Privacy Policy – Total Brain

Privacy Policy

Effective September 12, 2018

Welcome to Total Brain!

We know your privacy is important to you, and we value the trust you put in us to help improve your brain performance! To provide our services, we ask for important personal data, including information about you and your health. Please review this Privacy Policy (the “Policy”) to understand how we collect, use, and share your personal data, as well as your choices and rights with respect to this information.

Who We Are

This is the Policy of Brain Resource, Inc. d/b/a Total Brain (“Total Brain,” “us,” “our,” or “we”), a California corporation. You can contact us here.

Applicability

This Policy applies to our “Services”, which include:

  • our brain performance and mental health analysis software and mobile application (the “Mobile App(s)” and together with other software we may offer, the “Platform”);
  • our client reporting services (the “Reporting Services”); and
  • our corporate website at totalbrain.com, and other websites that link to/post this Policy (including any subdomains or mobile versions, the “Site(s)”).

Agreement

This Policy is incorporated into the Terms of Use governing your use of any of our Platform. Any capitalized terms not defined in this Policy will have the definitions provided in our Terms of Use.

Following notice to you or your acknowledgement of this Policy (including any updates), your continued use of any of our Services indicates your consent to the practices described in this Policy.

Third Parties

Our Services may be provided to organizations that have entered into an agreement with us (our “Clients”). When our Services are provided as part of a Client agreement, we may share certain information with our Client about that Client’s users of our Services (“Client Users”) as part of our Reporting Services. This Policy reflects only how we process Personal Data through our Services. This Policy does not apply to Clients’ uses of data.

This Policy also does not apply to information processed by other third parties, for example, when you visit a third-party website or interact with third-party services, unless and until we receive your information from those parties. Please review any third parties’ privacy policies before disclosing information to them.

Collection and Use of Personal Data

Personal Data We Collect

We may collect and process information that relates to identified or identifiable individuals (“Personal Data”), including certain Personal Data that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health information, or information relating to sex life or sexual orientation (“Special Category Data”). We collect and process the following categories of Personal Data (note, specific Personal Data elements listed in each category are only examples and may change):

Identity Data:

Personal Data about you and your identity, such as your name, username, birth year, gender, and other Personal Data you may provide on registration or purchase forms or as part of an account profile, or otherwise when you use our Services (e.g. biographical information).

Contact Data:

Personal Data used to contact an individual, e.g. email address, physical address, or phone number.

Device Data:

Personal Data relating to your device, browser, or application e.g. IP addresses, MAC addresses, application ID/AdID/IDFA, identifiers from cookies, session navigation history and similar browsing metadata, and other data generated through applications and browsers, including via cookies and similar technologies.

Location Data:

Personal Data relating to your geographic location, such as information collected from your device’s GPS, or location information you voluntarily provide to us.

Financial Data:

Personal Data relating to financial accounts or services, e.g. a credit card or other financial account number, and other relevant information you provide in connection with a financial transaction.

Brain Performance Data:

Personal Data relating to an individual’s brain performance (such as memory, cognition, attention, or similar characteristics) that is provided by or collected from a user of the Services, or derived from such data.

Mental Health Data:

Personal Data, including Brain Performance Data, to the extent that data relates specifically to mental health, such as risk factors for or assessments of certain mental health conditions, or other similar matters relating to mental health (this may be classified under applicable law as Special Category Data).

Physical Data:

Personal Data relating to physical characteristics, such as your height and weight, and dominant hand (this may be classified under applicable law as Special Category Data).

Processing of Personal Data

Account Registration

Data:

Users and Clients may register and create an account on our Services. When you register, we process certain Personal Data, which typically includes Identity Data, Device Data, Contact Data, and if you choose to provide it, Location Data. Additionally, if you make a purchase or initiate or renew a paid subscription through our Services, we may process Identity Data, Financial Data, and certain Contact Data. Note, third parties typically process these transactions on our behalf.

Uses:

We use Identity Data and Contact Data as necessary to create, maintain, and provide you with important information about your account. Additionally, we use the Transaction Data, Identity Data and Contact Data as necessary to complete and provide you with important information regarding your transaction. Financial Data is used only as necessary to process transactions that you request. Subject to Your Rights and Choices, and consistent with our legitimate business interests, we may process Identity Data, Location Data and Contact Data in connection with Marketing Communications, and for other lawful purposes described below. We may also use Location Data in developing geographic clustering of brain profiles, and in personalization or recommendation of activities within the Platform.

Brain Performance Platform

Data:

If you use our Platform, we process Personal Data such as Identity Data, Device Data, Brain Performance Data, Location Data, Physical Data and Mental Health Data.

Uses:

We generally process the Personal Data provided through the Platform as necessary in connection with our provision of the Platform and services you request, including to create Brain Performance Data and Mental Health Data, provided however, that we process Mental Health Data, Location Data and Physical Data only in accordance with your consent if required by applicable law. If you are a Client User, we may also process this Personal Data in connection with Client Reporting.

Subject to Your Rights and Choices, and consistent with our legitimate business interests, we may process Identity Data, aggregate Location Data (if you have consented to provide this to us) and Brain Performance Data in connection with Research and Public Health, Aggregate Analytics, and Internal Processes and Service Improvement, and for other lawful purposes described below.

Note:

We may process Identity Data, Brain Performance Data, Location Data, Physical Data and Mental Health Data using Automated Processing. This processing helps us improve the accuracy and quality of our brain performance recommendations, program personalization, and assessment of risk factors.

Marketing Communications

Data:

We may process Identity Data, Location Data, Device Data and Contact Data in connection with email marketing communications if you register for a Client account or choose to enroll to receive marketing communications from our Site, or when you open or interact with our marketing communications.

Uses:

We use Identity Data and Contact Data as necessary to provide marketing communications (the “Marketing Communications”), and Location Data in order to tailor certain communications to individuals in various geographic regions. Additionally, we may process Device Data consistent with our legitimate business interests in understanding whether users open our emails or other aspects of engagement with our Marketing Communications. See Your Rights and Choices for information about how you can limit or opt out of Marketing Communications, or other aspects of this processing.

Surveys and Questionnaires

Data:

We may process Identity Data, and certain Contact Data if you choose to complete a customer survey, questionnaire, or similar form. Note, some surveys are operated/controlled by us, and others are operated/controlled by our third party partners. We may receive this data from third parties to the extent allowed by the applicable partner.

Uses:

Subject to Your Rights and Choices, and consistent with our legitimate business interests, we may also use this Identity Data and Contact Data to improve our services, in connection with Marketing Communication, and for other lawful purposes described below.

Promotions and Offers

Data:

We may process Identity Data and certain Contact Data if you choose to register for special promotions and offers such as sweepstakes or contests. Note, some special promotions and offers are operated/controlled by us, and others are operated/controlled by third parties. We may receive this data from third parties to the extent allowed by the applicable partner; otherwise, this Privacy Policy will not apply.

Uses:

Subject to Your Rights and Choices, and consistent with our legitimate business interests, we may also use this Identity Data and Contact Data to improve our services, in connection with Marketing Communication, and for other lawful purposes described below.

Note:

If you win a promotion, your acceptance of a prize may allow us to make certain Personal Data public, e.g. posting your name on a winner’s page. See the applicable program’s terms and conditions for details.

Cookies and Similar Tracking Technologies

Data:

We, and certain third parties, may process Identity Data, Contact Data, Location Data, and Device Data when you interact with cookies and similar technologies on our Sites. We may receive this data from third parties to the extent allowed by the applicable partner. Please note that the privacy policies of third parties may apply to these technologies and information collected.

Uses:

Subject to Your Rights and Choices, we use this information as follows:

  • (i) for “essential” or “functional” purposes, such as to enable various features of the Sites such as updating risk alerts, or staying logged in during your session;
  • (ii) for “analytics” and “personalization” purposes, consistent with our legitimate interests in how the Sites are used or perform, how Users engage with and navigate through the Sites, what sites Users visit before visiting our Sites, how often they visit our Sites, and other similar information, as well as to greet users by name and modify the appearance of the service to usage history, tailor the Sites based on geographic location, and understand characteristics of users in certain locations; and
  • (iii) for “retargeting” or similar advertising purposes, so that you can see advertisements from us on other websites. These technologies and the data they collect, which may also include, may be used by advertisers to deliver ads that are more relevant to you based on content you have viewed, including content on our Sites. These tracking technologies may also help prevent you from seeing the same advertisements too many times, and help us understand whether you have interacted with or viewed ads we’ve delivered to you. This collection and ad targeting takes place both on our Sites and on third-party websites that participate in the ad network, e.g. any advertisements delivered by that ad network on a third party website.

Note:

Some of these technologies can be used by us and/or our third-party partners to identify you across platforms, devices, sites, and services.

Specific Processes

Automated Processing

We may use software and other automation tools integrated into our Platform in order to help us improve the accuracy and quality of our brain performance recommendations, for program personalization, and to further validate our assessment of mental health risk factors. For example, we may use data analytics and algorithms to assess Users’ performance in games that test various cognitive abilities and compare that information to prior outcomes and sequences of actions that have resulted in increased brain performance. We analyze this information to create a personalized course of action for the User that is customized to a User’s specific performance history, cognitive predispositions, and goals. When we process Personal Data using automated means, we do so subject to your consent where required by law, and at all times subject to Your Rights & Choices.

Aggregate Analytics

We will collect and aggregate your Personal Data and information about your use of the Services in order to identify certain trends in how our Services are used, including without limitation, cognitive trends, user brain performance outcomes, geographic trends, etc. relating to our Platform (“Aggregated Data”). Aggregated Data will not contain information from which you may be personally identified. For example, we may process Brain Performance Data to determine aggregate trends in brain performance and the response to various activities, games, and other aspects of our Platform. We may use this information in order to create automated analytics that help us better identify patterns and trends, and recommend more effective and personalized solutions. We may share Aggregated Data with third parties, including for Research and Public Health purposes, or with Clients as part of Client Reporting, to give them a better understanding of our business and improve the marketability or performance of our Services. When we process Personal Data for this purpose, we do so subject to your consent where required by law, and at all times subject to Your Rights & Choices.

Client Reporting

We process Client Users’ Identity Data, Brain Performance Data, and Mental Health Data in order to create aggregate, anonymized reports of mental health risks facing Clients and the Client Users that are part of their organization. These Client Reports consist of only Aggregated Data representing a summary of the productivity, mental health risks, and the mental/personality characteristics of Client Users in Client’s organization.

Internal Processes and Service Improvement

Subject to Your Rights and Choices, we may use any Personal Data we process through our Services as necessary in connection with our legitimate interests in improving the design of our Services, to create a personalized user experience (such as greeting you by name, or associating Clients and Users), and for ensuring the security and stability of the Platform. For example, we may use Personal Data to understand what parts of our Services are most relevant to users, how users interact with various aspects of our Platform, how our Services perform or fail to perform, etc., or we may analyze use of the Services to determine if there are specific activities that indicate an information security risk to the Services or our Clients and Users.

Research and Public Health

We may also process and disclose your Personal Data for uses related to medical research, public health, and for other research and public health/safety grounds, to the extent and under the conditions allowed by applicable law.

Miscellaneous Processing

If we process Personal Data in connection with our Services in a way not described in this Policy, this Policy will still apply generally (e.g. with respect to Your Rights and Choices) unless otherwise stated when you provide it.

Note that we may, without your consent, also process your Personal Data on certain public interest grounds. For example, we may process Personal Data as necessary to fulfill our legal obligations, to protect the vital interests of any individuals, or otherwise in the public interest. Please see the Data Sharing section for more information about how we disclose Personal Data in extraordinary circumstances.

Data Sharing

Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer data to the following categories of recipients:

Clients

We process data on behalf of Clients, and may share with Clients the Client Reports with aggregate data derived from your Personal Data, and that reflect brain performance characteristics of Client Users related to a given Client. We may also disclose to Clients that a specific named individual has taken an assessment, and the time the person has spent performing activities within the Platform; however, we will not disclose the results of an assessment or any other Personal Data to the Client.

Service Providers

In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other legitimate business interests, we may share any Personal Data with service providers or subprocessors who provide certain services or process data on our behalf.

Affiliates

In order to streamline certain business operations and develop products and services that better meet the interests and needs of our customers, and inform our customers about relevant products and services, we may share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies.

Marketers

In order to deliver certain advertisements, and develop better products and services, we may share with trusted third parties for marketing, advertising, or similar commercial purposes the Personal Data described in the Cookies and Similar Technology section, and any information that we may use for Marketing Communications.

Corporate Events

Any Personal Data may be processed in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.

Legal Disclosures

In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime (including in connection with law enforcement or national security investigations), to investigate violations of our Terms of Use, or when in the vital interests of us or any person. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

Other Disclosures

We may disclose any Personal Data in accordance with your consent, or on certain public interest grounds. For example, we may process information as necessary to fulfil our legal obligations, to protect the vital interests of any individuals, for public health and other matters in the public interest. In addition, we may disclose Personal Data to medical providers or healthcare organizations, either with your consent, or where allowed by applicable law.

Your Rights & Choices

Your Rights

Subject to the rights granted to other individuals, and our rights to limit or deny access/disclosure under applicable law, you have the following rights in your Personal Data. We may require that you provide additional Personal Data to exercise these rights, e.g. information necessary to prove your identity. Note: We do not share Personal Data with Clients other than the fact that a specific individual has taken an assessment and how much activity the individual has engaged in within the Platform (but not the results of any assessments or other Personal Data). Accordingly, we are unable to directly fulfill rights requests regarding Personal Data controlled by Clients. Please contact the Client directly for data rights requests regarding Client-controlled information, and we will assist the Client to the extent necessary in the fulfillment of your request. You may exercise your rights by contacting us at the address set forth below in the Contact Us section.

Access:

You may receive a list of your Personal Data that we process to the extent required and permitted by law.

Rectification:

You may correct any Personal Data that we hold about you to the extent required and permitted by law. You may be able to make changes to much of the information you provided directly via the Services via your account settings menu.

Erasure:

To the extent required by applicable law, you may request that we delete your Personal Data from our systems.

Data Export:

To the extent required by applicable law, we will send you a copy of your Personal Data in a common portable format of our choice.

Regulator Contact:

You have the right to contact or file a complaint with regulators or supervisory authorities about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.

California Rights:

Residents of California (and others to the extent required by applicable law) may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year.

Your Choices

You have the following choices regarding the Personal Data we process:

Consent:

If you consent to processing, you may withdraw your consent at any time, to the extent required by law. You may be required to close your account in order to withdraw consent where your consent is necessary to perform essential aspects of the service.

Direct Marketing:

You have the choice to opt out of or withdraw your consent to direct marketing communications. You may have a legal right not to receive such messages in certain circumstances, in which case, you will only receive direct marketing communications if you consent. You may exercise your choice via the links in our communications or by contacting us re: direct marketing.

Cookies & Similar Tech:

If you do not want information collected through the use of cookies, you can manage/deny cookies (and certain technologies) using your browser’s settings menu. You must opt out of third party services directly via the third party. For example, to opt out of Google’s analytic and marketing services, visit Google Analytics Terms of Use, the Google Policy, or Google Analytics Opt-out. To learn more about how to opt out of Google’s use of cookies for advertising or retargeting, visit Google’s Ads Settings, here. Please note, at this time, our Site does not respond to your browser’s do-not-track request.

Automated Processing:

To the extent we process Mental Health Data, Physical Data, Biometric Data or other Personal Data relating to health conditions by automated means, you may opt out of, or revoke your consent to, this processing or elect to have an individual review any of the results of processing.

Research and Public Health:

You may request that Total Brain not use data gathered through your use of the Services for these purposes and Total Brain will promptly comply with any such request.

Other Processing:

You may have the right under applicable law to object to our processing of your Personal Data for certain purposes, including without limitation, situations where we process in accordance with our legitimate interests. You may do so by contacting us re: data rights requests. Note that we may not be required to cease processing based solely on an objection.

Security

We implement and maintain reasonable security measures to safeguard the Personal Data you provide us. However, we sometimes share Personal Data with third parties as noted above, and we do not have control over third parties’ security processes. Please note, we do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure.

Data Retention

We retain information for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. We will review retention periods periodically, and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate.

International Transfers

We operate in and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. does not provide the same legal protections guaranteed to Personal Data in the European Union. Accordingly, your Personal Data may be transferred to the U.S. pursuant to the EU-U.S. Privacy Shield Framework, the Standard Contractual Clauses, or other adequacy mechanisms, or pursuant to exemptions provided under EU law. Contact us for more information regarding the mechanisms to ensure adequate protection of data subject to EU Law.

Information for EU Users

Controller

Brain Resource Limited is the data controller for Personal Data collected under this Policy.

Legal bases for processing

The legal bases for our processing of your personal data are described in the table below. If you have questions about the legal basis of how we process your personal data, contact us at legal@totalbrain.com.

Legal Basis

Processing is necessary to perform the contract governing our provision of the Services or to take steps that you request prior to signing up for the Services. This may include processing that is in connection with operations that are necessary to provide the Services themselves.

The following processing activities constitute our legitimate interests. We balance any potential impact on you when we process your personal data for our legitimate interests. You may object to this processing as permitted by law. For example, our legitimate interests include:

  • Direct Marketing
  • Determining the effectiveness of marketing campaigns
  • To create, provide, support, maintain, and improve the functionality and performance of our Services, and operate our business
  • To secure our platform and network, investigate suspicious activity or violations of our terms or policies; and to protect the safety of Personal Data, including to prevent exploitation or other harms to which users may be particularly vulnerable.

Processing is necessary to comply with our legal obligations, for example, tax laws, fraud reporting, etc.

Processing is based on your consent solely to the extent these processes involve the processing of Mental Health Data. Where we rely on your consent you have the right to withdraw it anytime by closing your account.

Note, we may process and disclose personal data where it is in the vital interests of a data subject, to comply with a legal obligation to which we are subject, in the public interest, for public health purposes and medical or scientific research, or other appropriate legal ground which may apply under applicable law.

Rights of EU Users

In addition to the rights set forth above, EU users have the following additional rights:

Right to Object:

Where we process data on the basis of our legitimate interests, you can object to that processing to the extent allowed by law. Note that we must only limit processing where our interests in processing do not override an individual’s interests, rights, and freedoms, or the processing is not for the establishment, exercise, or defense of a legal claim.

Right to Restrict:

You may have the right to restrict processing of your Personal Data where the accuracy of the Personal Data is contested, the processing is unlawful but you object to deleting the Personal Data, or we no longer require the Personal Data, but it is still required for the establishment, exercise, or defense of a legal claim, or while we assess an objection to processing.

Changes to Our Policy

We may change this Policy from time to time. Changes will be posted on this page with the effective date. Please visit this page regularly so that you are aware of our latest updates. Your use of the Services following notice of any changes indicates acceptance of any changes.

Contact Us

Feel free to contact us with questions or concerns using the appropriate address below.

Email:

legal@totalbrain.com

Physical address:

Total Brain

Attn: Legal

268 Bush Street #2633
San Francisco, CA 94104