used to load UI elements. |
| ASP.net__SessionId | Deleted after closing the browser or 1 year of inactivity (session cookie) | Used to ensure a secure session (i.e., authentication of the user for the customer’s BDRS offer). |
| __RequestVerificationToken | Deleted after closing the browser or 1 year of inactivity (session cookie) | This cookie is used to protect against CSRF attacks. |

 

Use of the mobile app (Secure Client)

| Cookie name | Functional duration | Purpose and description |
| --- | --- | --- |
| apilogintoken | Deleted after the login process is completed or after the app is closed (session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| ASP.net__SessionId | Deleted after the login process is completed or after the app is closed (session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| [bdrs-farmname]_0_system | Deleted after the login process is completed or after the app is closed (session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| [BDRS_farmname]_cookie_check | Deleted after the login process is completed or after the app is closed (session cookie) | This cookie is used for authentication with the server. |
| Brainloop_SessionId | Deleted after the login process is completed or after the app is closed (session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| Bluioldrequestid | Deleted after the login process is completed or after the app is closed (session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| MSISAuth, SamlSession, MSISAuthenticated, MSISLoopDetectionCookie, MSISSamlRequest | Cookies are deleted after the login process is completed or after the app is closed (session cookie) | The SAML login cookies allow access to the SAML server. |

 

7.3 Cookie settings

You can set your browser so that you are informed when cookies are set and only allow cookies in individual cases, decline the acceptance of cookies in certain cases or in general, and enable the automatic deletion of cookies when the browser is closed. When cookies are disabled, the functionality of access to the Brainloop Service may be limited.

 

8. What rights do I have as a data subject and how can I exercise them?

By law you have the right:

– to request information about processed personal data concerning you and a copy of this data (right of access)

– to request the rectification of inaccurate data and, taking into account the purposes of the processing, the completion of incomplete data (right to rectification); please let us know if your data and, if applicable, which of your data that we store have changed so that we can correct or update the corresponding data.

– to request the deletion of your data if there are legitimate grounds for doing so (right to erasure)

– to request the restriction of the processing of your data, provided that the legal requirements are met (right to restriction of processing)

– if the legal requirements are met, to receive the data provided by you in a structured, commonly used, and machine-readable format, and to transfer this data to another controller or, if technically feasible, to have it transferred by us (right to data portability), and

– not to be subject to a decision based solely on automated processing, where the legal requirements for this are not met. Brainloop does not use automated decision-making processes.

You also have the right to object to processing of your data that is carried out to protect the legitimate interests of Brainloop Switzerland, Brainloop AG, or third parties on grounds relating to your particular situation, in accordance with the statutory provisions (right to object).

Where the processing of your data is based on consent, you have the right to withdraw your consent at any time without this affecting the lawfulness of the processing of your data carried out on the basis of the consent up to the time it is withdrawn.

To exercise your rights or to withdraw any consent you have given, please contact Brainloop using the contact details given in Section 1. You may assert your rights with regard to the processing of personal data within the scope of the joint controllership of Brainloop Switzerland and Brainloop AG with and against each of the individual controllers (i.e., each of the two Brainloop Subsidiaries). To effectively exercise your rights, we recommend that you contact the central point of contact at Brainloop AG using the contact details listed in Section 1.

Further information on joint controllership and the essence of the agreement between Brainloop Switzerland and Brainloop AG in this regard is available upon request at any time.

In addition, without prejudice to any other legal remedies, you have the right to lodge a complaint with a supervisory authority or the Swiss Federal Data Protection and Information Commissioner (FDPIC) at any time.