PRIVACY POLICY
Version 1.0
Last Updated: January 22, 2026
This Privacy Policy applies to citizens and legal permanent residents of the European Economic Area, Switzerland, and worldwide users of our website and services.
Overview
At Brainarm, protecting the privacy of our website visitors, service users, and those who contact us is our highest priority. This policy explains what personal data we process, for which purposes, on what legal basis, and what rights you have regarding your data, in compliance with the General Data Protection Regulation (EU GDPR), the Swiss Federal Data Protection Act (FADP), and other applicable data protection laws.
By using our services and website, users acknowledge and agree to the Terms of Service, which may contain additional legal obligations regarding data use.
1. General Information
1.1 Introduction
At Brainarm (“we,” “us,” or “our”), we are committed to protecting your personal data and ensuring you have a positive experience on our website and when using our services. This privacy policy is designed to inform you about:
- The types of personal data we process
- The purposes for which we process your data
- The legal basis for processing
- How long we retain your data
- Your rights as a data subject
- How we protect your data
- Who we share your data with
For any questions about this policy or to exercise your data protection rights, please contact us using the information provided in Section 9.
1.2 Data Controller and Responsible Persons
Data Controller:
Guido Mallardi
Address: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Website: https://www.brainarm.com
Email: info@brainarm.com
Person Responsible for Data Protection:
Elisa Campofiloni
Email: info@brainarm.com (please add “Privacy” as the subject line)
2. Processing of Personal Data
2.1 General Principles
We collect and process personal data only for specific, legitimate purposes explained in this policy. Our processing complies with the following principles:
- Lawfulness and Transparency: We process data only on a lawful basis and inform you clearly about our practices
- Purpose Limitation: Data is used only for the stated purposes
- Data Minimization: We collect only what is necessary
- Accuracy: We keep data accurate and up-to-date
- Storage Limitation: We retain data only as long as necessary
- Integrity and Confidentiality: We protect data with appropriate security measures
- Accountability: We document our processing practices
2.2 Processing During Website Visits
Your visit to our website is logged by our hosting provider and consent management platform. We do not directly collect data; however, our processors do:
- Hosting Provider: Keliweb S.r.l. processes server logs and technical data
- Consent Management Platform: Complianz records your privacy and cookie choices
- Video Hosting: Automattic (VideoPress) processes viewer data for embedded video content
Legal Bases: Legitimate interest in maintaining website security, ensuring functionality, and analyzing usage patterns; and consent for analytics cookies.
Data Retention: Server logs and technical data are retained according to Keliweb’s standard practices for security and troubleshooting purposes, typically 30–90 days. Automated backups may be retained longer for disaster recovery.
2.3 Business Partnership & Professional Inquiries (Email Communication)
Purpose: To evaluate potential business collaborations, respond to inquiries, and manage professional correspondence.
Data Categories:
- Full name
- Email address
- Telephone number
- Professional/employment information
- Communication content
Legal Basis:
- Legitimate Interest (Art. 6(1)(f) GDPR / Art. 31(1) FADP): when you inquire about our methodology or respond to preliminary collaboration proposals
- Performance of Pre-contractual Measures (Art. 6(1)(b) GDPR / Art. 31(1) FADP): when discussions involve NDAs, know-how sharing, or formalizing a partnership
Data Retention:
- If no agreement is reached: 12 months
- If an agreement is executed: for the duration of the relationship plus up to 10 years thereafter (to meet legal and evidentiary requirements)
Processor: Proton Mail AG (Swiss-based encrypted email service)
2.4 Communication Channels and Security Levels
In compliance with GDPR and FADP transparency requirements, we inform users of the following security levels for different communication methods:
High-Security Channels (Recommended):
- Proton Mail (zero-access, end-to-end encryption)
- Brave Talk (with Video Bridge Encryption enabled)
- Physical Mail
Identified Risks:
- Traditional SMS and Voice Calls: Transmitted over standard mobile networks; do not support end-to-end encryption
- Hardware Security: The Controller uses secure, modern devices; however, network security remains the responsibility of respective service providers (ISP/SIM)
Recommendation: For highly confidential information, use Proton Mail or Brave Talk with encryption enabled.
2.5 Email Communication (Proton Mail)
Purpose: To protect privacy and ensure security of sensitive data through end-to-end encrypted communication.
Data Categories:
- Sender and recipient email addresses
- Communication metadata (date, time, frequency)
- Technical logs (IP addresses [temporary], login timestamps, account activity records)
- Service data (spam detection, abuse prevention, system monitoring)
Note: Email content is protected by zero-access encryption, meaning even the service provider cannot read it.
Legal Basis:
- Performance of Contract (Art. 6(1)(b) GDPR / Art. 31(1) FADP): facilitating email communication
- Legitimate Interest (Art. 6(1)(f) GDPR / Art. 31(1) FADP): detecting spam, preventing abuse, and maintaining system integrity
- Legal Obligation (Art. 6(1)(c) GDPR): complying with Swiss legal requirements for metadata retention
Data Retention:
- Email Content: Retained under your account control; permanently deleted from backups within 30 days upon account termination
- Technical Metadata: Minimum 6 months (as required by Swiss Telecommunications Surveillance Ordinance – BÜPF)
- Billing/Audit Records: 10 years (as required by Swiss Commercial Code – OR Art. 957a)
- Backup Copies: Encrypted backups retained up to 30 days before permanent deletion
Security Measures:
- AES-256 encryption at rest
- TLS 1.3 in transit
- Zero-access encryption (Proton cannot decrypt message content)
- Access controls and personnel training
- Regular security audits and penetration testing
- Incident response procedures
Processor: Proton Mail AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Geneva, Switzerland
Sub-processors: Stripe (payment processing), cloud infrastructure providers, SimpleLogin SAS (hide-my-email functionality)
International Transfers: Proton Mail is headquartered in Switzerland and primarily stores data in Switzerland and Germany. For transfers outside EU/EFTA, Proton uses Standard Contractual Clauses (SCCs) and other GDPR-approved mechanisms.
Your Rights: You may exercise access, rectification, erasure, restriction, objection, and portability rights by contacting info@brainarm.com. Proton AG will coordinate with us to facilitate your request.
Further Information: Proton Mail Privacy Policy (https://proton.me/legal/privacy) | Data Processing Agreement (https://proton.me/legal/dpa)
2.6 Postal Exchange and Contractual Documentation (NDA and Contracts)
Scope: This section covers processing of personal data related to physical postal exchanges and execution of Non-Disclosure Agreements, Professional/Institution Assessment Statements, and related contractual documentation.
Data Categories:
- Identification data (full name, signature)
- Postal address (residential or professional)
- Postal correspondence and attachments
- Identity document copies (collected only when strictly necessary to verify identity or preserve evidentiary value for NDAs, in accordance with data minimization)
- Postal metadata (tracking, delivery, and receipt confirmations)
Purposes:
- Identification and verification of the contractual counterparty
- Drafting, execution, and administration of NDAs and contractual documents
- Postal communication and contractual correspondence
- Legal protection: establishment, exercise, or defence of legal claims; ensuring enforceability and evidentiary value of NDAs
Legal Basis:
- Contractual Necessity (Art. 6(1)(b) GDPR): when processing is necessary to execute contracts
- Legal Obligations (Art. 6(1)(c) GDPR): including tax and record-keeping duties
- Legitimate Interest (Art. 6(1)(f) GDPR): maintaining legally valid documentation and preventing fraud (following documented balancing test confirming these interests do not override data subject rights)
Data Retention:
- Contractual Records and Correspondence: Retained for the duration of the contractual relationship and up to 10 years thereafter, where justified by statutory limitation periods or legal obligations
- Identity Document Copies: Retained only when necessary for evidentiary purposes and destroyed once the need for retention (e.g., risk of legal challenge) no longer exists
- Postal Metadata: Retained only as long as necessary to confirm delivery/receipt, then securely deleted
Retention periods are applied in accordance with data minimization principles and documented justification for any extended retention.
2.7 Video Conferencing (Brave Talk)
Service Provider: Brave Software, Inc. (Independent Data Controller)
Purpose: To conduct meetings, webinars, and provide secure virtual communication services.
Brave Talk as Independent Controller:
Brave Talk operates as an independent data controller rather than as a processor acting under our instructions. This means:
- Brave Talk establishes its own privacy policies and data handling procedures
- Brave Talk independently determines what metadata to collect, the purposes for such collection, and retention periods
- Brave Talk provides a standardized service with uniform features to all users
- No Data Processing Agreement is required because we use Brave Talk for preliminary communication purposes (toward possible collaboration) and without commercially processing personal data of third parties; acceptance of Brave’s Terms of Service and Privacy Policy serves as the contractual basis
In such circumstances, you and we are both independent controllers of data processed through Brave Talk.
Data Collected by Brave Talk:
- IP address and meeting URL (processed only to enable calls; deleted immediately at call end)
- Chat content (temporarily cached during meeting; not retained after call ends)
- Audio and video streams (not logged or stored unless you enable recording, which we do not allow)
- Name and email address (processed only if you choose to display them during the meeting)
Legal Basis:
- Performance of a Contract (Art. 6(1)(b) GDPR / Art. 31(1) FADP): when meetings are necessary to deliver our services
- Legitimate Interest (Art. 6(1)(f) GDPR / Art. 31(1) FADP): for optional communications and training
- Consent (Art. 6(1)(a) GDPR / Art. 31(1) FADP): when you opt in to recording/transcription (note: we do not enable recording)
Data Retention:
- During Call: Technical data processed in real-time but not logged or stored beyond what is necessary for the active session
- After Call Ends: IP addresses, meeting URLs, chat content, and audio/video streams are not retained by Brave Talk
- Call Data: Deleted immediately after call ends
- No Long-Term Storage: Brave does not maintain logs or archives of call data
Security and Privacy Features:
- Data Minimization: Only minimum information strictly necessary for the call is processed
- Encryption in Transit: Transport-layer encryption (TLS) by default
- Optional Video Bridge Encryption (VBE): End-to-end or near-end-to-end encryption of video/audio streams
  - Note: VBE disables recording and livestreaming
  - Not compatible with Safari, most iOS browsers, or Chromium versions 83 and older
- No Tracking or Profiling: Brave does not use data for tracking, marketing, or behavioral analysis
- User Controls: Features such as lobby and passcode give hosts control over access and security
Our Security Measures for Brave Talk Calls:
- Lobby Control: Manually activated before every call starts
- Browser Choice: Chrome 83+, Brave, Edge, or Opera (not the Jitsi/Brave app)
- Brave Shield: Set to “Aggressive” mode for enhanced protection
- Browser Maintenance: Updated without suspicious extensions
- Video Bridge Encryption (VBE): Enabled when technically feasible
- No Data Entry in Chat: No personal or sensitive information entered in name field or chat
- Local Recording Only: If recording is necessary, we use local, privacy-friendly tools with encrypted storage
Recommendations for Participants:
- Use Chrome 83+, Brave, Edge, or Opera browsers
- Keep browser updated without suspicious extensions
- Enable E2EE (VBE) by clicking the lock icon in the meeting toolbar
- Do not enter personal data in the name field or chat
- Be cautious about sharing confidential information
Important Note: We do not authenticate users or their avatar images. Never share confidential information unless certain of the caller’s identity.
Sub-Processor (Brave Talk Infrastructure):
Brave Talk is powered by 8×8’s Jitsi platform. 8×8 acts as a sub-processor on behalf of Brave. Data is processed in accordance with Brave’s and 8×8’s Privacy Policies. Both parties are bound by GDPR obligations.
Your Data Sharing Rights:
If you wish to exercise rights concerning data processed by Brave Talk (access, deletion, portability, objection, etc.), contact Brave Software Inc. directly via privacy@brave.com or their privacy policy, rather than through us.
Provider Information:
- Provider: Brave Software, Inc.
- Service: Brave Talk
- Privacy Policy: https://brave.com/privacy/browser/#brave-talk-learn
- Contact: privacy@brave.com
Premium Accounts: If you upgrade to Brave Talk Premium, Brave requires an email address to create and manage your account. Brave uses Stripe as a third-party payment provider; Stripe processes your email address, name, and payment card data. Brave does not receive nor have access to your payment method details.
3. Cookie Policy
Our website uses cookies to enhance user experience and gather analytics. For detailed information about cookies, tracking technologies, and your cookie management options, please refer to our Cookie Policy.
4. Data Recipients and Data Protection Policy
We share personal data only with processors acting under our instruction and with independent controllers that operate under their own privacy policies. Below is a comprehensive list of all recipients and processors.
4.1 Email, Phone, Letter, and Video Conferencing Communications
Proton Mail (Independent Controller – Email Communication Services)
Provider: Proton Mail AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Geneva, Switzerland
Proton Mail AG is a Swiss-based end-to-end encrypted (E2EE) email service provider offering GDPR and FADP-compliant communication. E2EE is only possible if both sender and recipient use Proton Mail. We use Proton Mail (rather than cPanel) for sending/receiving sensitive information and data communications. Therefore, to ensure encrypted communication, you are obliged to use Proton Mail when exchanging sensitive data with us.
Data Collected:
- Technical data: server logs, IP addresses, login timestamps, account activity records
- Communication metadata: sender/recipient email addresses, date/time, frequency of messages
- Service data: spam detection, abuse prevention, system monitoring
Email content is encrypted under your control and is not actively processed by Proton AG for independent purposes.
Purposes of Processing:
- Facilitate email communication (receipt, routing, encryption, management)
- Provide technical support related to the email platform
- Maintain service security, detect spam, prevent abuse, and monitor system functionality
- Fulfill contractual obligations and manage client relationships
- Comply with Swiss legal retention obligations and applicable law enforcement requirements
Sub-Processors:
- Stripe (payment processing)
- Cloud infrastructure providers
- SimpleLogin SAS (hide-my-email functionality)
- Complete list available at: https://proton.me/legal/dpa
Legal Basis:
- Performance of Contract (Art. 6(1)(b) GDPR / Art. 31(1) FADP): email communication services
- Legitimate Interest (Art. 6(1)(f) GDPR / Art. 31(1) FADP): service security, fraud prevention, and system optimization (with documented balancing test)
- Legal Obligation (Art. 6(1)(c) GDPR): compliance with Swiss legal obligations (Swiss Commercial Code Art. 957a OR requiring data retention for billing and audit purposes up to ten years)
Data Retention:
- Email Content: Retained indefinitely under your account control; deleted upon account termination, with complete deletion from backups within 30 days
- Technical Metadata, Login Records, IP Logs: Minimum 6 months (required by Swiss Telecommunications Surveillance Ordinance – BÜPF)
- Billing/Audit Data: 10 years (required by Swiss Commercial Code Art. 957a)
- Backup Copies: Encrypted and retained up to 30 days before permanent deletion
Security Measures:
- End-to-end encryption (E2EE) for email content
- Zero-access encryption (Proton cannot decrypt user messages)
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- Access controls and personnel training
- Regular security audits and penetration testing
- Incident response procedures
- Data Processing Agreement (DPA) ensuring GDPR Article 28 and Swiss FADP compliance
International Transfers:
- Headquartered in Switzerland; primarily stores data in Switzerland and Germany
- For transfers outside EU/EFTA: uses Standard Contractual Clauses (SCCs) and other GDPR-approved mechanisms
- Transfers governed by Swiss-U.S. Data Privacy Framework (Swiss DPF) where applicable
Data Subject Rights:
Data subjects may exercise rights (access, rectification, erasure, restriction, objection, portability) by contacting info@brainarm.com. Proton AG will forward requests to the controller for response.
Further Information:
- Privacy Policy: https://proton.me/legal/privacy
- Data Processing Agreement: https://proton.me/legal/dpa
DominiOK (Independent Controller – DNS Infrastructure)
Provider: DominiOK provides DNS resolution infrastructure for our Proton Mail services.
Data Controller: DominiOK acts as an independent data controller for DNS query data collected by its infrastructure.
Data Processed:
- IP addresses contained in DNS queries
- Timestamps
- DNS query metadata
- Technical identifiers
Purposes and Legal Basis:
- DNS resolution, caching, network performance monitoring, security and abuse prevention, and operational logging
- DominiOK relies on its own lawful basis for processing (e.g., legitimate interests and/or performance of contract)
Retention:
DominiOK is an independent data controller for DNS query logs collected by its infrastructure. We do not retain or control DominiOK’s DNS logs. Retention periods are determined exclusively by DominiOK and governed by its privacy policy.
Exercising Your Rights:
- To exercise rights regarding data we control, contact info@brainarm.com
- For requests concerning DNS logs controlled by DominiOK, contact DominiOK directly at their contact information or consult their privacy policy
Further Information:
- DominiOK Privacy Policy: https://www.dominiok.it/privacy.php
Telecommunication and Connectivity Services (Independent Controllers)
Technical and traffic metadata related to communications (voice calls, SMS, internet connectivity) are processed by service providers: spusu Italia s.r.l. and Dimensione s.r.l. (Italy).
These providers act as Independent Data Controllers in accordance with their own privacy policies and statutory obligations. They independently determine the purposes and means of processing for routing, billing, network security, and compliance with mandatory legal requirements (including data retention laws). They do not act as processors on our behalf.
spusu Italia s.r.l.
- Address: Via Privata Stefanardo da Vimercate, 28, 20128, Milan, Italy
- Email: legale@spusu.it
- EU Representative / DPO: legale@spusu.it
- Privacy Policy: https://www.spusu.it/protezionedati
Dimensione s.r.l.
- Address: Via Sistina, 121, 00187 Roma, Italy
- EU Representative / DPO: dpo@namex.it
- Privacy Policy: https://www.dimensione.com/portale/pdf/Informativa_DIMENSIONE_protezione_dati_personali_01.pdf
Brave Talk (Independent Data Controller – Video Conferencing)
See Section 2.7 for comprehensive details.
Provider: Brave Software, Inc., San Francisco, USA
Brave Talk operates as an independent data controller (not a processor). It establishes its own privacy policies and data handling procedures without receiving specific instructions from us. It independently determines what metadata to collect, the purposes for collection, and retention periods.
Provider Information:
- Privacy Policy: https://brave.com/privacy/browser/#brave-talk-learn
- Contact: privacy@brave.com
4.2 Website Visits
Keliweb S.r.l. (Data Processor – Web Hosting Services)
Data Controller: Guido Mallardi (website owner)
Processing Chain:
- Guido Mallardi (Data Controller) has a Data Processing Agreement with Daniele Gasperoni (Processor – Webmaster/Technical Contractor)
  - Webmaster treats data exclusively according to documented instructions
  - Implements appropriate technical and organizational measures to protect data
  - Manages the Keliweb account on our behalf without independent decision-making authority
  - Ensures sub-processors (Ace Media and Keliweb) comply with GDPR Article 28
  - Provides annual documentation of hosting costs
- Ace Media (San Marino) has a Data Processing Agreement with Keliweb S.r.l.
  - Acts as a sub-processor responsible for providing and maintaining hosting infrastructure
  - Ensures Keliweb’s compliance with data protection standards
  - Maintains the contractual chain protecting the data controller under GDPR
- Keliweb S.r.l. acts as a sub-processor
  - Address: Via Bartolomeo Diaz 35, 87036 Rende (CS), Italy
  - Provides web hosting and server infrastructure
  - Processes visitor data and technical logs according to documented instructions
  - Implements appropriate security measures for data storage and access
  - Maintains backups and disaster recovery procedures
  - Manages server logs for technical, security, and abuse prevention purposes
Data Collected:
- Visitor Data: IP addresses, HTTP request logs, connection metadata, session identifiers, and access patterns
- Technical Data: Server logs, authentication records, and infrastructure management data necessary for service delivery and security monitoring
Account Management:
The Keliweb hosting account is held in the name of Ace Media (San Marino). However, Guido Mallardi (website owner) remains the data controller. The webmaster acts on our behalf to manage the account and coordinate with Ace Media and Keliweb but makes no independent data processing decisions.
Data Processing Agreement:
Appropriate Data Processing Agreements are in place at all levels of the chain (Guido Mallardi ↔ Webmaster; Webmaster/Keliweb ↔ Ace Media; Ace Media ↔ Keliweb) ensuring GDPR Article 28 compliance.
Automattic (Data Processor – VideoPress Video Player/Media Hosting)
Provider: Automattic Inc. (San Francisco, USA) and its EU entities, including Aut O’Mattic A8C Ireland Ltd. (Dublin, Ireland)
Contact: dpa@automattic.com
Certification: Automattic, Inc. is certified under the EU-U.S., Swiss-U.S., and UK-U.S. Data Privacy Framework.
Service Description:
We use VideoPress, a video hosting and streaming service, to host and embed video content on our site.
Data Collected:
- Log data: viewer’s IP address, browser type, device information, language, operating system, referring site, date/time of access, user agent
- Usage data: video play/pause interactions, page views
- Cookies or similar tracking technologies: for analytics, performance, and personalized content/ads (if enabled)
- Approximate location data: derived from IP address
Processor Determination Based on User Location:
- If you reside outside Designated Countries (Australia, Canada, Japan, Mexico, New Zealand, Russia, Europe): processor is Automattic Inc.
- If you reside in Designated Countries: processor is Aut O’Mattic A8C Ireland Ltd.
Legal Basis:
- Legitimate Interest (Art. 6(1)(f) GDPR): delivering video content, ensuring playback functionality, improving services, and protecting security
- Consent: for marketing/analytics cookies when the viewer has consented
Sub-Processors:
- Amazon Web Services (storage/backup)
- Full list: https://automattic.com/subprocessor-list/
Privacy and Security Features:
- Personal data may be transferred to or processed in countries outside the EEA, including the United States
- Automattic uses standard contractual clauses and other safeguards for international transfers
- Third-party advertising and analytics vendors may set their own cookies or tracking technologies as part of advertising programs
Further Information:
- Privacy Policy: https://automattic.com/privacy/
- Cookie Policy: https://automattic.com/cookies/
- Data Processing Addendum: Available upon request
Complianz (Data Processor – Consent Management Platform)
Provider: Complianz (GDPR and compliance management platform)
Purpose: To record your privacy choices, manage cookie consent, and facilitate compliance with privacy regulations.
Data Collected:
- Your cookie consent choices and preferences
- Timestamps of consent
- Technical identifiers necessary to record your choices
Data Retention:
Consent records are retained for the period necessary to demonstrate compliance (typically 3 years, in accordance with privacy audit requirements).
Legal Basis:
- Legal Obligation (Art. 6(1)(c) GDPR): compliance with privacy regulations requires documentation of user consent
- Legitimate Interest (Art. 6(1)(f) GDPR): ensuring service functionality and user experience
4.3 Social Media
We maintain profiles on the following social media platforms. When you interact with our profiles, the platform operators act as independent data controllers:
- YouTube (Google): https://www.youtube.com (Google privacy policy applies)
- Facebook (Meta): https://www.facebook.com (Meta privacy policy applies)
- LinkedIn (Microsoft): https://www.linkedin.com (Microsoft privacy policy applies)
- X (formerly Twitter): https://twitter.com (X privacy policy applies)
Each platform has its own privacy policy and data handling procedures. We recommend reviewing their respective privacy statements.
5. Data Retention
Personal data is retained only as long as necessary to fulfill the purposes for which it was collected and to comply with applicable legal obligations.
Summary of Retention Periods by Purpose
| Purpose/Data Category | Retention Period | Legal Basis |
|---|---|---|
| Email content (Proton Mail) | Indefinitely (under your account control); deleted upon account termination with complete deletion from backups within 30 days | User control; contractual obligation |
| Email metadata and logs (Proton Mail) | Minimum 6 months (Swiss BÜPF requirement); up to 10 years for billing/audit (Swiss Commercial Code OR Art. 957a) | Legal obligation |
| Business partnership inquiries (no agreement reached) | 12 months | Legitimate interest; contractual potential |
| Business partnership inquiries (agreement executed) | Duration of relationship plus up to 10 years thereafter | Legal obligation; legitimate interest |
| Contractual records and correspondence | Duration of relationship plus up to 10 years thereafter (justified by statutory limitation periods or legal obligations) | Legal obligation; legitimate interest |
| Identity document copies | Retained only when necessary for evidentiary purposes; destroyed once need for retention no longer exists | Legitimate interest; legal protection |
| Postal metadata | Only as long as necessary to confirm delivery/receipt; then securely deleted | Legitimate interest |
| Server logs and technical data (Keliweb) | Typically 30–90 days; automated backups may be retained longer for disaster recovery | Legitimate interest; security and troubleshooting |
| Brave Talk call data | Deleted immediately after call ends | Data minimization; no long-term storage |
| Brave Talk optional recordings | 24 hours maximum (by Brave Talk); controller may retain downloaded recordings separately under its own retention policy | User control |
| Cookie consent records (Complianz) | Typically 3 years (privacy audit compliance) | Legal obligation |
| VideoPress viewer data (Automattic) | In accordance with Automattic’s standard retention practices (typically 30–90 days) | Legitimate interest |
All retention periods are applied in accordance with data minimization principles. Data is securely deleted or anonymized once the retention period expires, except where extended retention is required by law (e.g., tax records, legal claims).
6. Legal Basis and Your Rights
6.1 Legal Basis for Processing
We process personal data on one or more of the following legal bases, as appropriate for each processing activity:
| Legal Basis | Application |
|---|---|
| Consent (Art. 6(1)(a) GDPR / Art. 31(1) FADP) | When you explicitly agree to processing (e.g., opt-in to cookies, recording features) |
| Contract Performance (Art. 6(1)(b) GDPR / Art. 31(1) FADP) | When processing is necessary to execute contracts or pre-contractual measures (e.g., discussing NDAs or partnerships) |
| Legal Obligation (Art. 6(1)(c) GDPR / Art. 31(1) FADP) | When processing is required by law (e.g., tax records, data retention mandates, law enforcement requests) |
| Legitimate Interest (Art. 6(1)(f) GDPR / Art. 31(1) FADP) | When processing serves our legitimate interests (e.g., website security, fraud prevention, evaluating partnerships) provided such interests do not override your rights and freedoms (following documented balancing tests) |
6.2 Your Data Protection Rights
As a data subject, you have the following rights under GDPR and other applicable privacy laws:
Right of Access (Art. 15 GDPR / Art. 25 FADP):
You have the right to request access to all personal data we hold about you and to receive a copy of such data in a structured, commonly used, and machine-readable format.
Right to Rectification (Art. 16 GDPR / Art. 26 FADP):
You have the right to correct inaccurate or incomplete personal data.
Right to Erasure – “Right to be Forgotten” (Art. 17 GDPR / Art. 27 FADP):
You have the right to request deletion of your personal data, subject to certain exceptions (e.g., where data must be retained for legal compliance or to establish, exercise, or defend legal claims).
Right to Restrict Processing (Art. 18 GDPR / Art. 28 FADP):
You have the right to request that we limit the processing of your data (e.g., while you contest its accuracy or while you object to processing).
Right to Data Portability (Art. 20 GDPR / Art. 29 FADP):
You have the right to request all your personal data from us and transfer it in its entirety to another controller in a structured, commonly used, and machine-readable format.
Right to Object (Art. 21 GDPR / Art. 32 FADP):
You have the right to object to the processing of your data. We will comply with your objection unless we have justified grounds for continued processing (e.g., legal obligations or legitimate interests that override your rights).
Right to Withdraw Consent (Art. 7 GDPR / Art. 31(4) FADP):
If we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Right to Lodge a Complaint (Art. 77 GDPR / Art. 53 FADP):
You have the right to lodge a complaint with the competent data protection authority without prejudice to any other administrative or judicial remedy.
6.3 How to Exercise Your Rights
To exercise any of your data protection rights, please contact us with:
- Clear identification of who you are
- Description of the right(s) you wish to exercise
- Any relevant supporting information
Contact Information:
- Email: info@brainarm.com (please add “Privacy” as the subject line)
- Data Protection Officer: Elisa Campofiloni (info@brainarm.com, “Privacy” subject line)
We will respond to your request without undue delay, typically within 30 days (or within statutory timeframes as required by law). If your request is complex or voluminous, we may extend the response period up to 90 days total, with advance notice explaining the reason for delay.
Data Subject Rights Concerning Third-Party Processors:
If your request concerns data held specifically by a third-party processor or independent controller, we will coordinate with them to facilitate your request. For example:
- Requests concerning Proton Mail data: we will coordinate with Proton AG
- Requests concerning Brave Talk data: contact Brave Software Inc. directly (privacy@brave.com)
- Requests concerning VideoPress data: we will coordinate with Automattic
7. Security Measures
We are committed to the security of your personal data. We implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, and destruction. These measures include:
Technical Measures
- Encryption in Transit: TLS/SSL encryption for all data transmitted over the internet
- Encryption at Rest: AES-256 encryption for sensitive data stored on servers
- End-to-End Encryption: Zero-access encryption for email communications (Proton Mail)
- Security Headers: Implementation of HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and related browser security policies
- DANE/DNSSEC: DNS security enhancements to prevent DNS spoofing and man-in-the-middle attacks
- Hardware Security: Use of secure, modern devices for managing systems and accessing sensitive data
- Firewalls and Intrusion Detection: Network-level protections to prevent unauthorized access
Organizational Measures
- Access Controls: Only authorized personnel with specific needs access personal data
- Personnel Training: Regular data protection training for all staff handling personal data
- Data Protection Policies: Documented procedures for data handling, breach notification, and incident response
- Vulnerability Management: Regular security audits, penetration testing, and vulnerability assessments
- Incident Response: Documented procedures for responding to and reporting data breaches
- Backup and Recovery: Regular encrypted backups with tested disaster recovery procedures
- Sub-Processor Management: Contractual requirements binding all processors and sub-processors to equivalent data protection standards
- Accountability: Documentation of all processing activities, risk assessments, and compliance measures
Limitations on Security
While we implement robust security measures, no system is 100% secure, and we cannot guarantee absolute protection against all threats. Network security for certain communication channels (e.g., standard mobile networks for voice/SMS) remains the responsibility of the respective service providers (ISP/SIM providers). For highly sensitive communications, we recommend using high-security channels such as Proton Mail or Brave Talk with encryption enabled.
8. Third-Party Websites and External Links
This privacy policy applies only to our website and services. It does not apply to third-party websites linked from our site or to external services we use. While we carefully select our processors and service providers, we cannot guarantee that third parties handle your personal data in a reliable or secure manner.
We recommend that you:
- Review the privacy statements of all third-party websites before using them
- Understand the data handling practices of external services you interact with through our site
- Exercise caution when sharing personal information with third parties
For information about how specific third parties handle your data, please refer to their respective privacy policies.
9. Changes to This Privacy Policy
We reserve the right to amend this privacy policy at any time to reflect changes in our data processing practices, regulatory requirements, or other circumstances. Any material changes will be communicated to you in advance where practicable.
We recommend that you review this privacy policy regularly to stay informed of any updates. The date of the most recent version is displayed at the top of this policy.
10. Contact and Data Subject Rights
If you have any questions about this privacy policy, wish to exercise your data protection rights, or want to know what personal data we hold about you, please contact us using the following information:
Brainarm
Data Controller:
Guido Mallardi
Address: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Website: https://www.brainarm.com
Email: info@brainarm.com
Data Protection Officer/Privacy Contact:
Elisa Campofiloni
Email: info@brainarm.com (please add “Privacy” as the subject line)
When contacting us, please clearly identify yourself so we can ensure we respond to the correct person. Requests will be processed in accordance with applicable privacy legislation and responded to within statutory timeframes (typically 30 days, or up to 90 days for complex requests).
11. Supervisory Authority
If you believe we have violated your data protection rights or this policy and we have not resolved your concern, you have the right to lodge a complaint with the competent data protection authority. The competent authority for Brainarm (based in Italy) is:
Garante per la protezione dei dati personali (Italian Data Protection Authority)
https://www.garanteprivacy.it/
Contact: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/7056611
You may also lodge a complaint with the data protection authority in your country of residence or where you believe the violation occurred.
This Privacy Policy was last updated on January 22, 2026.
Appendix: Links and Additional Resources
- Cookie Policy: https://www.brainarm.com/cookie-policy-eu/
- Terms of Service: [Link to your Terms of Service]
- Proton Mail Privacy & DPA: https://proton.me/legal/privacy | https://proton.me/legal/dpa
- Brave Talk Privacy: https://brave.com/privacy/browser/#brave-talk-learn
- Automattic Privacy: https://automattic.com/privacy/
- Complianz: [Link to Complianz privacy/compliance information]
- DominiOK Privacy: https://www.dominiok.it/privacy.php
- Italian Data Protection Authority: https://www.garanteprivacy.it/