Privacy Policy

1. General

Brainhero GmbH (hereinafter: “we”, “our” and “Brainhero”) respects your privacy and is committed to protecting your personal data. Therefore, we comply with the applicable legal provisions on the protection and handling of personal data, in particular the General Data Protection Regulation (“GDPR”), the Austrian Data Protection Act (“DSG”), the Research and Organization Act (“FOG”) and the Austrian Telecommunications Act (“TKG”).

This Privacy Policy is intended to inform you in a precise, transparent, understandable and easily accessible manner about how we process your personal data when you use the services via the Brainhero websites brainhero.eu and api.brainhero.eu (accessible via Brainhero – Home – hereinafter: “the Website”) or through the Brainhero App (hereinafter: “Brainhero” or “App”) and to assist data subjects in exercising their rights under Section 7.

2. Name and address of the controller

The controller for the processing of your personal data is:

Brainhero GmbH
Fuchsthallergasse 2/10
1090 Vienna
E-mail: help@brainhero.eu
Tel: +43 (0) 1 997 42 94

Our data protection officer Mr. Leopold Weninger can be reached at the following e-mail addresses: datenschutzbeauftragter@brainhero.eu and dataprotectionofficer@brainhero.eu.

If you have any questions about this privacy notice, including requests to exercise your legal rights, please contact us using the contact details provided.

3. How is your personal data processed?

3.1 Website

3.1.1 Registration for events

On the website, you can express your interest in events offered by filling out a form for the respective event. We process the personal data you provide in this process exclusively in order to communicate with you about this specific event. The non-binding registration for events is only valid for this one event.

In order to provide you with the requested information, we process the following data on the basis of Art 6 para 1 lit b GDPR:

  • First and last name;
  • Your e-mail address;
  • Your registration for the specific event.

We store your personal data until the event is held, and beyond that for a maximum of three months in order to be able to respond to any queries.

3.1.2 Registration or creation of your personal user account

You can register/create a user account on our website. After successful registration and confirmation of your e-mail address, you can log in to your user account using your e-mail address and password. We process your personal data so that you can manage your profile and so we can provide you with our services related to Brainhero. When you register and log in, we process the following personal data based on Art 6 para 1 lit b GDPR:

  • Your email address
  • Your freely chosen password (however, not visible to us in clear text)
  • Consent to our general terms and conditions and acknowledgement of our data protection information.

Your personal data will be stored in your user account as long as you do not delete it. All user data is stored within an independent module of the Brainhero architecture in encrypted form. If you are inactive, your personal data will be deleted after three years from the last activity.

3.1.3 Registration for a free information interview

You have the opportunity to have a free informational interview with us. We process your personal data in order to be able to contact you and to advise you whether our training is suitable for you and your child. In this context, we process the following data on the basis of Art 6 para 1 lit b GDPR:

  • First and last name
  • Your telephone number
  • The desired appointment (time frame in which you are available for a conversation)
  • Consent to the processing of medical data
  • Optional – consent to receive electronic marketing

We will process your personal data for as long as it is necessary for these purposes and store it for a further three years after the last contact.

If we do not have a free place for Brainhero Therapy at the time of the information interview, we may offer to put you on a waiting list for new products or a place in a clinical trial. For these waiting lists, we store the data collected during the information interview. We process the aforementioned data exclusively to contact you in case of a free place. This is done on the basis of your voluntary consent according to Art 6 para 1 lit a GDPR. You have the right to revoke your consent at any time with effect for the future.

3.1.4 Content of the free information interview

We process the following personal data in order to be able to advise you whether our training is suitable for you and your child, on the basis of your explicit consent given voluntarily as a parent or guardian on the basis of Art 6 para 1 lit a GDPR and Art 9 para 2 lit a GDPR. You have the right to revoke your consent at any time with effect for the future. Without your consent, we may not process the sensitive health data – but this also means that no substantive conversation with you is possible. We ask for your understanding in this regard.

  • First and last name
  • Age of the person training
  • Diagnosis of the person training
  • Comorbidities of the person training

We process your personal data for as long as it is necessary for these purposes and store it for another three years after the last contact.

3.1.5 Order form

If you meet the requirements for treatment, you will be given access to the order form after the information interview. In this context, we process the following data on the basis of Art 6 para 1 lit b GDPR:

  • Name of the training person;
  • Head measurements to determine the headband size of the training person;
  • delivery address.

Furthermore, we process the following personal data on the basis of your voluntary express consent as a parent or guardian pursuant to Art 9 para 2 lit a GDPR. You have the right to revoke your consent at any time with effect for the future:

  • ASD and/or ADHD diagnosis of the training person;
  • Information on the chosen training protocol if both diagnoses exist for the person training;
  • Information that the training person is able to communicate verbally;
  • Information that the training person and those present at the training do not have epilepsy;
  • optional – explicit consent to data collection for research purposes, for monitoring after the product has been placed on the market (“Post market surveillance”) and for tips for training optimization.

Your personal data will be stored in your user account as long as you do not delete it. All user data is kept within an independent module of the Brainhero architecture in encrypted form. If you are inactive, your personal data will be deleted after three years from the last activity.

3.1.6 Payment data

As a method of payment, we offer advance transfer via invoice. We indicate any other payment methods on our homepage. Payments are confirmed on the basis of Art 6 para 1 lit b and Art 6 para 1 lit c GDPR by matching the invoice number or order number. If this was not provided, the invoice will be traced back to the name.

We store your personal data for seven years after the end of the year in which you placed your order for tax and company law reasons.

3.1.7 Newsletter

We process the personal data you voluntarily provide when registering for the newsletter (your first and last name, as well as your e-mail address) for the purpose of sending you e-mail newsletters with information about innovations in Brainhero’s products and services, event invitations, advertising about other news in the field of neurofeedback research and current projects about Brainhero, current projects, marketing and product information.

We process this data on the basis of your voluntary consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent to receive our newsletter at any time free of charge (e.g. via the unsubscribe link in our email newsletters) with effect for the future. Upon receipt of your revocation, we will immediately stop sending you further e-mail newsletters and delete your personal data from the distribution list.

If you have only subscribed to our newsletter and are not a customer of ours beyond that, we will store your data until you revoke your consent or for a maximum of three years after your last contact with us.

3.1.8 Inquiries

If you contact us via the contact options offered on our website, we will process your voluntarily provided personal data (name, email address, content of your inquiry) in order to be able to answer your inquiry. This is done on the basis of our overriding interests pursuant to Art 6 para 1 lit f GDPR and, depending on the content, for pre-contractual measures pursuant to Art 6 para 1 lit b GDPR. We store this data as long as it is necessary to respond to your request, but for no longer than six months after the last contact.

We are obligated to delete any health data provided, unless you give us explicit consent to process it in your inquiry. Therefore, please do not provide us with such confidential data until the informational interview.

3.1.9 Expression of interest and implementation of usability tests

It is very important to us to continuously improve Brainhero with regard to the user experience. Therefore, we conduct usability tests on an ongoing basis, for which interested persons can register via a form on the website (brainhero.eu/en/usabilitytest).

In the event of an expression of interest in participating, we process your personal data on the basis of Art 6 para 1 lit b GDPR in order to inform you about upcoming usability tests as well as to arrange appointments, such as in particular

  • first name, last name
  • E-mail address
  • Telephone number
  • Preferred language

Furthermore, we process the following personal data on the basis of your voluntary express consent as a parent or guardian pursuant to Art 9 para 2 lit a GDPR. You have the right to revoke your consent at any time with effect for the future:

  • Confirmation of ASD and/or ADHD diagnosis.
  • Notes about observed behavior and your feedback during the usability test.

If you have expressed interest in participating in our usability tests, have taken part in them and are not a customer of ours beyond that, we will store your data until you revoke your consent or for a maximum of three years after your last contact with us.

3.2 Use of the Brainhero App

We process your personal data only to the extent necessary to provide you with a functional app. Your personal data can be either manually or automatically integrated into the app or collected directly via the app. To be able to use the training program, we provide you with our own app (“Brainhero”) via the App Store and Google Play Store. The app connects to the EEG to run the training program for your child.

Access to the App content will only be provided to you in connection with registration via our website, as well as after completion of the informational interview and a resulting training recommendation.

3.2.1 Provision of the App & Creation of Logfiles

We process your personal data to ensure the presentation of the app and its functional scope. The aforementioned data is also temporarily stored in internal log files in order to create statistical information about the use of our app, to further develop our app with regard to the usage habits of our visitors, and to administratively maintain our app. In this context, we process the following data on the basis of Art 6 para 1 lit b GDPR and Art 6 para 1 lit f GDPR:

  • Training duration, as well as intermediate storage of data in case of upload failure;
  • Chosen training protocol;
  • Calibration Data and data on therapy efficiency;
  • Error codes and when they occurred;
  • Language settings;
  • Status in the order process;
  • Status of tutorials;
  • User ID and usernames;
  • First and last name;
  • Name of the training person; 
  • Session User and Session Token;
  • IP Address;
  • Device ID;
  • Status for email confirmation;
  • Changes to contact information.

Personal data is stored on your mobile device within the app as long as you do not delete it. All User Data is stored within an independent module of the Brainhero architecture in encrypted form.

3.2.2 Your contact details and communications

When you contact our customer service, we process the following data based on Art 6 para 1 lit b GDPR to process your request:

  • First and last name;
  • Your telephone number;
  • Your email address;
  • The content of your messages and communications.

We process your personal data for as long as it is necessary for these purposes and store it for a further six months after the last contact in order to be able to answer any follow-up questions.

3.2.3 Monitoring tool / Post-clinical observation

In order to be able to provide you or the person training with the best possible support during and after Brainhero therapy, we process personal data of the person training that results from the use of the app on the basis of your express consent pursuant to Art 9 (2) lit a GDPR, such as in particular

  • Training duration, frequency and usage behavior;
  • User ID and contact details;
  • Clinical diagnoses; 
  • Calibration Data;
  • Data on therapy efficiency;
  • Changes in brain activity over the duration of the therapy (EEG);
  • Data collected as part of monitoring after releasing the product (Post market surveillance) for assessment of changes in behavior.

We process this data for as long as it is necessary for these purposes and store it for a further three years after the last contact, unless you withdraw your consent earlier.

3.2.4 Training tips

We are happy to help you to make Brainhero Therapy as effective as possible. For this purpose, we process personal data of the person training on the basis of your explicit consent according to Art 9 (2) lit a GDPR, such as in particular

  • Training duration;
  • User ID and username;
  • Clinical diagnoses; and
  • Changes in brain activity over the duration of the therapy (EEG).

We process this data for as long as it is necessary for these purposes and store it for a further three years after the last contact, unless you withdraw your consent earlier.

3.2.5 Internal research purposes

It is of great concern to us to continuously improve Brainhero with regard to the user experience. Therefore, we process personal data of the person training in accordance with your explicit consent pursuant to Art 9 (2) lit a GDPR in pseudonymized form, such as in particular

  • Training duration;
  • User ID and usernames;
  • Clinical diagnoses; 
  • Calibration data;
  • Data on therapy efficiency; and
  • Change in brain activity over the duration of the therapy (EEG).

We process this data for as long as necessary for these purposes and store it for a further three years after the last contact, unless you withdraw your consent earlier.

3.2.6 Research studies with external partners

The use of Brainhero may result in findings that have scientific value and can be used for the treatment of autism and ADHD. On the basis of your explicit consent pursuant to Art 9 (2) lit a GDPR, we therefore share personal data of the person training in pseudonymized form with external research institutions in order to research new treatments. For this purpose, we draw on the following usage data in particular:

  • Training duration;
  • Clinical diagnoses; 
  • Calibration data;
  • Data on therapy efficiency; and
  • Change in brain activity over the duration of therapy (EEG).

We process this data for as long as it is needed for these purposes and store it for another three years after the last contact, unless you withdraw your consent earlier.

3.2.7 Feedback on Brainhero

You have the possibility to give us feedback on Brainhero. For example, you can tell us about your satisfaction by mail, phone or email. We process the content of your message on the basis of our overriding interest based on Art 6 para 1 lit f GDPR in order to improve our service and to provide you and other data subjects with even better support in the future.

We process your personal data for as long as it is necessary for these purposes and store it for a further three years after the last contact.

3.2.8 Public feedback on Brainhero

If you give us your express written consent pursuant to Art 6 (1) lit a or Art 9 (2) lit a GDPR, we will publish your positive feedback with your first name on our website. In this context, we process the following data:

  • First name;
  • Content of your feedback.

We process your personal data for as long as it is necessary for these purposes and store it for another three years after the last contact, unless you revoke your consent earlier.

3.2.9 Bluetooth and location detection

In order for the Brainhero app to connect to the tablet, it is necessary to enable Bluetooth on the tablet. On Android devices, location permissions must also be enabled in order for the app to connect via Bluetooth. This is necessary because Android requires that any app that uses Bluetooth also has access to location. However, Brainhero does not process any location data from you and does not qualify as a controller or processor within the meaning of Art 4 no 7 and 8 GDPR with regard to the location data. The activation of the location permissions only serves to ensure the Bluetooth functionality.

3.3 Processing for other purposes

If we intend to process the personal data for a purpose other than the original purpose, we will provide you with information about this other purpose and other necessary information prior to this further processing.

4. Possible recipients

We do not sell, rent or loan your personal data to third parties.

To the extent necessary, we transfer your personal data to the following external service providers (processors) who assist us in providing our services:

  • IT service providers and/or providers of data hosting solutions or similar services;
  • Other service providers, tool providers and software solution providers who also assist us in providing our services and act on our behalf (including marketing tool providers, communication service providers).

All of our processors process your data only on our behalf and based on our instructions so that we can provide our services to you.

In addition, we transfer your personal data to the following recipients (data controllers) to the extent necessary:

  • External third parties based on our legitimate interests to the extent necessary (e.g. auditors and tax advisors, insurance companies in the event of insurance claims, legal representatives in the event of an incident);
  • Research institutions (only on the basis of your express consent);
  • Authorities, courts and other public bodies to the extent required by law (e.g. financial or data protection authorities).

In the event of a merger, acquisition or sale of all or a portion of our assets, you will be notified by email and/or by a prominent notice on our website of any change in ownership or use of personal information and of your choices regarding personal information.

International transfer

Personal data will only be stored in the EU and Switzerland.

Data processing operations carried out through third party providers located outside the aforementioned geographical area can only be carried out partially or entirely in the countries of the respective establishment on the basis of an adequacy decision of the European Commission or, in the absence of an adequacy decision, in accordance with standard contractual clauses approved by the European Commission and any additional measures required.

5. Storage periods and deletion

We will retain personal data only for as long as necessary to fulfill the purposes for which we collected it, including to comply with legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for an extended period of time if we have a complaint or reasonably believe that litigation is imminent with respect to our relationship with you.

In determining the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes by other means, and applicable legal, regulatory, tax, accounting or other requirements.

If the data is no longer necessary for the purposes or legitimate interests pursued and no other legal basis intervenes, we will delete the data as soon as the other legal basis no longer applies.

5.1 Deletion of user data

If you exercise your right to be forgotten, all personal data as well as your health data that is not covered by any legal retention obligations will be deleted within 30 days. If you do not proactively request deletion of your data, then all personal data including health data will be automatically deleted after three years of inactivity. This does not require any further action on your part.

5.2 Deletion of the app

Uninstalling our mobile app on your tablet will only delete the app itself, but not the data stored up to that point. To delete your data, please proceed as described above.

6. Data security at Brainhero

We are aware that you entrust us with sensitive health data in accordance with Art 9 GDPR (hereinafter “sensitive data”) about the person training.

We have therefore taken appropriate security measures to prevent personal data from being accidentally lost, used without authorization or accessed, altered or disclosed. In addition, we restrict access to your personal information to those employees, agents, contractors and other third parties who need to know that information for business reasons. They will only process your personal data on our instructions and are bound to confidentiality.

We have appropriate procedures in place to deal with suspected personal data breaches and will notify you and the relevant supervisory authorities of a breach where we are required to do so by law.

We take various measures to protect your personal information from unauthorized access, use or alteration, and from unlawful destruction or disclosure:

  • we use encryption technology for the transmission and storage of your personal data;
  • we restrict access to your personal data to a strict need-to-know principle;
  • we implement physical, electronic and procedural safeguards that comply with industry standards.

Please note that despite our best efforts, we cannot guarantee that unauthorized access will never be possible, as no method of transmitting or storing information is completely secure.

We strive to limit the collection of personal information to what is directly relevant and necessary to achieve the purposes stated above, in accordance with the principle of data minimization.

7. Your rights

7.1 Right to information

You have the right to obtain information from us about all data relating to you that is processed by us. You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art 46 GDPR in connection with the transfer.

7.2 Right to rectification and right to restriction of processing

You may request that inaccurate or incomplete data be corrected or completed. You may, in certain circumstances, for example, if the accuracy of data is in dispute until the accuracy has been verified, request restriction of the processing of data to the effect that it may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person, or for reasons of important public interest.

7.3 Right to data portability

You may request that we send you – or, if technically feasible, a third party designated by you – a copy of your data in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was provided, provided that:

(1) the processing is based on consent pursuant to Art 6 para 1 lit a GDPR or Art 9 para 2 lit a GDPR or on a contract pursuant to Art 6 para 1 lit b GDPR, and

(2) the processing is carried out with the help of automated procedures.

In exercising this right, you also have the right to have the personal data relating to you transferred directly from us to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.

7.4 Right to deletion

You have the right to have data deleted in certain circumstances, such as if it is not processed in accordance with data protection requirements.

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

7.5 Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art 6 para 1 lit e or f GDPR.

In this case, we will no longer process the personal data concerning you, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

7.6 Right to revoke the declaration of consent under data protection law

You have the right to revoke any declaration of consent granted under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

7.7 Supervisory Authority

Notwithstanding any other legal remedies, you have the right to lodge a complaint with the national supervisory authority of your place of residence if unlawful processing of personal data is assumed. In Austria, the competent authority is the Data Protection Authority, Barichgasse 40-42, 1030 Vienna, e-mail dsb@dsb.gv.at, telephone: +43 1 52 152-0.

8. Changes to the privacy policy and our obligation to inform you about changes

We may change and revise this policy from time to time. All information we collect is subject to the Privacy Policy in effect at the time such information is collected.

Any changes we make to our Privacy Policy in the future will be posted on this page and, if applicable, communicated to you via email or the App. We therefore recommend that you read this page from time to time to be aware of how we process your data.

Version: 04 / Last updated: 2023-10-05

Version history: