Brainloop AG

Brainloop Privacy Notice

1. April 2020

Brainloop AG ("Brainloop" or "we") and its affiliated companies take the security and protection of your personal data very seriously.

The below Brainloop privacy notice ("Privacy Notice") applies to:

  • users of our website (www.brainloop.com);
  • individuals interested in our products and services;
  • customers, suppliers and other business partners; and 
  • applicants for employment.

The below Privacy Notice does not apply to the processing of personal data from our customers in connection with the use of our Brainloop Secure Dataroom Services ("Services"). Any personal relating to users of our Services and any data submitted or transferred to our Services by our customers are subject to separate privacy notices which we will make available to you in the context of your use of our Services.

We reserve the right to change the content of this Privacy Notice from time to time; we therefore recommend that you review it at regular intervals. You can access the current version of this Privacy Policy at any time under https://www.brainloop.com/en/privacy-notice.

1. Who is responsible for the processing of my data?

Brainloop AG is responsible for the processing of your personal data as controller within the meaning of the General Data Protection Regulation ("GDPR").

2. How can I contact Brainloop and its Data Protection Officer?

You can reach Brainloop at any time under the following contact details:

Brainloop AG, Franziskanerstr. 14, 81669 Munich, Germany
Tel.: 089 444 699 0
Email: legal(at)brainloop.com
Website: www.brainloop.com

You can reach out data protection officer at any time under the following contact details:

Dr. Sebastian Kraska, IITR Datenschutz GmbH, Marienplatz 2, 80331 Munich, Germany
Tel.: 089 18917360
Email: email@iitr.de
Website: www.iitr.de

3. What are "Personal Data" and what does "Processing" mean?

3.1 Personal Data

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2 Processing

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. What data will be collected about me? For which purposes and on which legal basis will my data be used?

Depending on the type of business relationship or interaction with you we collect and process different categories of personal data.

In most cases there will not be an obligation that you disclose certain information about yourself to us. We may be required to collect certain personal data about you either by law or as a consequence of any contractual relationship we have with you. Failure to provide this information may prevent or delay the fulfillment of these obligations. We will inform you at the time your information is collected whether certain data is compulsory and the consequences of the failure to provide such data.

The categories of information we collect include:

  • Personal details (e.g., name, title, employer or organization, or similar professional or employment related information);
  • Contact details (e.g., phone number, email address, postal address, or similar identifiers);
  • Commercial information about your organization (e.g., annual operating budget, number of board members, number of committee members);
  • Payment information, such as information required for payment processing or fraud prevention, including credit card information and card verification numbers;
  • Demographic information (e.g., age, sex, etc., including protected classifications); 
  • Education or employment information (e.g., education status, degree information, previous employers, or similar information);
  • Information we collect automatically from you or your device, including internet or other electronic network activity data collected using cookies and other device identifying technologies. Additional information about our use of cookies and tracking technologies is available in our Cookie Policy;
  • Account information (such as user ID, contact details, answers to security questions, or similar identifiers);
  • Commercial information about your usage of our services or the websites (such as support requests, recordings of or information from phone calls with our sales or support teams, or information provided to us to resolve such support requests); and
  • Inferences drawn from any of the above information;

We collect information about you from you directly, from your employer or organization, from publicly available websites and filings and/or from our business partners.

Below we set out additional information about which data we collect from you, and for which business or commercial purposes and on which legal basis we use such data.

4.1 Processing of personal data in connection with the use of our Website www.brainloop.com

Below we inform you which data we collect and process when you use our Website available under www.brainloop.com ("Website"), for which business or commercial purposes we use such data and on which legal ground the processing of your data is based. Please also note the additional information relating to the processing of your data in sections 5 to 9 of this Privacy Notice.

(a) Data about Website access (log files)

You can generally visit our Website without actively entering any personal data about yourself. In this case Brainloop only collects and stores data about your Website access which will automatically be transmitted from your browser to Brainloop when you access our Website. 

This information may include Internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data.

Please see our Brainloop Cookie Policy for further information on how we use such data.

We process your personal data on the basis of our legitimate interests to ensure the security of our Website and to optimize our Website and services we offer to you, and to improve marketing, analytics, or site functionality (Art. 6(1) lit. f) GDPR).

In addition we use cookies on our Website that store information about your settings or usage behaviour on our Website (see section 4.1(c) below) and our Brainloop Cookie Policy.

(b) Contact information, communications, downloads, free trial access

Our Website offers you the possibility to get in contact with us through different ways, such as to submit enquiries in relation to our products and services, to request our whitepapers or other information, or to register for a free trial access.

If you use our web forms for this purpose, you have to provide information marked with an asterisk as mandatory (e.g. details about your person, or your email address). We need the mandatory information to be able to efficiently process your request. In addition you can optionally disclose further information (such as title, branch or your message). This optional information helps us to better relate and more efficiently process your request.

If you contact us via the contact details provided on the Website, we will process the personal data that you disclose to us or that you submit due to the type of your request.

We process the personal data that we receive through the different communication channels for the processing of your request. In this respect, the processing is based on the necessity of the processing for purposes of our legitimate interests in ensuring efficient and user friendly communication and processing of your request, in analysing and optimizing our processes and in enabling a reliable documentation for evidentiary purposes (to the extent necessary for the establishment, exercise or defense of legal claims) (Art. 6(1) lit. f) GDPR). The processing of your personal data in the context of the establishment of a contract is further based on the necessity of the processing in order to take steps at your request prior to entering into a contract in order to make a decision about establishing the contract with you (Art. 6(1) lit. b) GDPR).

In addition, we may process your data because we are under a legal obligation (Art. 6(1) lit. c) GDPR) or because the processing is necessary for the establishment, exercise or defense of legal claims (Art. 6(1) lit. f) GDPR). Finally, we may use the data we receive from you on the basis of our legitimate interests (Art. 6(1) lit. f) GDPR) for marketing purposes (see section 4.2 below).

(c) Cookies, Social Plug-Ins, Analysis-, Tracking- and Retargeting-Technologies

Brainloop uses “cookies” in order to make your visit to the Website as pleasant as possible and to enable you to utilize all of its functions. A cookie is a text file that is temporarily saved on your computer when you visit the Website. Brainloop primarily uses "session cookies" on the Website which expire after your visit to our Website has ended. In addition, for certain functionalities, we also use "permanent cookies" which will be stored beyond your session until the storage period expires or the cookies are deleted from your device. For the storage period of the cookies used by us, please see our Brainloop Cookie Policy.

Most of the cookies used on our Website are technically necessary to operate our Website and/or provide the functionalities offered on our Website (so-called "essential website cookies"). To the extent these cookies can be attributed to your person, the processing of your data will be based on the necessity to process the data for purposes of our legitimate interests (effective and secure provision of the functionalities and services on our Website) (Art. 6(1) lit. f) GDPR).

To the extent you have provided your consent via our cookie banner (or at a later point in time via our cookie tool on our Website), we will further place cookies for performance and functionality purposes (“performance and functionality cookies”), for purposes of analyzing usage behaviour (“analytics cookies”), and for displaying personalized marketing content, including for retargeting and remarketing purposes (“advertising cookies”). In addition, we place cookies for purposes of enabling interaction with social networks (“social networking cookies”; see also section  4.1(e) below). These different types of cookies are not strictly necessary to provide the functionalities and services offered on our Website but help us to provide you with a more comfortable and attractive user experience and to display targeted content which is of interest to you. Please see our Brainloop Cookie Policy for more information on the different types of cookies we use, for which purposes we use such cookies, and on the options available to you with respect to our use of cookies. To the extent we process your personal data in connection with the use of the above cookies, we rely on your consent (Art. 6(1) lit. a) GDPR). You can withdraw your consent in full or in part, or change your cookie settings, at any time via our cookie settings in our cookie tool on our website or the opt-out links in our Brainloop Cookie Policy. The withdrawal of your consent does not affect the lawfulness of the processing of your personal data until withdrawal.

Most of the cookies used on our Website will be placed by ourselves (so-called "first-party cookies"). However, we work together with third party service providers (e.g. for analysis and marketing purposes or to integrate social-plugins) which also place cookies on our Website (so-called "third-party cookies"). Please see our Brainloop Cookie Policy to learn more about the service providers and partner companies we work with and for information on whether third parties have access to the cookie information.

(d) Links to Other Sites

Our Website includes links to other websites whose privacy practices may differ from our practices. If you submit personal data to any of those sites, your information is governed by their privacy policies. We are not responsible for the privacy practices or the content of any sites to which our Website provides links. We encourage you to carefully read the privacy policy of any site you visit.

(e) Social Media Features

Our Website includes social media features, such as the Facebook Like button, and widgets, such as the Share button, or interactive mini-programs that run on our Website (the “Features”). To protect your privacy, we have implemented technical solutions for these features that prevent that any data (e.g., your IP-address) will be transferred to the respective providers of the Features upon mere opening of our Website. Please note, however, that these Features may collect your Internet protocol address, which page you are visiting on our Website, and other information, in case you interact with the corresponding Features. In addition, the respective providers may set cookies to enable the Features to function properly or to collect further information about your use of the respective Features (see also section 4.1(c) above). Please also see our Brainloop Cookie Policy to learn more about those cookies. The Features are either hosted by a third party or hosted directly on our Website. Your interactions with these Features are governed by the privacy statement of the provider providing these Features. Brainloop does not exercise influence over the data collected by such providers and their respective use, and does not have access to the corresponding data.

You can access further information about the Features and the corresponding providers, and exercise your rights, under the following links:

4.2 Processing of personal data relating to prospects and other individuals interested in our products and services for marketing purposes

Below we inform you about the data we process for marketing purposes about you as prospect or other individual interested in our products and services, how we process your data and on which legal the processing of your data is based. Please also note the additional information relating to the processing of your data in sections 5 to 9 of this Privacy Notice.

You may sign-up for our email newsletter on our Website. In this context, any mandatory information to be provided is indicated with an asterisk. You can optionally provide further data. Such data is not necessary to sign-up for the newsletter but it helps us to set up our newsletter service more efficiently and in a more targeted manner. You can also sign-up for our newsletter in other ways, such as by requesting our e-mail newsletter via telephone or in the context of another interaction with us.

If you expressly request information from us (such as by using our web forms), you consent that we may use the data provided by you (e.g., name, surname, email address) to send you the requested information about products and services offered by Brainloop and/or its affiliated Diligent group companies (see here), including via email to an email address provided by you.

For sending our newsletter and other email marketing communication we use a technical service provider. For measuring effectiveness, our service provider collects information about your usage of our marketing emails via so-called tracking pixels or similar technologies (e.g., whether you have received or opened our emails, and whether you have clicked on links or content in our emails). We analyze the information to better understand our users' interests and preferences, to optimize our newsletter service and to tailor the content of our marketing emails in accordance with our users' interests.

To the extent our analysis aims at statistical and aggregated capturing and analyzing the reading and usage behaviour as well as interests of our users, without any personalization of our emails on the basis of your individual data, the processing of personal data will be based on our legitimate interests in analyzing the interactions of our email recipients for the above purposes (Art. 6(1) lit. f) GDPR).

By signing-up for our newsletter you consent that Brainloop may process the data you provided in the context of your sign-up for marketing purposes in order to regularly inform you via email about news and interesting developments with respect to the products and services offered by Brainloop and its affiliated Diligent group companies (see here). The content of our newsletter can be personalized based on the analysis of your newsletter usage as set out above. By signing-up for our newsletter you consent to the related processing of your personal data (including the capturing and analysis of usage behaviour).

A confirmation email is sent to the email address first entered for information mailing in a double opt-in process for legal reasons. We also send a confirmation email to prospects who contact us via a web form. This confirmation email serves to check whether the owner of the email address has authorized receipt of the information email.

We record your sign-up for our newsletter or receipt of other marketing information to prevent misuse and to document and provide proof of our sign-up process according to legal requirements. The recording takes place on the basis of our need to process the data for purposes of our legitimate interests in complying with legal requirements and ensuring a legally compliant and user friendly sending of our email communications (Art. 6(1) lit. f) GDPR).

Any processing of personal data in connection with the personalization and sending of the newsletter (including any analysis of your usage behaviour in connection with the usage of our marketing emails) will be based on your consent (Art. 6(1) lit. a) GDPR). You are free to provide your consent. Your consent can be withdrawn at any time with effect for the future by clicking on the unsubscribe link at the end of our newsletter or by contacting us at the contact details set out in section 2.

Without your consent, we will only contact you for marketing purposes via email if we have received your email address from you in connection with the sale of a product or services, the marketing content in our email relates to similar products or services (including customer satisfaction surveys) and you have not objected to the use of your email address. You can object to the use of your email address at any time, without costs to you other than for the transmission of your objection on the basis of the standard rates of your telecommunication service provider. The related processing of your personal data will be based on our legitimate interests in marketing our products and services (Art. 6(1) lit. f) GDPR).

If you otherwise communicate with us for purposes of receiving information about our products and services (e.g., if you contact us by email or telephone, or interact with one of our employees in the context of an event or exhibition), we collect the data that we receive from you in connection with this interaction. If you have provided your consent we will process such data to send you marketing information about the products and services offered by Brainloop and its affiliated Diligent group companies (see here) via your preferred channel (via email, fax and/or telephone). You can withdraw the consent provided to us at any time with effect for the future by contacting us at the contact details set out in section 2.

In addition, we may use your data to the extent permitted by law for the postal sending of marketing information on the products and services offered by Brainloop or its affiliated companies of the Diligent Group (see here). You can object to this use of your data for marketing purposes at any time with effect for the future. Further information on the right of objection can be found in section 9.

4.3 Processing of personal data relating to customers, suppliers and other business partners

If you or the company you work for or you represent are a customer, supplier, distributor or other business partner of Brainloop or an affiliated company of the Diligent Group, we may collect the following data about you:

  • contact information, such as first and last name, title, job description, department, company/organization, business address, business phone number, business mobile phone number, business fax number and business email address;
  • order, service and contract data, including revenue information and payment terms;
  • payment and billing information, such as information required for payment processing or fraud prevention, including credit card information and card verification numbers, as well as bank and account data, tax numbers, and billing addresses;
  • history of orders, transaction and business interactions as well as commercial information about the use of products and services;
  • other information the processing of which is necessary for a project or the handling of a contractual relationship with Brainloop or which is voluntarily provided by you or your company, e.g., in connection with orders, inquiries or project details;
  • personal data that we collect from publicly available sources, information databases or from credit agencies;
  • where legally required as part of compliance screenings: date of birth, ID card and ID card numbers, information on criminal convictions, relevant court proceedings and other legal disputes in which you or your company is involved.

There is no legal or contractual obligation for you to provide us with your data; however, if you do not provide your data it may be that the business relationship between Brainloop and you or your company cannot be established or performed.

We process your data for the following business and commercial purposes and according to the following legal bases:

  • Planning, execution and administration of the (contractual) business relationship between Brainloop and you or your company, e.g., to process orders for products and services, for accounting, billing and auditing purposes, including the collection of debts and enforcement of claims, as well as to perform deliveries, services, customer service and maintenance activities. As far as the business relationship exists between Brainloop and you personally, we rely on the necessity of the processing for the performance of the contract with you or in order to take steps at your request prior to entering a contract with you (Art. 6(1) lit. b) GDPR). As far as the business relationship exists between Brainloop and your company, we rely on our legitimate interests in the establishment, performance and handling of the business relationship with your company (Art. 6(1) lit. f) GDPR);
  • Safeguarding our legitimate interest in an effective and service oriented care of our business contacts, including on the basis of historical commercial information (customer relationship management) (Art. 6(1) lit. f) GDPR);
  • Safeguarding our legitimate interests in communication with you in connection with the business relationship between Brainloop and you or your company, e.g., when we inform you about changes to our terms and conditions or when you contact us with questions (Art. 6(1) lit. f) GDPR); for advertising communication with you, see section 4.2;
  • Safeguarding our legitimate interests in market analysis, quality assurance and product and service improvement (Art. 6(1) lit. f) GDPR);
  • Ensuring compliance with our statutory retention obligations under commercial and tax law (Sec. 257 HGB, Sec. 147 AO) as well as other legal obligations of Brainloop (Art. 6(1) lit. c) GDPR);
  • Safeguarding our legitimate interests in ensuring and documenting compliance with legal requirements and establishing, exercising and/or defending of legal claims (Art. 6(1) lit. f) GDPR);
  • Safeguarding our legitimate interests in the marketing of our products and services, in particular, in order to build a profile of you and place you or your company in particular marketing segments in order understand your preferences better and to appropriately personalise the marketing messages we send you (Art. 6(1) lit. f) GDPR). It is in our legitimate interests to provide more relevant and interesting advertising messages. Where necessary, we will obtain your consent before we build profiles and send marketing messages (Art. 6(1) lit. a) GDPR) (see also section 4.2).

If you or your company are a customer of Brainloop, we also process your data for the following purposes: 

  • Posting of customer testimonials on our websites, which might contain personal data about you. We obtain your consent via e-mail prior to posting the testimonial to post your name, title and name of your company along with the testimonial (Art. 6(1) lit. a) GDPR). If you wish to update or delete the testimonial containing your data, you can contact us at marketing@brainloop.com.

Insofar as we base the processing for the aforementioned purposes on your consent, you can withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing based on the consent before its withdrawal.

Please also note the additional information relating to the processing of your data in sections 5 to 9 of this Privacy Notice.

4.4 Processing of personal data relating to applicants

We process personal data regarding you for the purposes of your application for employment, in so far as it is required for the decision on employment. The legal basis is § 26(1) and (8) of the German Federal Data Protection Act (FDPA). This applies to data in connection with your application, such as data on your identity (first and last name, address, contact information), information on your professional qualifications and education, information on professional training, or other information that you provide to us in connection with your application. In addition, we may process professional information that you have made publicly available, such as on profiles in social media networks.

Further, we may process your personal data to the extent necessary to defend against legal claims arising from the application process. The legal basis is Art. 6(1) lit. f) GDPR.

Should an employment relationship be established between us, we may process your personal data already received for the purposes of the employment relationship as well, if required for carrying out or terminating the employment relationship (legal basis: § 26(1) FDPA).

Please also note the additional information relating to the processing of your data in sections 5 to 9 of this Privacy Notice.

5. Who will my data be disclosed to?

Brainloop ensures a high level of security when disclosing your data. 

We have disclosed the following categories of personal data for a business purpose in the past 12 months:

  • Personal details;
  • Contact details;
  • Commercial information about your organization;
  • Payment information;
  • Demographic information;
  • Education or employment information;
  • Information we collect automatically from you, including internet or other electronic network activity data collected using cookies and other device identifying technologies;
  • Account information;
  • Commercial information about your usage of our products and services or the websites; and
  • Inferences drawn from any of the above information.

We disclose your personal data in the below scenarios to the following categories of third parties and other recipients:

5. 1 Service providers, business partners and affiliates (as processors):

We only transmit your data to partner companies and service providers, including Brainloop's affiliates of the Diligent Group (in particular, Diligent Corporation, USA), which have been carefully selected beforehand and which are contractually obliged as data processors in accordance with the relevant data protection regulations. For instance, we may share your personal data with our service providers and business partners that perform marketing services and other business operations for us. These companies are authorized to use your personal data only as necessary to provide these services to us. In addition, a transfer of data to partner companies and service providers only occurs if this is necessary to perform the services offered, if you have given us your consent, or if the transfer is legally required or permissible. Your data will neither be sold to third parties nor marketed in any other way. An up-to-date list of all partner companies and service providers is available upon request from Brainloop under the contact details listed in section 2.

5.2 Affiliated Diligent group companies (as controllers):

Brainloop will also share your data with companies of the Diligent Group affiliated with Brainloop, in particular Diligent Corporation, USA (1385 Broadway, 19th Floor, New York, NY 10018). Diligent Corporation and affiliated companies of the Diligent group will process the personal data as controllers within the meaning of the GDPR. A list of companies within the Diligent group with which – to the extent necessary for the below purposes – your personal data may be shared can be found here.

(a) The disclosure includes, in particular, contact information (such as name, title, job description, department, e-mail address, company name, address, telephone number), data necessary for accounting and billing purposes, data collected and processed as part of Customer Relationship Management, including historical commercial information, (see section 4.3 above), information about the use of our products and services as well as use of our website, including cookie information and tracking and web-analysis data (see section 4.1 above), or data collected and processed by or for marketing purposes (see section 4.2 above).

(b) The data transfer takes place for purposes of Brainloop's and its Diligent group affiliates' legitimate interests in ensuring an efficient and cost-effective provision of group wide uniform business services and functions in an integrated, worldwide organizational structure, including the provision of global systems and functions for central storage and processing of personal data. This includes, in particular, the disclosure and processing for the following purposes:

  • to process your requests and provide the services offered on the website. This is especially necessary when Brainloop products and services are requested from other countries;
  • to prepare and handle the contractual relationship with customers, suppliers and business partners;
  • to purchase centrally supplier and business partner services and to manage and maintain the related business relationships;
  • to handle customer support via centralized processes and ticketing-systems;
  • to store your data for accounting and billing purposes in a central customer database;
  • for Customer Relationship Management purposes;
  • for statistical evaluations to ensure and continuously optimize the smooth operation of the offering;
  • internal reporting, customer and market insights, quality assurance and service optimization;
  • to support, prepare, optimize and carry out marketing measures.

(c) The applicant data collected by Brainloop (see section 4.4 above) will be passed on, for example, for handling of the application procedure, the centralized management of applicant data, and the implementation of personnel planning and development measures concerning several companies of the Diligent Group.

(d) The Diligent Privacy Policy of Diligent Corporation and of the Diligent group companies affiliated with Brainloop can be found here. The Diligent Privacy Policy describes how Diligent group companies collect, process, share and secure your personal data, and your related rights. It also describes your choices regarding use, access and correction of your personal data.

5.3 Law enforcement agency, court, regulator, government authority or other third party:

We may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party. Where permitted by law or regulation and reasonably practicable, we will attempt to notify you of such requirements.

5.4 Asset purchasers:

We may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this Privacy Notice. You will be notified via email and/or a prominent notice on our websites of any change in ownership or uses of your personal data.

6. Will my data be processed also in countries outside the EU/EEA?

Brainloop takes the security and protection of your personal data very seriously. To the extent Brainloop transfers your personal data to countries outside the European Union (EU) or the contracting states of the European Economic Area (EEA) (so-called "Third Countries"), Brainloop has ensured by putting into place appropriate safeguards (such as contractual commitments) that your personal data will always be protected adequately and in accordance with legal requirements. For more information on the appropriate safeguards in place, please contact us at the contact details set out in section 2.

To the extent we engage service providers or business partners (including Diligent group companies affiliated with Brainloop) as processors which are located in Third Countries for which there has not yet been an adequacy decision from the European Commission, your data will only be transferred if suitable guarantees in accordance with Art. 44 et seqq. GDPR have been put in place with the processor to ensure an adequate level of data protection. This is done in particular through entering into an agreement on the basis of the EU standard contractual clauses for processors approved by the EU Commission (Commission decision of 5 February 2010, C(2010)593) pursuant to Article 46(2) lit. c),(5) GDPR. A copy of the measures implemented by us is available upon request from Brainloop at the contact details set out in section 2. In addition, an up-to-date list of all partner companies and service providers, and the Third Countries in which your personal data are being processed, is available upon request from Brainloop at the contact details set out in section 2.

To the extent we disclose personal data to affiliated companies of the Diligent group as controllers and these companies are located in Third Countries that do not provide for a level of data protection as considered adequate by the European Commission, we will ensure by means of an intra-group agreement on the basis of the standard contractual clauses for controllers approved by the EU Commission (Commission decision of 27 December 2004, C(2004)5271) that your data will be processed and protected in accordance with legal requirements by the respective recipient of the Diligent Group (Art. 46(1) lit. c), (5) GDPR). Please contact Brainloop at the contact details set out in section 2 to learn more about the recipients of your personal data and the Third Countries in which your personal data are being processed, and, as applicable, to receive a copy of the measures taken.

Diligent Corporation further participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Diligent Corporation is committed to subjecting all personal data received from European Union (EU) Member States, the United Kingdom (UK) and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework and to view Diligent Corporation's certification, visit the US Department of Commerce’s Privacy Shield List: https://www.privacyshield.gov/list.

7. How will my personal data be protected?

We implement comprehensive technical and organizational measures to ensure a level of security appropriate to the risk to the personal data we process. These measures are aimed at fully ensuring the ongoing integrity and confidentiality of personal data. We evaluate these measures on a regular basis to ensure the security of the processing permanently.

8. How long will my personal data be stored?

Except as expressly indicated otherwise in this Privacy Notice, your personal data will be stored by us only for as long as necessary for the respective purpose for which we collect and process your personal data.

The below data categories will be stored as follows:

Data in connection with website usage:

  • Data about website access (log files): The data about website access collected in the context of your use of our Website (see section 4.1(a) above) will be completely deleted or anonymized by shortening your IP-address at the latest after seven days, except in case a longer storage is necessary to achieve the purposes to be fulfilled with the data and the storage can be justified based on your consent or another legal basis.
  • Contact data, communications, downloads, free trials: Your personal data disclosed to use in the context of a contact, such as an enquiry, the request for information, or the registration for a free trial (see section 4.1(b) above) will be stored by Brainloop only for as long as necessary for the complete processing and handling of your request. We may further store your personal data to the extent necessary for managing the customer relationship with you as customer, supplier or business partner (see section 4.3 above) or as an individual interested in our products and services (see section 4.2 above) (for the respective storage period see also below in this section 8).
  • Usage data (cookies): To the extent we use cookies to collect usage data that allows us to attribute the information to your person, we will only store such data for as long as necessary to provide the relevant functionalities and services or to achieve the purposes to be fulfilled with the relevant cookies. Please see our Brainloop Cookie Policy for information on the storage period of the cookies used by us.

Data relating to prospects and other individuals interested in our products and services:

We will keep your personal data for the duration of our business relationship with you or your company with regard to the marketing purposes set out in section 4.2 above. Once your data is no longer required for these purposes, or you withdraw your consent to the use of your data for marketing purposes or you object to the processing of your data for marketing purposes, we will delete your data, unless your data is required also for other purposes set out in this Privacy Notice or the further storage is necessary for one or more of the following purposes:

    • Comply with data retention requirements under the law;
    • Defend or bring any existing or potential legal claims; and
    • Deal with any complaints regarding our products and services.

We will delete your personal data entirely from our systems when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely, we will put in place appropriate measures to prevent any further processing or use of the data.

Customer, supplier and business partner data:

We will keep your personal data for as long as we have a relationship with you. Once our relationship with you has come to an end, we will delete your data, unless it is required for one or more of the following purposes:

    • Maintain business records for analysis and/or audit purposes;
    • Comply with data retention requirements under the law;
    • Defend or bring any existing or potential legal claims;
    • Deal with any complaints regarding our products and services; and
    • Enforce our commercial agreements.

We will delete your personal data entirely from our systems when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely, we will put in place appropriate measures to prevent any further processing or use of the data.

Applicant data:

Applicant data are stored as long as necessary for the decision regarding your application. If no employment relationship is established between us, your application data are deleted four months after the negative decision is announced, if a longer period of storage is not required to avoid litigation.

Your data will be deleted in accordance with our deletion routines once the corresponding storage periods set out above have expired, except in case we are under statutory data retention obligations (in particular according to commercial and tax law requirements) or a longer storage is necessary in the individual case for purposes of our legitimate interests (interests in ensuring compliance with legal obligations and/or in the establishment, exercise or defense of legal claims).

9. Which rights do I have?

To the extent you are affected by the data processing carried out by Brainloop you have – in accordance and as provided for by applicable laws – the following rights. You may exercise your below rights at any time by contacting Brainloop or its data protection officer at the contact details set out in section 2 above.

Subject to applicable law, you may freely exercise these rights without fear of being denied goods or services. If you are a California resident, we may, however, provide a different level of service or charge a different rate reasonably relating to the value of your personal data.

9.1 Right of access

You have the right to obtain information from Brainloop free of charge at any time regarding the personal data stored about you, and a copy of such information. You also have a right to information about the following:

  • The purpose of the data processing;
  • The categories of personal data collected, disclosed and otherwise processed;
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • Where possible, the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
  • The existence of a right to request from Brainloop rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
  • The existence of a right to lodge a complaint with a supervisory authority;
  • Where the personal data are not collected from you: any available information as to their source;
  • The existence of automated decision-making process, including profiling, referred to Art. 22(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

In addition, you have the right to know whether your personal data were transferred to a third country or to an international organization. If this is the case, you also have the right to be informed of the appropriate safeguards relating to the transfer.

9.2 Right to rectification

You have the right to obtain from Brainloop without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

9.3 Right to erasure ("right to be forgotten")

You have the right to obtain from Brainloop the erasure of your personal data without undue delay, where one of the following grounds applies:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • You withdraw consent on which the processing is based according to Art. 6(1) lit. a) GDPR or Art. 9(2) lit. a) GDPR and there is no other legal ground for the processing;
  • You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
  • The personal data have been unlawfully processed;
  • The personal data have to be erased for compliance with a statutory obligation to which Brainloop is subject;
  • The personal data have been collected in relation to the offer of “information society services” referred to Art. 8(1) GDPR.

Where Brainloop has made the personal data public and where Brainloop is obliged to erase them as the controller according to Art. 17(1) GDPR, Brainloop will take reasonable steps taking account of the available technology and the costs of implementation to inform other responsible parties processing the published personal data that you have requested that they delete all links to the data and copies of the data.

9.4 Right to restriction of processing

You have the right to obtain from Brainloop restriction of the data processing where one of the following applies:

  • The accuracy of the personal data is contested by you disputed for a period enabling Brainloop to verify the accuracy of the personal data;
  • The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • Brainloop no longer needs the personal data for the purposes of the processing, but you are require them for the establishment, exercise or defence of legal claims;
  • You have objected to the data processing pursuant to Art. 21(1) GDPR, and the verification whether the legitimate grounds of Brainloop override those of you is pending. 

9.5 Right to data portability

You have the right to receive the personal data concerning you, which you have provided Brainloop outside of the Brainloop Secure Dataroom Services in a structured, commonly used and machine-readable format and the right to transmit the personal data to another controller without hindrance from Brainloop, where the processing is based on consent pursuant to Art. 6(1) lit. a) GDPR or Art. 9(2) lit. a) GDPR, or on a contract pursuant to Art. 6(1) lit. b) GDPR, and where the processing is carried out by automated means.

When exercising your right to data portability according to Art. 20(1) GDPR, you have the further right to have the personal data transmitted directly from controller to another, where this is technically feasible.

The above rights do not apply to processing necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or where the right adversely affects the rights and freedoms of others.

9.6 Right not to be subject to automated decision making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on you or which similarly significantly affects you. Brainloop does not carry out automated decision making.

9.7 Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data taking place based on Art. 6(1) lit. e) or f) GDPR. This also applies to profiling based on these provisions.

Brainloop no longer processes personal data in the case of an objection unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing. If you object to Brainloop to the data being processed for direct marketing purposes, Brainloop will no longer process your personal data for these purposes.

9.8 Right to withdraw your data protection consent

You have the right to withdraw your consent to the processing of personal data at any time. The withdrawal of your consent does not affect the lawfulness of the processing of your personal data until withdrawal.

9.9 Right to complain to a supervisory authority

Without prejudice to any other judicial remedy, you have the right to lodge a complaint with a supervisory authority responsible for data protection if you consider that the processing of your personal data infringes the GDPR. The competent supervisory authorities are in particular those of the Member State of your habitual residence, your place of work, or the place of alleged infringement.