Privacy Policy
1. Introduction & Scope
This Privacy Policy explains how Brainspoke, Inc. (“Brainspoke,” “we,” “us,” or “our”) collects, uses, processes, and protects your personal information when you use our EEG mental health monitoring ecosystem.
What This Means for You
We take your privacy seriously. This policy tells you exactly what data we collect, why we need it, how we protect it, and what rights you have over your information.
Our Ecosystem Includes:
- Hardware: EEG headset with PPG heart-rate sensor, IMU motion sensor, and on-device microphone
- Mobile Applications: iOS and Android companion apps
- Web Dashboard: Browser-based interface for users, clinicians, and research partners
- Cloud Infrastructure: APIs, data processing, and AI-driven analytics
Geographic Scope:
This policy applies to users in:
- United States: HIPAA, CCPA/CPRA compliant
- EU/EEA + UK: GDPR, UK-GDPR compliant
- APAC: Japan, Singapore, Australia, Malaysia
2. Data We Collect
Biometric & Sensor Data
Data Type | Source | Purpose | Retention |
---|---|---|---|
EEG Brain Waves | Headset electrodes | Mental state analysis, pattern recognition | 2 years or until deletion request |
Heart Rate & HRV | PPG sensor | Stress detection, wellness metrics | 2 years or until deletion request |
Motion & Posture | IMU sensors | Activity context, data quality | 1 year or until deletion request |
Account & Profile Data
- Name, email address, phone number
- Date of birth, gender, location (country/region)
- Account preferences and settings
- Profile photo (optional)
- Emergency contact information (optional)
Usage & Technical Data
- Device identifiers (MAC address, serial numbers)
- App usage patterns and session data
- Log files and error reports
- Network information (IP address, connection type)
- Browser type, operating system, device specifications
Cookies & Tracking Technologies
- Essential Cookies: Required for basic functionality (authentication, security)
- Analytics Cookies: Help us understand usage patterns (with your consent)
- Preference Cookies: Remember your settings and preferences
3. Legal Bases for Processing
EU/UK GDPR Legal Bases
- Consent (Art. 6(1)(a)): Biometric data processing, research participation
- Contract (Art. 6(1)(b)): Service delivery, account management
- Legitimate Interest (Art. 6(1)(f)): Security, fraud prevention, service improvement
- Legal Obligation (Art. 6(1)(c)): Regulatory compliance, safety reporting
US Processing Purposes
- Service Provision: Delivering core functionality and features
- User Consent: Optional features and data sharing
- Business Operations: Customer support, billing, security
- Legal Compliance: Responding to legal requests, safety obligations
Special Category Data EU/UK
EEG and biometric data are considered “special category” under GDPR. We process this data based on your explicit consent (Art. 9(2)(a)) and for scientific research purposes (Art. 9(2)(j)) with appropriate safeguards.
4. How We Use Data
Primary Use Cases
Mental Health Analytics
- Real-time mental state assessment
- Stress and mood pattern detection
- Personalized wellness insights
- Progress tracking and trends
Service Optimization
- Algorithm improvement and calibration
- Device performance optimization
- User experience enhancement
- Technical issue resolution
AI & Machine Learning
How We Use AI with Your Data
- Pattern Recognition: Identify mental health indicators in EEG and biometric data
- Predictive Modeling: Forecast potential wellness events and recommend interventions
- Personalization: Tailor insights and recommendations to your unique patterns
- Research Applications: Advance mental health understanding (with explicit consent)
EU/UK Automated Decision-Making Rights
Under GDPR Article 22, you have the right to object to purely automated decision-making. Our AI provides recommendations, but final health decisions always remain with you and your healthcare providers.
Research & Development
With your explicit consent, we may use de-identified data for:
- Scientific research to advance mental health understanding
- Development of new features and capabilities
- Collaboration with academic and medical institutions
- Publication of aggregated, anonymized research findings
5. Sharing & Disclosure
When We Share Your Data
Recipient Category | Data Shared | Purpose | Legal Basis |
---|---|---|---|
Service Providers | Technical data, limited personal data | Cloud hosting, analytics, customer support | Contract necessity |
Healthcare Partners | Wellness insights (with consent) | Clinical integration, care coordination | Explicit consent |
Research Institutions | De-identified datasets | Scientific research | Explicit consent |
Legal Authorities | As required by law | Legal compliance, safety | Legal obligation |
We Never Share Without Permission
Your Data Protection Guarantee
- We never sell your personal or biometric data
- No sharing for marketing or advertising purposes
- All third-party partners sign strict data protection agreements
- You control healthcare provider and research sharing
Data Processing Partners
We work with carefully selected partners who meet our security and privacy standards:
- Cloud Infrastructure: AWS, Google Cloud, Cloudflare (with data residency controls)
- Analytics: Anonymized usage analytics only
- Customer Support: Encrypted communication platforms
- Payment Processing: PCI-DSS compliant payment processors
6. Cross-Border Transfers & Data Localization
Regional Data Centers
- United States
  - Primary: US-East (Virginia)
  - Secondary: US-West (California)
  - Compliance: HIPAA, CCPA/CPRA
- EU/EEA + UK
  - Primary: EU-West (Ireland)
  - Secondary: UK-South (London)
  - Compliance: GDPR, UK-GDPR
- APAC
  - Primary: Singapore
  - Secondary: Australia-Southeast
  - Compliance: PDPA, Privacy Act
International Transfer Safeguards
EU/UK Standard Contractual Clauses (SCCs)
For any transfers outside the EU/EEA, we use the European Commission’s Standard Contractual Clauses (2021/914) with additional technical and organizational measures.
- End-to-end encryption for all transfers
- Data minimization and purpose limitation
- Regular third-party security audits
- Immediate breach notification procedures
Data Residency Controls
You can control where your data is stored and processed:
- Regional Preference: Choose your preferred data region in account settings
- Transfer Restrictions: Opt out of cross-border processing (may limit functionality)
- Local Processing: Critical biometric analysis performed locally on device when possible
7. Data Retention & Deletion
Retention Periods
Data Category | Retention Period | Rationale | User Control |
---|---|---|---|
EEG & Biometric Data | 2 years from last session | Long-term pattern analysis, trend detection | Delete anytime |
Account Information | Until account deletion + 30 days | Account management, billing | Delete with account |
Usage Analytics | 1 year | Service improvement | Opt-out available |
Support Communications | 3 years | Customer service, quality assurance | Request deletion |
Legal/Compliance Data | 7 years or as required by law | Regulatory compliance | Legal minimum law only |
Automated Deletion
Scheduled Data Cleanup
- Daily: Temporary files and session data older than 24 hours
- Weekly: Incomplete or abandoned data uploads
- Monthly: Analytics data beyond retention period
- Quarterly: Full retention policy compliance audit
User-Initiated Deletion
You can delete your data at any time through:
- In-App Controls: Delete specific sessions, data ranges, or data types
- Account Settings: Bulk data deletion with confirmation
- Support Request: Assisted deletion for complex cases
- Account Closure: Complete data deletion within 30 days
8. Security Measures
Technical Safeguards
Encryption
- AES-256 encryption at rest
- TLS 1.3 for data in transit
- End-to-end encryption for sensitive data
- Hardware security modules (HSM)
Access Controls
- Multi-factor authentication required
- Role-based access control (RBAC)
- Principle of least privilege
- Regular access reviews
Organizational Measures
Compliance & Certifications
- ISO 27001: Information Security
- SOC 2 Type II: Security Controls
- HIPAA: Healthcare Privacy
- GDPR: Privacy by Design
Monitoring & Incident Response
- 24/7 Security Monitoring: Real-time threat detection and response
- Regular Penetration Testing: Quarterly third-party security assessments
- Incident Response Plan: 24-hour breach notification procedures
- Employee Training: Mandatory privacy and security awareness programs
- Vendor Management: Due diligence and ongoing monitoring of all partners
Breach Notification
In the unlikely event of a security incident affecting your personal data, we will notify you and relevant authorities within 72 hours as required by applicable law.
9. Your Rights
Global Data Subject Rights
Right | Description | How to Exercise | Response Time | Applicable Regions |
---|---|---|---|---|
Access | Request copy of your personal data | In-app request or email | 30 days | Global |
Rectification | Correct inaccurate personal data | Account settings or support | 5 days | Global |
Erasure | Delete your personal data | In-app deletion or email | 30 days | Global |
Portability | Export data in structured format | In-app export tool | 30 days | EU/UK, CA |
Restriction | Limit processing of your data | Support request | 30 days | EU/UK |
Objection | Object to certain processing | Privacy settings or email | 30 days | EU/UK |
Withdraw Consent | Revoke previously given consent | Privacy settings | Immediate | Global |
California Privacy Rights CCPA/CPRA
Additional Rights for California Residents
- Right to Know: Categories and sources of personal information collected
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of sale/sharing of personal information
- Right to Limit: Limit use of sensitive personal information
- Non-Discrimination: No discrimination for exercising privacy rights
How to Exercise Your Rights
In-App Request Center
Use our built-in privacy dashboard to manage your data rights directly from the app.
Email Request
Send detailed requests to [email protected] with identity verification.
Support Contact
Call our privacy hotline for assistance with complex requests or urgent matters.
Identity Verification
To protect your privacy, we verify your identity before processing data rights requests:
- Account Holders: Multi-factor authentication through your account
- Email Requests: Government-issued ID verification for sensitive requests
- Third-Party Requests: Notarized authorization letter required
- Emergency Situations: Expedited verification procedures available
10. Children’s Data Protection
Age Restrictions & COPPA Compliance
Brainspoke is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13 without verified parental consent.
Age Verification & Parental Controls
Ages 13-17 US
- Parental consent required for account creation
- Limited data collection (no voice data)
- Enhanced privacy controls
- Parent/guardian access to all data
- Simplified deletion procedures
Under 16 EU/UK
- Explicit parental consent required
- GDPR Article 8 compliance
- Regular consent renewal
- Parent/guardian data access rights
- Special category data restrictions
Parental Rights & Controls
Parents and legal guardians have the following rights regarding their minor child’s data:
- Access Rights: View all data collected about your child
- Deletion Rights: Request immediate deletion of your child’s data
- Consent Management: Withdraw consent at any time
- Data Portability: Export your child’s data
- Usage Monitoring: Receive regular reports on your child’s app usage
Discovery of Underage Users
Immediate Action Protocol
If we discover that a child under 13 has provided personal information without verified parental consent:
- Immediate suspension of data collection
- Parent/guardian notification within 24 hours
- Data deletion within 30 days unless consent obtained
- Account termination if consent not provided
11. Changes to This Policy
Change Notification Process
How We Notify You
- Material Changes: 30-day advance notice via email and in-app notification
- Minor Updates: Notification upon next app login
- Legal Requirement Changes: Immediate notification as required by law
- Emergency Updates: Immediate notification for security-related changes
Version History & Change Log
Version | Date | Summary of Changes | Impact Level |
---|---|---|---|
1.0 | January 1, 2025 | Initial policy version | New |
Your Options After Changes
When we update this policy, you have the following options:
- Accept Changes: Continue using our services under the new policy
- Review Changes: Compare versions using our change tracking tool
- Withdraw Consent: Opt out of new data processing activities
- Export Data: Download your data before policy changes take effect
- Delete Account: Close your account if you disagree with changes
12. Contact Information
Brainspoke Lab Co., Ltd. (R&D Office)
Address: 87/129, 16th Floor, Modern Town Building, Sukhumvit 63 (Ekkamai 3), Khlong Tan Nuea Subdistrict, Watthana District, Bangkok 10110
Email: [email protected]
If you have concerns about our privacy practices, you may also contact the relevant supervisory authority:
- EU/EEA: Your national data protection authority or the Irish Data Protection Commission
- UK: Information Commissioner’s Office (ICO)
- California: California Privacy Protection Agency
- Singapore: Personal Data Protection Commission
- Australia: Office of the Australian Information Commissioner