Personal Data Protection Policy
Last updated: 01/10/2025
The website brainsecurity.io (hereafter referred to as the "Site"), published by the company Brain Security SAS (hereafter "Brain Security" or "we"), provides access to the Brain Security platform (hereafter referred to as the "Platform") designed for businesses. It aims to train and raise awareness among users about cybersecurity risks through gamified training sessions, competitions, and immersive events (hereafter "Cyber Training Services").
As you access, browse, and use the Site and the Platform, you may share personal data with Brain Security.
We kindly ask you to read this policy, which explains how your personal data is used by Brain Security and outlines your rights regarding this matter. This policy supplements the General Terms of Use and any document or information notice that refers back to the policy.
Should you need to, you can ask any questions directly to Brain Security by sending an email to the following address: contact@brainsecurity.io.
1. Who is responsible for processing your personal data?
1.1 Distribution of responsibilities
When you use the Brain Security Platform within your company:
Your employer is responsible for processing the personal data collected and processed for the provision of the Cyber Training Services it has subscribed to, particularly for training and raising awareness among its employees about cybersecurity risks.
Brain Security acts as a processor, on behalf and for your employer, of the personal data collected and processed for the provision of Cyber Training Services your employer has subscribed to.
1.2 Contact details of the processor
Brain Security SAS
229 rue Saint-Honoré
75001 Paris, France
SIREN: 918 391 905
Email: contact@brainsecurity.io
Website: brainsecurity.io
2. What personal data concerning you is processed?
All personal data is either provided directly by you or your employer, or generated during your use of the Cyber Training Services, namely:
Identification data
Name
First name
Player username
Profile photo (optional)
Contact details
Work email address
Work phone number (optional)
Professional data
Company (name and sector)
Role
Department
Service
Site/location
Data related to your training progress
Micro-activities completed
Training modules attended
Scores achieved in quizzes and exercises
Time spent on each module
Training completion rates
Response history to questions
Cyber reflexes acquired out of the 150 proposed
Data related to competitions
League ranking (Starter, Bronze, Silver, Gold, Master)
Position on leaderboards (individual, team, inter-sites, global)
Points and tickets accumulated
Participation in internal competitions (Enterprise CyberCup)
Participation in events (Online Competition, On-Site Competition)
Super Quiz Arcade scores
Awards and badges obtained
Performance history
Number of runs completed
Data related to security
Password strength evaluation
General cybersecurity awareness level
Knowledge test results
Progress in the 8 families of cyber reflexes
Data related to your interactions with Brain Security
Date and subject of your exchanges
Content of your exchanges with customer support
Communications with Brain Security teams
Data related to your job application (if applicable)
Any information provided within a job application at Brain Security
Connection and browsing data
Moreover, some data is automatically collected by the Site via cookies/trackers:
Date and time of connection
IP address
Device used
Browser
Operating system
Approximate geolocation
Pages viewed
Journey on the Platform
Session duration
Application traces
Purpose of this automatically collected data: This data is necessary for the technical functioning of the Site and Platform, as well as for audience measurement, user experience improvement, and Site security. For more information on cookies/trackers, please refer to section 9 of this policy.
Mandatory or optional nature of the data
Some of this data is mandatory and some is optional for fully benefiting from the Site and Cyber Training Services. The mandatory or optional nature of the data to be provided is indicated on the collection forms by an asterisk (*).
If you refuse to provide the required mandatory data, Brain Security will not be able to process your request (e.g., account creation, access to training, participation in competitions, provision of Cyber Training Services, etc.).
3. Why does Brain Security use your personal data?
When you use the Brain Security Platform and Brain Security acts as a processor, your personal data is processed solely for the following purposes:
Creation and management of your professional account
Create your account on the Platform
Authenticate you via SSO (Google, Microsoft) or Magic Link
Manage your access and permissions
Synchronise your account with corporate directories (Google Workspace, Microsoft Teams)
Legal basis used by your employer: Legitimate interest of your employer to train and raise awareness among employees about cybersecurity risks
Provision of Cyber Training Services
Enterprise CyberCup:
Provide access to 150 cyber reflexes and 3-minute micro-activities
Record your progress in the TRAIN and COMPETE modules
Calculate your scores on the Super Quiz Arcade
Promote you through the league system (Starter, Bronze, Silver, Gold, Master)
Establish leaderboards (individual, team, inter-sites, global)
Distribute points and tickets
Manage CyberCup events
Arcade Booth:
Enable participation on booths deployed in your premises
Synchronise your scores between the web platform and the booths
Maintain leaderboard consistency
CyberCup Competition Online:
Register you for animated digital events
Record your performances during live sessions
CyberCup Competition On-Site:
Register you for in-person events
Track your participation in booth competitions
Establish real-time rankings
Legal basis used by your employer: Legitimate interest of your employer to protect its information systems and train its employees
Reporting and statistics for the employer
Create performance dashboards
Generate reports on team awareness levels
Establish global and anonymised statistics
Identify training needs
Measure collective and individual progress
Evaluate the effectiveness of awareness campaigns
Legal basis used by your employer: Legitimate interest of your employer
Support and assistance
Provide technical support
Answer questions from administrators and users
Resolve issues related to the use of the Platform, booths, or events
Handle support requests
Legal basis used by your employer: Performance of the contract with your employer
Legal compliance
Meet legal and regulatory obligations
Respond to your requests to exercise rights
Manage legal disputes
Legal basis: Legal obligations
Artificial intelligence
Brain Security may deploy features involving artificial intelligence to:
Personalise training paths according to your level
Generate content adapted to your industry and profession
Adjust the difficulty of exercises and quizzes
Recommend relevant content
Improve the detection of risky behaviours
Optimise the learning experience
This processing is carried out in compliance with your rights and applicable regulations.
4. Who can access your personal data?
Brain Security and its authorised employees
Purposes: Management of the Site and Platform, provision of Cyber Training Services, technical support, maintenance
Your employer (data controller)
Purposes: Cybersecurity awareness management, tracking of employee progress, report generation
Technical service providers of Brain Security
Purposes:
Hosting: Google Cloud (hosting in France/EU, GDPR compliance)
IT services: Maintenance, updates, security
Analytics: Google Analytics for audience measurement
Customer support: Intercom or equivalent for online assistance
Authentication services
Purposes: Google, Microsoft for SSO authentication of users
Marketing partners (with your employer’s consent)
Purposes: Google Ads, LinkedIn for institutional communication campaigns
Administrative or judicial authorities
Purposes: Only upon an express and reasoned request, or in the event of a proven infringement of legal provisions
External consultants
Purposes: Lawyers, auditors in the context of dispute management or compliance audits
Potential acquirers
Purposes: In case of restructuring, acquisition, merger, asset sale, or similar transaction involving Brain Security
Important
All service providers and processors of Brain Security are contractually obliged to respect the confidentiality and security of your personal data according to the GDPR. Brain Security carefully selects its providers and ensures they offer sufficient guarantees regarding the implementation of appropriate technical and organisational measures.
5. How does Brain Security protect your personal data?
5.1 Technical and organisational security measures
Brain Security has implemented rigorous technical and organisational measures to protect your personal data against any destruction, loss, alteration, disclosure, or unauthorized access, including:
Technical measures:
Encryption of sensitive data (in transit via HTTPS/TLS and at rest via AES-256)
Strong authentication and secure access management (SSO, Magic Link)
Firewalls and intrusion detection systems
Regular and secure backups
Regular security tests and audits
Logging of access and activities
Protection against DDoS and injection attacks
Complete isolation of client data
Organisational measures:
Information systems security policy
Employee training and awareness on data protection
Confidentiality clauses in employment contracts
Privilege-based access and permissions management
Procedures for managing security incidents
Physical access controls to premises and servers
5.2 Data hosting and location
All your data is hosted in France in Google Cloud data centres certified ISO 27001 and HDS. The European sovereignty of your data is guaranteed. No data transfer outside the European Union is performed.
5.3 Continuous commitment
These measures ensure an appropriate level of security, considering current knowledge, implementation costs, the nature of the data, and risks. Brain Security regularly reviews and updates its security practices to adapt to emerging threats.
5.4 Reporting vulnerabilities or incidents
If you identify a security vulnerability or wish to report an incident, we invite you to contact us immediately at the following address: contact@brainsecurity.io.
In case of a personal data breach likely to incur a high risk to your rights and freedoms, Brain Security commits to inform you as soon as possible in accordance with the GDPR obligations.
6. How long is your personal data retained?
Generally, your personal data will only be retained for the period strictly necessary to achieve the purposes for which it was collected.
6.1 Users of the Brain Security Platform (businesses)
Data provided or generated in connection with using the Services
Duration: Throughout the duration of the contractual relationship between Brain Security and your employer
After the end of the contract
Duration: 1 year, then deletion upon your employer's express request or anonymization
Progression history and scores
Duration: During the contract duration + 1 year after termination for potential reactivation or historical analysis
Billing data (business level)
Duration: 10 years from the closing of the financial year (legal obligation)
Customer support data
Duration: Duration of the processing of your request + 1 year
Demo requests
Duration: 3 years from the demonstration for commercial prospecting purposes
Job application data
Duration: 2 years from your last contact with Brain Security, unless you request deletion
Cookies and browsing data
Duration: Up to 13 months from collection
Statistics and reports aggregated and anonymized
Duration: Unlimited retention as anonymized (no longer allows identification)
6.2 Deletion and anonymization
Beyond the periods mentioned above, your personal data is either:
Permanently deleted from our systems
Irreversibly anonymized (anonymized data no longer allows identification and is no longer considered personal data)
Securely archived only if a legal obligation imposes it
7. What are your rights regarding your personal data?
In accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act, you have rights concerning your personal data.
7.1 Exercising your rights
For users of the Brain Security Platform (businesses):
You should primarily contact your employer (data controller). You can also contact Brain Security, which will forward your request to your employer.
Contact Brain Security: contact@brainsecurity.io
7.2 Description of your rights
Right of access
Description: Obtain confirmation that your data is being processed and access your personal data
Exercise conditions: Always applicable
Right to rectification
Description: Obtain the rectification of your inaccurate, incomplete, or outdated data
Exercise conditions: Always applicable
Right to erasure (“right to be forgotten”)
Description: Obtain the erasure of your data in certain cases
Exercise conditions: Applicable if:
Data is not necessary
Consent withdrawal
Legitimate objection
Unlawful processing
Legal obligation
Right to restrict processing
Description: Obtain restriction of processing of your data temporarily
Exercise conditions: Applicable if:
Contestation of accuracy
Unlawful processing
Data needed for a legal claim
Objection pending verification
Right to data portability
Description: Receive your data in a structured format and transmit it to another controller
Exercise conditions: Applicable if:
Automated processing
Based on consent or contract
Technically feasible
Right to object
Description: Object to the processing of your data
Exercise conditions: Applicable for:
Processing based on legitimate interest
Commercial prospecting (always)
Scientific research (under conditions)
Right to withdraw your consent
Description: Withdraw your consent at any time
Exercise conditions: Applicable for processing based on consent
Post-mortem directives
Description: Define directives on the fate of your data after your death
Exercise conditions: Always applicable
7.3 Modalities of exercise
To exercise your rights:
Email to contact@brainsecurity.io
Clearly indicate:
Your identity (name, first name, email used on the Platform)
The right(s) you wish to exercise
Any information necessary to process your request
Attach a copy of an identity document if necessary to confirm your identity (a security measure to protect your data)
Response time
Brain Security commits to respond within one (1) month from the receipt of your request. This period may be extended by two months in case of complexity or a high number of requests (you will be informed).
Free of charge
Exercising your rights is free. However, in cases of requests that are manifestly unfounded or excessive (particularly repetitive ones), Brain Security may charge reasonable fees or refuse to comply with the request.
7.4 Right to file a complaint with the CNIL
If you believe that Brain Security does not comply with its obligations regarding your personal data, you may file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):
Online: https://www.cnil.fr/fr/plaintes
By mail: CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
This right can be exercised at any time free of charge (excluding postal sending fees if applicable).
8. Data of minors in business
Where the Brain Security Platform is used in a professional environment and a minor under 18 years old (apprentice, intern, work-study student) must access the Platform, this access can only take place under the supervision and responsibility of the client company.
The client company is solely responsible for compliance with obligations concerning minors' data protection, notably:
Obtain parental permission if necessary according to the applicable legal framework
Ensure proper supervision of the Platform use
Inform parents or legal guardians about the use of Cyber Training Services
Ensure that only strictly necessary data is collected
Brain Security commits to particularly protect minors' data and to collect only the information strictly necessary for the provision of Cyber Training Services.
9. Cookies and trackers
9.1 What is a cookie?
A cookie is a small text file placed on your device (computer, smartphone, tablet) during your visit to the Site or Platform. Cookies make it possible to recognise your browser and to collect information about your use of the Site.
9.2 Types of cookies used
Brain Security uses different types of cookies:
Strictly necessary cookies
Purpose: Essential for the Site's functioning (authentication, security, session management)
Retention duration: Session or up to 13 months
Legal basis: Legitimate interest (Site functionality)
Examples:
Authentication cookies (Magic Link, SSO)
Session cookies
Anti-CSRF security cookies
Performance and analytics cookies
Purpose: Audience measurement, traffic statistics, Site and Platform improvement
Retention duration: Up to 13 months
Legal basis: Consent (via cookie banner)
Examples:
Google Analytics (audience measurement)
Usage statistics of features
User journey analysis
Functional cookies
Purpose: Remembering your preferences (language, display settings)
Retention duration: Up to 13 months
Legal basis: Consent or legitimate interest
Examples:
Preferred language
Interface settings
User preferences
9.3 Third-party cookies
The Site and Platform may integrate cookies issued by third parties (partners, providers), notably:
Google Analytics: Audience measurement and statistics
Intercom (or equivalent): Customer support and online chat
These third-party cookies are subject to the respective privacy policies of these third parties.
9.4 Managing your preferences
You can manage your cookie preferences at any time:
Via our cookie management banner
During your first visit, a banner enables you to accept or refuse non-essential cookies. You can modify your choices at any time by clicking the "Cookie Management" link at the bottom of the Site page.
Via your browser settings
You can configure your browser to:
Accept all cookies
Reject all cookies
Be notified when a cookie is set and be able to refuse it
Note: Refusing strictly necessary cookies may affect the Site's functionality and prevent access to some features.
Useful links for managing cookies:
Firefox: https://support.mozilla.org/fr/kb/activer-desactiver-cookies
Safari: https://support.apple.com/fr-fr/guide/safari/sfri11471/mac
10. Links to third-party sites
The Site and Platform may contain links to third-party websites (partners, external resources, technical documentation).
Brain Security is not responsible for the privacy practices or content of these third-party sites. We recommend carefully reading these sites' privacy policies before providing your personal data.
11. Amendments to this policy
This personal data protection policy may be modified and updated by Brain Security at any time, particularly in case of changes to the Platform, Cyber Training Services, applicable regulations, or our practices.
Date of last update
The date of the last update is at the top of this policy.
Notification of significant changes
If any substantial modifications are made, Brain Security will inform you via email and/or through a notification on the Platform. Your continued use of the Platform after the changes take effect constitutes acceptance of the revised policy.
Recommendation
We recommend regularly checking this policy to stay informed about how we protect your personal data.
12. Contact us
For any questions regarding this personal data protection policy, to exercise your rights, or for any request related to your personal data, you can contact us:
Brain Security SAS
Data Protection Officer (DPO)
229 rue Saint-Honoré
75001 Paris, France
Email: contact@brainsecurity.io
Website: brainsecurity.io
We commit to responding to your requests promptly and no later than one (1) month from receiving your request.
This policy has been established in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act.