1. Definitions and who this policy applies to
Throughout this policy, capitalised words have the meanings given here.
"BrainCraft", "we", "us", "our" refers to the operator of the Service. BrainCraft is currently operated, pending incorporation, by Philibert Stéphane Zang Bengono, a sole proprietor based in Belgium, who acts as the data controller for personal data described in this policy. Once a dedicated BrainCraft legal entity is incorporated (jurisdiction to be confirmed at incorporation), that entity will become the data controller from its registration date, on commitments equivalent to those set out in this policy, and you will be notified per Section 14.
"Service" means the BrainCraft platform, websites, and any related services.
"User" means anyone who has signed up for a BrainCraft account, on a Free, Educator, Pro or Institution plan.
"Administrator" means a User who manages a Workspace and can invite or administer Team Members.
"Team Member" means a User who has joined a Workspace administered by an Administrator (typically inside a school, company, or organisation).
"Audience" means a person who participates in a session hosted on BrainCraft, usually anonymously, without creating an account.
"Visitor" means anyone who browses our public websites without taking part in a session or signing up.
This policy applies to all of these roles. Where the rights or processing differ by role, we say so explicitly.
2. What data we collect
We only collect data we actually need. Depending on how you interact with us, we may process the following categories.
Contact data: your name, email address, professional or institutional affiliation, billing address, and any other information you provide when creating or modifying your Account or contacting our support team.
Interaction data: how you use the Service. This includes sessions you have created or hosted, slides you have built, response patterns you have collected, dates and times of log-on and log-off, and your interactions with our customer support.
Device data: technical information automatically reported by your browser or device, including IP address, user agent, browser type, operating system, screen resolution, and approximate location derived from your IP address.
Cookie data: information stored by cookies and similar technologies on your device. See our Cookie Policy for full details.
Payment data: when you pay for a paid plan, our payment processors (Stripe for cards, PayPal, and where available bank transfer or mobile money providers) receive and process your payment information directly. BrainCraft does not store card numbers, expiry dates, or CVV codes. We retain a limited transaction history (such as a transaction ID, date, amount, type of card, and last four digits) for accounting and dispute purposes.
Audience data: when you participate in a session as an Audience member, we typically receive only your responses and a temporary device identifier used to prevent abuse. We do not require an account to participate. If a host asks for your name or email, you choose whether to provide it.
Additional data you provide: information you choose to share when participating in a survey, contest, request for support, beta program, or webinar, such as a profile photo or job title.
You (and not BrainCraft) are responsible for any personal data that you upload into your sessions as content (for example, names of students, contents of slides, or images you choose to display). We process that data on your behalf as a processor, in line with our Terms.
3. How we process your data and why
We only process your data for clearly identified purposes and on a defined legal basis. The summary below explains what we do, why, on what legal basis under the GDPR, and how long we keep the data.
Account creation and identity verification. We process Contact data and Device data to set up and secure your Account, on the basis of our contract with you. We retain this data for as long as your Account is active.
Providing the Service. We process Contact, Interaction, and Device data to deliver the features you sign up for: hosting sessions, displaying live results, generating recap pages. Legal basis: contract. Retention: as long as your Account is active.
Customer support. We process Contact, Interaction, and Additional data to respond to your questions over chat and email. Legal basis: contract. Retention: as long as your Account is active, then archived for up to 12 months.
Billing and tax compliance. We process Contact and limited Payment data to issue invoices and process renewals. Legal basis: contract and legal obligation. Retention: as required by tax and accounting law (typically up to 10 years).
Product improvement and analytics. We process Interaction and Device data, in aggregated and pseudonymised form where possible, to understand how the Service is used and improve it. Legal basis: legitimate interest, balanced against your reasonable expectations. Retention: pseudonymised after 24 months, then deleted within an additional 12 months.
Fraud prevention, abuse detection, and security monitoring. We process Contact, Device, Interaction, and Cookie data to detect multi-account abuse, fraudulent payment, attempted intrusions, denial-of-service attempts, and Terms violations. Legal basis: legitimate interest. Retention: security logs are retained for up to 90 days, except where a specific incident is under investigation.
Direct marketing about BrainCraft. We may send you product updates, tips, or invitations to events using Contact data, but only if you have given consent (or in narrow cases of legitimate interest about features closely related to a paid plan you already use). Legal basis: consent or legitimate interest. Retention: until you unsubscribe.
Webinars, contests, surveys, focus groups. If you participate, we process Contact and Additional data for the purpose of running the activity. Legal basis: consent. Retention: up to 24 months from the activity.
Legal compliance and defence of legal claims. We may process any of the above data when we are legally required to (court order, regulator request) or to defend ourselves against claims. Legal basis: legal obligation or legitimate interest. Retention: as required by the relevant proceeding.
4. Sharing data with third parties
We share your personal data only with parties who help us operate BrainCraft, and only to the extent each party needs the data to perform their role.
Sub-processors. We engage trusted third parties who process personal data on our behalf and only on our instructions, under written data-processing agreements that meet GDPR requirements. The categories include: cloud hosting and infrastructure (currently AWS in the European Union), payment processing (Stripe, PayPal, and where applicable bank-transfer or mobile-money providers), transactional email delivery, error monitoring and uptime monitoring, customer support tooling, and privacy-friendly product analytics. We can provide a current list of named sub-processors on request to privacy@braincraft.live.
Third-party integrations you choose. If you connect BrainCraft to a third-party service (for example a Learning Management System, identity provider, or webinar platform), the relevant third party becomes an independent or joint controller for the data exchanged through that integration, and their own privacy policy applies. We do not enable any integration without your action.
Authorities and law enforcement. We may disclose limited personal data to police, courts, tax or financial authorities when we are legally required to, or when we have a good-faith belief that disclosure is necessary to protect rights, property, or safety. We push back on overbroad requests and ask for a legal basis.
Professional advisers. We may share data, under confidentiality, with our lawyers, auditors, accountants, and insurers when reasonably necessary.
Business changes. If BrainCraft is involved in a merger, acquisition, financing transaction, restructuring, or sale of assets, your personal data may be transferred to the acquirer or counterparty under appropriate confidentiality and data-protection commitments equivalent to those in this policy.
We do not sell your personal data, and we do not share it with advertisers for cross-site behavioural advertising.
5. Where your data is stored and international transfers
By default, BrainCraft stores customer data at rest in the European Union (currently the AWS Frankfurt region). Backups remain in the EU. Limited categories of data may be transferred outside the EU/EEA, only when a sub-processor we rely on operates from another region (for example, certain customer-support or developer tooling providers based in the United States). When that happens, the transfer is covered by the European Commission's Standard Contractual Clauses adopted in Decision (EU) 2021/914 of 4 June 2021, supplemented by additional technical measures where appropriate (encryption in transit and at rest, access controls, pseudonymisation), or by an applicable adequacy decision. We do not, in any case, sell or transfer your personal data to a third party for that party's own marketing purposes.
7. How long we keep your data
We retain personal data only for as long as needed for the purpose for which it was collected, or as required by applicable law. Account data is kept while your Account is active. If you close your Account or it stays inactive for an extended period, we delete or anonymise your Account data within 90 days, except where a longer retention is required by law (notably for billing and tax records, where applicable retention can reach up to 10 years). Session content and Audience responses are tied to the session that produced them. They are kept while the session and its host's Account exist; you can delete a session and its responses at any time from your dashboard. Security and audit logs are retained for 90 days, except where an active investigation requires a longer hold. Marketing data (subscriptions to our newsletter or product-update emails) is retained until you unsubscribe, then promptly deleted. Where we receive a request to erase data, we comply within 30 days unless we have a legal obligation that requires us to retain a specific item; in that case we tell you which obligation and for how long.
8. Your rights
You have the rights described in this section. Most can be exercised free of charge, and we will respond within 30 days of your request, or tell you why we need more time (up to a further two months for complex requests).
Right to be informed. You have the right to know how we process your data; this policy is the main vehicle for that.
Right of access. You can request a copy of the personal data we hold about you. We can supply it in a machine-readable format.
Right to rectification. You can correct inaccurate or incomplete data, either directly through your Account settings or by emailing privacy@braincraft.live.
Right to erasure ("right to be forgotten"). You can request that we delete your data. Free Users and single-account Users can also delete their entire Account from the Account settings page. If you are a Team Member, please contact your Workspace Administrator first; we will then assist.
Right to restrict processing. You can ask us to limit what we do with your data, for example while you contest its accuracy.
Right to data portability. Where processing is based on your consent or on a contract, you can ask to receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
Right to object. You can object at any time to processing based on legitimate interest, including for direct marketing. Where you object to direct marketing, we stop without further questions.
Right to withdraw consent. Where processing is based on consent (for example, marketing emails or non-essential cookies), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint. You can lodge a complaint with your national data-protection supervisory authority. Because BrainCraft is registered in Belgium, you may also contact the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) at autoriteprotectiondonnees.be.
Right not to be subject to fully automated decisions. We do not make decisions about you that have legal or similarly significant effects on you using fully automated processing, including profiling.
To exercise any of the rights above, write to privacy@braincraft.live. We may need to verify your identity before acting on your request.
9. Age requirements and minors
BrainCraft is intended for organisations and for individuals aged at least 13. In jurisdictions where the General Data Protection Regulation or national law requires parental consent for the processing of a child's personal data below age 16 (or another threshold defined by national law between 13 and 16), the relevant minimum age applies. When BrainCraft is used in a school or institutional context for participants below the minimum age, we rely on the school or institution to obtain the necessary consent from a parent or legal guardian and to act as the data controller for those participants' contributions during the session. We do not knowingly collect personal data directly from a child below the applicable minimum age. If you are a parent or guardian and you believe your child has provided us with personal data without your consent, contact privacy@braincraft.live and we will delete the data promptly.
10. Security
We work hard to protect your data, and we are honest about what that means. No online service can guarantee perfect security, but we apply industry-standard technical and organisational measures designed to reduce risk to a reasonable level. In transit, all communication with BrainCraft uses TLS 1.2 or higher. At rest, data is encrypted in our cloud infrastructure. Access to production data is limited to authorised employees, governed by least-privilege principles, logged, and reviewed. We perform regular dependency updates, automated vulnerability scanning, and periodic third-party penetration testing of the platform. Live Terminal sessions run in isolated, ephemeral containers that are destroyed after the session ends. We operate an incident-response process. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and we will inform affected Users without undue delay where the risk is high. You also play a role in keeping your account safe. Use a strong, unique password, do not share your credentials, and enable any additional security features we may offer.
11. Payment processing
BrainCraft uses Stripe and PayPal as primary payment processors. Where supported by your country, we also accept bank transfers and mobile-money services through additional regulated providers. These providers are independent controllers for the payment-related data they collect directly from you when you pay (full card number, expiry date, CVV, 3-D Secure verification, transaction risk signals). They process this data under their own privacy policies, which we recommend you review. BrainCraft itself receives only limited payment-related information necessary for invoicing, dispute handling, fraud prevention, and tax compliance. Specifically: a transaction identifier, transaction date, amount, currency, the type of payment instrument used, the last four digits of the card (where applicable), and your billing address. When you pay by invoice, we may collect additional information needed to issue and track the invoice, such as your company name, VAT number, registration number, and contact phone number.
12. Workspace administration and access by your organisation
If you joined BrainCraft via a Workspace administered by an organisation (for example a school, company, or training provider), the Administrator of that Workspace can perform certain actions on your Team Member Account. Depending on your plan, an Administrator can: see your name, email, role, and aggregate usage statistics within the Workspace; invite or remove you from the Workspace; reassign content you created within the Workspace; suspend or delete your Account; and apply organisation-wide settings (such as branding, single sign-on, or session-retention rules). When you sign up using an email address that belongs to an organisation, we may also disclose your email address to that organisation as part of our outreach to potential or existing Customers. If you would prefer to avoid this, register with your own personal email address instead. If an Administrator's request affects your data and conflicts with your individual rights, contact privacy@braincraft.live and we will work through it with both sides.
13. Other situations when your data may be disclosed
Beyond the cases described above, your data may be processed, shared, or disclosed in the following situations.
Aggregated or de-identified data. We may publish or share aggregated statistics about how the Service is used (for example, the average response rate per session). Such data is not personal data once it can no longer be linked back to an individual.
Notifications about this policy and our Terms. If you have subscribed to be notified of changes to our Terms or this Privacy Policy, we will use your email address to communicate those changes.
Enforcement, fraud prevention, and safety. We may disclose data to protect and defend the rights, property, or safety of BrainCraft, our Users, or others; to enforce our Terms; or to investigate suspected fraud or security incidents.
Legal compliance. We may disclose data when required by mandatory applicable law, governmental regulations, or by an order from a court of competent jurisdiction.
14. Changes to this policy
We may update this Privacy Policy from time to time, for example when our service evolves, when we engage new sub-processors, or when applicable law changes. For material changes that affect your rights or how we process your data, we will give you at least 30 days' notice via email or an in-app banner before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision. If you disagree with a change, you can stop using the Service and request the deletion of your Account before the change takes effect.
15. Contact and company information
BrainCraft is currently operated by Philibert Stéphane Zang Bengono, a sole proprietor based in Belgium, pending incorporation of a dedicated legal entity (jurisdiction to be confirmed). The registered name and registration number of that future entity will be displayed here once incorporation is complete; until then, all enquiries reach the same operator and team. For any privacy-related question, request, or complaint, write to privacy@braincraft.live. We aim to acknowledge requests within 5 working days and to provide a substantive response within 30 days. For general questions about BrainCraft, write to hello@braincraft.live. For legal matters that are not privacy-related, write to legal@braincraft.live. If you believe your personal data has been processed in violation of applicable law, you also have the right to lodge a complaint with the Belgian Data Protection Authority (autoriteprotectiondonnees.be) or with the supervisory authority in your country of residence.
Questions about your privacy or this policy? Write to privacy@braincraft.live and we will get back to you within five working days.