BRAINCAP SRL (the "Company", "we", "us", or "our") is a company incorporated under the laws of Romania, registered in the Trade Register under No. J40/11790/2008, with its registered office at Bd. Dimitrie Pompeiu nr. 5-7, Hermes Campus 1, Building B, 2nd floor, room 221, sector 2, Bucharest. We are the data controller responsible for your personal data and for compliance with applicable data protection laws including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

About This Policy

  • The Company is committed to protecting the privacy and personal data of individuals in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws within the European Union.
  • This Privacy Policy sets out how the Company collects, uses, stores, and protects personal data when you use our cybersecurity, cloud, IT support, and online store services, and explains the rights of data subjects under EU data protection legislation.
  • The Company recognizes that personal data is any information relating to an identified or identifiable natural person and that the processing of such data must be conducted lawfully, fairly, and transparently.
  • This Privacy Policy applies to all personal data processing activities carried out by the Company, whether through its website, services, applications, or other interactions with data subjects.
  • The Company acts as a data controller for the purposes of the GDPR and is responsible for ensuring compliance with all applicable data protection principles and requirements.
  • This Privacy Policy demonstrates the Company's commitment to implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data.
  • The Company undertakes to respect the fundamental rights and freedoms of data subjects, particularly their right to the protection of personal data as established under EU law.

Definitions

  • Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

  • Controller or Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  • Data Protection Authority means an independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR.

  • Data Protection Impact Assessment or DPIA means a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.
  • Data Protection Officer or DPO means the person appointed by the Company to monitor internal compliance with the GDPR and to act as a contact point for data subjects and the supervisory authority.
  • Data Subject means an identified or identifiable natural person whose personal data is processed by the Company.
  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
  • Special Categories of Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
  • Supervisory Authority means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR and is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.
  • Third Country means a country that is not a Member State of the European Union.
  • Third Party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Legal Basis for Processing

The Company processes personal data only where it has a valid legal basis under Article 6 of the GDPR.

The Company relies on the following lawful bases for processing personal data:

  • Consent (Article 6(1)(a)): Where the data subject has given specific, informed and freely given consent to the processing of their personal data for one or more specific purposes.
  • Contract (Article 6(1)(b)): Where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Article 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which the Company is subject under EU or Member State law.
  • Vital interests (Article 6(1)(d)): Where processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Public task (Article 6(1)(e)): Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company.
  • Legitimate interests (Article 6(1)(f)): Where processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

For Special Categories of Personal Data under Article 9 of the GDPR, the Company will only process such data where an additional condition under Article 9(2) is met, including explicit consent or other specified lawful conditions.

The specific legal basis relied upon for each processing activity will be communicated to data subjects at the time of data collection or as otherwise required by law.

Where the Company relies on consent as the legal basis for processing, data subjects have the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Data We Collect

We collect personal data that you provide to us directly when you interact with our services, including when you create an account, make a purchase, contact us, or participate in surveys or promotions.

Information you provide directly may include:

  • Contact information such as name, email address, postal address, and telephone number.
  • Account credentials including username and password.
  • Payment information such as credit card details, billing address, and transaction history.
  • Communications data including the content of messages you send to us and records of our correspondence.
  • Marketing preferences and consent records.
  • Any other information you choose to provide when using our services or contacting us.

We automatically collect certain personal data when you visit our website or use our services through technological means.

Information collected automatically may include:

  • Technical data such as IP address, browser type and version, operating system, and device identifiers.
  • Usage data including pages visited, time spent on pages, click-through rates, and navigation patterns.
  • Location data derived from your IP address or, with your consent, precise location information from your device.
  • Cookies and similar tracking technologies as described in our Cookie Policy.

We may receive personal data about you from third parties, including business partners, service providers, publicly available sources, and social media platforms where you have given permission for such sharing.

We do not intentionally collect Special Categories of Personal Data unless specifically required for our services and where we have obtained your explicit consent or another lawful basis under Article 9 of the GDPR.

How We Use Your Data

We process your Personal Data for the following purposes based on the lawful grounds specified in Section 2:

  • To provide and deliver our services, products, or content that you have requested or purchased.
  • To communicate with you regarding your account, transactions, or inquiries, including customer support and service notifications.
  • To process payments, billing, and account management activities.
  • To comply with legal obligations, regulations, and legitimate requests from public authorities.
  • To protect our legitimate business interests, including fraud prevention, security monitoring, and risk assessment.
  • To improve and develop our services through analysis, research, and product development activities.
  • To send you marketing communications where you have provided Consent or where permitted under applicable law.
  • To personalize your experience and provide customized content and recommendations.

The specific processing activities we may undertake include:

  • Collection, recording, and storage of Personal Data you provide directly or through automated means.
  • Analysis and evaluation of Personal Data to understand usage patterns and preferences.
  • Combination of Personal Data from different sources to create comprehensive user profiles.
  • Sharing of Personal Data with Third Parties as described in Section 5.
  • Automated decision-making processes, including Profiling activities, subject to your rights under Section 8.

We will only process your Personal Data for purposes that are compatible with the original purposes for which it was collected, unless we obtain your Consent for additional processing or such processing is otherwise permitted by law.

Where we process Special Categories of Personal Data, we ensure that additional lawful grounds under Article 9 of the GDPR are met and implement enhanced protective measures.

Data Sharing and Disclosure

We may share your personal data with third parties only in the circumstances described in this section and in accordance with applicable data protection laws.

Service Providers and Processors

  • We may share personal data with trusted third-party service providers who process data on our behalf to provide services such as courier and delivery services, website analytics (including Google Analytics), hosting, customer support, payment processing, and marketing communications.
  • All processors are bound by written data processing agreements that ensure appropriate technical and organizational measures are implemented and that personal data is processed only in accordance with our instructions.

Legal and Regulatory Requirements

  • We may disclose personal data when required by law, regulation, legal process, or governmental request.
  • We may share personal data to establish or exercise our legal rights, defend against legal claims, or protect our property, rights, and safety or that of others.

Business Transfers

  • Personal data may be transferred as part of a merger, acquisition, sale of assets, or similar business transaction, provided the receiving party agrees to protect the data in accordance with this Privacy Policy.

Legitimate Interests

  • We may share personal data when necessary for our legitimate interests or those of a third party, provided such interests are not overridden by your fundamental rights and freedoms.

Consent

  • We may share personal data with third parties where you have provided specific, informed consent for such sharing.

Data Protection Safeguards

  • Before sharing personal data with any third party, we ensure appropriate contractual, technical, and organizational safeguards are in place to protect your personal data.

  • We conduct due diligence on third parties to verify their ability to comply with data protection requirements before sharing any personal data.

International Data Transfers

The Company may transfer personal data to Third Countries or international organizations outside the European Economic Area ("EEA") only where such transfers are necessary for the performance of our services and appropriate safeguards are in place.

Where personal data is transferred to a Third Country that has been subject to an adequacy decision by the European Commission, such transfers shall be deemed to provide an adequate level of protection.

In the absence of an adequacy decision, the Company shall implement appropriate safeguards for international transfers, including:

  • Standard Contractual Clauses approved by the European Commission;

  • Binding Corporate Rules approved by the relevant Supervisory Authority;

  • Codes of conduct or certification mechanisms approved under the GDPR; or

  • Other legally recognized transfer mechanisms under Articles 46-49 of the GDPR.

The Company may transfer personal data to Third Countries without adequate safeguards only in limited circumstances where:

  • The Data Subject has explicitly consented to the proposed transfer after being informed of the possible risks;

  • The transfer is necessary for the performance of a contract between the Data Subject and the Company;

  • The transfer is necessary for the establishment, exercise, or defense of legal claims; or

  • The transfer meets other derogation requirements under Article 49 of the GDPR.

Where the Company relies on derogations for specific situations, such transfers shall be occasional and not repetitive, concern only a limited number of Data Subjects, and be necessary for compelling legitimate interests.

The Company maintains records of all international transfers and the safeguards applied, and shall provide information about specific transfers to Data Subjects upon request.

Data Subjects have the right to obtain information about the safeguards applied to international transfers of their personal data and to lodge complaints with Supervisory Authorities regarding such transfers.

Data Retention

The Company shall retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable legal obligations.

Personal data retention periods are determined based on the following criteria:

  • The purpose for which the personal data was originally collected and processed;

  • The legal basis for processing the personal data;

  • Applicable statutory retention requirements under EU or Member State law;

  • The legitimate interests of the Company and the rights of the data subject;

  • The nature and sensitivity of the personal data.

The following retention periods apply to different categories of personal data:

  • Account and registration data: Retained for the duration of the account relationship and for 3 years after the contractual relationship ends;

  • Transaction and payment data: Retained for 7 years after the completion of the transaction to comply with accounting and tax obligations;

  • Marketing and communication data: Retained until consent is withdrawn or for 3 years from the last interaction if based on legitimate interests;

  • Website analytics and technical data: Retained for 26 months unless anonymised earlier;

  • Customer service and support data: Retained for 3 years after the resolution of the inquiry or complaint;

  • Employment-related data: Retained in accordance with applicable employment law requirements, typically for 5 years after termination of employment.

Personal data shall be securely deleted or anonymised at the end of the applicable retention period, unless extended retention is required by law or court order.

The Company shall regularly review its data retention practices and update retention schedules as necessary to ensure compliance with changing legal requirements and business needs.

Data subjects may request information about specific retention periods applicable to their personal data by contacting the Company using the details provided in Section 13.

Your Rights

You have the right to be informed about the collection and use of your personal data. This Privacy Policy serves as our primary means of providing you with clear and transparent information about our data processing activities.

Right of Access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and where that is the case, access to the personal data and information about the processing.

  • You may request copies of your personal data that we hold.

  • We will provide the first copy free of charge, but may charge a reasonable fee for additional copies.

Right to Rectification: You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay.

  • You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure ('Right to be Forgotten'): You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies:

  • The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

  • You withdraw consent and there is no other legal ground for the processing.

  • You object to the processing and there are no overriding legitimate grounds for the processing.

  • The personal data has been unlawfully processed.

  • The personal data must be erased for compliance with a legal obligation.

Right to Restriction of Processing: You have the right to obtain restriction of processing where one of the following applies:

  • You contest the accuracy of the personal data, for a period enabling us to verify the accuracy.

  • The processing is unlawful and you oppose erasure and request restriction instead.

  • We no longer need the personal data for processing purposes but you require it for legal claims.

  • You have objected to processing pending verification of whether our legitimate grounds override yours.

Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

  • You have the right to transmit this data to another controller without hindrance from us.

  • Where technically feasible, you have the right to have personal data transmitted directly from us to another controller.

Right to Object: You have the right to object to processing of your personal data where processing is based on legitimate interests, including profiling based on those provisions.

  • You have an absolute right to object to processing for direct marketing purposes, including profiling related to direct marketing.

Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning you or similarly significantly affects you.

This right does not apply where the decision:

  • is necessary for entering into, or performance of, a contract between you and the Company;

  • is authorized by applicable law and that law provides for suitable safeguards to protect your rights and freedoms and legitimate interests; or

  • is based on your explicit consent.

Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us using the details provided in the Contact Information section of this Privacy Policy.

We will respond to your request without undue delay and, in any event, within one month of receipt. Where a request is complex or numerous, we may extend this period by a further two months, and we will inform you of any such extension.

Cookies and Tracking Technologies

Cookies are small text files that are placed on your device when you visit our website or use our services to enhance your user experience and enable certain functionalities.

We use the following types of cookies:

  • Strictly necessary cookies that are essential for the operation of our website and cannot be switched off in our systems.

  • Performance cookies that collect information about how visitors use our website, such as which pages are visited most often.

  • Functional cookies that enable the website to provide enhanced functionality and personalization based on your interactions.

  • Targeting cookies that may be set through our site by our advertising partners to build a profile of your interests.

Web beacons (also known as pixel tags or clear GIFs) are small graphic images that may be included in our web pages, emails, or advertisements to monitor user activity and gather usage statistics.

We may use analytics tools such as Google Analytics to collect information about your use of our services, including IP addresses, browser types, referring pages, and pages visited.

Third-party cookies may be placed on your device by external service providers, advertising networks, or social media platforms integrated into our services.

You can manage your cookie preferences through your browser settings, but please note that disabling certain cookies may affect the functionality of our website.

For targeting and advertising cookies, we will obtain your explicit consent where required by applicable law before placing such cookies on your device.

We retain cookie data for varying periods depending on the type of cookie, ranging from session-only to a maximum of 13 months, unless longer retention is necessary for legal compliance.

You may withdraw your consent to cookies at any time by adjusting your browser settings or using any cookie preference tools we provide on our website.

Data Security

The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.

Technical security measures include:

  • Encryption of Personal Data both in transit and at rest using industry-standard encryption protocols;

  • Access controls and authentication mechanisms to ensure only authorized personnel can access Personal Data;

  • Regular security updates and patches to systems and software used in processing Personal Data;

  • Network security measures including firewalls and intrusion detection systems;

  • Secure backup and recovery procedures to prevent data loss.

Organizational security measures include:

  • Staff training on data protection and security practices;

  • Clear policies and procedures governing access to and handling of Personal Data;

  • Regular review and testing of security measures and incident response procedures;

  • Confidentiality agreements for all personnel with access to Personal Data;

  • Physical security measures to protect premises and equipment where Personal Data is stored or processed.

The Company conducts regular assessments of the effectiveness of its security measures and updates them as necessary to address evolving risks and technological developments.

In the event of a Personal Data Breach, the Company will notify the relevant Supervisory Authority within 72 hours of becoming aware of the breach, where feasible, and will communicate the breach to affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

The Company requires third-party Processors to implement equivalent security measures and to provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures.

Children's Privacy

The Company recognizes that children require special protection regarding their personal data and implements enhanced safeguards when processing personal data of individuals under 16 years of age.

Where the Company's services are directed at children under 16 years of age, or where the Company has actual knowledge that it is collecting personal data from a child under 16, the Company will obtain verifiable parental consent before processing such data.

Verifiable parental consent means any reasonable effort, taking into consideration available technology, to verify that a parent or guardian has provided consent for the processing of their child's personal data.

The Company will provide clear and plain information about the processing activities to both the child and the parent or guardian, using age-appropriate language and communication methods.

Parents and guardians have the right to:

  • Access their child's personal data held by the Company;

  • Request rectification or erasure of their child's personal data;

  • Object to or restrict the processing of their child's personal data;

  • Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

The Company will not process personal data of children under 16 for the purposes of creating personality or user profiles, targeted advertising, or direct marketing without explicit parental consent.

Personal data of children under 16 will be retained only for as long as necessary to fulfill the specific purpose for which it was collected or as required by applicable law.

The Company will implement appropriate technical and organizational measures to ensure the security of children's personal data, including restricted access controls and enhanced monitoring procedures.

If the Company becomes aware that it has inadvertently collected personal data from a child under 16 without appropriate parental consent, it will take immediate steps to delete such information.

Changes to This Policy

The Company reserves the right to update, modify, or replace this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations.

Material changes to this Privacy Policy will be communicated to Data Subjects through one or more of the following methods:

  • Email notification to registered users using the contact information provided to us;

  • Prominent notice on our website or application for a period of at least thirty (30) days;

  • In-app notifications for mobile application users;

  • Direct communication where we have specific legal obligations to notify Data Subjects.

Non-material changes, including administrative updates, corrections, or clarifications that do not affect Data Subjects' rights, may be implemented without prior notice.

The updated Privacy Policy will become effective immediately upon publication on our website unless otherwise specified in the notice of changes.

Data Subjects are encouraged to review this Privacy Policy periodically to stay informed about how we collect, use, and protect personal data.

Continued use of our services after changes to this Privacy Policy have been published constitutes acceptance of the updated terms, except where additional Consent is required under applicable data protection law.

Where changes materially affect the legal basis for Processing or expand the purposes for which personal data is used, we will seek fresh Consent from Data Subjects where legally required.

Previous versions of this Privacy Policy will be archived and made available upon request for a period of three (3) years from the date of replacement.

Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you may contact us using the following details:

  • Company Name: BRAINCAP SRL

  • Address: Bd. Dimitrie Pompeiu nr. 5-7, Hermes Campus 1, Building B, 2nd floor, room 221, sector 2, Bucharest

  • Email: support@braincap.ro

  • Phone: +40(747)644644

You have the right to lodge a complaint with your local Supervisory Authority if you believe that the processing of your personal data violates applicable data protection law. In Romania, the relevant authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP).

A list of EU data protection authorities and their contact details can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

We aim to respond to all privacy-related inquiries within 30 days of receipt, or within the timeframes required by applicable law, whichever is shorter.

Effective Date: This Privacy Policy was last updated on 1 February 2026.