June 4, 2024

General

Where this Notice to European Users applies. The information provided in this “Notice to European Users” section applies only to individuals in the United Kingdom and the European Economic Area (i.e., “Europe” as defined at the top of this Privacy Policy).

Personal information. References to “personal information” in this Privacy Policy should be understood to include a reference to “personal data” (as defined in the GDPR (see below)) – i.e., information about individuals from which they are either directly identified or can be identified. The personal information that we collect from you is described in greater detail in the section “Personal Information we collect”.

Controller. Posit Science is the controller in respect of the processing of your personal information covered by this Privacy Policy for purposes of European data protection legislation (i.e., the EU GDPR and the so-called ‘UK GDPR’ (as and where applicable, the “GDPR”)). See the “How to contact us” section above for our contact details.

Our GDPR Representatives. We have appointed the following representatives in Europe as required by the GDPR – you can contact them directly should you wish:

Our Representative in the EU. Our EU representative appointed under the EU GDPR is EDPO. You can contact them:

  • By using EDPO’s online request form: https://edpo.com/gdpr-data-request/
  • By writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

Our Representative in the UK. Our UK representative appointed under the UK GDPR is EDPO. You can contact them:

  • By using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
  • By writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

Our legal bases for processing

In respect of each of the purposes for which we use your personal information, the GDPR requires us to ensure that we have a “legal basis” for that use. Our legal bases for processing your personal information as described in this Privacy Policy are listed below.

  • Where we need to perform a contract which we are about to enter into or have entered into with you (“Contractual Necessity”).
  • Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each Purpose we use your personal information for is set out in the table below.
  • Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
  • Where we have your specific consent to carry out the processing for the Purpose in question (“Consent”).

We have set out below, in a table format, the legal bases we rely on in respect of the relevant purposes for which we use your personal information. For more information on these purposes and the data types involved, see “How we use your personal information” and associated data sharing relevant to such purposes set out in “How we share your personal information”.

Purpose / Legal basis
Apps delivery and operations

Delivery and operations, including sharing data with organizations that provide you our Apps (as described in “How we share your personal information”)

  • Contractual Necessity
  • Compliance with Law, in respect of security matters and associated processing.
  • Legitimate Interests. We have a legitimate interest in ensuring the ongoing security and proper operation of our Apps and associated IT services, systems and networks.

Personalization

  • Legitimate Interests. We have a legitimate interest in providing you with a good service via the Apps, which is personalized to you and that remembers your selections and preferences.
  • Consent, in respect of processing directly associated with any optional cookies used for this purpose.
Apps improvement, analytics and development
  • Legitimate Interests. We have a legitimate interest in providing you with a good service via the Apps, improving the Apps, and developing and growing our organisation.
  • Consent, in respect of processing directly associated with any optional cookies used for this purpose.

Data aggregation, de-identification and/or anonymization
  • Legitimate Interests. We have a legitimate interest in taking privacy protective steps such as aggregation, de-identification and/or anonymisation of your personal information. We also believe that such steps are in your interests.
  • Compliance with Law. In certain circumstances, we may have legal obligations to take these privacy protective steps (e.g., when we no longer require your personal information in identifying form).
Research
  • Legitimate Interests. As a science-based company we have a legitimate interest in carrying out scientific research and analysis on our own or with other relevant parties (including publication of research-related findings and sharing without our collaborators) having first taken privacy protective steps (i.e., aggregation or de-identification of relevant personal information).
Marketing and advertising

Direct marketing

  • Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organisation and sending marketing communications for that purpose.
  • Consent, in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given marketing communications.

Interest-based advertising

  • Consent, including in relation to any information collected via optional cookies used for this purpose.
Compliance and protection
  • Compliance with Law.
  • Legitimate interest. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. Also, we and any relevant third parties may also have a legitimate interest of ensuring the protection, maintenance, and enforcement of our and their rights, property, and/or safety.
Data sharing with Business Transferees
  • Legitimate interest. We and any relevant third parties have a legitimate interest in providing information to relevant third parties who are involved in an actual or prospective corporate event (including to enable them to investigate – and, where relevant, to continue to operate – all or relevant part(s) of our operations). However, we would look to take steps to minimize the amount and sensitivity of any personal information shared in these contexts where possible and appropriate.
With your consent
  • Consent.
Further uses
  • The original legal basis relied upon, if the relevant further use is compatible with the initial purpose for which the personal information was collected.
  • Consent, if the relevant further use is not compatible with the initial purpose for which the personal information was collected.

Other info

No obligation to provide personal information. You do not have to provide personal information to us. However, where we need to process your personal information either to comply with applicable law or to deliver our Apps to you, and you fail to provide that personal information when requested, we may not be able to provide some or all of our services that are available via the Apps. We will notify you if this is the case at the time.

No sensitive personal information. We ask that you not provide us with any sensitive personal information (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, biometrics, health or genetic characteristics, criminal background or trade union membership) on or through the Apps. If you provide us with any sensitive personal information when you use the services, you must consent to our processing and use of such sensitive personal information in accordance with this Privacy Policy. If you do not consent to our processing and use of such sensitive personal information, you must not submit such sensitive personal information through our Apps.

No Automated Decision-Making and Profiling. As part of the Apps, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects.

General. The GDPR gives you certain rights regarding your personal information in certain circumstances. You may ask us to take the following actions in relation to your personal information that we hold:

  • Access. Provide you with information about our processing of your personal information and give you access to your personal information.
  • Correct. Update or correct inaccuracies in your personal information.
  • Delete. Delete your personal information where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your deletion request for specific legal reasons. We will notify you of these, if applicable, at the time of your request.
  • Transfer. Transfer to you or a third party of your choice a machine-readable copy of your personal information which you have provided to us.
  • Restrict. Restrict the processing of your personal information, for example if you want us to establish its accuracy or the reason for processing it.
  • Object. Object to our processing of your personal information where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal information for direct marketing purposes.
  • Withdraw Consent. When we use your personal information based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by email to support@brainhq.com or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal information). If we reject any request you may make (whether in whole or in part), we will let you know our grounds for doing so at the time, subject to any legal restrictions. Typically, you will not have to pay a fee to exercise your rights; however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. We try to respond to all legitimate requests within a month. It may take us longer than a month if your request is particularly complex or if you have made a number of requests; in this case, we will notify you and keep you updated.

Your Right to Lodge a Complaint with your Supervisory Authority. In addition to your rights outlined above, if you are not satisfied with our response to a request you make, or how we process your personal information, you can make a complaint to the data protection regulator in your habitual place of residence.

  • For users in the European Economic Area – the contact information for the data protection regulator in your place of residence can be found here: https://edpb.europa.eu/about-edpb/board/members_en
  • For users in the UK – the contact information for the UK data protection regulator is below:
    The Information Commissioner’s Office
    Water Lane, Wycliffe House
    Wilmslow – Cheshire SK9 5AF
    Tel. +44 303 123 1113
    Website: https://ico.org.uk/make-a-complaint/

Data Processing outside Europe

We are a U.S.-based company and many of our service providers, advisers, partners or other recipients of data are also based in the U.S. This means that, if you use the Apps, your personal information will necessarily be accessed and processed in the U.S. It may also be provided to recipients in other countries outside Europe.

It is important to note that the US is not the subject of an ‘adequacy decision’ under the GDPR – basically, this means that the U.S. legal regime is not considered by relevant European bodies to provide an adequate level of protection for personal information, which is equivalent to that provided by relevant European laws.

Where we share your personal information with third parties who are based outside Europe, we try to ensure a similar degree of protection is afforded to it by making sure one of the following mechanisms is implemented:

  • Transfers to territories with an adequacy decision. We may transfer your personal information to countries or territories whose laws have been deemed to provide an adequate level of protection for personal information by the European Commission or UK Government (as and where applicable) (from time to time) or under specific adequacy frameworks approved by the European Commission or UK Government (as and where applicable) (from time to time), such as the EU-U.S. Data Privacy Framework or the UK Extension thereto.
  • Transfers to territories without an adequacy decision.
    • We may transfer your personal information to countries or territories whose laws have not been deemed to provide such an adequate level of protection (e.g., the U.S., see above).
    • However, in these cases:
      • we may use specific appropriate safeguards, which are designed to give personal information effectively the same protection it has in Europe – for example, standard-form contracts approved by relevant authorities for this purpose; or
      • in limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your personal information to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer.

You may contact us if you want further information on the specific mechanism used by us when transferring your personal information out of Europe. You may have the right to receive a copy of the appropriate safeguards under which your personal information is transferred by contacting us at the details shown at the “How to contact us” section above.

Online Tracking Opt-Out Guide

Like many companies online, we may use services provided by Google and other companies that use tracking technology. These services rely on tracking technologies – such as cookies and pixel tags – to collect directly from your device information about your browsing activities, your interactions with websites, and the device you are using to connect to the Internet. There are a number of ways to opt out of having your online activity and device data collected through these services, which we have summarized below:

  • Blocking cookies in your browser. Most browsers let you remove or reject cookies, including cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.
  • Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
  • Using privacy plug-ins or browsers. You can block our websites from setting cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery or uBlock Origin, and configuring them to block third-party cookies/trackers.
  • Platform opt-outs. The following advertising partners offer opt-out features that let you opt-out of use of your information for interest-based advertising:
  • Advertising industry opt-out tools. You can also use these opt-out options to limit use of your information for interest-based advertising by participating companies:

Note that because these opt-out mechanisms are specific to the device or browser on which they are exercised, you will need to opt-out on every browser and device that you use.