Privacy Policy

Information on personal data processing

Last updated: March 2026

We, Brain1 GmbH, are delighted that you have visited our website at https://brain1.com/ and are using the Brain1 app.

This privacy policy explains what data we collect when you visit our website, use our app, for contract processing, for marketing measures and for other processing listed in the privacy policy, how we use it and to whom we pass it on. We also inform you about your rights to information, correction, objection and deletion of your data.

We use your data exclusively in accordance with the applicable data protection regulations. If we use your data for other purposes, we will inform you in advance and, if necessary, ask for your consent. You can revoke your consent at any time free of charge. The legality of the processing prior to revocation remains unaffected.

We may update this privacy policy from time to time to bring information up to date or to reflect changes in the law. For new processing purposes that affect your data already provided, we will, where required by law, obtain separate consent from you or inform you of significant changes by email.

Last updated: January 2026

Contents

1. General

1.1. Responsible body and contact details

1.2. Processing and storage period

1.3. Data transfer

1.4. Transfer to third countries

2. Your data protection rights

3. Data processing

3.1. Website

3.1.1. General

3.1.2. Cookies

3.2. Pre-contractual and contractual processing

3.3. Contact options

3.4. Marketing and advertising measures

3.4.1. Newsletter registration

3.4.2. Competitions

3.5. Brain1 app

3.5.1. General

3.5.2. Legal basis for data processing

3.5.3. Storage period within the app

3.5.4. Recipients and processors

3.5.5. Data transfers to third countries

General

Responsible body and contact details

We, Brain1 GmbH, are the responsible body within the meaning of data protection law insofar as we process your personal data.

Brain 1 GmbH
Domhofstrasse 65
63263 Neu-Isenburg
Germany

Email: info@brain1lab.com

We have appointed a data protection officer for our company:

Dr Georg F. Schröder, LL.M.
legal data Schröder Rechtsanwaltsgesellschaft mbH

If you have any questions about data protection or would like to contact us or our data protection officer, please feel free to get in touch with us at any time.

Simply write to: info@brain1lab.com

Processing and storage period

As the responsible body, it is our duty to process your data only to the extent permitted by law and to secure the processing with appropriate protective measures.

We only store your data for as long as is necessary for the purpose for which it was collected, unless a legal basis requires longer storage. Your data will then be deleted.

The various processing operations we carry out and the associated information are listed under point 3 – Data processing.

Data transfer

We only pass on personal data to third parties in the following cases:

If you have expressly given us your consent in accordance with Art. 6 (1) (a) GDPR.

If this is legally permissible and necessary for the fulfilment of a contractual relationship or for the implementation of pre-contractual measures, e.g. to payment or shipping service providers (in accordance with Art. 6 (1) (b) GDPR).

If there is a legal obligation to disclose, e.g. to authorities, social security institutions or law enforcement agencies (in accordance with Art. 6 (1) (c) GDPR).

If the transfer is necessary to safeguard our legitimate interests or to assert, exercise or defend legal claims and there are no overriding interests on your part that are worthy of protection (in accordance with Art. 6 (1) (f) GDPR).

If we use external service providers (processors) in accordance with Art. 28 GDPR, who only process your data in accordance with our instructions and are bound to data secrecy, e.g. in the IT or marketing area.

Transfer to third countries

Your personal data is generally processed in Germany or within the EU, where the GDPR guarantees a high level of data protection. If we commission service providers outside the EU, a lower level of data protection may apply in these countries. For transfers to third countries, we ensure compliance with data protection requirements in accordance with Art. 44 ff. GDPR through EU standard contractual clauses. When commissioning service providers in the USA, data is transferred on the basis of the adequacy decision of the EU-US Privacy Framework, provided that the company is certified. Otherwise, we use standard contractual clauses.

Your data protection rights

Under the General Data Protection Regulation, you have various rights with regard to your personal data. These rights are listed below:

Right of access pursuant to Art. 15 GDPR: You have the right to obtain information about the personal data we process. This includes information about the purposes of the processing, the categories of data processed, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period or the criteria for storage, and the origin of your data if it has not been collected directly from you. In addition, you may request information about automated decisions, including profiling, and the logic used in the process, as well as the possible effects of this processing. You may also obtain information about the safeguards pursuant to Art. 46 GDPR when your data is transferred to third countries.

Right to rectification pursuant to Art. 16 GDPR: You have the right to have inaccurate data stored by us corrected without delay and incomplete data completed.

Right to erasure pursuant to Art. 17 GDPR: You have the right to request the erasure of your personal data in accordance with Art. 17(1) GDPR. However, this right does not apply if the processing is necessary for exercising freedom of expression, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to request the restriction of the processing of your personal data if you have contested that your data is inaccurate, if it has been processed unlawfully, if it is needed for legal proceedings after we no longer need it, or if you have lodged an objection due to your particular situation, as long as it is not clear whether our legitimate reasons prevail.

Right to be informed pursuant to Art. 19 GDPR: If you exercise your right to rectification, erasure or restriction of processing, we are obliged to notify all recipients to whom we have disclosed your data, unless this is impossible or would require a disproportionate effort. You also have the right to be informed about these recipients.

Right to data portability pursuant to Art. 20 GDPR: You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request its transfer to another controller, provided that this is technically feasible.

Right to withdraw consent pursuant to Art. 7(3) GDPR: You may revoke your consent to data processing at any time with effect for the future. In the event of revocation, we will delete the data concerned without delay, unless there is another legal basis for processing. The lawfulness of the processing carried out on the basis of your consent until then shall not be affected by your revocation.

Right to lodge a complaint pursuant to Art. 77 GDPR: If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. This applies in addition to other possible administrative or judicial remedies. In particular, you can contact the supervisory authority in the Member State of your place of residence, workplace or alleged infringement.

Right to object pursuant to Art. 21 GDPR: If we process your personal data on the basis of our overriding legitimate interest, you have the right to object to this processing at any time with effect for the future for reasons arising from your particular situation. In the event of your objection, we will cease processing the data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, or the processing serves to assert, exercise or defend legal claims.

If we use your data for direct marketing, you have the right to object to the processing of your data for advertising purposes at any time. In this case, we will immediately stop processing your data for direct marketing purposes.

Data processing

In the following, we would like to give you a detailed overview of the individual data processing operations, as well as the purposes, legal bases, storage periods and recipients of this data.

Website

General

When you visit our website without providing us with further data by registering or using the contact form, we automatically collect technical log data (so-called log files) that is sent from your device to our server. This includes, among other things:

IP address

Date and time of the request

URL of the subpage accessed

URL of the referring page (referrer URL)

Access status/HTTP status code

Browser type, language and version

Operating system

This data processing is necessary to display our website to you and to ensure its security and stability. The legal basis is Art. 6 (1) lit. f GDPR, as the processing is necessary to safeguard our legitimate interests.

The data will be deleted as soon as it is no longer required for the display of the website, but no later than seven days after your visit. The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. There is no possibility for the user to object to this.

Cookies

Our website uses cookies. These are small text files that are stored on your device. There are two types of cookies:

"Session cookies": These cookies are temporarily stored on your computer or device during your visit to our website and are deleted at the end of the browser session.

"Persistent cookies": These cookies remain on your computer or device for a longer period of time and enable us or our partner companies (third-party cookies) to recognise your browser the next time you visit.

When cookies are set, they collect and process certain user information, such as browser and location data and IP address values, to an individual extent.

The following categories of cookies are distinguished:

Technically necessary cookies ("Necessary")

The use of technically necessary cookies ("necessary") serves to simplify your use of our website and to ensure security on our website. Some functions of our website cannot be offered without the use of technically necessary cookies.

The legal basis for the processing of your personal data in connection with the use of technically necessary cookies is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in ensuring the secure and functional operation of our website. Technically necessary cookies enable basic functions such as navigation, the storage of session data and protection against security risks. Without these cookies, the website would not be able to function properly. Your personal data will be deleted as soon as it is no longer required for the purpose of its processing; this is particularly the case when you leave the website.

Cookies are stored on your computer and transmitted from there to our website. Therefore, you have full control over the use of cookies. You can generally deactivate or restrict the transmission of cookies by changing the settings in your browser. Each browser differs in the way it manages cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings. You can delete cookies that have already been stored at any time. This can also be done automatically. If technically necessary cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

Functionality, website optimisation, user behaviour analysis and advertising cookies ("preferences, statistics, marketing")

We may work with advertising partners who help us to make our website more interesting for you. For this purpose, cookies from partner companies are also stored on your hard drive when you visit our website (third-party cookies). "Preferences, statistics, marketing" cookies help us to improve our online offering and provide you with a user-friendly service. The processing of your personal data enables us to analyse your usage behaviour, optimise the user-friendliness of our website and promote sales through the sale of goods.

The legal basis for the processing of your personal data in connection with the use of cookies for the purposes of functionality, website optimisation, user behaviour analysis and the display of personalised advertising is your declared consent in accordance with Art. 6 (1) (a) GDPR.

You have the right to withdraw your consent at any time with effect for the future. Your personal data will be deleted as soon as you withdraw your declaration of consent or your personal data is no longer required to achieve the purpose for which it was collected. You can also disable or restrict the transfer of cookies in general by changing the settings in your browser. You can delete cookies that have already been stored at any time. This can also be done automatically.

Detailed information on the individual cookies, including type, legal basis, storage period and data transfer, can be found in our footer via the link "Cookie settings".

There you will also find the option to customise and manage your cookie settings. When you visit the website for the first time, the cookie banner will be displayed as a pop-up window on the website. Here you can then activate the cookies, which are organised into functional groups, by clicking on the corresponding box. Please note that the technically necessary cookies are already stored when you visit the website. If technically necessary cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

Configuring your browser settings

Most web browsers are set to automatically accept cookies. However, you can set your browser to accept only certain cookies or no cookies at all. Please note, however, that in this case you may not be able to use all the functions of our website to their full extent.

You can also delete cookies that have already been stored via your browser settings. In addition, the browser can be set to notify you before cookies are stored. Since different browsers have very different functions, it is best to check your browser's help section to see how you can change the settings.

Pre-contractual and contractual processing

We collect personal data about you in the context of pre-contractual relationships and when concluding a contract. This includes, for example, your first and last name, your address, your e-mail address or your means of payment. This data is collected and processed solely for the purpose of executing a contract concluded with you or fulfilling pre-contractual obligations, for example in the context of orders placed by customers, contracts with service providers, contractual partners and other business partners.

The legal basis for this is Art. 6 (1) (b) GDPR. If you have also given your consent, the additional legal basis is Art. 6 (1) (a) GDPR.

Your data will be deleted as soon as it is no longer required for the purpose of processing. In addition, legal regulations may impose obligations to retain data. The retention periods are up to ten years and are specified in the provisions of the German Commercial Code (HGB) and the German Fiscal Code (AO). Your data will be deleted after the specified periods have expired.

To process payments in connection with your order, we process your personal data, such as your name, billing address, payment information and other data required for payment processing. This information is passed on to the respective payment service provider. The legal basis for processing is the fulfilment of the contract in accordance with Art. 6 para. 1 lit. b GDPR.

Your data will only be stored for as long as is necessary to process the payment and to comply with statutory retention obligations.

Contact options

When you contact us (e.g. by telephone, contact form or email), personal data is collected. The data collected via the contact form can be seen on the respective contact form. This data is stored and used exclusively for the purpose of processing your enquiry or for establishing contact and the associated technical administration. The legal basis for the processing of the data is our legitimate interest in processing your request in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. If your contact is aimed at concluding a contract, the legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b GDPR. Your data will be deleted after your enquiry has been processed if it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no legal obligations to retain the data.

Marketing and advertising measures

Newsletter registration

If you subscribe to our email newsletter, we will send you regular information about our offers. The only mandatory information required for sending the newsletter is your email address. The provision of further data is voluntary and will be used to address you personally. We use the double opt-in procedure to send the newsletter. This means that we will only send you an email newsletter once you have expressly confirmed that you consent to receiving the newsletter. We will then send you a confirmation email asking you to confirm that you wish to receive the newsletter in future by clicking on a corresponding link.

By activating the confirmation link, you give us your consent to process your personal data in accordance with Art. 6 (1) (a) GDPR. When you subscribe to the newsletter, we store your IP address as entered by your Internet service provider (ISP) as well as the date and time of registration in order to be able to trace any possible misuse of your email address at a later date. The data collected by us when you subscribe to the newsletter will be used exclusively for the purpose of advertising via the newsletter.

You can unsubscribe from the newsletter at any time by clicking on the link provided in the newsletter or by sending us a message via our contact form. Once you have unsubscribed, your email address will be deleted from our newsletter distribution list immediately, unless you have expressly consented to further processing of your data or we reserve the right to use your data in other ways that are permitted by law and about which we inform you in this privacy policy.

Competitions

From time to time, we give you the opportunity to participate in surveys or competitions. If you participate, additional data may be required for participation, which will then be requested from you (e.g. your address for the purpose of notifying you of your prize, as well as your email address and telephone number to ensure that you can be notified of your prize even in the event of accidentally incorrect address details, and, if necessary, your date of birth for the purpose of age verification).

This data will be processed in accordance with Art. 6 (1) (b) GDPR for the purpose of fulfilling the agreement regarding your participation in the specific survey or competition. Any further processing or use of your data, for example for the purpose of publishing the winner on our platform, will only take place with your consent. Following the completion of the survey or competition, we will delete your data unless we are entitled or obliged to continue storing or processing it for another legal reason.

Brain1 app

General

Brain1 is an application for brain training and mental fitness, available as a mobile app for Android, iOS, virtual reality application (Meta Quest / Oculus) and via our website (brain1.com) (hereinafter collectively referred to as "Brain1"). It offers interactive exercises and games to improve memory, concentration, responsiveness and logical thinking. The exercises are individually tailored to your performance level.

Obtaining the mobile app

The Brain1 mobile app is available for download via the official Google and Apple distribution platforms. When you download the app via one of these services, certain data is transferred to the respective platform operator. This includes, among other things, your account information such as your username and email address, an individual device ID and the time of download.

This data processing is carried out by Google Ireland Limited and Apple Distribution International, both based in Ireland. We have no influence over this process and bear no responsibility for it.

For more details on data processing, please refer to the privacy policies of the respective providers:

Google: https://policies.google.com/privacy

Apple: https://www.apple.com/legal/privacy/de-ww/

Meta (Oculus / Meta Quest): https://www.meta.com/legal/privacy-policy/

Use via the website

You can also use Brain1 directly via our website (brain1.com). When using the website, technical data such as your IP address, browser type and version, and the date and time of access are processed. This data is necessary to provide you with the website and its functions.

Below, we inform you about which personal data is collected and processed in connection with the registration and use of Brain1.

Legal basis for data processing

The processing of your personal data is based on different legal bases depending on the context:

Contract fulfilment (Art. 6(1)(b) GDPR) – if processing is necessary to provide you with the app and its functions

Legal obligations (Art. 6(1)(c) GDPR) – if we are legally obliged to process the data, for example for tax reasons (e.g. for purchases)

Legitimate interests (Art. 6(1)(f) GDPR) – if processing is necessary to safeguard our legitimate interests, for example to ensure the security of our systems

Consent (Art. 6(1)(a), (7), (8), (9) GDPR) – if you have expressly given us your consent. You can revoke your consent at any time with effect for the future. If you are under 16 years of age, the consent of your parent or legal guardian is also required.

In detail:

Account & registration

When you register with Brain1 and create a user account, we collect and process the personal data you provide during registration. This includes your email address, first and last name, and username. Your password is stored exclusively in encrypted form (as a so-called hash), so we do not have access to your plain text password.

We need this data to create your account, identify you when you log in, and provide you with the functions of Brain1. Without this data, we would not be able to give you personal access.

Processing is based on Art. 6(1)(b) GDPR (performance of a contract), as it is necessary for the provision of the service. To ensure the security of your account, we also rely on Art. 6 (1) (f) GDPR (legitimate interest). Your account data will be stored until your account is deleted. It may remain in backup copies for up to 30 days after deletion before being permanently removed.

Profile data

You have the option of personalising your profile on Brain1 by providing additional information. This includes optional information such as an avatar or profile picture, your country and personal settings for using the app.

We use this data to offer you a personalised user experience and to design your profile according to your preferences. You decide for yourself which of this optional information you wish to provide.

Processing is carried out on the basis of Art. 6 (1) (b) GDPR (performance of a contract), as personalisation is part of the service you use. In addition, your use of the personalised functions constitutes implied consent to the processing required for this purpose in accordance with Art. 6 (1) (a) GDPR; the provision of the relevant data constitutes implied action in this regard. Your profile data will be stored until you delete your account or until you change or remove it yourself.

Email communication

When you use Brain1, we send emails to the email address you have provided. We distinguish between transactional emails and marketing emails.

Transactional emails are necessary for the use of the service and include, for example, registration confirmations, password reset notifications or important information about your account. We only send marketing emails, such as tips, news or offers, if you have given your prior consent.

Transactional emails are processed on the basis of Art. 6 (1) (b) GDPR (performance of a contract). We rely on your consent in accordance with Art. 6 (1) (a) GDPR to send marketing emails. You can revoke this consent at any time, for example via the unsubscribe link in every marketing email. Your email address and the associated shipping logs will be stored until you revoke your consent or until your account is deleted.

Game and training data

When you use Brain1, we collect and process data about your game activities and training sessions. This includes, in particular, your scores, game events, your progress and your training history.

We need this data to provide you with the core functions of the app, including personalised statistics on your performance development and participation in leaderboards. Without this data, we would not be able to offer you a personalised training experience.

The processing is based on Art. 6 (1) (b) GDPR (performance of a contract), as it is necessary for the provision of the agreed functions. Your game and training data will be stored until your account is deleted. It may remain in backup copies for up to 30 days after deletion before it is permanently removed.

Brain Performance Index (BPI)

We calculate your individual Brain Performance Index (BPI) based on your training results. The calculation is based on a mathematical formula that takes various factors of your training performance into account. The BPI allows you to track your personal progress over a longer period of time.

In addition, the BPI can be used as a benchmark to anonymously measure your results against those of other users – for example, in leaderboards or group challenges. To enable meaningful comparisons, we store BPI values in anonymised form for different comparison groups. This means that we use anonymised performance data to create reference values for specific user groups – for example, based on age group. We also use this anonymised data for future comparisons in order to continuously improve the accuracy of the results and offer you even more precise assessments of your performance.

The calculation and storage of your BPI value and the comparison with other users is based on your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke this consent at any time with effect for the future. Your BPI value will be stored until you revoke your consent or until your account is deleted. The anonymised comparison data can no longer be attributed to any individual and is stored permanently to improve the comparison functions.

Leaderboards

Brain1 offers you the opportunity to participate in global and group-specific leaderboards. If you use this feature, the following data may be visible to other users: your username, your profile picture (if available), your scores and your ranking position.

Publishing your profile in leaderboards allows you to compete with other users and share your achievements. In the settings, you have the option to hide certain profile information or completely disable participation in leaderboards.

Processing is based on your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke this consent at any time by deactivating participation in leaderboards in your settings. Your data in the leaderboards will be stored until you revoke your consent or delete your account.

Social features

Brain1 offers various social features that allow you to connect with other users. These include, in particular, maintaining a friends list, sending and receiving invitations, and displaying your profile to friends.

You can specify which information in your profile is visible to others in the settings. There you have the option to show or hide optional profile information such as your country or avatar.

Other users can find you via your username. We therefore recommend that you do not use your real name or contact information in your username.

Processing is based on Art. 6 (1) (b) GDPR (performance of a contract), as the social functions are part of the service you use. Your data will be stored until you delete your account or until you change or remove it yourself.

Optional surveys

Optional surveys may occasionally be displayed in Brain1. Participation is completely voluntary and can be skipped at any time.

We use the answers you provide exclusively for optional evaluations and segmentations within the app, for example for filters, statistics or personalised content. They are not used for advertising purposes.

Processing is based on your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent at any time. Your information will be stored until you revoke your consent or delete your account.

Analytics (Meta SDK)

We use the Meta SDK exclusively for analysis purposes to understand how Brain1 is used and to continuously improve the app. Event data (e.g. app launch) and pseudonymised app and device information are processed. We do not transmit email addresses or other directly identifying data.

Analytics is only used if you have given your consent. For users under the age of 16, the consent of a parent or legal guardian is required.

Meta may also process data outside the EU or the EEA. Where necessary, we use appropriate safeguards, in particular standard contractual clauses in accordance with Art. 46(2)(c) GDPR.

Processing is based on your consent in accordance with Art. 6(1)(a) GDPR. The data will be stored until you withdraw your consent or in accordance with the provider's standards.

Further information on data protection at Meta can be found at https://www.facebook.com/privacy/policy/.

Push notifications

We use Firebase Cloud Messaging (FCM), a service provided by Google Ireland Limited, to send push notifications. This involves processing a so-called push token that is assigned to your device and enables notifications to be sent. We also store your notification settings and information about notifications that have been sent.

We distinguish between functional notifications (e.g. reminders about your training or important account information) and motivational or promotional notifications (e.g. tips, achievements or offers). We can send you functional notifications without your separate consent, provided they are necessary for the use of the service. We only send motivational or promotional notifications with your consent.

You can deactivate push notifications at any time in your device settings or directly in the app.

The processing of motivational and functional notifications is based on Art. 6 (1) lit. b GDPR (contract fulfilment). For promotional notifications, we rely on your consent in accordance with Art. 6 (1) lit. a GDPR. The data will be stored until you opt out or delete your account.

For more information on data protection at Firebase, please visit https://firebase.google.com/support/privacy.

Billing (web via Stripe)

When you make a payment via our website (brain1.com), the payment is processed by the payment service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

In this case, we will transmit the information provided during the ordering process and the data relating to your purchase to Stripe. This includes, in particular, your name, address, account number, bank code, credit card number (if applicable), invoice amount, currency and transaction number. The data is transferred exclusively for the purpose of payment processing and only to the extent necessary for this purpose.

The processing is based on Art. 6 (1) (b) GDPR (performance of a contract). For the storage of billing data for accounting and tax reasons, we rely on Art. 6 (1) (c) GDPR (legal obligation). Storage is based on the statutory retention periods (usually 10 years for documents relevant to tax law).

For more information on data protection at Stripe, please visit https://stripe.com/de/privacy.

In-app purchases (Apple/Google)

For in-app purchases via the Apple App Store or Google Play Store, payment is processed directly by Apple or Google. We only receive store transaction information such as purchase status and payment receipt from the platform operators.

We need this data to verify your purchase and unlock the purchased content, such as subscriptions or premium features. The actual payment processing and processing of your payment data is carried out exclusively by Apple or Google.

Processing is based on Art. 6 (1) (b) GDPR (performance of a contract). The storage of transaction data is governed by the statutory retention periods and the guidelines of the respective store operators.

Further information on data protection can be found at:

Apple: https://www.apple.com/legal/privacy/de-ww/

Google: https://policies.google.com/privacy

Meta (Oculus / Meta Quest): https://www.meta.com/legal/privacy-policy/

Server operation and security

To ensure the secure and stable operation of Brain1, we process technical log data and admin audit information. This data is collected automatically when you use our services.

We use this data to ensure the security of our systems, detect and prevent misuse, and fix technical errors. Without this data processing, we would not be able to ensure the reliable and secure operation of the app.

Processing is based on Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in maintaining the security, availability and integrity of our systems. Log data is stored for up to 30 days by default and then automatically deleted.

Technical data

When using Brain1, certain technical data is automatically collected and processed. This includes app and browser data, device and app metadata, and technical logs. This data includes, for example, information about your device, the operating system used, the app version, and technical events during use.

We need this data to provide you with the app, to detect and fix technical errors, and to ensure the security of our systems. Without the processing of this technical data, Brain1 would not be able to function properly.

Processing is based on Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in providing a functional, secure and error-free application. The technical data is stored for up to 30 days by default and then automatically deleted.

Overview of data processing:

| Processing | Data categories | Purpose | Legal basis | Storage period |
| --- | --- | --- | --- | --- |
| Account & registration | Email address, password hash, first and last name, username | Provision of your account and enabling registration | Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR | Until account deletion; in backups for up to 30 days |
| Profile data | Avatar/profile photo (optional), country (optional), personal settings | Personalisation of your profile and app usage | Art. 6(1)(b) GDPR | Until account deletion or until you change or remove the data yourself |
| Email communication | Email address, sending logs | Transactional emails (e.g. confirmations, password resets) and, with your consent, marketing emails | Art. 6(1)(b) GDPR (transactional); Art. 6(1)(a) GDPR (marketing) | Until revoked or account deleted |
| Game and training data | Scores, events, progress, history | Provision of core functions, statistics and leaderboards | Art. 6(1)(b) GDPR | Until account deletion; in backups for up to 30 days |
| Brain Performance Index (BPI) | Training results, BPI value | Calculation of your individual BPI value and comparison with other users | Art. 6(1)(a) GDPR (consent) | Until revoked or account deletion |
| Leaderboards | Username, profile picture (optional), scores, ranking | Publication of your profile in leaderboards that are visible to other users | Art. 6(1)(a) GDPR (consent) | Until revoked or account deletion |
| Social functions | Friends list, invitations, profile information (optional) | Enabling friendships, leaderboards and profile display according to your settings | Art. 6(1)(b) GDPR | Until account deletion or until you change or remove the data yourself |
| Optional surveys | Voluntary information | Optional segmentation and evaluations | Art. 6(1)(a) GDPR (consent) | Until revoked or until the account is deleted |
| Analytics (Meta SDK) | Event data, pseudonymised app and device metadata | Analysis of app usage and improvement | Art. 6(1)(a) GDPR (consent) | Until revoked or in accordance with the provider's standards |
| Push notifications | Push tokens, settings, notification events | Sending of functional and – with appropriate consent – motivational notifications | Art. 6(1)(a) GDPR (marketing) | Until opt-out or account deletion |
| Billing (web via Stripe) | Payment and billing data, transaction IDs | Payment processing and accounting | Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR | In accordance with statutory retention periods |
| In-app purchases (in the respective store) | Store transaction data, purchase status | Activation of subscriptions and premium content | Art. 6(1)(b) GDPR | In accordance with statutory retention periods and store guidelines |
| Server operation & security | Technical log data, admin audit information | Ensuring security, detecting misuse, troubleshooting | Art. 6(1)(f) GDPR | Up to 30 days |
| Technical data | App and browser data, device and app metadata, technical logs | Provision of the app, troubleshooting, security | Art. 6(1)(f) GDPR | Up to 30 days |

Storage period within the app

Unless otherwise specified in this privacy policy, we store your personal data until you request us to delete it, revoke your consent to its storage, or the original purpose for which it was collected no longer applies.

The following storage periods apply:

Account data and training data – until your account is deleted

Backup copies – up to 30 days after deletion

Technical log data – up to 30 days

Billing data – in accordance with statutory retention periods (usually 10 years)

You can delete your user account at any time. In the mobile app, you can do this directly via the settings under "Account management" and the item "Delete account". When using the website, you will find this option in your user profile under the account settings. When you delete your user account, your personal data will also be removed, provided that there are no legal retention obligations to the contrary. Please note that after deletion, your data may still be stored in our backup copies for up to 30 days before it is finally and irrevocably deleted.

Complete deletion will not take place as long as legal retention obligations exist or another legally permissible reason – such as a legitimate interest – requires further storage. This is the case, for example, if you have made in-app purchases or purchases via the website: we must retain the associated transaction data for accounting and tax reasons. In such a case, your data on your progress and training sessions will be deleted, but the information on your purchases will remain stored until the statutory retention periods have expired. Only then will this data also be permanently deleted.

Recipients and processors

To provide Brain1, we work with various service providers who process personal data on our behalf. These service providers act as processors and are contractually and legally obliged to process your data only in accordance with our instructions and exclusively for the specified purposes. We have concluded appropriate contracts with all processors in accordance with Art. 28 GDPR.

In particular, we work with the following service providers:

| Service provider | Purpose | Data location |
| --- | --- | --- |
| Microsoft Azure | Hosting, databases and storage | EU (Germany) |
| Meta Platforms | Analytics via Meta SDK / VR integration (Meta Quest / Oculus) | EU/USA |
| Google Firebase | Push notifications via Firebase Cloud Messaging | EU/USA |
| Stripe | Payment processing on our website | EU/USA |
| Apple | Payment processing for in-app purchases (iOS) | EU/USA |
| Google | Payment processing for in-app purchases (Android) | EU/USA |
| Email delivery service | Sending transactional emails and, with appropriate consent, marketing emails | EU |

Data transfers to third countries

Our backend systems are hosted in the European Union (Germany). Your data therefore remains within the EU.

However, some of our service providers, in particular Meta, Google and Apple, may also transfer data to countries outside the EU or the European Economic Area (EEA) or process it there – in particular to the USA. In these cases, we ensure that an adequate level of data protection is guaranteed. To this end, we use appropriate safeguards in accordance with Art. 46 GDPR, in particular the standard contractual clauses approved by the European Commission. In addition, we take additional technical and organisational protective measures to protect your data in the best possible way.