Privacy Policy
Effective Date: 12 March 2026
This Privacy Policy ("Policy") explains how SOFTGRID STUDIO LLC ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your Personal Data when you access or use our website https://brainsmate.com/ (the "Site"), and the services made available through it ("Services").
Please read this Policy carefully to understand how we handle your Personal Data and what rights and choices you have. For details on our use of cookies, please also read our Cookie Policy.
1. Data Controller
The Data Controller responsible for Processing your Personal Data is:
Company: SOFTGRID STUDIO LLC
Reg. number: 10509336
Address: 8 The Green, STE A, Dover, DE, 19901, United States
Contact email: [email protected]
2. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to identifiers such as name, identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- "Data Controller": The natural or legal person who determines the purposes and means of processing Personal Data.
- "Data Processor": A natural or legal person who processes Personal Data on behalf of the Data Controller.
- "Processing": Any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, analysis, transfer, or deletion.
- "You / User": Any natural person who accesses or uses the Site or interacts with the Service.
3. Types of Data We Collect, Purpose and Legal Basis
We collect information in several ways:
3.1. Data you provide to us
We collect Personal Data that you voluntarily provide when you register, contact us, or use the Services.
| Category of Data | Personal Data | Source | Purpose | Legal basis |
|---|---|---|---|---|
| Account & identity | Email address; name or username. | Data provided by you when you register an account. | Creating and managing your account; authenticating you via magic link; providing access to the Service; sending service notices; managing subscriptions. | Performance of a contract. Legitimate interests (in operating and securing the Service). |
| Demographic | Age range; education level. | Data provided by you when you use the Service. | Site content personalisation. | Legitimate interests (improving Site content relevance and user experience). |
| Communications | Email; support requests; feedback; survey responses; any other information you choose to provide when contacting us. | Data provided by you when you contact us. | Communications; responding to inquiries; providing customer support; improving the Service. | Legitimate interests (maintaining customer relations and improving the Service). |
| Test inputs & results | Test responses, final scores, completion time. | Data provided by you when you use the Service. | Delivering core Service; calculating and displaying your score; emailing results. | Performance of a contract. |
3.2. Data collected automatically
We automatically collect certain information when you visit, use, or navigate the Site.
| Category of Data | Personal Data | Purpose | Legal basis |
|---|---|---|---|
| Device & usage | IP address; browser type/version; OS; device model; language settings; screen resolution; referring URLs; pages viewed; clicks; session duration/timestamps; country/region (derived from IP — general location only). | Operating and securing the Service; improving performance; understanding user interaction; fraud prevention. | Legitimate interests (service security, performance optimisation, fraud prevention). |
| Performance & Server Logs | Server logs; load times; error messages; diagnostic information; network latency. | Monitoring system health; detecting and fixing technical problems; optimizing the service. | Legitimate interests (technical reliability and service quality). |
| Cookies & tracking technologies | Necessary cookies; non-necessary cookies. Please refer to our Cookie Policy for a detailed list. | Website operation and security; improving the Services and user experience; monitoring Site performance; marketing. | Legitimate interests (necessary cookies). Consent (non-necessary cookies). |
3.3. Data received from third parties
We may receive Personal Data from third parties, depending on your settings and how you use the Service.
| Category of Data | Description of collection | Source | Purpose of processing | Legal basis |
|---|---|---|---|---|
| Payment-related | Transaction date/time; amount; email; payment method; IP address; card geo; last 4 digits. We do NOT store full card numbers, CVV or similar card data. | Data provided by the payment processor. | Providing you with paid features; fulfilling tax, accounting, and financial reporting obligations. | Performance of contract. Legal obligation. |
| Social Login (if enabled) | Email address; name or display name; provider-issued token/identifier. We do not receive your password for the third-party service. | Google / Apple / Facebook (if social login is enabled). | Allowing you to sign in; linking your account with the chosen provider. | Performance of a contract. |
4. Children's Privacy
The Service is intended for users aged 18 or older. We do not knowingly collect Personal Data from individuals under this age. If you are a parent or guardian and believe your child has provided Personal Data to us, please contact us at [email protected] and we will take steps to delete such information.
6. International Data Transfers
We are based in the US and the Services are hosted in the US. Where Personal Data is transferred internationally, we ensure that adequate safeguards are in place:
- Adequacy decisions — where the European Commission has determined that the recipient country provides an adequate level of protection.
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- EU–US Data Privacy Framework (DPF) — for transfers to US-based processors certified under the DPF.
You may request further information about the specific safeguards by contacting us at [email protected].
7. Data Retention
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal, accounting or reporting obligations:
| Category | Data retention |
|---|---|
| Account data | Duration of the active account or 3 years after the last login to the account. |
| Test Results | Duration of active account, or upon deletion request. |
| Communications data | 3 years after the last communication. |
| Payment records | 7 years after a payment or as required by law. |
| Technical Logs | 90 days to 1 year, unless needed longer for security or legal reasons. |
| Consent Records | Kept for 5 years after consent is withdrawn. |
| Marketing Data | Kept until consent withdrawal. |
| Cookies | Please see our Cookie Policy. |
When we no longer need Personal Data and are not required by law to keep it, we will either securely delete it or irreversibly anonymize it so that it can no longer be associated with you. In some cases (for example, backups), it may not be immediately possible to delete individual items from all systems; in such cases, we will isolate the data and prevent further active Processing until deletion becomes feasible.
8. How Do We Keep Your Data Safe?
We implement industry-standard technical and organisational measures to protect your data. These include:
- Transmission security. All data transmitted between your device and our servers is encrypted using HTTPS/TLS. Access credentials and other sensitive configuration values are managed via secure environment variables.
- Payment data. We do not store any payment card data on our systems. All payment processing is handled exclusively by PCI-DSS compliant processors. We only receive a tokenised reference to your payment method.
- Database security. Supabase (PostgreSQL on AWS): encryption at rest, role-based access control (RBAC), and row-level security (RLS) enforced at the database layer.
- Network protection. DDoS protection via Cloudflare; rate limiting and access controls against automated abuse.
- Organisational measures. Access to Personal Data is restricted to authorised personnel who require it to perform their duties. All relevant staff are bound by confidentiality obligations. Where feasible, we apply pseudonymisation or anonymisation for analytics.
While we apply these measures diligently, no method of electronic transmission or storage is 100% secure. We cannot guarantee that unauthorised third parties will never be able to defeat our security controls. Transmission of Personal Data to and from our Services is therefore at your own risk, and you should only access the Services within a secure environment.
9. What Legal Bases Do We Rely On? (EEA, UK and Switzerland users)
For users located in the EEA, the UK or Switzerland, we rely on the following legal bases:
Consent (Art. 6(1)(a) GDPR). We may process your information if you have given us consent to process your Personal Data for a specific purpose (e.g. receiving marketing emails). You can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Performance of a contract (Art. 6(1)(b) GDPR). We may process your Personal Data where Processing is necessary to perform the contract with you (creating your account, processing payments) or to take steps at your request before entering a contract.
Legitimate interests (Art. 6(1)(f) GDPR). We may process your Personal Data where it is reasonably necessary for our legitimate business interests, provided that such interests are not overridden by your rights and freedoms (e.g. ensuring the security of our Service, improving the Service).
Legal obligations (Art. 6(1)(c) GDPR). We may process your Personal Data where necessary to comply with applicable laws, regulatory obligations, or lawful requests from authorities (e.g. keeping certain records for tax and accounting purposes).
10. What Are Your Privacy Rights?
The rights available to you depend on your place of residence. To exercise any right, see Section 11.
10.1. For US users (CCPA / CPRA)
- Right to know: Request information about categories and specific pieces of data collected, used, disclosed or sold in the past 12 months.
- Right to access: The right to obtain a copy of the specific personal information we have collected about you.
- Right to delete: The right to request deletion of personal information we have collected from you, subject to statutory exceptions.
- Right to correct: The right to request correction of inaccurate personal information.
- Right to opt-out of sale or sharing: The right to direct us not to sell or share your personal information for cross-context behavioral advertising. Please note that we do not sell personal information as defined under California law, nor do we share it for cross-context behavioural advertising.
- Right to limit use and disclosure of sensitive information: The right to restrict the use and disclosure of sensitive personal information. Please note that we do not use or disclose sensitive personal information beyond purposes permitted by the CPRA.
- Right to non-discrimination: The right not to receive discriminatory treatment for exercising any of your privacy rights. Please note that we will not discriminate against you for exercising any of your CCPA rights.
- Right to data portability: The right to receive personal information in a machine-readable format, where technically feasible.
California residents may also request a list of third parties to whom we disclosed Personal Data for direct marketing in the previous year (California "Shine the Light" law). To submit such a request, please email [email protected] with the subject line "California Shine the Light Request."
We do not offer any financial incentives, price differences, or service differences in exchange for the collection, retention, sale, or sharing of your personal information.
Residents of other U.S. states with applicable privacy laws may have similar rights under their respective state laws. To exercise any of these rights, please contact us at [email protected] and we will respond in accordance with applicable law.
10.2. For EEA, UK and Switzerland users (GDPR)
- Right to access: The right to request a copy of the Personal Data we hold about you.
- Right to rectification: The right to have inaccurate or incomplete data corrected.
- Right to erasure ("Right to be forgotten"): The right to request deletion of your Personal Data in certain circumstances.
- Right to data portability: The right to receive your Personal Data in a structured, machine-readable format.
- Right to restrict Processing: The right to ask us to pause Processing of your data in certain circumstances.
- Right to withdraw consent: Where Processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior Processing.
- Right to object: The right to object to Processing based on legitimate interests or for direct marketing purposes.
- Right to object to automated Processing: The right to object to decisions being made with your data solely based on automated decision making or profiling. Please note that no automated decisions are made by the Company.
- Right to lodge a complaint: The right to lodge a complaint with a competent supervisory authority.
10.3. For Canada users
- Right to access: The right to request access to personal information that we hold about you.
- Right to rectification: You have the right to request correction of inaccurate or incomplete personal information.
- Right to withdraw consent: The right to withdraw your consent to the collection, use, or disclosure of your personal information at any time.
- Right to file a complaint: The right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC).
10.4. For Australia users
- Right to access: You have the right to request access to the personal information we hold about you and to obtain a copy of such information.
- Right to correction: You have the right to request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
- Right to withdraw consent: Where we rely on your consent to collect, use, or disclose personal information, you may withdraw that consent at any time.
- Right to anonymity or pseudonymity: You have the right to remain anonymous when dealing with us, where possible.
- Right to opt-out of direct marketing: You have the right to opt-out of receiving direct marketing communications.
- Right to make a complaint: The right to lodge a complaint with a competent supervisory authority.
Please note that these rights are not absolute and may be subject to statutory exemptions.
11. How to Exercise Your Privacy Rights?
You can exercise any of your rights by sending us an email at [email protected].
In your request, please include: (i) the right you wish to exercise; (ii) sufficient information to verify your identity (e.g., the email address associated with your account).
We will respond to verified requests within 30 days or, where allowed by law, within a maximum of 60 days.
If you are an authorized agent submitting a rights request on behalf of a California consumer, you need to provide a copy of the written authorization signed by the consumer.
12. Links to Third-Party Websites
The Site may contain links to third-party websites or services not operated by us. We have no control over, and are not responsible for, the content, privacy practices, or security of third-party sites. Inclusion of a link does not imply endorsement. Any Personal Data collected by third parties is governed by their own privacy policies. You should review the policies of such third parties and contact them directly to respond to your questions.
13. Updates to the Privacy Policy
We may update this Policy from time to time to reflect changes in our data practices, applicable law, or business operations. The updated version will be indicated by the "Effective date" at the top of this page. You are encouraged to periodically review this Policy to stay informed of updates. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy. If we make material changes, we will notify you via website banner or email, where legally required.
14. How Can You Contact Us?
If you have any questions about this Policy, please contact us:
Email: [email protected]
Company: SOFTGRID STUDIO LLC
Address: 8 The Green, STE A, Dover, DE, 19901, United States