Brainframe's privacy policy
1. Introduction
Your privacy is important to us. It is Brainframe Technologies' policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you. This includes across our https://brainframe.com website, as well as any subdomain, media form, media channel, mobile website, or mobile application related, linked, or otherwise connected thereto.
Personal information is any information about you that can be used to identify you. This includes:
- Information about you as a person (such as name, address, and date of birth).
- Your devices.
- Payment details.
- Information about how you use a website or online service.
If our site contains links to third-party websites and services, please note that those sites and services have their own privacy policies. After following a link to any third-party content, you should review their privacy policies for details on how they collect and use personal information. This Privacy Policy does not apply to any of your activities after you leave our site.
📅 Current version: 15 February 2025
- Improved description of GDPR rights
- Alignment on legal basis with more detailed processing activities
- Addition of Third Parties specific to purchases of their products (PECB, EC-COUNCIL and AIKIDO)
- Addition of Third Party specific for SOC, Threat intelligence and business continuity (F3C Systems Luxembourg)
- Clarifications on data retention periods
- Clarification on our actions for data breach notifications
📅 Update: 1 July 2021
- Addition of subcontractor details
📅 Original: 1 July 2020 - First version
2. Information We Collect & Processing Activities
We collect personal information when you interact with our website and services. The information collected may be voluntarily provided or automatically collected.
2.1 Collection and Use of Information
We may collect personal data when you:
- Register for an account on our platform.
- Store documents with personal data on our platform.
- Sign up to receive updates via email or social media.
- Use a mobile device or web browser to access our content.
- Contact us via email, social media, or other communication channels.
- Mention us on social media or interact with our content.
2.2 Purpose of Processing
We collect, store, use, and disclose personal information for the following purposes. Personal information will not be further processed in a manner incompatible with these purposes:
- To provide our platform's core services and features.
- To allow customization and personalization of the user experience.
- To deliver products and/or services to users.
- To contact and communicate with users.
- To enable access and use of our website, associated applications, and social media platforms.
- For internal record keeping and administrative purposes.
- To comply with legal obligations and resolve disputes.
- For security and fraud prevention, ensuring that our services are safe, secure, and used in accordance with our terms.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
2.3 Processing Activity Overview
| Processing Activity | Data Collected | Purpose of Processing | Legal Basis (GDPR) | Retention Period |
|---|---|---|---|---|
| Website Visit | IP addresses, connection times, electronic signature | Ensure security and performance | Legitimate interest (Art. 6(1)(f)) | Full IP address stored for max 7 days |
| Cookie Storage | Essential cookies | Ensure website functionality | Legitimate interest (Art. 6(1)(f)) | Duration of session, or until explicit logout |
| Customer Support | Name, email, contact details | Provide support via email or chat | Contractual necessity (Art. 6(1)(b)) | Duration of contract |
| Online Payments | Name, payment details | Process payments and prevent fraud | Contractual necessity (Art. 6(1)(b)) | Max 10 years |
| Account & User Data | Name, email, phone | Manage user access and permissions | Contractual necessity (Art. 6(1)(b)) | Duration of contract |
| Marketing & Communication | Name, email, marketing preferences | Send newsletters, promotional content, and service updates | Consent (Art. 6(1)(a)) | Until withdrawal of consent |
| Fraud Prevention & Security | IP addresses, device identifiers, authentication data | Protect against fraud and ensure service security | Legitimate interest (Art. 6(1)(f)) | As necessary for security purposes |
| User-Generated Content | Text, images, videos | Publish content submitted by users | Consent (Art. 6(1)(a)) | Until user requests removal or deletes account |
| Partner Product Purchases | Name, contact details, purchase details | Process purchases of partner products and services (e.g., PECB, EC-COUNCIL, Aikido, F3C Systems Luxembourg) | Contractual necessity (Art. 6(1)(b)) | Duration of contract |
Personal data is stored and processed within the EU. For specific third-party services such as Stripe and PayPal, personal data may be transferred outside the EEA with appropriate safeguards, including Standard Contractual Clauses (SCCs), as per GDPR requirements.
3. Disclosure of Personal Information to Third Parties
We may process personal information via the following, and only in line with the purpose for which the data was initially collected:
- A parent, subsidiary, or affiliate of our company.
- Third-party service providers for enabling services, including:
- IT service providers, cloud storage, and server hosting.
- Analytics, error logging, and security monitoring.
- Payment processors, professional advisors, and marketing services.
- Our employees, contractors, and/or related entities.
- Our agents or business partners. such as F3C Systems Luxembourg (Threat intelligence, business continuity and SOC services)
- Regulatory authorities, courts, and law enforcement where required by law.
- Third parties for training and certification services, such as PECB and EC-Council (for course materials, where their privacy policies apply).
- Security providers such as Aikido (for automated security scanning and vulnerability management).
- An entity that buys or to which we transfer all or substantially all of our assets and business.
Third Parties We Currently Use
At no point will we share any of your data (e.g. workspace data) with Third Parties. The following Third parties are only used for the purpose to deliver the best quality and security of our services/purchases.
- Google Analytics (Website analytics & usage tracking, not enabled on Brainframe GRC).
- Amazon Web Services (AWS) (Cloud services hosted in Europe EU-central-1 with BCP in EU-west-1).
- Cloudflare (CDN, DDoS protection, and website security).
- Odoo (ERP system for business process management).
- Stripe & PayPal (Online payments).
- Datadog (Service performance and error tracking).
- PECB (When you purchase PECB course material)
- EC-COUNCIL (When you purchase EC-COUNCIL course material)
- Aikido (When you purchase a Brainframe defend subscription)
- F3C Systems Luxembourg (Business continuity, Threat intelligence, delivery of Brainframe SOC service)
We ensure all data transfers to third parties are secured through Data Processing Agreements (DPAs) in compliance with GDPR and applicable data protection laws.
4. Data Retention
We only retain personal data as long as necessary for its purpose:
- Account data: Retained for the contract duration.
- Payment records: Retained for up to 10 years for legal compliance.
- Website analytics logs: Stored for no more than 12 months.
- Inactive accounts: Deleted or anonymized after 3 years of inactivity.
📌 Once the retention period expires, data is securely deleted or anonymized unless required for legal obligations.
5. Security of Your Personal Information
We implement industry best-practice security measures to protect personal data against unauthorized access, loss, and misuse in line with ISO27001:
Our Security Page details how we protect your data, including encryption for data in transit (TLS 1.2+) and data at rest (AES-256) to prevent unauthorized access.
However, while we take appropriate precautions, no online service can guarantee absolute security. Users are responsible for choosing strong passwords and keeping login credentials confidential.
6. Your Rights Under GDPR
We respect your rights under GDPR (Articles 12-22) and apply similar principles globally where applicable.
| Your Right | Description |
|---|---|
| Right to Access | Request a copy of your personal data (Art. 15 GDPR). |
| Right to Rectification | Request corrections to inaccurate data (Art. 16 GDPR). |
| Right to Erasure | Request deletion of your personal data ("Right to be Forgotten") (Art. 17 GDPR). |
| Right to Restriction | Request to limit processing under certain conditions (Art. 18 GDPR). |
| Right to Data Portability | Receive your data in a structured format (Art. 20 GDPR). |
| Right to Object | Object to processing based on legitimate interest (Art. 21 GDPR). |
| Right to Lodge a Complaint | File a complaint with CNPD Luxembourg or other local authorities. |
Although GDPR is the primary legal framework, we also extend similar privacy rights to all users regardless of jurisdiction, in line with best practices for international data protection. Upon user request for account deletion, data will be permanently removed within 30 days. Secure backups may be retained for up to 90 days for disaster recovery purposes, after which they are securely deleted.
📩 Users may withdraw marketing consent at any time by clicking ‘unsubscribe’ in our emails
📩 At any time, you can execute your rights (including withdrawal of consent) by contacting our support team at [email protected].
7. Data Breach Notification
In the event of a data breach affecting personal data, we will:
- Notify CNPD Luxembourg within 72 hours, if required under GDPR.
- Inform affected users where there is a high risk to their rights.
- Take immediate remedial actions to mitigate impact.
8. Contacting Us
📧 Davy Cox (Data Protection Officer - DPO)
📩 [email protected]
📍 Brainframe Technologies, Luxembourg