Privacy Policy
This document outlines our commitment to safeguarding your personal data and ensuring compliance with applicable data protection regulations.
Last updated: January 2026
We, Brain1 GmbH, are delighted that you have visited our website at https://brain1.com/ and are using the Brain1 app.
This privacy policy explains what data we collect when you visit our website or use our app, and in connection with contract processing, marketing measures and the other processing operations listed in this privacy policy, as well as how we use it and to whom we pass it on. We also inform you about your rights to information, correction, objection and deletion of your data.
We use your data exclusively in accordance with the applicable data protection regulations. If we use your data for other purposes, we will inform you in advance and, if necessary, ask for your consent. You can revoke your consent at any time free of charge. The legality of the processing prior to revocation remains unaffected.
We may update this privacy policy from time to time to bring information up to date or to reflect changes in the law. For new processing purposes that affect your data already provided, we will, where required by law, obtain separate consent from you or inform you of significant changes by email.
1. General
1.1 Responsible body and contact details
We, Brain1 GmbH, are the responsible body within the meaning of data protection law insofar as we process your personal data.
Brain1 GmbH
Domhofstrasse 65
63263 Neu-Isenburg
Germany
Email: info@brain1lab.com
We have appointed a data protection officer for our company:
Dr Georg F. Schröder, LL.M.
legal data Schröder Rechtsanwaltsgesellschaft mbH
If you have any questions about data protection or would like to contact us or our data protection officer, please feel free to get in touch with us at any time. Simply write to: info@brain1lab.com
1.2 Processing and storage period
As the responsible body, it is our duty to process your data only to the extent permitted by law and to secure the processing with appropriate protective measures.
We only store your data for as long as is necessary for the purpose for which it was collected, unless a legal basis requires longer storage. Your data will then be deleted.
The various processing operations we carry out and the associated information are listed under point 3 – Data processing.
1.3 Data transfer
We only pass on personal data to third parties in the following cases:
- If you have expressly given us your consent in accordance with Art. 6 (1) (a) GDPR.
- If this is legally permissible and necessary for the fulfilment of a contractual relationship or for the implementation of pre-contractual measures, e.g. to payment or shipping service providers (in accordance with Art. 6 (1) (b) GDPR).
- If there is a legal obligation to disclose, e.g. to authorities, social security institutions or law enforcement agencies (in accordance with Art. 6 (1) (c) GDPR).
- If the transfer is necessary to safeguard our legitimate interests or to assert, exercise or defend legal claims and there are no overriding interests on your part that are worthy of protection (in accordance with Art. 6 (1) (f) GDPR).
- If we use external service providers (processors) in accordance with Art. 28 GDPR, who only process your data in accordance with our instructions and are bound to data secrecy, e.g. in the IT or marketing area.
1.4 Transfer to third countries
Your personal data is generally processed in Germany or within the EU, where the GDPR guarantees a high level of data protection. If we commission service providers outside the EU, a lower level of data protection may apply in these countries.
For transfers to third countries, we ensure compliance with data protection requirements in accordance with Art. 44 ff. GDPR through EU standard contractual clauses. When commissioning service providers in the USA, data is transferred on the basis of the adequacy decision of the EU-US Privacy Framework, provided that the company is certified. Otherwise, we use standard contractual clauses.
2. Your data protection rights
Under the General Data Protection Regulation, you have various rights with regard to your personal data. These rights are listed below:
Right of access pursuant to Art. 15 GDPR
You have the right to obtain information about the personal data we process. This includes information about the purposes of the processing, the categories of data processed, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period or the criteria for storage, and the origin of your data if it has not been collected directly from you.
In addition, you may request information about automated decisions, including profiling, and the logic used in the process, as well as the possible effects of this processing. You may also obtain information about the safeguards pursuant to Art. 46 GDPR when your data is transferred to third countries.
Right to rectification pursuant to Art. 16 GDPR
You have the right to have inaccurate data stored by us corrected without delay and incomplete data completed.
Right to erasure pursuant to Art. 17 GDPR
You have the right to request the erasure of your personal data in accordance with Art. 17(1) GDPR. However, this right does not apply if the processing is necessary for exercising freedom of expression, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.
Right to restriction of processing pursuant to Art. 18 GDPR
You have the right to request the restriction of the processing of your personal data if you have contested that your data is inaccurate, if it has been processed unlawfully, if it is needed for legal proceedings after we no longer need it, or if you have lodged an objection due to your particular situation, as long as it is not clear whether our legitimate reasons prevail.
Right to be informed pursuant to Art. 19 GDPR
If you exercise your right to rectification, erasure or restriction of processing, we are obliged to notify all recipients to whom we have disclosed your data, unless this is impossible or would require a disproportionate effort. You also have the right to be informed about these recipients.
Right to data portability pursuant to Art. 20 GDPR
You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request its transfer to another controller, provided that this is technically feasible.
Right to withdraw consent pursuant to Art. 7(3) GDPR
You may revoke your consent to data processing at any time with effect for the future. In the event of revocation, we will delete the data concerned without delay, unless there is another legal basis for processing. The lawfulness of the processing carried out on the basis of your consent until then shall not be affected by your revocation.
Right to lodge a complaint pursuant to Art. 77 GDPR
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. This applies in addition to other possible administrative or judicial remedies.
Right to object pursuant to Art. 21 GDPR
If we process your personal data on the basis of our overriding legitimate interest, you have the right to object to this processing at any time with effect for the future for reasons arising from your particular situation.
If we use your data for direct marketing, you have the right to object to the processing of your data for advertising purposes at any time. In this case, we will immediately stop processing your data for direct marketing purposes.
3. Data processing
In the following, we would like to give you a detailed overview of the individual data processing operations, as well as the purposes, legal bases, storage periods and recipients of this data.
3.1 Website
3.1.1 General
When you visit our website without providing us with further data by registering or using the contact form, we automatically collect technical log data (so-called log files) that is sent from your device to our server. This includes, among other things:
- IP address
- Date and time of the request
- URL of the subpage accessed
- URL of the referring page (referrer URL)
- Access status/HTTP status code
- Browser type, language and version
- Operating system
This data processing is necessary to display our website to you and to ensure its security and stability. The legal basis is Art. 6 (1) lit. f GDPR, as the processing is necessary to safeguard our legitimate interests.
The data will be deleted as soon as it is no longer required for the display of the website, but no later than seven days after your visit. The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. There is no possibility for the user to object to this.
3.2 Pre-contractual and contractual processing
We collect personal data about you in the context of pre-contractual relationships and when concluding a contract. This includes, for example, your first and last name, your address, your e-mail address or your means of payment.
Legal basis: Art. 6 (1) (b) GDPR. If you have also given your consent: Art. 6 (1) (a) GDPR.
Your data will be deleted as soon as it is no longer required, subject to statutory retention periods (up to 10 years, e.g. HGB/AO).
For payment processing, we transmit required payment information to payment service providers. Legal basis: Art. 6 (1) (b) GDPR.
3.3 Contact options
When you contact us (e.g. by telephone, contact form or email), personal data is collected. This data is stored and used exclusively for processing your enquiry or establishing contact.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest) or Art. 6 (1) lit. b GDPR (contract-related).
Your data will be deleted after processing your enquiry, unless retention obligations apply.
3.4 Marketing and advertising measures
3.4.2 Competitions
From time to time, we may offer surveys or competitions. Depending on participation, additional data may be required (e.g. address for prize delivery, email/phone for contact, date of birth for age verification).
Legal basis: Art. 6 (1) (b) GDPR. Any further use (e.g. publishing a winner) only with consent.
After completion, we delete your data unless we are permitted/required to store it for another legal reason.
3.5 Brain1 app
3.5.1 General
Brain1 is an application for brain training and mental fitness, available as a mobile app for Android and iOS, as a virtual reality application (Meta Quest / Oculus) and via our website (brain1.com) (collectively “Brain1”).
It offers interactive exercises and games to improve memory, concentration, responsiveness and logical thinking. Exercises are individually tailored to your performance level.
Obtaining the mobile app
When downloading via Google/Apple platforms, certain data is transferred (e.g. account info, device ID, time of download). This processing is carried out by the platform providers; we have no influence.
- Google: https://policies.google.com/privacy
- Apple: https://www.apple.com/legal/privacy/de-ww/
- Meta: https://www.meta.com/legal/privacy-policy/
Use via the website
Using Brain1 via the website processes technical data (IP address, browser type/version, date/time) needed to provide the service.
3.5.2 Legal basis for data processing
- Contract fulfilment (Art. 6(1)(b) GDPR)
- Legal obligations (Art. 6(1)(c) GDPR)
- Legitimate interests (Art. 6(1)(f) GDPR)
- Consent (Art. 6(1)(a), (7), (8), (9) GDPR) – revocable anytime
a) Account & registration
During registration we process email address, first/last name, username. Password is stored only as a hash.
Legal basis: Art. 6(1)(b) GDPR; and Art. 6(1)(f) GDPR for security. Stored until account deletion; backups up to 30 days.
b) Profile data
Optional profile data may include avatar/profile picture, country, settings.
Legal basis: Art. 6(1)(b) GDPR (and implied consent where applicable). Stored until deletion/changes.
c) Email communication
Transactional emails are required (confirmations, reset). Marketing emails only with consent (unsubscribe any time).
Legal basis: Art. 6(1)(b) GDPR (transactional); Art. 6(1)(a) GDPR (marketing).
d) Game and training data
We process scores, events, progress, training history to provide core functions and statistics.
Legal basis: Art. 6(1)(b) GDPR. Stored until account deletion; backups up to 30 days.
e) Brain Performance Index (BPI)
We calculate BPI from training results. BPI may be used for anonymised benchmarking for leaderboards/group challenges.
Legal basis: consent Art. 6(1)(a) GDPR. Stored until consent revoked or account deleted. Anonymised comparison data is stored permanently.
f) Leaderboards
If enabled, other users may see username, profile picture (optional), scores, ranking. You can disable this in settings.
Legal basis: consent Art. 6(1)(a) GDPR. Stored until revoked or account deleted.
g) Social features
Friends list, invitations, profile visibility settings. Other users can find you via username.
Legal basis: Art. 6(1)(b) GDPR. Stored until you delete/change/remove it.
h) Optional surveys
Voluntary surveys for optional evaluations/segmentations (not for advertising).
Legal basis: consent Art. 6(1)(a) GDPR. Stored until revoked or account deleted.
i) Analytics (Meta SDK)
Used to analyse usage and improve the app. Pseudonymised app/device data; no email addresses transmitted. Only with consent.
Legal basis: consent Art. 6(1)(a) GDPR. Meta may process outside EU/EEA; safeguards incl. SCCs (Art. 46(2)(c) GDPR).
j) Push notifications
We use Firebase Cloud Messaging (Google) to send push notifications (push token + settings). Promotional notifications require consent.
Legal basis: Art. 6(1)(b) GDPR (functional); Art. 6(1)(a) GDPR (promotional). Stored until opt-out or account deletion.
k) Billing (web via Stripe)
Payments via brain1.com are processed by Stripe Payments Europe Ltd. We transmit required order/payment data for processing.
Legal basis: Art. 6(1)(b) GDPR; and Art. 6(1)(c) GDPR for accounting/tax retention (usually 10 years).
l) In-app purchases (Apple/Google)
Payments are processed by Apple/Google. We receive transaction info (purchase status, receipt) to unlock content.
Legal basis: Art. 6(1)(b) GDPR. Storage per statutory retention and store guidelines.
m) Server operation and security
We process technical logs and admin audit info to ensure security, prevent misuse, fix errors.
Legal basis: Art. 6(1)(f) GDPR. Stored up to 30 days by default.
n) Technical data
App/browser data, device/app metadata, technical logs for functionality, troubleshooting, security.
Legal basis: Art. 6(1)(f) GDPR. Stored up to 30 days by default.
o) Overview of data processing
| Processing | Data categories | Purpose | Legal basis | Storage period |
|---|---|---|---|---|
| Account & registration | Email address, password hash, first and last name, username | Provision of your account and enabling registration | Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR | Until account deletion; backups up to 30 days |
| Profile data | Avatar/profile photo (optional), country (optional), personal settings | Personalisation of your profile and app usage | Art. 6(1)(b) GDPR | Until account deletion or until you remove/change it |
| Email communication | Email address, sending logs | Transactional emails and (with consent) marketing emails | Art. 6(1)(b) GDPR; Art. 6(1)(a) GDPR | Until revoked or account deleted |
| Game and training data | Scores, events, progress, history | Core functions, statistics and leaderboards | Art. 6(1)(b) GDPR | Until account deletion; backups up to 30 days |
| Brain Performance Index (BPI) | Training results, BPI value | BPI calculation and comparison | Art. 6(1)(a) GDPR | Until revoked or account deletion |
| Leaderboards | Username, profile picture (optional), scores, ranking | Leaderboards visible to other users | Art. 6(1)(a) GDPR | Until revoked or account deletion |
| Social functions | Friends list, invitations, optional profile info | Friends/social features | Art. 6(1)(b) GDPR | Until account deletion or you remove/change it |
| Optional surveys | Voluntary information | Optional segmentation/evaluations | Art. 6(1)(a) GDPR | Until revoked or account deletion |
| Analytics (Meta SDK) | Event data, pseudonymised app/device metadata | Usage analysis and improvement | Art. 6(1)(a) GDPR | Until revoked or per provider standards |
| Push notifications | Push tokens, settings, notification events | Functional + (with consent) promotional notifications | Art. 6(1)(b) GDPR; Art. 6(1)(a) GDPR | Until opt-out or account deletion |
| Billing (web via Stripe) | Payment/billing data, transaction IDs | Payment processing and accounting | Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR | Per statutory retention (often 10 years) |
| In-app purchases | Store transaction data, purchase status | Activate subscriptions/premium content | Art. 6(1)(b) GDPR | Per store rules + statutory retention |
| Server operation & security | Technical logs, admin audit info | Security, misuse detection, troubleshooting | Art. 6(1)(f) GDPR | Up to 30 days |
| Technical data | App/browser data, device/app metadata, technical logs | Functionality, security, troubleshooting | Art. 6(1)(f) GDPR | Up to 30 days |
3.5.3 Storage period within the app
Unless otherwise specified, we store your personal data until you request deletion, revoke consent, or the original purpose no longer applies.
- Account data and training data – until your account is deleted
- Backup copies – up to 30 days after deletion
- Technical log data – up to 30 days
- Billing data – per statutory retention (usually 10 years)
You can delete your account via app settings (“Account management” → “Delete account”) or website account settings. After deletion, data may remain in backups up to 30 days before final deletion.
If legal retention obligations apply (e.g. transaction data for tax/accounting), those parts remain until retention expires.
3.5.4 Recipients and processors
To provide Brain1, we work with service providers acting as processors under Art. 28 GDPR.
| Service provider | Purpose | Data location |
|---|---|---|
| Microsoft Azure | Hosting, databases and storage | EU (Germany) |
| Meta Platforms | Analytics via Meta SDK / VR integration | EU/USA |
| Google Firebase | Push notifications (FCM) | EU/USA |
| Stripe | Payment processing on our website | EU/USA |
| Apple | In-app purchases (iOS) | EU/USA |
| Google | In-app purchases (Android) | EU/USA |
| Email delivery service | Transactional emails and (with consent) marketing emails | EU |
3.5.5 Data transfers to third countries
Our backend systems are hosted in the European Union (Germany). Your data therefore remains within the EU.
Some providers (e.g. Meta, Google, Apple) may process data outside the EU/EEA (in particular USA). We ensure an adequate level of protection using safeguards under Art. 46 GDPR, especially standard contractual clauses, and additional technical and organisational measures.
