Brainloop

Privacy Notice Platform Germany (my.brainloop.net)

Version: February 2023

 

The protection of personal data is an important concern for Brainloop AG (“Brainloop” or “we”) and its subsidiaries (each referred to as a “Brainloop Subsidiary”). We process your personal data exclusively in accordance with legal requirements, in particular the EU General Data Protection Regulation (“GDPR”) and the Federal Data Protection Act (“BDSG”).

Brainloop and its Brainloop subsidiaries provide their business customers (each referred to as a “Customer”) with various server and software-based, virtual and secure dataroom solutions for web-based document management, collaboration and communication (each referred to as a “Service”) during the term of a corresponding user agreement. Depending on the Customer’s location and the ordered service, the Customer’s user agreement is directly with Brainloop or a Brainloop subsidiary.

Under the contractual agreements, the respective Customer may designate natural persons as users who are granted access to the service ordered by the Customer (“Users” or “you”). The respective Service is provided to authorized Users for use as an SaaS offering via a defined web portal (“web portal”) and/or the desktop and/or mobile application (“app”) provided for this purpose in each case (together referred to as the “Brainloop Platform”). The German Brainloop platform is technically operated and provided by Brainloop AG and its subcontractors.

This Privacy Notice and Cookie Policy applies exclusively to use of the following Services:

– Brainloop Secure Dataroom Services (BDRS) when using the German Platform (https://my.brainloop.net) (hereinafter: “Brainloop Service”)

If you access the Brainloop Secure Dataroom Services (BDRS) via another country platform or use the Brainloop services MeetingSuite and/or MeetingSuiteCONNECT, separate privacy notices apply, which you can access at https://www.brainloop.com/en-gb/privacy-notice/.

The Brainloop Service is provided to customers by Brainloop or the respective Brainloop Subsidiary (where the latter concludes the user agreement with the Customer) always in the context of commissioned processing; this ensures, in particular, that all personal customer data entered or transferred by users to the Brainloop Service in accordance with the Customer’s user agreement is processed exclusively on behalf of and in accordance with the Customer’s instructions. The details are as set forth in the respective contracts for commissioned processing concluded with Customers.

Independently of this, Brainloop processes certain data of Brainloop Service users as part of the technical provision of Brainloop Services in its role as controller. Below we explain which personal data Brainloop, as controller, collects from you as user and processes when you use the Brainloop Service, for what purposes and on what legal basis we process your data, who we may transfer your data to and what rights you have in relation to the processing of your data. We also inform you which cookies are used when you use the Brainloop Service via the Brainloop Platform and how you can adjust the settings for use of cookies according to your personal preferences.

The current version of this Privacy Notice and Cookie Policy can be found at https://www.brainloop.com/en-gb/privacy-notice/.

This Privacy Notice and Cookie Policy supplements the Terms of Use for using Brainloop Services (“Terms of Use”), which form an integral part of the contract with the User for use of the Brainloop Service.

 

1. Who is responsible for processing my data and how can I contact Brainloop?

Brainloop is responsible for the processing of your personal data under data protection law as the controller within the meaning of the GDPR. You can reach Brainloop at any time using the contact information below:

Brainloop AG
Theatinerstrasse 12, 80333 Munich, Germany
Tel.: +49 89 444 699 0
Email: legal@brainloop.com

You can contact Brainloop’s data protection officer at any time using the following contact details:

Email: dpo@brainloop.com

 

2. Which of my data will be processed? For what purposes and on what legal basis is the data processed?

2.1 Registration and user account

To be able to use the Brainloop Service, you must register for the Brainloop Service online via the Brainloop Platform and create a user account. Access is by invitation only.

For the purpose of registration and provision of the user account and your service profile, Brainloop collects and processes certain user account and profile data which the user discloses to Brainloop when registering and managing the user account or which Brainloop receives from the Customer, such as name, title, email address, cellphone number, individual user account settings, authentication and access data (e.g., user ID, password), plus any other details such as telephone number, job title, company, street address, zip code, city, country, and signature (“User Account Data”). If you use the Brainloop Service via the apps provided by Brainloop, certain User Account Data (access data) required for authentication and linking of the account will also be stored locally on your device. App users are also asked to create an access code (PIN) to ensure secure access to the respective Brainloop Service. This data is stored locally on the respective device in encrypted form.

Brainloop processes any User Account Data for purposes of technical and administrative account management (in particular, registration, creation, administration, and provision of the user account and service profile) and for purposes of operation and security of the Brainloop Service (in particular, ensuring authentication and login processes, providing access to the Brainloop Service via the Brainloop Platform).

Brainloop bases the processing of your User Account Data for the above purposes on the necessity of processing (i) for the performance of the contract with you based on the Terms of Use or for carrying out pre-contractual measures in this regard (Art. 6 (1) b) GDPR) and (ii) for the purposes of our legitimate interests in the effective and secure provision of the Brainloop Service and the fulfillment of our contractual obligations towards customers and users (Art. 6 (1) f) GDPR).

2.2 Use of the Brainloop Service and Brainloop Support

In addition, Brainloop processes further personal data of the User collected in the course of use of the Brainloop Services via the respective web portal and/or the respective apps (“User Data”), including:

– Usage data (e.g., user ID, IP address, security-related queries, document ID, usage activity history, e.g., modification, retrieval, or sending of a document or folder), and

– Diagnostic and maintenance data (e.g., log files containing usage data and other diagnostic data, such as document size, format, protection, user’s device software and browser software, technical faults, etc.).

If you use the Brainloop Service via the apps provided by Brainloop, certain data is stored locally on your end device in encrypted form in order to enable access to the Brainloop Service via the respective app and, if necessary, local editing of documents and processes. In addition to certain User Account Data (see Section 2.1), this also includes limited User Data, such as user ID, tokens, information on the assignment and synchronization of the respective Brainloop Platform, and app usage log files. The data can only be accessed via the user-defined access code (PIN). The data is processed to the extent necessary to provide secure access to the Brainloop Service and, if applicable, synchronization of the local offering via corresponding interfaces.

Where Users use the support provided by Brainloop, Brainloop also receives certain support data provided by a User in connection with a support request or collected by Brainloop on behalf of the Customer concerned via the Brainloop Service, including any identification data of the ticket requester, data of the ticket requester (time/date and form of request), problem description, screenshots and service usage data, as well as diagnostic and maintenance data (to the extent relevant for processing the support request) (“Support Data”). Support Data can also include User Data. If you use Brainloop’s Customer Service Portal (available at https://support.brainloop.com), including any support requests made to Customer Support via telephone or email, the specific Privacy Notice for use of the Customer Service Portal also applies.

Brainloop always processes any User Data and Support Data exclusively as a processor on behalf of and according to the instructions of the respective Customer who ordered the Brainloop Service used by the User. However, in addition to User Account Data (in this respect see Section 2.1 above), to a limited extent Brainloop also processes User Data and Support Data as controller for Brainloop’s own legitimate business purposes, to the extent necessary for:

– internal analysis, statistics and reporting

– general technical operation, ensuring the functionality and maintenance of the Brainloop Services, including error analysis and troubleshooting

– overall security of the Brainloop Services, including data security and cybersecurity, and

– product research and development.

For these purposes, it is necessary, to a limited extent, for Brainloop to store, retain, analyze, and process information about the use of Brainloop Services across multiple customers and users, including relevant information derived from User Account Data, User Data (usage data, diagnostic and maintenance data), and Support Data. Insofar as personal data is contained in relevant records, Brainloop will anonymize it as soon as possible, to the extent technically practical and sufficient for the respective purposes, and process it only in aggregated and anonymized form.

Brainloop bases the processing of your personal data for the above purposes on the necessity of processing (i) for the performance of the contract with you based on the Terms of Use (Art. 6 (1) b) GDPR) and (ii) for the purposes of our legitimate interests in fulfilling our contractual obligations to customers and users, ensuring the functionality and security of the Brainloop Services, and optimizing and improving Brainloop products and services (Art. 6 (1) f) GDPR).

Where Users use Brainloop Support, Brainloop also stores and processes certain Support Data in its role as controller to protect Brainloop’s legitimate interests in (i) demonstrating compliance with legal and operational requirements, including under any Brainloop certification procedures, (ii) optimizing customer support, and (iii) asserting, exercising, and defending legal claims (Art. 6 (1) f) GDPR).

2.3 Use of the Brainloop Authenticator App

Brainloop offers you the possibility of 2-factor authentication by means of a security code when accessing your user account for the respective Brainloop Service. For this purpose, you can use the Authenticator App provided by Brainloop whereby you can link your user account to your device to receive the security code in the form of a time-based one-time password.

If you use the Brainloop Authenticator App, Brainloop processes your email address and user ID stored for use of the Brainloop Service as well as the generated one-time password, insofar as this is necessary to link your device with your user account and to provide services for authentication. For this purpose, the information is stored locally on your device to enable communication with the Brainloop server as part of the respective authentication process.

Brainloop bases the processing of your personal data for these purposes on the necessity of processing (i) for the performance of the contract with you based on the Terms of Use (Art. 6 (1) b) GDPR) and (ii) for the purposes of our legitimate interests in fulfilling our contractual obligations towards customers and users, and ensuring the functionality and security of the Brainloop Services (Art. 6 (1) f) GDPR).

2.4 Legal obligations and legal rights

In addition, Brainloop processes personal data of the User, including User Account Data, User Data, and Support Data, to the extent necessary to ensure and document compliance with Brainloop’s legal obligations and to assert, exercise, and defend legal claims (Art. 6 (1) c) and f) GDPR).

 

3. Am I obliged to provide my data?

In principle, you are neither legally nor contractually obliged to provide your data to Brainloop. However, if you do not provide us with certain data, you may not be able to use the Brainloop Service, or you may be able to use it only to a limited extent.

 

4. Who will my data be shared with?

As a matter of principle, we only pass your data to third parties if this is necessary to provide the Brainloop Service or if we are legally obliged to do so.

If the Customer who has designated you as an authorized user has concluded the user agreement for use of the Brainloop Service on the German Platform not with Brainloop AG but with a Brainloop Subsidiary in Austria or Switzerland, it is possible that Brainloop will also transfer your personal data to the respective Brainloop Subsidiary which concluded the agreement for the purposes described in Section 2 and/or that the respective Brainloop Subsidiary may exert an influence on the data processing performed for these purposes by Brainloop as the technical operator of the Brainloop Platform. In this respect, Brainloop and the respective Brainloop Subsidiary act as joint controllers within the meaning of Art. 26 GDPR. To effectively assert your rights as a data subject (see Section 8), you may approach the central contact point at Brainloop AG at any time using the contact details listed above in Section 1. Naturally you also have the option of asserting your rights directly against the respective Brainloop Subsidiary. The contact details of the respective Brainloop Subsidiaries are as follows:

Brainloop Austria GmbH, Ausstellungsstraße 50 /C /2 OG,
1020 Vienna, Austria
Tel.: +49 89 444 699 0
Email: legal@brainloop.com

Brainloop Switzerland AG, Gubelstrasse 15, 6300 Zug, Switzerland
Tel.: +41 41 710 39 71
Email: legal@brainloop.com

Further information about joint controllership and about the essential nature of the agreement in this regard between Brainloop AG and the respective Brainloop Subsidiary can be obtained at any time upon request.

We also use external service providers to help us operate the Brainloop Service and/or provide the services offered to you. In particular, we engage technical service providers to store and manage your data and technically operate the offered functionalities (especially hosting service providers, IT service providers). We also use external SMS providers to enable you to use 2-factor authentication and receive service-related text messages (such as notification functions) in the context of the provision of the Brainloop Service via the Brainloop Platform.

All service providers act exclusively on our behalf and are obliged to take all necessary technical and organizational measures to protect your personal data in accordance with the requirements of data protection law. Our service providers are not permitted to disclose this information to third parties or use it for other purposes.

Otherwise, your data will not be disclosed to third parties without your prior consent, unless this is necessary for the exercise, assertion or defense of our legal claims or we are required to do so by law. This may be the case, for example, if we are required to cooperate with security agencies in connection with legal investigations.

 

5. Where will my data be stored? Will my data also be transferred to and/or processed in countries outside the European Union?

Your personal data will be stored and processed by Brainloop exclusively within the European Union (“EU”).

However, depending on your use of the Brainloop Service, we may occasionally use technical service providers as SMS providers that are located outside the EU and the contracting states of the European Economic Area (“EEA”), including the United Kingdom and the USA. The SMS providers receive limited access to your data (mobile phone number, One Time PIN, message), to the extent that this is necessary in the respective individual case to technically enable and process the sending of the text messages requested by you (within the scope of the 2-factor authentication and notification function).

The data protection laws of countries outside the EU/EEA (such as the United States) may not ensure a level of data protection that is judged adequate by the European Commission. In particular, companies in these countries may be obliged to hand over personal data to security agencies without the data subjects having adequate legal protection. We have taken appropriate steps, including by entering into contracts based on the EU Standard Contractual Clauses, to ensure that any service providers processing your data provide appropriate safeguards to adequately protect your personal data. In addition, we base the transfer of your data on the necessity of performing the contract concluded with you or the contract concluded in your interest with our SMS providers (Art. 49 (1) b) and c) GDPR).

The data protection laws in the United Kingdom have been assessed as adequate by the European Commission.

To learn more about the recipients of your personal data and to obtain a copy of the safeguards and measures we have implemented, please contact Brainloop using the contact information given in Section 1 of this Privacy Notice.

 

6. How long will my data be stored?

Unless otherwise stipulated in this Privacy Notice, your data will only be stored by us for as long as is necessary for the respective purpose for which we collect and process your data.

The following categories of data are retained as follows:

User Account Data: We generally store any User Account Data for as long as is necessary to provide the user account and for your use of the Brainloop Services. Your data will be deleted again (i) if your User Account is deleted (for example, as a result of a deletion request), or (ii) if you are no longer an authorized user of a Brainloop Service for any existing customer (and no relevant dataroom activity history is stored by you for any existing customer) and you have been inactive for a period of more than six (6) months.

User Data: Any User Data that Brainloop processes in its role as controller will only be processed and stored in personal form for as long as it is necessary for the purposes listed in Section 2.2. The data is usually anonymized as early as possible, and then retained only in aggregated and anonymized form.

Brainloop Authenticator App: The data stored in the Brainloop Authenticator App is deleted as soon as you uninstall the app from your device.

Support Data: Any Support Data that Brainloop processes in its role as controller will be retained – to the extent necessary for the purposes set forth in Section 2.2 – for a maximum period of three (3) years, after which it will be deleted.

After the relevant storage period has expired, your data will be deleted in accordance with our general deletion routines, unless legal storage obligations (in particular due to commercial and tax law requirements, insofar as necessary for the handling of our contract with customers) conflict with this or longer storage is necessary in a specific individual case to protect our legitimate interests (interest in the fulfillment of our legal obligations as well as the necessity of processing for the assertion, exercise, or defense of legal claims).

 

7. Are cookies deployed when the Brainloop Platform is used?

7.1 What are cookies and what are they used for?

We deploy “cookies” when the Brainloop Service is used via the Brainloop Platform. Cookies are small text files stored in the memory of your device via your browser. Cookies store certain information (such as your page settings) that is sent back to us by your browser when you access the Brainloop platform (depending on how long the cookie is stored).

The cookies we use are stored on your device either temporarily for the duration of a session (“session cookies”) or for a longer period beyond the duration of your session (“permanent cookies”). Session cookies are automatically deleted at the end of your visit (i.e., when you end your session and close your browser/app). Permanent cookies remain stored on your device until the storage period of the cookies expires or you delete them yourself. The functional duration of the cookies we use is indicated in the summary table in Section 7.2 below.

Most of the cookies we use are set by us (“first-party cookies”). In addition, third-party cookies may be stored on your device if this is necessary to integrate services of external partners into the Brainloop Services (“third-party cookies”). You can see from the overview in Section 7.2 below whether the cookies used in the context of the Brainloop Services are set by us or by a third-party provider.

Cookies have various functions. The cookies we use are all technically necessary (“necessary cookies”) for the operation of the Brainloop Platform or the provision of Brainloop Services and their functionalities (e.g., page navigation, storage of page and language settings, storage of your cookie settings) (Section 25 (2) no. 2 of the German Telecommunications and Telemedia Data Protection Act (TTDSG)). Where these cookies allow us to draw conclusions about your person, we base the lawfulness of the processing of this data on the necessity of the processing (i) for the performance of the contract with you based on the Terms of Use (Art. 6 (1) b) GDPR), and (ii) for the purposes of our legitimate interests (effective and secure provision of the functionalities and services via our Brainloop Platform) (Art. 6 (1) f) GDPR).

7.2 Cookie overview

We only use necessary cookies within the scope of the Brainloop Secure Dataroom Services (BDRS). These are exclusively first-party cookies, which are described in more detail in the following table.

(a) Use of the web portal

| Cookie name | Functional duration | Purpose and description |
| --- | --- | --- |
| [BDRS-farmname]_[UserID]_session | Deleted after closing the browser or 60 minutes of inactivity (Session cookie) | This cookie is used to validate the authentication of the current session with the server. |
| [BDRS-farmname]_[UserID]_daily | 1 day (Permanent cookie) | This cookie is used to validate the authentication of the current session with the server (depending on the authentication requirements according to the settings of the customer administrator) |
| [BDRS-farmname]_[UserID]_weekly | 1 week (Permanent cookie) | This cookie is used to validate the authentication of the current session with the server (depending on the authentication requirements according to the settings of the customer administrator) |
| [bdrs-farmname]_0_system | 6 months (Permanent cookie) | This cookie is used to store the system-wide permanent settings (e.g., language settings). |
| [bdrs-farmname]_webdav_session | 60 minutes after last save/edit (Permanent cookie) | This cookie enables access to the WebDAV / Adobe RMS server to allow reading and editing of documents via Internet Explorer / Microsoft Edge. |
| [BDRS_farmname]_cookie_check | 1 month (Permanent cookie) | This cookie is used for performance reasons and to determine whether your browser settings allow the necessary cookies to be stored and whether the cookies required for operation have been created correctly |
| apilogintoken | Deleted after the session timeout time has expired (60 minutes by default) (Permanent cookie) | The API token is needed to authenticate an API3 client (e.g. Secure Client) against the BDRS server and allows access to the SAML server |
| Brainloop_SessionId | Deleted after closing the browser or 60 minutes of inactivity (Session cookie) | Validation of the current session |
| AccessDeniedDetected_cookie | Deleted after closing the browser or 60 minutes of inactivity (Session cookie) | Used to record any access denials, in order to identify and address any errors. |
| DAV_CONN_TEST | 4 hours (Permanent cookie) | This cookie is used for a connection test with the WebDAV server |
| DAV_CONN_ANSWER | 4 hours (Permanent cookie) | This cookie is used for a connection test with the WebDAV server |
| ADOBE_REVIEW | Lifetime configurable; standard: 10080 minutes (Permanent cookie) | This cookie is used for authentication with the AEM server |
| Bluioldrequestid | 1 day (Permanent cookie) | This cookie is used to load UI elements |
| ASP.net__SessionId | Deleted after closing the browser or 1 year of inactivity (Session cookie) | Used to ensure a secure session (i.e., authentication of the user for the customer’s BDRS offer). |
| __RequestVerificationToken | Deleted after closing the browser or 1 year of inactivity (Session cookie) | This cookie is used to protect against CSRF attacks. |

 

(b) Use of the mobile app (Secure Client)

| Cookie name | Functional duration | Purpose and description |
| --- | --- | --- |
| apilogintoken | Deleted after the login process is completed or after the app is closed (Session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| ASP.net__SessionId | Deleted after the login process is completed or after the app is closed (Session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| [bdrs-farmname]_0_system | Deleted after the login process is completed or after the app is closed (Session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| [BDRS_farmname]_cookie_check | Deleted after the login process is completed or after the app is closed (Session cookie) | This cookie is used for authentication with the server. |
| Brainloop_SessionId | Deleted after the login process is completed or after the app is closed (Session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| Bluioldrequestid | Deleted after the login process is completed or after the app is closed (Session cookie) | This cookie is generated on the server in the course of SAML authentication (if specified by the Customer) and transferred to the client. |
| MSISAuth, SamlSession, MSISAuthenticated, MSISLoopDetectionCookie, MSISSamlRequest | Cookies are deleted after the login process is completed or after the app is closed (Session cookie) | The SAML login cookies allow access to the SAML server. |

 

7.3 Cookie settings

You can set your browser so that you are informed when cookies are set and only allow cookies in individual cases, decline the acceptance of cookies in certain cases or in general, and enable the automatic deletion of cookies when the browser is closed. When cookies are disabled, the functionality of access to the Brainloop Service may be limited.

 

8. What rights do I have as a data subject and how can I exercise them?

By law you have the right:

– to request information about processed personal data concerning you and a copy of this data (right of access)

– to request the rectification of inaccurate data and, taking into account the purposes of the processing, the completion of incomplete data (right to rectification); please let us know if your data and, if applicable, which of your data that we store have changed so that we can correct or update the corresponding data.

– to request the deletion of your data if there are legitimate grounds for doing so (right to erasure)

– to request the restriction of the processing of your data, provided that the legal requirements are met (right to restriction of processing)

– if the legal requirements are met, to receive the data provided by you in a structured, commonly used, and machine-readable format, and to transfer this data to another controller or, if technically feasible, to have it transferred by us (right to data portability), and

– not to be subject to a decision based solely on automated processing, where the legal requirements for this are not met. Brainloop does not use automated decision-making processes.

You also have the right to object to processing of your data that is carried out to protect the legitimate interests of Brainloop or third parties on grounds relating to your particular situation, in accordance with the statutory provisions (right to object).

Where the processing of your data is based on consent, you have the right to withdraw your consent at any time without this affecting the lawfulness of the processing of your data carried out on the basis of the consent up to the time it is withdrawn.

To exercise your rights or to withdraw any consent you have given, please contact Brainloop using the contact details given in Section 1. You may assert your rights with regard to the processing of personal data within the scope of the joint controllership referred to in Section 4 above at and in relation to each of the aforementioned controllers (i.e., Brainloop AG or the respective Brainloop Subsidiary in Austria or Switzerland that has entered into a corresponding usage agreement with Brainloop). To exercise your rights effectively, we recommend that you approach the central contact point at Brainloop AG using the contact details given in Section 1.

You also have the right to file a complaint with a supervisory authority at any time, without prejudice to other legal remedies.