This is the Policy of Brain Resource, Inc. d/b/a Total Brain (“Total Brain,” “us,” “our,” or “we”), a California corporation. You can contact us here.
This Policy applies to our “Services”, which includes:
Following notice to you or your acknowledgement of this Policy (including any updates), your continued use of any of our Services indicates your consent to the practices described in this Policy.
We may change this Policy from time to time. Changes will be posted on this page with the effective date. Please visit this page regularly so that you are aware of our latest updates. Your use of the Services following notice of any changes indicates acceptance of any changes.
Feel free to contact us with questions or concerns using the appropriate address below.
268 Bush St.
San Francisco, CA 94104
Our Services may be provided to organizations that have entered into an agreement with us, such as an employer or a clinic (our “Clients”). When our Services are provided as part of a Client agreement, we may share certain information with our Client about that Client’s users of our Services (“Client Users”) as part of any authorized Reporting Services and/or any authorized Clinical Reporting. The extent of this reporting will vary based on the nature of the Client relationship, your consent, rights, choices, and other variables discussed further below. This Policy reflects only how we process Personal Data through our Services. This Policy does not apply to Clients’ uses of data accessed or made available through our Services.
This Policy also does not apply to information processed by other third parties, for example, when you visit a third-party website or interact with third-party services, unless and until we receive your information from those parties. Please review any third parties’ privacy policies before disclosing information to them.
Personal Data We Collect
We may collect and process information that relates to identified or identifiable individuals (“Personal Data”), including certain Personal Data that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health information, or information relating to sex life or sexual orientation (“Special Category Data”). We collect and process the following categories of Personal Data (note, specific Personal Data elements listed in each category are only examples and may change):
Personal Data about you and your identity, such as your name, username, birth date, gender, and other Personal Data you may provide on registration or purchase forms or as part of an account profile, or otherwise when you use our Services (e.g. biographical information).
Personal Data used to contact an individual, e.g. email address, physical address, or phone number.
Personal Data relating to your device, browser, or application e.g. IP addresses, MAC addresses, application ID/AdID/IDFA, identifiers from cookies, session navigation history and similar browsing metadata, and other data generated through applications and browsers, including via cookies and similar technologies.
Personal Data relating to your geographic location, such as information collected from your device’s GPS, or location information you voluntarily provide to us.
Personal Data relating to financial accounts or services, e.g. a credit card or other financial account number, and other relevant information you provide in connection with a financial transaction.
Personal data contained in any free text or unstructured format, such as notes, comments, or other text entered into a text box, whether by you, a Client User, or provided by another third party.
Personal Data relating to inferences drawn from Personal Data to create a profile about you, such as predispositions, behavior, and attitudes.
Brain Performance Data
Inference Data relating to an individual’s brain performance (such as memory, cognition, attention, or similar characteristics) that is provided by or collected from a user of the Services or that is inferred or derived from an analysis of other Personal Data we collect under this Policy.
Personal Data relating to physical characteristics, such as your height and weight, and dominant hand (this may be classified under applicable law as Special Category Data).
Mental Health Data
Personal Data, including Brain Performance Data, to the extent that data relates specifically to mental health, such as risk factors for or assessments of certain mental health conditions, or other similar matters relating to mental health (this may be classified under applicable law as Special Category Data).
We collect Personal Data in various ways, which vary depending on the context in which we process that Personal Data:
Data you provide to us
You may provide us or our Clients with Personal Data directly, for example, as part of account registration or when you provide information through the Platform.
Data we create or infer
We or our Clients (or third parties operating on our behalf) create and infer Personal Data such as Inference Data, Mental Health Data, or Brain Performance Data based on our observations or analysis of other Personal Data processed under this Policy.
We may receive Personal Data from third parties with whom we or a Client have a relationship. For example, we may receive certain Personal Data when you sign up through your employer or clinical practice.
We generally process your Personal Data in connection with the following activities and purposes, as well as for the Business and Commercial purposes described below.
When you create an account on our Services, we process certain Personal Data, which typically includes Identity Data, Device/Network Data, Contact Data, and if you choose to provide it, Location Data. Additionally, if you make a purchase or initiate or renew a paid subscription through our Services, we may process Identity Data, Financial Data, and certain Contact Data. Note, third parties typically processes these transactions on our behalf.
We use Identity Data and Contact Data as necessary to create, maintain, and provide you with important information about your account. Additionally, we use the Transaction Data, Identity Data and Contact Data as necessary to complete and provide you with important information regarding your transaction. Financial Data is used only as necessary to process transactions that you request. We may also use Location data in developing geographic clustering of brain profiles, and in personalization or recommendation of activities within the Platform.
Brain Performance Platform
If you use our Platform, we process Personal Data such as Identity Data, Device/Network Data, Brain Performance Data, Location Data, Physical Data and Mental Health Data. We generally process the Personal Data provided through the Platform as necessary in connection with our provision of the Platform and services you request, including to create Brain Performance Data and Mental Health Data, and related Inference Data regarding your mental performance and mental health. For example, we may track and analyze your memory, attention and cognition at a point in time or over time, or in response to certain environmental or other circumstances, and provide you with a dashboard summarizing this analysis.
If you are a Client User, we may also process this Personal Data in connection with Client Reporting or Clinical Reporting if you access our Service through a Client or a clinic/health care provider.
Note: We process Mental Health Data, Brain Performance Data, Location Data and Physical Data only in accordance with your consent where your specific is consent required by applicable law. We may also process Identity Data, Brain Performance Data, Location Data, Physical Data and Mental Health Data using AI & Automated Analysis. This processing helps us better personalize the Platform, improve the accuracy and quality of our brain performance analysis, and our assessment of mental health risk factors.
We may process Identity Data, User Content and certain Contact Data if you choose to complete a customer survey, questionnaire, or similar form. Note, some surveys are operated/controlled by us, and others are operated/controlled by our third party partners. We may receive this data from third parties to the extent allowed by the applicable partner.
In certain cases, we may also offer clinical questionnaires where you may answer additional questions regarding your mental health and progress, in which case we will collect additional Identity Data, Brain Performance Data, Location Data, Physical Data and Mental Health Data. This information will be processed in the same manner and subject to the same restrictions as data collected in connection with our Platform (described above), and in some cases, may be shared with the respective clinical Client.
Promotions and Offers
Note: If you win a promotion, your acceptance of a prize may allow us to make certain Personal Data public, e.g. posting your name on a winner’s page. See the applicable program’s terms and conditions for details.
Cookies and Similar Tracking Technologies
We, and certain third parties, may process Identity Data, Contact Data, Location Data, and Device/Network Data when you interact with cookies and similar technologies on our Services. We may receive this data from third parties to the extent allowed by the applicable partner. Please note that the privacy policies of third parties may apply to these technologies and information collected.
Subject to users’ Rights and Choices, we use this information as follows:
Note: Some of these technologies can be used by us and/or our third-party partners to identify you across platforms, devices, sites, and services.
Business and Commercial Purposes of Processing
The following provides additional information regarding the business and commercial purposes of processing.
Service Provision and Contractual Obligations
We process any Personal Data as is necessary to provide the Services, authenticate users and their rights to access the Services, and as otherwise necessary to fulfill our contractual obligations to you, and provide you with the information, features, and Services you request.
Internal Processes and Service Improvement
We may use any Personal Data we process through our Services as necessary in connection with our legitimate business interests in improving the design of our Services, understanding how are Services are used or function, for customer service purposes, in connection with logs and metadata relating to Services use, and for ensuring the security and stability of the Services. Additionally, we may use Personal Data to understand what parts of our Services are most relevant to users, how users interact with various aspects of our Services, how our Services perform, etc., or we may analyze use of the Services to determine if there are specific activities that might indicate an information security risk to the Services or our users. This processing is subject to users’ Rights and Choices applicable to processing performed in accordance with our legitimate business interests.
We process Personal Data in connection with our legitimate business interest in personalizing the Platform. For example, the Service may be customized to you so that it displays your name, reflects service preferences or to display content that we think may be of interest to you based on your interactions with our Platform, questionnaires, assessments, etc. This processing may involve the creation and use of Inference Data relating to your preferences. This processing is subject to users’ Rights and choices applicable to processing performed in accordance with our legitimate business interests.
AI & Automated Analysis
We may use software and other automation tools integrated into our Platform in order to help us improve the accuracy and quality of our brain performance recommendations, for program personalization, and to further validate our assessment of mental health risk factors. For example, we may use data analytics and algorithms to assess users’ performance in games that test various cognitive abilities and compare that information prior outcomes and sequences of actions that have resulted in increased brain performance. We analyze this information to create a personalized course of action for the User that is customized to a User’s specific performance history, cognitive predispositions, and goals. When we process Personal Data using automated means, we do so subject to your consent where required by law, and at all times subject to users’ Rights & Choices.
We process Client User’s Identity Data, Brain Performance Data, and Mental Health Data in order to create aggregate, anonymized reports of mental health risks facing Clients and the Client Users that are part of their organization. Unless you agree to have your Personal Data disclosed, these Client Reports consist of only Aggregated Data representing a summary of the productivity, mental health risks, and the mental/personality characteristics of Client Users in the Client’s organization.
With your consent and if permitted under our Client Agreement, we may disclose to Clients that a specific named individual has taken an assessment, the time the person has spent performing activities within the Platform, and the results of an assessment or any other Personal Data to the Client (note, in such cases, you may be required to provide your prior consent to us or the Client).
In certain contexts and with your authorization (e.g. where our Service is used by a health care practice or clinical environment), we may provide access to complete assessments, including the Identity Data, Brain Performance Data, Location Data, Physical Data and Mental Health Data in them, as well as additional analytics or features exclusive to a clinical offering. Certain health care providers may also provide additional Personal Data in connection with User Content they input into the Platform regarding a given user.
We will collect and aggregate your Personal Data and information about your use of the Services in order to identify certain trends in how our Services are used, including without limitation, cognitive trends, user brain performance outcomes, geographic trends, etc. relating to our Platform (“Aggregated Data”). Aggregated Data will not contain information from which you may be personally identified. For example, we may process Brain Performance Data to determine aggregate trends in brain performance and the response to various activities, games, and other aspects of our Platform. We may use this information in order to create automated analytics that help us better identify patterns and trends, and recommend more effective and personalized solutions. We may share Aggregated Data with third parties, including for Research and Public Health purposes, or with Clients as part of Client Reporting, to give them a better understanding of our business and improve the marketability or performance of our Services. When we process Personal Data for this purpose, we do so subject to your consent where required by law, and at all times subject to users’ Rights & Choices.
Research and Public Health
We may also process and disclose your Personal Data for uses related to medical research, public health, and for other research and public health/safety grounds, to the extent and under the conditions allowed by applicable law.
Compliance, Health, Safety & Public Interest
Note that we may, without your consent or further notice to you, and to the extent required or permitted by law, process any Personal Data for purposes determined to be in the public interest, required by law, or as necessary in connection with the establishment or defense of our legal rights. For example, we may process information as necessary to fulfil our legal obligations, to protect the vital interests of any individuals, to establish claims for violations of applicable contracts, for authorized medical or public health purposes, or as otherwise in the public interest or required by a public authority. Please see the data sharing section for more information about how we disclose Personal Data in extraordinary circumstances.
We use Personal Data as necessary to provide marketing communications, and consistent with our legitimate business interests, we may send you marketing and promotional communications if you sign up for such communications or register for our Platform. We may also process Device/Network Data and Contact Data when you interact with our communications in connection with our interest in understanding communication response and open rates.
Other Processing of Personal Data
If we process Personal Data in connection with our Service in a way not described in this Privacy Notice, this Privacy Notice will still apply generally (e.g. with respect to users’ Rights and choices) unless otherwise stated when you provide it.
Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer data to the following categories of recipients:
We process Personal Data on behalf of Clients and may share with Clients information in connection with our Reporting Services and any Clinical Reporting.
In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other legitimate business interests or other business purposes, we may share your Personal Data with service providers or subprocessors who provide certain services or process data on our behalf. For example, we may use cloud-based hosting providers to host portions of our Service or may disclose information as part of our own internal operations, such as security operations, internal analytics, product development, etc.
In order to streamline certain business operations and develop products and services that better meet the interests and needs of our customers, and inform our customers about relevant products and services, we may share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies.
In order to deliver certain advertisements, and develop better products and services, we may share with trusted third parties for marketing, advertising, or similar commercial purposes the Personal Data described in the Cookies and Similar Technology section, and any information that we may use for Marketing Communications.
Any Personal Data may be processed in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.
We may disclose any Personal Data in accordance with your consent, or on certain public interest grounds. For example, we may process information as necessary to fulfil our legal obligations, to protect the vital interests of any individuals, for public health and other matters in the public interest. In addition, we may disclose Personal Data to medical providers or healthcare organizations, either with your consent, or where allowed by applicable law.
Subject to the rights granted to other individuals, and our rights to limit or deny access/disclosure under applicable law, you have the following rights in your Personal Data. We may require that you provide additional Personal Data to exercise these rights, e.g. information necessary to prove your identity. Note: As described above, we generally do not share Personal Data with Clients. Accordingly, we are unable to directly fulfill rights requests regarding Personal Data controlled by Clients. Please contact the Client directly for data rights requests regarding Client-controlled information, and we will assist the Client to the extent necessary in the fulfillment of your request. You may exercise your rights by contacting us at the address set forth below in the Contact Us section.
Note: you may have additional rights under local law. Additional rights and disclosures for the EU/EEA/Switzerland and California are included below.
You may receive a list of your Personal Data that we process to the extent required and permitted by law.
You may correct any Personal Data that we hold about you to the extent required and permitted by law. You may be able to make changes to much of the information you provided directly via the Services via your account settings menu.
Erasure: To the extent required by applicable law, you may request that we delete your Personal Data from our systems.
To the extent required by applicable law, we will send you a copy of your Personal Data in a common portable format of our choice.
You have the right to contact or file a complaint with regulators or supervisory authorities about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.
You have the following choices regarding the Personal Data we process:
Consent: If you consent to processing, you may withdraw your consent at any time, to the extent required by law. You may be required to close your account in order to withdraw consent where your consent is necessary to perform essential aspects of the service.
You have the choice to opt-out of or withdraw your consent to direct marketing communications. You may have a legal right not to receive such messages in certain circumstances, in which case, you will only receive direct marketing communications if you consent. You may exercise your choice via the links in our communications or by contacting us re: direct marketing.
Cookies & Similar Tech
To the extent we process Mental Health Data, Physical Data, Biometric Data, Brain Performance or other Personal Data relating to health conditions by automated means, you may opt-out of, or revoke your consent, to this processing or elect to have an individual review any of the results of processing.
Research and Public Health
You may request that Total Brain not use Personal Data gathered through your use of the Services for these purposes and Total Brain will promptly comply with any such request.
You may have the right under applicable law to object to our processing of your Personal Data for certain purposes, including without limitation, situations where we process in accordance with our legitimate interests. You may do so by contacting us re: data rights requests. Note that we may not be required to cease processing based solely on an objection.
We implement and maintain reasonable security measures to safeguard the Personal Data you provide us. However, we sometimes share Personal Data with third parties as noted above, and we do not have control over third parties’ security processes. Please note, we do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure.
We retain information for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. We will review retention periods periodically, and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate.
We operate in and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. does not provide the same legal protections guaranteed to Personal Data in the European Union. Accordingly, your Personal Data may be transferred to the U.S. pursuant to the EU-U.S. Privacy Shield Framework, the Standard Contractual Clauses, or other adequacy mechanisms, or pursuant to exemptions provided under EU law. Contact us for more information regarding the mechanisms to ensure adequate protection of data subject to EU Law.
Under the California Consumer Privacy Act (“CCPA”) and other California laws, California residents may have the following rights in addition to those set forth in the Rights & Choices section above, subject to your submission of an appropriately verified request (see below for verification requirements):
|Right to Know||You may request any of the following, for the 12 month period preceding your request: (1) the categories of Personal Data we have collected about you, or that we have sold, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the business or commercial purpose for which we collected or sold your Personal Data; (4) the categories of third parties to whom we have sold your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.|
|Right to Delete||You have the right to delete certain Personal Data that we hold about you, subject to exceptions under applicable law.|
|Right to Non-Discrimination||You have the right to not to receive discriminatory treatment as a result of your exercise of rights conferred by the CCPA.|
|Direct Marketing||You may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year.|
|Opt-Out of Sale||If we engage in sales of data (as defined by applicable law), you may direct us to stop selling or disclosing Personal Data to third parties for commercial purposes. We do not currently “sell” your Personal Data.|
Submission of Requests
You may submit requests, as follows (see below for summary of required verification information):
|Right to Know||You may email us at firstname.lastname@example.org. Please provide your email address, phone number and address we have on file for you along with your desire to know what Information we have on you.|
|Right to Delete||You may email us at email@example.com. Please provide your email address, phone number and address we have on file for you along with your desire to have your data deleted.|
|Direct Marketing||You may request a list of any relevant direct marketing disclosures via email to our privacy team at firstname.lastname@example.org.|
Verification of Requests
All rights requests must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. We may require that you provide the email address we have on file for you (and verify that you can access that email account) as well as an address, phone number, or other data we have on file, in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.
Categories of Personal Data Disclosed for Business Purposes
For purposes of the CCPA, we may disclose to Service Providers for “business purposes” the following categories of Personal Data: Identity Data; Contact Data; Device/Network Data; Location Data; Financial Data; User Content; Inference Data; Brain Performance Data; Physical Data; Mental Health Data.
No Data Sale
For the purposes of the CCPA, we do not “sell” your Personal Data.
Right to Know
|Category of Data||Category of Sources||Business Purposes||Category of Recipients|
|Identity Data||Data you provide to us; Data we create or infer; Automatic collection; Clients||Service Provision/Contract; Process/Service Improvement; Personalization; AI/Automated Analysis; Client Reporting; Clinical Reporting; Aggregate Analytics; Research/Public Health; Compliance, Health, Safety & Public Interest; Marketing Communications||Clients (if and to extent authorized); Service Providers; Affiliates; Marketers; Successors; Legal Disclosures; Other|
|Contact Data||Data you provide to us; Data we create or infer; Automatic collection; Clients||Service Provision/Contract; Process/Service Improvement; Personalization; Compliance, Health, Safety & Public Interest; Marketing Communications||Clients (if and to extent authorized); Service Providers; Affiliates; Marketers; Successors; Legal Disclosures; Other|
|Device/Network Data||Automatic collection||Service Provision/Contract; Process/Service Improvement; Personalization; AI/Automated Analysis; Client Reporting; Clinical Reporting; Aggregate Analytics; Research/Public Health; Compliance, Health, Safety & Public Interest; Marketing Communications||Service Providers; Affiliates; Marketers; Successors; Legal Disclosures; Other|
|Location Data||Data you provide to us; Data we create or infer; Automatic collection; Clients||Service Provision/Contract; Process/Service Improvement; Personalization; AI/Automated Analysis; Client Reporting; Clinical Reporting; Aggregate Analytics; Research/Public Health; Compliance, Health, Safety & Public Interest;||Clients (if and to extent authorized); Service Providers; Affiliates; Successors; Legal Disclosures; Other|
|Financial Data||Data you provide to us||Service Provision/Contract; Process/Service Improvement; Compliance, Health, Safety & Public Interest||Service Providers; Affiliates; Successors; Legal Disclosures; Other|
|User Content||Data you provide to us; Clients||Service Provision/Contract; Process/Service Improvement; Personalization; AI/Automated Analysis; Client Reporting; Clinical Reporting; Aggregate Analytics; Research/Public Health; Compliance, Health, Safety & Public Interest; Marketing Communications||Clients (if and to extent authorized); Service Providers; Affiliates; Marketers; Successors; Legal Disclosures; Other|
|Inference Data||Data you provide to us; Data we create or infer; Clients||Service Provision/Contract; Process/Service Improvement; Personalization; AI/Automated Analysis; Client Reporting; Clinical Reporting; Aggregate Analytics; Research/Public Health; Compliance, Health, Safety & Public Interest;||Clients (if and to extent authorized); Service Providers; Affiliates; Successors; Legal Disclosures; Other|
|Brain Performance Data||Data you provide to us; Data we create or infer; Clients||Service Provision/Contract; Process/Service Improvement; Personalization; AI/Automated Analysis; Client Reporting; Clinical Reporting; Aggregate Analytics; Research/Public Health; Compliance, Health, Safety & Public Interest;||Clients (if and to extent authorized); Service Providers; Affiliates; Successors; Legal Disclosures; Other|
|Physical Data||Data you provide to us; Data we create or infer; Clients|
|Mental Health Data||Data you provide to us; Data we create or infer; Clients|
Legal bases for processing
The legal bases for our processing of your Personal Data are described in the table below. If you have questions about the legal basis of how we process your Personal Data, contact us at email@example.com.
|Processing purpose||Legal Basis|
Brain Performance Platform
Surveys and Questionnaires
Promotions and Offers
|Processing is necessary to perform the contract governing our provision of the Services or to take steps that you request prior to signing up for the Services. This may include processing that is in connection with operations that are necessary to provide the Services themselves.|
|The following processing activities constitute our legitimate interests. We balance any potential impact on you when we process your personal data for our legitimate interests. You may object to this processing as permitted by law. For example, our legitimate interests include:|
|Determining the effectiveness of marketing campaigns|
Internal Processes and Service Improvement
Cookies and Similar Tracking Technologies
|To create, provide, support, maintain, and improve the functionality and performance of our Services, and operate our business|
Internal Processes and Service Improvement
|To secure our Platform and network, investigate suspicious activity or violations of our terms or policies; and to protect the safety of Personal Data, including to prevent exploitation or other harms to which users may be particularly vulnerable.|
|Processing is necessary to comply with our legal obligations, for example, tax laws, fraud reporting, etc.|
Brain Performance Platform
|Processing is based on your consent solelyto the extent these processes involve the processing of Mental Health Data or Special Category Data. Where we rely on your consent you have the right to withdraw it anytime by closing your account.|
|All Personal Data||Note, we may process and disclose Personal Data where it is in the vital interests of a data subject, to comply with a legal obligation to which we are subject, in the public interest, for public health purposes and medical or scientific research, or other appropriate legal ground which may apply under applicable law.|
In addition to the rights set forth above, EU users have the following additional rights
Right to Object
Where we process Personal Data on the basis of our legitimate interests, you can object to that processing to extent allowed by law. Note that we must only limit processing where our interests in processing do not override an individual’s interests, rights, and freedoms, or the processing is not for the establishment exercise, or defense of a legal claim.
Right to Restrict
You may have the right to restrict processing of your Personal Data where the accuracy of the Personal Data is contested, the processing is unlawful but you object to deleting the Personal Data, or we no longer require the Personal Data, but it is still required for the establishment, exercise, or defense of a legal claim, or while we assess an objection to processing.
We comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries, the UK, and Switzerland. We have certified that we adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. Furthermore, we require third party recipients of EU/Swiss/UK residents’ Personal Data to agree to respect these principles, and we accept liability for third parties’ processing of EU/Swiss/UK residents’ data to the extent required by law.