Privacy Policy
This Privacy Policy explains how Brainy Neurals Private Limited ("BrainyNeurals," "we," "us," or "our") collects, uses, shares, and protects personal data about visitors to our website at brainyneurals.com, users of our services, and individuals who contact us.
Introduction & Scope
This policy applies to personal data we collect through:
- Our website at brainyneurals.com and its subdomains
- Our contact forms, newsletter subscription, and AI Readiness Assessment
- Direct communication with our team via email, calendar booking tools, or phone
- Engagement delivery activities with our enterprise clients
This policy does not apply to personal data processed on behalf of our clients under a separate Data Processing Agreement, which is governed by the terms of that agreement rather than this Privacy Policy.
Depending on your location and how you interact with us, different parts of this policy apply to you. We comply with the General Data Protection Regulation (GDPR) for residents of the European Economic Area, the UK Data Protection Act 2018 for UK residents, the California Consumer Privacy Act (CCPA, as amended by CPRA) for California residents, the Brazilian Lei Geral de Proteção de Dados (LGPD) for Brazilian residents, and similar frameworks in other jurisdictions where we operate.
Who We Are
BrainyNeurals is an enterprise AI development company focused on delivering production artificial intelligence systems for enterprise clients. The legal entity operating brainyneurals.com and this Privacy Policy is Brainy Neurals Private Limited.
Under GDPR and equivalent frameworks, we act as a data controller for personal data collected through our website and business operations. For personal data we process on behalf of our clients in the course of engagement delivery, we act as a data processor under the terms of the applicable Data Processing Agreement.
Contact Details
For privacy-related inquiries, please contact us at:
- Privacy email: privacy@brainyneurals.com
- Data Protection Officer: dpo@brainyneurals.com (if appointed — see Part H legal decisions)
- General contact: https://www.brainyneurals.com/contact-us/
- Postal address: [FILL IN — REGISTERED ADDRESS, attorney to advise on geo-anchoring implications for public-facing display]
EU / UK Representative
If BrainyNeurals does not have an establishment within the EU but processes personal data of EU residents, an Article 27 representative must be appointed and disclosed here. Similarly for UK residents under UK GDPR.
What Personal Data We Collect
We collect personal data directly from you when you interact with us, and automatically through cookies and similar technologies when you use our website. The categories below describe what we collect. Refer to Section 5 for why we collect each category and Section 8 for how long we retain it.
Contact and Identification Information
When you contact us, submit our forms, book a call, or subscribe to our newsletter, we collect:
- Full name
- Work email address
- Company name
- Professional role or title
- Phone number (optional, only if you provide it for calendar booking)
- LinkedIn profile URL (optional)
Inquiry and Communication Content
When you communicate with us, we collect the content of that communication:
- Content of messages sent via our contact form
- Email correspondence with our team
- Notes taken during scheduled calls or meetings
- Any files, documents, or attachments you voluntarily share
Assessment and Diagnostic Data
When you complete our AI Readiness Assessment or similar tools:
- Your answers to each assessment question
- Computed scores across the assessment dimensions
- The tier result generated from your answers
- Company context information you provide with the assessment
Automatically Collected Website Data
When you visit our website, we automatically collect:
- IP address (truncated or hashed where technically feasible)
- Approximate geographic location derived from IP (country and region level)
- Device type, browser type, and operating system
- Pages visited, time spent, and navigation patterns
- Referrer URL (the page you came from)
- UTM parameters if present
Marketing Attribution Data
If you interacted with our advertising or external content before visiting:
- Advertising platform identifiers (where consented)
- Campaign source information
- Conversion event data
Client Engagement Data
If you become an enterprise client, in the course of delivering contracted services we may process:
- Personal data embedded in client data you share under a Data Processing Agreement
- Authentication credentials for systems you grant us access to
- Meeting transcripts, project communications, and deliverable artifacts
Client engagement data is governed primarily by the applicable Data Processing Agreement rather than by this Privacy Policy, which addresses data BrainyNeurals processes as a controller rather than as a processor.
What We Do Not Collect
We want to be clear about what we do not collect on our public-facing website:
- We do not collect government identification numbers or financial account details via our public forms
- We do not collect health information
- We do not intentionally collect data about children under 16 (see Section 12)
- We do not collect biometric identifiers
- We do not collect precise geolocation data (GPS coordinates)
CCPA Category Mapping
For California residents under CCPA, the above categories map to CCPA-defined categories as follows:
- Identifiers: name, email, company, IP address
- Commercial information: inquiry content, engagement context
- Internet or network activity: browsing behavior, cookies, analytics data
- Professional or employment information: job title, company, role
- Inferences: engagement fit assessment, tier classification from readiness assessment
How We Collect Your Personal Data
We collect personal data through three primary channels:
Directly from you
Most of the personal data we hold about you comes directly from you when you:
- Submit a form on our website (contact, newsletter, assessment, case study download)
- Email any address at the brainyneurals.com domain
- Book a call on our scheduling tool
- Communicate with our team during any stage of our engagement
- Provide information during a discovery call, technical conversation, or project delivery
Automatically through your use of our website
Some data is collected automatically through cookies, analytics tools, and server logs. Our Cookie Policy describes these technologies in full detail. Non-essential cookies and tracking technologies only activate if you consent through our cookie preference management interface.
From third parties (limited cases)
In limited cases, we receive personal data about you from third parties:
- If you click on our advertising on LinkedIn, Meta, or Google, we may receive attribution data from those platforms
- If a colleague refers you to us, we may receive your contact details from them with the expectation that you want to hear from us
- If your employer engages us, we may receive your contact information from your employer as the business contact for the engagement
- Publicly available professional profiles (such as LinkedIn) where relevant to evaluating a business context you have shared with us
We do not purchase personal data from data brokers, data enrichment services, or similar third parties.
Why We Process Your Personal Data
For each way we use your personal data, we rely on a specific legal basis under applicable privacy law. This section explains each purpose and the legal basis we rely on.
Responding to Your Inquiries
When you contact us or submit an inquiry, we use your contact details and message content to:
- Respond to your question or request
- Evaluate whether we can help with your use case
- Schedule follow-up conversations if appropriate
Legal basis (GDPR): Legitimate interests (Article 6(1)(f)) — our interest in responding to business inquiries and your interest in receiving a response. Prior to contract (Article 6(1)(b)) for inquiries leading to engagement.
Delivering Contracted Services
When we have an engagement with your organization, we process personal data as needed to deliver the contracted services. This includes project communication, deliverable exchange, meeting scheduling, and related activities.
Legal basis (GDPR): Contract performance (Article 6(1)(b)).
Newsletter and Marketing Communications
If you subscribe to our newsletter or opt in to marketing communications, we use your email to send that content. You can unsubscribe at any time using the link in every marketing email.
Legal basis (GDPR): Consent (Article 6(1)(a)). You have the right to withdraw consent at any time.
Website Analytics and Improvement
We analyze aggregate website usage patterns to understand what content is useful, improve our pages, and fix usability problems. This uses cookies and similar technologies as described in our Cookie Policy.
Legal basis (GDPR): Consent (Article 6(1)(a)) for non-essential analytics cookies. Legitimate interests (Article 6(1)(f)) for essential functionality and aggregated analytics not tied to individuals.
Security and Fraud Prevention
We process access logs, IP addresses, and similar technical data to detect fraud, abuse, and security incidents affecting our systems or yours.
Legal basis (GDPR): Legitimate interests (Article 6(1)(f)) — our interest in operating secure systems; your interest in not being harmed by security incidents.
Legal Compliance
We process personal data where required to comply with applicable law, including tax regulations, contract retention requirements, and lawful requests from authorities.
Legal basis (GDPR): Legal obligation (Article 6(1)(c)).
Recruiting
If you apply for a role with us, we process your application data to evaluate your candidacy.
Legal basis (GDPR): Consent (Article 6(1)(a)) for retention beyond the specific role application. Pre-contractual (Article 6(1)(b)) for the active application process.
Changes in Purpose
If we intend to use your personal data for a purpose that is incompatible with the purposes above, we will notify you and, where required, obtain your consent before doing so.
How We Share Your Personal Data
We share personal data only where necessary for the purposes described in Section 5, with the categories of recipients below. Every processor we share data with operates under a written Data Processing Agreement that binds them to equivalent privacy protections.
Service Providers and Processors
We use trusted third-party service providers to help us operate our business. Each provider is contractually restricted to processing personal data only for our specified purposes and under our instructions. Our primary processors are:
| Category | Example Providers |
|---|---|
| Customer Relationship Management | HubSpot [or actual CRM in use] — stores contact records, inquiry history, engagement pipeline |
| Meeting Scheduling | Calendly [or actual tool] — coordinates discovery calls and meetings |
| Cloud Infrastructure | Amazon Web Services, Microsoft Azure, Google Cloud Platform (depending on the service) — hosts our applications and data |
| Email Services | Google Workspace or Microsoft 365 — email correspondence and calendar |
| Website Analytics | Google Analytics 4, Microsoft Clarity (with masking configured) — aggregate usage analytics |
| Marketing Analytics | LinkedIn Insight Tag, Meta Pixel (if applicable) — conversion attribution for advertising |
| Payment Processing | Stripe or equivalent [CONFIRM] — billing for engaged clients |
| Security Services | Web Application Firewall, content delivery network providers — protect against attacks and improve performance |
Professional Advisors
We share personal data with our legal, accounting, and tax advisors as necessary for their provision of services to us. These advisors are bound by professional confidentiality obligations in addition to our Data Processing Agreement.
Authorities and Legal Processes
We disclose personal data to authorities where required by law — including court orders, subpoenas, tax audits, regulatory requests, and lawful demands from law enforcement. We review every such request carefully before responding and challenge requests we believe are improper.
Business Transfers
In the event of a merger, acquisition, financing, reorganization, or sale of all or part of our business, personal data may be transferred as part of that transaction. Any successor entity will be bound by equivalent privacy obligations.
What We Do Not Do
- We do not sell personal data for money or other valuable consideration, as “sell” is defined under CCPA.
- We do not share personal data for cross-context behavioral advertising beyond the platforms listed above.
- We do not provide your personal data to data brokers or data enrichment services.
- We do not disclose client engagement details to third parties without your explicit consent.
International Data Transfers
BrainyNeurals is a global business. Personal data we collect may be transferred to, stored in, or accessed from countries outside the European Economic Area, the United Kingdom, or your home jurisdiction. When such transfers occur, we apply appropriate safeguards to ensure your data continues to receive an equivalent level of protection.
Safeguards We Use
Depending on the destination country, we rely on one or more of the following mechanisms:
- Adequacy decisions: transfers to countries the European Commission or the UK government has determined provide an adequate level of data protection.
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual clauses incorporated into our agreements.
- UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs for UK data.
- Data Privacy Framework (DPF): where our US service providers are certified under the EU-US DPF or UK-US Data Bridge.
- Binding Corporate Rules: for intra-group transfers where applicable.
Transfer Destinations
Personal data we process may be transferred to:
- Our primary business operations locations for processing by our team
- Our service providers’ infrastructure regions — notably, cloud infrastructure providers operate data centers globally, and the specific processing region is configured per service
- Our clients’ jurisdictions during the course of engagement delivery, with DPA controls per engagement
Request for Transfer Documentation
If you would like specific documentation about the transfer mechanisms we use for your personal data, you can request this by emailing privacy@brainyneurals.com. We will respond within 30 days of the request.
How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law. Our retention periods by data category are:
| Data Category | Retention Period |
|---|---|
| Active client engagement records | Duration of engagement plus [FILL IN — typically 24 to 60 months after engagement end] |
| Prospect inquiries that did not become engagements | [FILL IN — typically 24 months from last contact] |
| Newsletter subscriber records | Until you unsubscribe, plus a 30-day retention for audit trail |
| AI Readiness Assessment completions | [FILL IN — typically 24 months from completion] |
| Website analytics data | 26 months (aligned with GA4 maximum retention) |
| Session recordings (Microsoft Clarity) | [FILL IN per Clarity retention setting — default 30 days, max 12 months] |
| Email correspondence | 7 years where required for tax or commercial record retention; shorter where permissible |
| Unsuccessful job applicants | 12 months or your jurisdiction’s minimum, whichever is shorter |
| Contract and commercial records | 7 years (statutory retention period for business records) |
| Server logs and security telemetry | [FILL IN — typically 30 to 180 days depending on system] |
When retention periods end, we delete or anonymize personal data. Anonymization means we remove or replace identifying information such that the data can no longer be reasonably linked back to you.
Legal Hold Exceptions
In some cases, we may retain personal data longer than the periods above where legally required — for example, in response to a litigation hold, regulatory investigation, or tax audit. Once the legal basis for the extended retention ends, we resume normal deletion procedures.
Your Rights Over Your Personal Data
Depending on where you live, you have legal rights over how we process your personal data. We honor these rights regardless of whether you are legally covered by the specific framework. The rights below apply to all our users in aggregate, with specific additional rights for residents of particular jurisdictions.
Rights Available to All Users
Right of Access. You can ask us for a copy of the personal data we hold about you. We provide this in a commonly used electronic format within 30 days of a verified request.
Right to Rectification. If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct or complete it.
Right to Erasure (“Right to be Forgotten”). You can ask us to delete personal data we hold about you, subject to legal retention obligations.
Right to Restrict Processing. You can ask us to pause processing of your personal data while we investigate a concern you have raised.
Right to Data Portability. You can ask us to provide personal data you have given us in a structured, commonly used, machine-readable format.
Right to Object. You can object to our processing of your personal data where we rely on legitimate interests or direct marketing.
Right to Withdraw Consent. Where our processing relies on your consent, you can withdraw that consent at any time.
Right Not to Be Subject to Automated Decision-Making. We do not currently use automated decision-making for decisions that produce legal or similarly significant effects on you.
Additional Rights for California Residents (CCPA / CPRA)
Right to Know. You can request details about the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
Right to Delete. You can request deletion of personal information we have collected from you, subject to statutory exceptions.
Right to Correct. You can request correction of inaccurate personal information.
Right to Opt Out of Sale or Sharing. You can direct us not to sell your personal information or to share it for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information. You can direct us to limit the use of any sensitive personal information.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.
How to Exercise Your Rights
To exercise any of the rights above, contact us using the methods in Section 14. We will:
- Verify your identity before acting on the request
- Respond within 30 days for GDPR requests, or 45 days for CCPA requests
- Explain in writing if we cannot fulfill a request and why
Authorized Agents
California residents may designate an authorized agent to make requests on their behalf. We will verify both your identity and the agent’s authorization before acting on the request.
Right to Complain
If you believe we have not handled your personal data properly, you can lodge a complaint with a data protection authority. Section 14 lists the relevant authorities.
Cookies and Tracking Technologies
Our website uses cookies and similar technologies (such as pixels, tags, and local storage) to enable certain features, analyze site usage, and, where you consent, support advertising attribution.
Cookie Categories
Essential cookies. These cookies are required for the website to function. They enable core features like form submission, navigation, and security.
Analytics cookies. These cookies help us understand how visitors use our website. We use Google Analytics 4 and Microsoft Clarity for this purpose. Analytics cookies only activate with your consent.
Marketing cookies. If you consent to marketing cookies, we use LinkedIn Insight Tag and Meta Pixel to measure performance and build audience segments.
Functional cookies. These cookies remember your preferences, such as your cookie consent choices.
Managing Your Cookie Preferences
You can review, change, or withdraw your cookie consent at any time by clicking the “Cookie Preferences” link in our website footer.
Full Cookie List
For a complete list of cookies used on brainyneurals.com, their purposes, durations, and providers, see our Cookie Policy at /cookie-policy/.
Do Not Track Signals
Our website does not respond to “Do Not Track” browser signals at this time. We honor the Global Privacy Control (GPC) signal for California residents, which is interpreted as an opt-out of sale and sharing.
How We Protect Your Personal Data
We take the security of your personal data seriously. Our information security program is certified under ISO/IEC 27001:2022 and subject to annual external audit. Specific measures we apply include:
Technical Measures
- Encryption of personal data in transit (TLS 1.2+ minimum for all website and API traffic)
- Encryption of personal data at rest (AES-256 or equivalent across our infrastructure)
- Multi-factor authentication required for all employee access to systems containing personal data
- Role-based access controls — employees access only the personal data necessary for their work
- Network-level protections including web application firewall, DDoS mitigation, and intrusion detection
- Regular vulnerability scanning and patch management for all systems
- Endpoint protection on all employee devices
Organizational Measures
- Privacy and security training required for all employees at onboarding and annually
- Documented incident response procedures tested at regular intervals
- Data Processing Agreement required with every processor before data sharing begins
- Vendor security review process for new service providers
- Annual ISO 27001 surveillance audit by an accredited certification body
- Data minimization principles applied at system design
Data Breach Notification
Despite the measures above, no system is perfectly secure. If we become aware of a personal data breach that poses a risk to affected individuals’ rights or freedoms, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected individuals directly where the breach is likely to result in high risk, as required by GDPR Article 34
- Notify California residents per California breach notification law if applicable
- Investigate the breach, remediate the root cause, and document lessons learned
Your Role in Security
Please help us keep your data secure:
- Use a strong, unique password for any BrainyNeurals account you create
- Do not share your credentials with anyone
- Report any suspicious communications purporting to be from us to security@brainyneurals.com
- Ensure your own devices and email accounts are secured
Children's Privacy
Our website and services are intended for use by adults engaged in business activities — typically professionals evaluating or engaging AI development services on behalf of their employer. We do not direct our services to children and do not knowingly collect personal data from children.
Age Thresholds by Jurisdiction
Different jurisdictions define “child” differently for data protection purposes:
- European Economic Area: children are under 16 (member states may lower this to 13)
- United Kingdom: children are under 13 for certain privacy purposes
- United States (COPPA): children are under 13
- Brazil (LGPD): children are under 12
Parental Notice
If you are a parent or guardian and believe your child has provided personal data to us, please contact privacy@brainyneurals.com. We will investigate, and if we confirm that we have inadvertently collected personal data from a child without proper parental authorization, we will delete that data promptly.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make changes:
- We update the “Last updated” date at the top of this policy
- We maintain a change log summarizing material modifications
- For material changes, we provide additional notice — such as a prominent notice on our website, or a direct email
- For material changes that require new consent, we obtain fresh consent before implementing the change for your data
Change Log
- [DATE] · Version 1.0 — Initial publication
Recommended Practice
We recommend reviewing this Privacy Policy periodically, especially if your relationship with us continues over time. For prior versions, email privacy@brainyneurals.com and we will provide the version applicable to the date you are asking about.
How to Contact Us and Your Right to Complain
How to Reach Us on Privacy Matters
For any question about this Privacy Policy, to exercise your rights, or to raise a concern:
- Privacy email: privacy@brainyneurals.com
- Data Protection Officer: dpo@brainyneurals.com [if DPO designated — see Part H]
- Postal address: [FILL IN]
- General inquiries: https://www.brainyneurals.com/contact-us/
Response Time
We respond to privacy requests within 30 days for GDPR-based requests, within 45 days for CCPA-based requests, and within a reasonable time for other inquiries. For time-sensitive issues, please mark your email “Urgent — Privacy” in the subject line.
Your Right to Complain to a Supervisory Authority
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a data protection authority in your jurisdiction. Some authorities that may be relevant:
- European Union residents: The data protection authority in your EU member state. A list is maintained at https://edpb.europa.eu/about-edpb/about-edpb/members_en
- United Kingdom residents: Information Commissioner’s Office (ICO) at https://ico.org.uk
- California residents: California Privacy Protection Agency at https://cppa.ca.gov
- Brazilian residents: Autoridade Nacional de Proteção de Dados (ANPD) at https://www.gov.br/anpd
- Canadian residents: Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca
- Australian residents: Office of the Australian Information Commissioner at https://www.oaic.gov.au
We would prefer to resolve concerns directly with you first — please contact us before filing a complaint. Many issues can be resolved within a few days by direct communication.
Additional Disclosures
HIPAA-Adjacent Engagements
This Privacy Policy does not cover Protected Health Information (PHI) processed under HIPAA. If BrainyNeurals processes PHI on behalf of a covered entity as a Business Associate, that processing is governed by the executed Business Associate Agreement with that covered entity, not by this Privacy Policy. Questions about PHI handling in the context of a specific engagement should be directed to the covered entity or to privacy@brainyneurals.com.
Sensitive Personal Information
We do not intentionally collect Sensitive Personal Information through our public-facing website. If Sensitive Personal Information reaches us inadvertently (for example, if a user includes health information in a contact form message), we handle it according to the more restrictive protections applicable to that data category and limit its use to the purpose for which you shared it.
Automated Decision-Making
We do not make decisions about you based solely on automated processing — including profiling — that produce legal effects or similarly significant effects. Our AI Readiness Assessment returns a tier result based on your answers, but the tier is informational and does not produce any legal or significant effect on you. All engagement decisions, hiring decisions, and similar consequential decisions involve human review.
Employee & Contractor Privacy
If you are a BrainyNeurals employee, contractor, or applicant, your personal data is handled under our internal Employee Privacy Notice rather than this public-facing Privacy Policy. For questions about that notice, contact hr@brainyneurals.com.
