Version: 1 March 2023
Brainloop AG and its subsidiaries take the security and protection of your personal data very seriously.
The below Brainloop privacy notice (“Privacy Notice“) informs you about the processing of your personal data by Brainloop AG, Brainloop Austria GmbH and Brainloop Switzerland AG (each individually and separately “Brainloop” or “we“) as well as your related rights.
The Privacy Notice applies to:
-
users of the website (brainloop.com);
-
individuals interested in our products and services; and
-
customers, suppliers and other business partners.
The below Privacy Notice does not apply to the processing of personal data from our customers in connection with the use of the Brainloop Secure Dataroom Services (BDRS) and the Brainloop Services MeetingSuite and MeetingSuiteCONNECT (collectively “Brainloop Services“). Any personal data relating to users of our Brainloop Services and any data entered into or submitted to our Brainloop Services by our customers are subject to separate privacy notices which you can access under https://www.brainloop.com/en-gb/privacy-notice/.
If you apply for a job with Brainloop any processing of your personal data in the context of your application is subject to our separate Data Protection Notice for Job Applicants which you can access under https://www.brainloop.com/en-gb/privacy-notice-career/.
We reserve the right to change the content of this Privacy Notice from time to time; we therefore recommend that you review this Privacy Notice at regular intervals. You can access the current version of this Privacy Policy at any time under https://www.brainloop.com/en-gb/privacy-notice.
1. Who is responsible for the processing of my data?
If you visit the Website www.brainloop.com as a user (see section 4.1), Brainloop AG is responsible for the processing of your personal data as controller within the meaning of the General Data Protection Regulation (“GDPR“).
For the processing of personal data of prospects and other individuals interested in our products and services (see section 4.2) as well as customers, suppliers and other business partners (see section 4.3), the respective Brainloop group company listed in section 2 with which you enter into contact, establish or maintain a business relationship, or with which you otherwise interact is responsible as controller within the meaning of the GDPR.
To the extent that Brainloop AG supports the group companies in Austria (Brainloop Austria GmbH) or Switzerland (Brainloop Switzerland AG) in the context of its respective business activities by providing group-wide integrated business services, functions and systems (see section 5.2) the respective group company and Brainloop AG act as joint controllers (according to Art. 26 GDPR).
You can find the contact details of the respective controllers in the following section 2.
2. How can I contact Brainloop and its Data Protection Officer?
You can reach the respective Brainloop group company responsible for the processing of your personal data at any time under the following contact details:
Brainloop AG
Theatinerstrasse 12
80333 Munich, Germany
Tel.: +49 89 444 699 0
Email: legal@)brainloop.com
Website: www.brainloop.com
Brainloop Austria GmbH
Ausstellungsstraße 50 /c /2 OG., 1020 Vienna, Austria
Tel.: +49 89 444 699 0
Email: legal@brainloop.com
Website: www.brainloop.com
Brainloop Switzerland AG,
Gotthardstrasse 30, 6300 Zug, Switzerland
Tel.: +41 41 710 39 71
Email: legal@brainloop.com
Website: www.brainloop.com
You can reach the data protection officer of Brainloop AG at any time under the following contact details:
Email: dpo@brainloop.com
3. What are “Personal Data” and what does “Processing” mean?
3.1 Personal Data
“Personal data” means any information relating to an identified or identifiable natural person (“data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3.2 Processing
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. What data will be collected about me? For which purposes and on which legal basis will my data be used?
Depending on the type of business relationship or interaction with you we collect and process different categories of personal data.
In most cases there will not be an obligation that you disclose certain information about yourself to us. We may be required to collect certain personal data about you either to fulfil our legal obligations or for the performance of a contract that we concluded with you or your company. Failure to provide this information may prevent or delay the fulfillment of these obligations. We will inform you at the time your information is collected whether certain data is compulsory and the consequences of the failure to provide such data.
The categories of information we collect include:
- personal details (e.g., name, title, employer or organization, or similar professional or employment related information);
- contact details (e.g., phone number, email address, postal address, or similar identifiers);
- communication content and data (e.g., content of emails that we exchanged with you or notes on phone calls);
- commercial or legal information about your organization (e.g., annual operating budget, number of board members, number of committee members, information regarding relevant legal disputes);
- order or contract data (e.g., information related to contracts that we concluded with your employer or your organization, contract offers that we received from you or your employer respectively your organization);
- payment information, such as information required for payment processing or fraud prevention, including credit card information and card verification numbers;
- information on marketing activities (e.g., documentation of marketing activities that have been directed to you, recording of marketing consent that has been collected;
- demographic information (e.g., age, sex, etc., including protected classifications);
- information we collect automatically from you or your device, including logfiles and internet or other electronic network activity data collected using cookies and any other device identifying technologies. Additional information about our use of cookies is available in the Brainloop Cookie Policy;
- account information (such as user ID, contact details, answers to security questions, or similar identifiers);
- commercial information about your usage of our services or the websites (such as support requests, recordings of or information from phone calls with our sales or support teams, or information provided to us to resolve such support requests); and
- Inferences drawn from any of the above information.
We collect information about you either directly from you, or from your employer or organization and/or from our business partners, from other Brainloop group companies or other companies of the Diligent group affiliated with Brainloop, or from publicly available sources, information databases or credit agencies.
Below we set out additional information about which data we collect from you, and for which business or commercial purposes and on which legal basis we use such data.
4.1 Processing of personal data in connection with the use of the Website www.brainloop.com
The Website www.brainloop.com is provided to you by Brainloop AG. Below we inform you which data Brainloop AG collects and processes when you use the Website, for which business or commercial purposes such data is used and on which legal ground the processing of your data is based. Please also note the additional information relating to the processing of your data in sections 5 to 9 of this Privacy Notice.
(a) Data about Website access (log files)
You can generally visit the Website without providing any personal data about yourself. In this case Brainloop AG only collects and stores data about your Website access which will automatically be transmitted from your browser to Brainloop AG when you access the Website.
This information may include Internet protocol (IP) addresses, browser type and browser version, internet service provider (ISP), referring/exit pages (referrer URL), operating system, date/time stamp of the request, and/or clickstream data.
We need the data relating to your Website access for the duration of your session to enable the technical delivery of our Website’s content to your device.
The data will further be stored by us in logfiles for a short period of time for purposes of the technical security of our Website, in particular to protect us against attempts to attack our web server. In addition, we will analyze the automatically collected information in statistical and aggregated form in order to optimize the Website and the services offered to you and to improve the marketing, analytics or site functionality. In this respect, the information will be anonymized so that it can no longer be attributed to your person.
Brainloop AG processes your personal data on the basis of its legitimate interests in ensuring the security of the Website and optimizing the Website and services Brainloop AG offers to you, and in improving marketing, analytics, or site functionality (Art. 6(1) lit. f) GDPR).
In addition, Brainloop AG uses cookies on the Website that store limited information about your settings or other information necessary for providing the services (see section 4.1(c) and the Brainloop Cookie Policy).
(b) Contact information, communications, downloads, free trial access
The Website offers you the possibility to contact us through different ways, such as to submit enquiries in relation to our products and services, to request our whitepapers or other information, or to register for a free trial access.
If you use the web forms on the Website for this purpose, you have to provide information marked as mandatory with an asterisk (e.g. details about your person or your email address). We need the mandatory information to be able to efficiently process your request. In addition, you can optionally disclose further information (such as title, branch or your message). This optional information helps us to better attributing your request and to process it more efficiently.
If you contact us via the contact details provided on the Website (e.g., by telephone or email), we will process the personal data that you disclose to us and/or that you submit due to the type of your request.
If necessary to process your request, Brainloop AG may share your personal data with other Brainloop group companies or affiliated Diligent group companies (listed here), in particular if requests are made with respect to products and services from other countries or other group companies. Any requests addressed to the Brainloop group company in Austria or Switzerland will be processed by Brainloop AG and the respective Brainloop group company (i.e., Brainloop Austria GmbH or Brainloop Switzerland AG) within a joint controllership (in the meaning of Art. 26 GDPR) (see section 5.2(a)).
Additionally, when you make an enquiry or request via our Website, your data will be further disclosed to Diligent Corporation (USA), Diligent Boardbooks Limited (UK) and Diligent Boardbooks GmbH (Germany) (“Diligent Companies“) which process your data in the context of providing group-wide integrated business services, functions and global systems in order to support Brainloop by performing centralized tasks relating to customer, prospect and Website user support, including maintaining the business relationship and preparing, optimizing and implementing marketing activities. In this respect, Brainloop and the Diligent Companies mentioned above act as joint controllers (in the meaning of Art. 26 GDPR). For more information, please refer to section 5.2.
We process the personal data that we receive through the different communication channels for the processing of your request. In this respect, the processing is based on the necessity of the processing for purposes of our legitimate interests in ensuring efficient and user-friendly communication and processing of your request, in analysing and optimizing our processes and in enabling a reliable documentation for evidentiary purposes (to the extent necessary for the establishment, exercise or defense of legal claims) (Art. 6(1) lit. f) GDPR). The processing of your personal data in the context of the establishment of a contract is further – to the extent the contract is concluded directly with you – based on the necessity of the processing in order to take steps at your request prior to entering into a contract in order to make a decision about establishing the contract with you (Art. 6(1) lit. b) GDPR).
In addition, we may process your data to the extent we are under a legal obligation (Art. 6(1) lit. c) GDPR) or the processing is necessary for the establishment, exercise or defense of legal claims (Art. 6(1) lit. f) GDPR). Furthermore, we may use the data we receive from you on the basis of our legitimate interests (Art. 6(1) lit. f) GDPR) for customer relationship management purposes (see section 4.3 below) and for marketing purposes (see section 4.2 below).
(c) Cookies
Brainloop AG uses “cookies” in order to make your visit to the Website as pleasant as possible and to enable you to utilize all of its functions. A cookie is a text file that is temporarily saved on your computer when you visit the Website. Brainloop AG only uses so-called “session cookies” on the Website which will be deleted at the latest when you end your session and close your browser. For the storage period of the cookies used by us, please see the Brainloop Cookie Policy.
The cookies used on the Website are technically necessary to operate the Website and/or provide the functionalities offered on the Website (so-called “essential website cookies”). These cookies are set by Brainloop AG itself (“first party cookies”). To the extent that these cookies can be attributed to your person, the processing of your data will be based on the necessity to process the data for purposes of Brainloop AG’s legitimate interests (effective and secure provision of the functionalities and services on the Website) (Art. 6(1) lit. f) GDPR). For further information regarding cookies that we use please see the Brainloop Cookie Policy.
(d) Links to Other Sites
The Website includes links to other websites whose privacy practices may differ from the practices of Brainloop AG. If you submit personal data to any of those sites, your information is governed by their privacy policies. We are not responsible for the privacy practices or the content of any third party sites to which our Website provides links. We encourage you to carefully read the privacy policy of any site you visit.
4.2 Processing of personal data relating to prospects and other individuals interested in our products and services for marketing purposes
Below we inform you about the data we process for marketing purposes about you as prospect or other individual interested in our products and services, how we process your data and on which legal ground the processing of your data is based. Please also note the additional information relating to the processing of your data in sections 5 to 9 of this Privacy Notice.
(a) In the context of different interactions with Brainloop on our Website you may provide your consent to receive our email newsletter and other marketing communications via email in order to receive information about technology-supported governance solutions and current trends and developments with respect to the products and services offered by the Brainloop group companies and the other Diligent group companies affiliated with Brainloop (listed here). The emails will be sent by the Brainloop group companies (Brainloop AG, Brainloop Austria GmbH, Brainloop Switzerland AG) and by the Diligent Companies (i.e., Diligent Corporation (USA), Diligent Boardbooks Limited (UK) and/or Diligent Boardbooks GmbH (Germany)) (see also section 4.1(b)).
For this purpose, your data (including your consent) is stored in the group-wide central CRM system and connected marketing systems, which are operated by Diligent Corporation and our service providers in the USA. The stored data can be accessed by the companies mentioned above in order to contact you by email for marketing purposes in accordance with the content of your consent. With regard to marketing activities carried out by Brainloop and related marketing communications sent by Brainloop, in the context of the processing of your data as described in this Section 4.2(a), Brainloop and the Diligent Companies (to the extent they are involved in storing the personal data and/or providing support concerning the preparation, optimization and implementation of Brainloop’s marketing activities) act as joint controllers (within the meaning of Art. 26 of the GDPR). For more information, please refer to section 5.2. However, this does not preclude the Diligent Companies from accessing and using your data as separate and independent controllers for their own marketing purposes within the scope of your consent; any marketing communications sent by the Diligent Companies will be carried out in their own responsibility under data protection law.
If you use our newsletter form to sign-up for receiving marketing information, any mandatory information to be provided for the registration is indicated with an asterisk. You can optionally provide further data. Such data is not necessary to sign-up but helps us to set up the sending of our newsletter and other marketing communication more efficiently and in a more targeted manner. You can also sign-up for the newsletter and other marketing emails in other ways, such as by requesting our e-mail newsletter via telephone or in the context of another interaction (e.g. filling out a web form) with us.
For legal reasons, a confirmation email is sent in the double-opt-in process to the email address first entered for the information mailing. We also send a confirmation email to prospects who contact us via a web form and thereby have given consent to receive our email newsletter and other marketing communication via email. This confirmation email serves to check and document whether the owner of the email address has authorized receipt of the information email.
By signing-up for receiving our newsletter and other marketing emails, you consent that the Brainloop group companies (Brainloop AG, Brainloop Austria GmbH, Brainloop Switzerland AG) and Diligent Companies may process the data you provided in the context of your sign-up (e.g. name, surname, email address) for marketing purposes in order to regularly inform you via email about technology-supported governance solutions and current trends and developments with respect to the products and services offered by the Brainloop group companies and its affiliated Diligent group companies (listed here).
The Brainloop group companies and Diligent Companies use a technical service provider for sending the marketing emails. For measuring effectiveness, this service provider will collect information about your usage of the marketing emails sent to you via so-called tracking pixels or similar technologies (e.g., whether you have received or opened the emails, and whether you have clicked on links or content in the emails). The Brainloop group companies and Diligent Companies will analyze the information to better understand our users’ interests and preferences, to optimize our information service and to tailor the content of our marketing emails in accordance with our users’ interests. By signing-up for receiving our newsletter and other marketing emails you consent to the related processing of your personal data (including the capturing and analysis of usage behavior).
Providing you with the desired information may require that your personal data will be stored and processed by Diligent Corporation and our service providers in the USA. The laws of the USA do not provide for the same level of data protection as considered adequate in the European Union. In particular, there is a risk of data being accessed by U.S. security authorities without adequate judicial redress for the persons concerned. However, we have taken appropriate measures to ensure that your personal data will generally be adequately protected (see section 5 and 6). It cannot, however, be completely excluded that U.S. security authorities may have access your data. By signing up for our newsletter and other marketing emails, you also consent to the transfer of your personal data to Diligent Corporation and our service providers in the USA (Art. 49(1) lit. a) GDPR).
Your registration for our newsletter or receipt of other marketing information will be recorded to prevent misuse and to document and provide proof of our sign-up process according to legal requirements. The recording takes place on the basis of our need to process the data for purposes of our legitimate interests in complying with legal requirements and ensuring a legally compliant and user friendly sending of our email communications (Art. 6(1) lit. f) GDPR). Any processing of personal data in connection with the personalization and sending of the marketing emails (including any collection and analysis of your usage behavior in connection with the usage of the marketing emails sent to you) will be based on your consent (Art. 6(1) lit. a) GDPR). You are free to provide your consent. You can withdraw your consent at any time with effect for the future by clicking on the “unsubscribe”-link at the end of each of our newsletter emails or by sending an email to marketing@brainloop.com.
To the extent that any analysis of the usage of the marketing emails is carried out only for statistical and aggregated capturing and analysis of the reading and usage behavior as well as interests of the users, which serves the purpose of optimizing our newsletter service and email marketing communication, without any personalization of the emails on the basis of your individual data, the processing of personal data will be based on our legitimate interests in analyzing the interactions of our email recipients for the above purposes (Art. 6(1) lit. f) GDPR).
(b) Without your consent, a Brainloop group company will only contact you for marketing purposes via email if the respective group company has received your email address from you in connection with the sale of a product or services, the marketing content in the email relates to similar products or services (including customer satisfaction surveys) and you have not objected to the use of your email address. You can object to the use of your email address at any time, without costs to you other than for the transmission of your objection on the basis of the standard rates of your telecommunication service provider. The related processing of your personal data will be based on our legitimate interests in marketing our products and services (Art. 6(1) lit. f) GDPR).
(c) If you otherwise communicate with Brainloop for purposes of receiving information about our products and services (e.g., if you contact us by email, a Brainloop employee has contacted you by telephone or you interact with one of our employees in the context of an event or exhibition), we collect the data that we receive from you in connection with this interaction.
As part of these interactions, we may ask for your consent to be further contacted by Brainloop group companies and/or Diligent Companies. If you have provided your consent we will process your data to send you marketing information about the products and services offered by Brainloop and its affiliated Diligent group companies (see here) via your preferred channel (via email, fax and/or telephone). You will be contacted by the Brainloop group companies and/or the Diligent Companies in accordance with your consent. For this purpose, your data (including your consent) will be stored in the group-wide central CRM system and connected marketing systems operated by Diligent Corporation and our service providers in the USA (see also sections 5 and 6). The companies mentioned above can access the stored data in accordance with the scope of your consent in order to contact you via the desired channel for marketing purposes. With regard to marketing activities carried out by Brainloop and related marketing communications sent by Brainloop, in the context of the processing of your data as described in this Section 4.2(c), Brainloop and the Diligent Companies (to the extent they are involved in storing the personal data and/or providing support concerning the preparation, optimization and implementation of Brainloop’s marketing activities) act as joint controllers (within the meaning of Art. 26 of the GDPR). For more information, please refer to section 5.2. However, this does not preclude the Diligent Companies from accessing and using your data as separate and independent data controllers for their own marketing purposes within the scope of your consent; any marketing communications sent by the Diligent Companies will be carried out in their own responsibility under data protection law. You can withdraw the consent provided to us at any time with effect for the future by contacting us via the contact details set out in section 2.
In addition, we may use your data to the extent permitted by law for the sending via postal mail of marketing information on the products and services offered by Brainloop or its affiliated companies of the Diligent group (see here). You can object to this use of your data for marketing purposes at any time with effect for the future. Further information on the right of objection can be found in section 9.
4.3 Processing of personal data relating to customers, suppliers and other business partners
If you or the company you work for or you represent are a customer, supplier, distributor or other business partner of Brainloop or an affiliated company of the Diligent group, we may collect the following data about you:
- contact information, such as first and last name, title, job description, department, company/organization, business address, business phone number, business mobile phone number, business fax number and business email address;
- order, service and contract data, including revenue information and payment terms;
- payment and billing information, such as information required for payment processing or fraud prevention, including credit card information and card verification numbers, as well as bank and account data, tax numbers, and billing addresses;
- history of orders, transaction and business interactions as well as commercial information about the use of products and services;
- personal data that we collect in the context of the communication with you in the course of the business relationship with you or your organization respectively your employer;
- other information the processing of which is necessary for a project or the handling of a contractual relationship with Brainloop or which is voluntarily provided by you or your company, e.g., in connection with orders, inquiries or project details;
- personal data that we collect from publicly available sources, information databases or from credit agencies;
- where legally required as part of compliance screenings: date of birth, ID card and ID card numbers, information on criminal convictions, relevant court proceedings and other legal disputes in which you or your company is involved.
There is no legal or contractual obligation for you to provide us with your data. However, if you do not provide your data it may be that the business relationship between Brainloop and you or your company cannot be established or performed.
We process your data for the following business and commercial purposes and according to the following legal bases:
- planning, execution and administration of the (contractual) business relationship between Brainloop and you or your company, e.g., to process orders for products and services, for accounting, billing and auditing purposes, including the collection of debts and enforcement of claims, as well as to perform deliveries, services, customer service and maintenance activities. As far as the business relationship exists between Brainloop and you personally, we rely on the necessity of the processing for the performance of the contract with you or in order to take steps at your request prior to entering into a contract with you (Art. 6(1) lit. b) GDPR). As far as the business relationship exists between Brainloop and your company, we rely on our legitimate interests in the establishment, performance and handling of the business relationship with your company (Art. 6(1) lit. f) GDPR);
- safeguarding our legitimate interest in an effective and service oriented care of our business contacts, including on the basis of historical commercial information (customer relationship management) (Art. 6(1) lit. f) GDPR);
- safeguarding our legitimate interests in communication with you in connection with the business relationship between Brainloop and you or your company, e.g., when we inform you about changes to our terms and conditions or when you contact us with questions (Art. 6(1) lit. f) GDPR); for advertising communication with you, see section 2;
- safeguarding our legitimate interests in market analysis, quality assurance and product and service improvement (Art. 6(1) lit. f) GDPR);
- ensuring compliance with our statutory retention obligations under commercial and tax law (Sec. 257 HGB, Sec. 147 AO) as well as other legal obligations of Brainloop (Art. 6(1) lit. c) GDPR);
- safeguarding our legitimate interests in ensuring and documenting compliance with legal requirements and establishing, exercising and/or defending of legal claims (Art. 6(1) lit. f) GDPR);
- safeguarding our legitimate interests in the marketing of our products and services, in particular, in order to build a profile of you and place you or your company in particular marketing segments in order understand your preferences better and to appropriately personalise the marketing messages we send you (Art. 6(1) lit. f) GDPR). It is in our legitimate interests to provide more relevant and interesting advertising messages. Where necessary, we will obtain your consent before we create profiles and send marketing messages (Art. 6(1) lit. a) GDPR) (see also section2).
If you or your company are a customer of Brainloop, we also process your data for the following purposes:
- posting of customer testimonials on our websites, which might contain personal data about you. Before posting the testimonial, we will obtain your consent via email that we may post your name, title and name of your company along with the testimonial (Art. 6(1) lit. a) GDPR). If you wish to update or delete the testimonial containing your data, you can contact us at marketing@brainloop.com.
Insofar as we base the processing for the aforementioned purposes on your consent, you can withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing based on the consent before its withdrawal.
Please also note the additional information relating to the processing of your data in sections 5 to 9 of this Privacy Notice.
5. Who will my data be disclosed to?
Brainloop ensures a high level of security when disclosing your data. We have disclosed the following categories of personal data for a business purpose in the past 12 months:
- personal details;
- contact details;
- communication content and data;
- commercial or legal information about your organization;
- contact, service and order data;
- payment and billing information;
- demographic information;
- information we collect automatically from you, including data about Website access (logfiles) and internet or other electronic network activity data collected using cookies and other device identifying technologies;
- account information;
- commercial information about your usage of our products and services or the websites; and
- inferences drawn from any of the above information.
For details in relation to the data categories processed please see section 4.1, 4.2 and 4.3 above. We will disclose your personal data in the below scenarios to the following categories of third parties and other recipients:
5.1 Service providers, business partners and affiliates (as processors):
We transmit your data to partner companies and other service providers, including Brainloop’s affiliates of the Diligent group (in particular, Diligent Corporation, USA), which have been carefully selected beforehand and which are contractually obliged as processors in accordance with the relevant data protection regulations. For instance, we may share your personal data with our service providers and affiliated companies that perform IT services (including hosting services or other operational technical support) or other business operations for us which are carried out in accordance with our instructions. These companies may only use your personal data to the extent necessary to provide the services requested by us. Your data will neither be sold to third parties nor marketed in any other way. An up-to-date list of all partner companies and service providers is available upon request from Brainloop under the contact details listed in section 2.
5.2 Brainloop group companies and other affiliates of the Diligent group (as controllers or joint controllers):
Brainloop further uses – as described in section 5.2(a) to (e) below – global systems provided by affiliates of the Diligent group as well as group-wide integrated business services and functions provided by employees in various companies of the Diligent group affiliated with Brainloop (including by Brainloop AG).
a) In particular, Brainloop AG performs centralized functions and tasks for the markets in Germany, Austria and Switzerland and operates – to the extent that the Brainloop group companies do not use groupwide integrated technical infrastructure and business services provided within the Diligent group (see section 5.2(e) below) – related systems for storing and processing of data. Insofar as Brainloop AG supports the Brainloop group company in Austria (Brainloop Austria GmbH) or Switzerland (Brainloop Switzerland AG) within the scope of its respective business activities, the respective group company and Brainloop AG act as joint controllers (in the meaning of Art. 26 GDPR). The processing of data within the scope of the joint controllership covers the data described below in section 5.2(c) and is carried out for the purposes described in section 5.2(d). To effectively exercise your rights as a data subject (see Section 9), you may contact the designated central point of contact at Brainloop AG at any time using the contact details set out in section 2, even if the processing under the joint controllership is carried out by the other Brainloop group company. You are of course free to exercise your rights against the respective other Brainloop group company concerned (i.e., Brainloop Switzerland AG or Brainloop Austria GmbH). Further information on the joint controllership as well as the essence of the relevant agreement between Brainloop AG and the respective Brainloop group company can be obtained at any time upon request from Brainloop using the contact details set out in section
b) In addition, Brainloop will share your data with further companies of the Diligent group affiliated with Brainloop, in particular Diligent Corporation, USA (111 West 33rd Street, 16th Floor, New York, NY 10120), which provide global systems and applications as well as centralized business services in the areas of finance, accounting, tax, sales, marketing, reporting, controlling and procurement. A list of the companies within the Diligent group with which – to the extent necessary for the purposes described in section2(d) – your personal data may be shared can be found here.
c) The disclosure of your data as described above includes, in particular, contact information (such as name, title, job description, department, e-mail address, company name, address, telephone number), data necessary for accounting and billing purposes, data collected and processed as part of customer relationship management, including historical commercial information (see section3 above), information about the use of our products and services as well as use of the Website (see section4.1 above), or data collected and processed by or for marketing purposes (see section 4.2 above).
d) The data transfer takes place for purposes of the legitimate interests of Brainloop and of its affiliates of the Diligent group, including the other Brainloop group companies, in ensuring an efficient and cost-effective provision of group wide uniform business services and functions in an integrated, worldwide organizational structure, including the provision of global systems and functions for central storage and processing of personal data. This includes, in particular, the disclosure and processing for the following purposes:
- to process your requests and provide the services offered on the Website. This is especially necessary when Brainloop products and services are requested from other countries;
- to prepare and handle the contractual relationship with customers, suppliers and business partners, including administration, accounting and billing;
- to purchase centrally supplier and business partner services and to manage and maintain the related business relationships;
- to handle customer support via centralized processes and ticketing-systems;
- support in the areas of finance, accounting, tax, sales reporting, controlling and procurement;
- to store and process your data for accounting and billing purposes in a central customer database;
- for Customer Relationship Management purposes;
- for statistical evaluations to ensure and continuously optimize the smooth operation of the offering;
- internal reporting, customer and market insights, quality assurance and service optimization;
- to support, prepare, optimize and carry out marketing activities, including for own purposes of the respective group company affiliated with Brainloop; and
- to provide global systems and applications, including respective centralized business services regarding operation, administration, maintenance, IT-support and IT security.
e) Brainloop and Diligent Corporation (and, as the case may be, further companiesof the Diligent group which may be involved in the processing) process your aforementioned data under a joint controllership in accordance with Art. 26 GDPR. In particular, the data of Website users, customers and prospects will be stored and processed in a central customer relationship management system and connected marketing systems, which are operated and administered centrally throughout the group by Diligent Corporation and our service providers in the USA. The data stored there can be accessed by Brainloop and the Diligent Companies (Diligent Corporation (USA), Diligent Boardbooks Limited (UK) and Diligent Boardbooks GmbH (Deutschland)) to the extent that this is necessary for the legitimate interests and purposes listed above under section 5.2(d)To effectively exercise your rights as a data subject (see section 9), you may at any time contact the designated central point of contact at Brainloop AG using the contact details set out in section 2, even if the processing is carried out under joint controllership by another company mentioned above. You are of course free to also exercise your rights against the other companies (in particular, Diligent Corporation). Further information on the joint controllership and the essence of the relevant agreement between Brainloop and the affiliated companies of the Diligent group can be obtained at any time upon request by contacting Brainloop using the contact set out in section 2.
f) This Privacy Notice applies mutatis mutandis to the processing of your personal data by the other Brainloop group companies that receive your personal data from Brainloop within the context of providing the above-mentioned services and functions.
g) To the extent that Diligent Corporation, Diligent Boardbooks Limited, Diligent Boardbooks GmbH or other companies of the Diligent group affiliated with Brainloop (see here) receive your data within the context of providing the above-mentioned services, functions and processing activities, the Diligent Privacy Policy of Diligent Corporation and its group companies (which can be found here) shall apply in addition the information provided in this Privacy Notice. The Diligent Privacy Policy describes how Diligent group companies (with the exception of the Brainloop group companies) collect, process, share and secure your personal data, and your related rights. It also describes your rights and choices regarding use, access and correction of your personal data.
5.3 Law enforcement agency, court, regulator, government authority or other third party:
We may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party, for example if we are obliged to cooperate with government authorities in the context of legal investigations. Where permitted by law or regulation and reasonably practicable, we will attempt to notify you of such requirements.
5.4 Asset purchasers:
We may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this Privacy Notice. You will be notified via email and/or a prominent notice on the websites of any change in ownership or uses of your personal data.
6. Will my data be processed also in countries outside the EU/EEA?
Brainloop takes the security and protection of your personal data very seriously. To the extent Brainloop transfers your personal data to countries outside the European Union (EU), the contracting states of the European Economic Area (EEA) or Switzerland (so-called “Third Countries“) that do not ensure a level of data protection as considered adequate by the European Commission under an adequacy decision, Brainloop has put into place appropriate safeguards (such as contractual commitments) to ensure that your personal data will always be protected adequately and as required by any potential risks. For more information on the appropriate safeguards in place, please contact us at the contact details set out in section 2. Additionally, for certain transfers to Third Countries, we also rely on your prior consent according to Art. 49(1) lit. a) GDPR (see sections 4.1(c) and 4.2).
To the extent we engage service providers or business partners (including Diligent group companies affiliated with Brainloop) as processors which are located in Third Countries for which there has not yet been an adequacy decision from the European Commission, your data will only be transferred if suitable guarantees in accordance with Art. 46 GDPR have been put in place with the processor to ensure an adequate level of data protection. This is done in particular through entering into an agreement on the basis of the EU standard contractual clauses approved by the EU Commission pursuant to Article 46(2) lit. c), (5) GDPR, and where necessary by implementing supplementary measures, such as additional technical, organizational and contractual safeguards. A copy of the measures implemented by us is available upon request from Brainloop at the contact details set out in section 2. In addition, an up-to-date list of all partner companies and service providers, and the Third Countries in which your personal data are being processed, is available upon request from Brainloop at the contact details set out in section 2.
To the extent we disclose personal data to companies of the Diligent group affiliated with Brainloop as (joint) controllers and these companies are located in Third Countries that do not provide for a level of data protection as considered adequate by the European Commission, we will ensure by means of an intra-group agreement on the basis of the standard contractual clauses approved by the EU Commission, and where necessary by implementing supplementary measures, such as additional technical, organizational and contractual safeguards, that your data will be processed and protected in accordance with legal requirements by the respective recipient of the Diligent group (Art. 46(2) lit. c), (5) GDPR). Please contact Brainloop at the contact details set out in section 2 to learn more about the recipients of your personal data and the Third Countries in which your personal data are being processed, and, as applicable, to receive a copy of the measures taken.
7. How will my personal data be protected?
We implement comprehensive technical and organizational measures to ensure a level of security appropriate to the risk to the personal data we process. These measures are aimed at fully ensuring the ongoing integrity and confidentiality of personal data. We evaluate and improve these measures on a regular basis to ensure the security of the processing permanently.
8. How long will my personal data be stored?
Except as expressly indicated otherwise in this Privacy Notice, your personal data will be stored by us only for as long as necessary for the respective purpose for which we collect and process your personal data.
The below data categories will be stored as follows:
8.1 Data in connection with Website usage:
- Data about Website access (log files): The data about Website access collected in the context of your use of our Website (see section1(a) above) will be completely deleted or anonymized by shortening your IP-address at the latest after seven days, except in case a longer storage is necessary to achieve the purposes to be fulfilled with the data and the storage can be justified based on your consent or another legal basis.
- Contact data, communications, downloads, free trials: Your personal data disclosed to use in the context of a contact, such as an enquiry, the request for information, or the registration for a free trial (see section1(b) above) will be stored by Brainloop only for as long as necessary for the complete processing and handling of your request. We may further store your personal data to the extent necessary for managing the customer relationship with you as customer, supplier or business partner (see section4.3 above) or as an individual interested in our products and services (see section 4.2 above) (for the respective storage period see also below in this section 8).
- Usage data (cookies): To the extent Brainloop AG uses cookies to collect usage data that allow to attribute the information to your person, Brainloop AG will only store such data for as long as necessary to provide the relevant functionalities and services or to achieve the purposes to be fulfilled with the relevant cookies. Please see the Brainloop Cookie Policy for information on the storage period of the cookies used.
8.2 Data relating to prospects and other individuals interested in our products and services:
We will keep your personal data for the duration of our business relationship with you or your company with regard to the marketing purposes set out in section 4.2 above. Once your data is no longer required for these purposes, or you withdraw your consent to the use of your data for marketing purposes or you object to the processing of your data for marketing purposes, we will delete your data, unless your data is required also for other purposes set out in this Privacy Notice or the further storage is necessary for one or more of the following purposes:
- comply with data retention requirements under the law;
- establish, exercise or defend any existing or potential legal claims; and
- deal with any complaints regarding our products and services.
We will delete your personal data entirely from our systems when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely, we will put in place appropriate measures to prevent any further processing or use of the data.
8.3 Customer, supplier and business partner data:
We will keep your personal data for as long as we have a relationship with you. Once our business relationship with you has ended, we will delete your data, unless it is required for one or more of the following purposes:
- maintain business records for analysis and/or audit purposes;
- comply with data retention requirements under the law;
- establish, exercise or defend any existing or potential legal claims;
- deal with any complaints regarding our products and services; and
- enforce our commercial agreements.
We will delete your personal data entirely from our systems when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely, we will put in place appropriate measures to prevent any further processing or use of the data.
9. Which rights do I have?
To the extent you are affected by the data processing carried out by Brainloop you have the right in accordance with applicable legal provisions:
- to obtain information on the personal data processed concerning you and to obtain a copy of such data (right of access);
- to obtain the rectification of any inaccurate personal data and, taking into account the purposes of the processing, to have incomplete personal data completed (right to rectification);
- if there are legitimate reasons, to request the deletion of the personal data (right to erasure);
- to request the restriction of the processing of the personal data, if the legal requirements are met (right to restriction of processing);
- if the legal requirements are met, to receive the personal data provided by you in a structured, commonly used and machine-readable format and to transfer this personal data to another controller or, if technically feasible, to have it transferred by Brainloop (right to data portability); and
- not to be subject to a decision based solely on automated processing which produces legal effects concerning you or significantly affects you in a similar way, if the legal requirements are not met. An automated decision making process is not carried out by Brainloop.
You also have the right to object, in accordance with the statutory provisions, to the processing of personal data, which is necessary for the purpose of Brainloops’s legitimate interests, on grounds relating to your particular situation (right to object). If your personal data is processed by Brainloop for direct marketing purposes, you have the right to object to this processing at any time, without any special reason.
If the data processing is based on consent you can withdraw the consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing of your personal data until withdrawal.
In order to exercise your rights (including the withdrawal of your consent), as well as in the event of questions regarding the processing of your personal data, please contact the respective Brainloop group company or the data protection officer of Brainloop AG (if your request is directed to this company) at any time using the contact details set out in section 2 above. In order to exercise your rights with regard to the processing of data carried out under a joint controllership as described in section 5.2(a) or 5.2(e), you may exercise your rights in respect of and against each of the controllers mentioned above. To effectively exercise your rights you may contact the designated central point of contact at Brainloop AG using the contact details set out in section 2.
Without prejudice to any other remedies, you also have the right to lodge a complaint with a supervisory authority at any time.
Subject to applicable law, you may freely exercise your rights without fear of being denied goods or services. If you are a California resident, we may, however, provide a different level of service or charge a different rate reasonably relating to the value of your personal data.