Personal Data Protection Policy
Last updated: 25 March 2026
1. Who is the data controller?
Brain Security SAS, registered with the Paris Trade and Companies Register (RCS) under number 918 391 905, with its registered office at 229 rue Saint-Honore, 75001 Paris, France (hereinafter “Brain”), is the data controller for the processing of personal data carried out through the website startbrain.ai and the Brain platform.
When the platform is used by employees of a client organisation, Brain acts as a data processor (within the meaning of the GDPR). The client organisation is then the data controller.
For any questions: contact@startbrain.ai
2. What personal data do we process?
Data collected via the startbrain.ai website
| Data | Source | Purpose |
|---|---|---|
| Professional email address | Demo request form | Sending demo access and sales follow-up |
| Company name | Demo request form | Demo personalisation |
| Industry sector | Demo request form | Content personalisation |
| Company size | Demo request form | Sales qualification |
| IP address, browser, pages visited | Website browsing | Audience measurement, website improvement |
| Cookie preferences | Consent banner | Respecting your choices |
Data collected via the demo area
| Data | Source | Purpose |
|---|---|---|
| Access code and password | Automatically generated | Demo access authentication |
| Completed exercises, scores | Demo usage | Demonstrating platform functionality |
| Customisations (sector, theme, free text) | Prospect’s choices | Content adaptation |
| Navigation events (logins, clicks) | Demo usage | Sales tracking (internal notifications) |
Data collected via the platform (employees of client organisations)
| Data | Source | Purpose |
|---|---|---|
| Surname, first name, professional email | Provided by the client organisation | Account creation and management |
| Role, department, group | Provided by the client organisation | Course assignment |
| Completed exercises, scores, time spent | Platform usage | Progress tracking |
| Login data | Platform usage | Security and logging |
3. Why is your data processed?
| Purpose | Legal basis |
|---|---|
| Sending personalised demo access | Consent (form) |
| Internal notification during demo usage | Legitimate interest (sales follow-up) |
| Sending email with login credentials | Performance of request (consent) |
| Generating personalised content via AI (Gemini) | Legitimate interest (product demonstration) |
| Creating and managing user accounts | Performance of contract |
| Delivering exercises and calculating scores | Performance of contract |
| Reporting and statistics for the client organisation | Legitimate interest |
| Website audience measurement (Google Analytics, Clarity) | Consent (cookies) |
| Page visit tracking (HubSpot) | Consent (cookies) |
| Platform improvement | Legitimate interest |
| Compliance with legal obligations | Legal obligation |
4. Who may access your data?
Your personal data may be accessed by:
- Authorised employees of Brain Security
- Your employer (platform administrator): aggregated progress data and scores by group
- Our technical subprocessors:
| Subprocessor | Service | Data location |
|---|---|---|
| Google Cloud (Cloud Run, Firestore) | Hosting and database | Europe (Belgium) |
| Google (Gemini API) | AI content generation | EU / United States* |
| SendGrid (Twilio) | Transactional email sending | United States* |
| Slack (Salesforce) | Internal notifications | United States* |
| Google Analytics | Audience measurement | United States* |
| Microsoft Clarity | UX analysis | United States* |
| HubSpot | CRM and sales tracking | United States* |
* Transfers are governed by the European Commission’s Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
Brain does not sell your personal data to third parties. Brain does not share your browsing data with third parties for advertising purposes.
5. How is your data protected?
Brain implements the following technical and organisational measures:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Authentication via hashed passwords (bcrypt) and signed session tokens (JWT)
- Hosting in Europe on Google Cloud Run (region europe-west1)
- Strict access control and logging
- Server-side input validation (injection protection)
- Rate limiting per email (anti-abuse)
- Honeypot field for anti-spam protection
6. How long is your data retained?
| Data type | Retention period |
|---|---|
| Demo request data (email, company) | 3 years |
| Demo access data (code, password, exercises) | Validity period of the demo (14 days by default) + 3 months |
| Account and progress data (platform) | Duration of contract + 1 year |
| Billing data | 10 years (accounting obligation) |
| Cookies and trackers | 13 months maximum |
| Anonymised statistics | Unlimited |
7. What are your rights?
In accordance with the GDPR, you have the following rights:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to restriction: restrict processing
- Right to data portability: receive your data in a structured format
- Right to object: object to processing based on legitimate interest
- Right to withdraw consent: withdraw your consent at any time
To exercise your rights: contact@startbrain.ai
Response time: 1 month. You may lodge a complaint with the relevant data protection authority.
8. Cookies and trackers
For information on cookies and trackers used on startbrain.ai, please see our Cookie Policy.
9. Artificial intelligence
Brain uses the Gemini API (Google) to generate personalised content within demo spaces. The data sent to the API is limited to the sector, theme and free text entered by the prospect. No personally identifiable data is sent to the generation API.
10. Links to third-party websites
The website may contain links to third-party websites (HubSpot for appointment booking). Brain is not responsible for the privacy practices of these websites.
11. Changes to this policy
Brain may update this policy. In the event of a substantial change, you will be informed by email or via the platform. The date of the last update appears at the top of this page.
12. Contact us
Brain Security SAS
229 rue Saint-Honore, 75001 Paris, France
Email: contact@startbrain.ai
SIREN: 918 391 905