Brainloop AG

Brainloop AG Privacy Notice for the Use of the Customer Service Portal

(https://support.brainloop.com)

Version: March 2026

The protection of personal data is a matter of great importance to Brainloop AG (“Brainloop” or “we”) and its subsidiaries (each a “Brainloop Subsidiary”). We process personal data exclusively in accordance with legal requirements, in particular the EU General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”).

The following Privacy Notice for the use of the Customer Service Portal (“Privacy Notice”) informs you about the processing of your personal data by Brainloop and your related rights when you visit our Customer Service Portal at https://support.brainloop.com (“Customer Service Portal”) or contact Customer Support by telephone (“Telephone Support”) or email (via support@brainloop.com) (“Email Support”). We also inform you about which cookies are used when you use the Customer Service Portal and what options you have regarding the adjustment of your personal settings for the use of cookies.

The Privacy Notice applies exclusively to users of the Customer Service Portal and to any support requests via the email address support@brainloop.com. If you visit our general website at www.brainloop.com, a separate privacy notice applies, which you can access at any time via the footer of our website.

We reserve the right to adapt the content of this Privacy Notice from time to time. We therefore recommend that you review this Privacy Notice at regular intervals. You can access the current version of this Privacy Notice at any time at https://support.brainloop.com/legal/privacynotice.

1. Who is responsible for the processing of my data and how can I contact Brainloop?

For the processing of your data in connection with your use of the Customer Service Portal and/or any requests to Customer Support, Brainloop is responsible as the controller within the meaning of the GDPR. Brainloop (i.e., Brainloop AG in Germany) provides the central customer service for all business customers of the Brainloop group (each a “Customer”), regardless of whether the respective Customer has concluded the contract for the use of the respective Brainloop Service with Brainloop AG or a Brainloop Subsidiary in Austria (Brainloop Austria GmbH) or Switzerland (Brainloop Switzerland AG).

You can reach Brainloop at any time using the following contact details:

Brainloop AG,
Theatinerstraße 12
80333 Munich, Germany
Tel.: +49 89 444 699 0
E-Mail: legal@brainloop.com

You can reach the data protection officer of Brainloop AG at any time using the following contact details:
Email: dpo@brainloop.com

2. What data of mine is processed? For what purposes and on what legal basis is it used?

2.1 Use of the Customer Service Portal

(a) Access data (log files)

You can visit our Customer Service Portal without providing any personal information. In this case, Brainloop only collects and stores access data that is automatically transmitted to Brainloop by your browser when you access the pages of the Customer Service Portal.

This may include the following information: Internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), referring/exit pages, operating system, date/time stamp, or clickstream data.

We require this access data for the duration of your session at most, in order to enable the technical delivery of the Customer Service Portal's content to your device. In addition, the data is stored by us in log files for a short period of time for the technical security of the Customer Service Portal's web pages, in particular to defend against attempted attacks on our web server. We may also analyze the automatically collected information in a statistical and aggregated form in order to optimize the Customer Service Portal and the services offered to you and to improve functionalities. In this process, the information is anonymized so that it is generally no longer possible to trace it back to you personally.

Brainloop bases the processing of your data on its legitimate interest in ensuring the functionality and security of the Customer Service Portal, optimizing the services offered to you, and improving the functionalities of the Customer Service Portal (Art. 6(1) sentence 1 lit. f) GDPR).

(b) Access to the restricted customer area

Most information in the Customer Service Portal is accessible without prior registration. However, some documents can only be accessed by registered and logged-in users of our Customers for the respective Brainloop Service concerned. To gain access to the restricted customer area of the Customer Service Portal, you must first apply for a support account via Brainloop Support. The creation of a support account is only possible for persons authorized by the Customer. For registration purposes, including the verification and determination of access authorization, as well as the provision of access, Brainloop collects and processes the following data: email address, first name, last name, and the platform used for the respective Brainloop Service (“Support Account Data”).

Brainloop processes any Support Account Data exclusively for the purposes of technical and administrative account management (in particular registration, as well as creation, administration, and provision of the support account) and for the purposes of operating and securing the customer area (in particular ensuring authentication and login processes, providing access to the customer area).

Brainloop bases the processing of your Support Account Data for the above purposes on the necessity of the processing to safeguard our legitimate interests in the effective and secure provision of the restricted customer area for the confidential provision of access-restricted customer information (Art. 6(1) sentence 1 lit. f) GDPR).

(c) Cookies

Brainloop uses “cookies” to enable users to use the functionalities of the Customer Service Portal. Cookies are small text files that are temporarily stored on your device when you visit the Customer Service Portal. Cookies store certain information that is sent back to us by your browser when you access the pages of the Customer Service Portal (depending on the storage duration of the cookie).

On the Customer Service Portal, Brainloop exclusively uses so-called “session cookies”, which are set by Brainloop itself and are deleted at the latest when you end your session and close your browser. All cookies we use are technically necessary for the provision of the functionalities offered via the Customer Service Portal (so-called “essential cookies”) (§ 25(2) no. 2 TDDDG) and serve to provide and ensure an effective and secure login to the restricted customer area. The essential cookies we use are only set when you log into your support account. Insofar as these cookies allow an inference to your person, Brainloop bases the lawfulness of the processing of your data on the necessity of the processing to safeguard its legitimate interests (effective and secure provision of the functionalities and services of the restricted customer area of the Customer Service Portal) (Art. 6(1) sentence 1 lit. f) GDPR).

You can set your browser to inform you about the setting of cookies and to allow cookies only in individual cases, to exclude the acceptance of cookies for certain cases or in general, and to activate the automatic deletion of cookies when closing the browser. If you completely deactivate cookies, the functionality of the access to the customer area of the Customer Service Portal may be significantly restricted.

(d) Service Announcements

You can subscribe on our Customer Service Portal by providing your e-mail address to receive technical, maintenance, and support announcements relating to the Brainloop Services. In this case, Brainloop processes your e-mail address solely for the purpose of informing you about service changes, planned maintenance, technical interruptions, or similar events impacting the Brainloop Services.
The processing of your e-mail address for this purpose is based on your consent, which you provide by subscribing (Art. 6 (1) sentence 1 lit. a) GDPR). You may withdraw your consent and unsubscribe at any time, for example, by using the unsubscribe link included in every announcement.

2.2 Use of Customer Support

Brainloop offers users of its Customers the opportunity to contact our Customer Support for support requests by telephone or by email (via support@brainloop.com).

In this case, Brainloop receives certain data provided by the respective user as part of the support request. To process a support request effectively, the following information is generally required: user identification data (name, email address, telephone number), data on the support request/ticket (time/date and form of the request), problem description (Brainloop Service used, product component (web, desktop client, mobile app) and platform/URL (e.g., my.brainloop.net), date and time of the error, summary, detailed description), as well as screenshots and/or log files if applicable (when using Email Support). In addition, it may be necessary to collect certain other data on behalf of and at the instigation of the user via the respective Brainloop Service used by the Customer in order to process the specific support request, including any service usage data as well as diagnostic and maintenance data (to the extent relevant for processing the support request). When using Telephone Support, the duration of the call is also recorded for internal analysis purposes.

In principle, Brainloop processes the data collected in the course of processing the respective support request (“Support Data”) as a processor on behalf of and in accordance with the contractual agreements with the respective Customer who ordered the Brainloop Service affected by the support request.

However, Brainloop also processes Support Data to a limited extent as a controller for its own legitimate business purposes, insofar as this is necessary for:

• internal analysis, statistics, and reporting;
• the general technical operation, ensuring the functionality and maintenance of the Brainloop Services, including error analysis and troubleshooting;
• the general security of the Brainloop Services, including data security and cybersecurity; as well as
• product research and development.

For these purposes, it is necessary for Brainloop to store, retain, analyze, and process information about the use of the Brainloop Services across multiple Customers and users to a limited extent, including relevant information derived from Support Data. To the extent that the corresponding datasets contain personal data, Brainloop will, as far as technically practicable and sufficient for the respective purposes, anonymize them as early as possible and process them only in aggregated and anonymized form.

Brainloop bases the processing of your personal data for the above purposes on the necessity of the processing (i) for the performance of the contract with you as a user of the affected Brainloop Services on the basis of the respective terms of use (Art. 6(1) sentence 1 lit. b) GDPR) and (ii) to safeguard our legitimate interests in fulfilling our contractual obligations towards Customers and users of the Brainloop Services, ensuring the functionality and security of the Brainloop Services, as well as optimizing and improving Brainloop products and services (Art. 6(1) sentence 1 lit. f) GDPR).

In addition, Brainloop stores and processes certain Support Data in its role as a controller to safeguard the legitimate interests of Brainloop in (i) demonstrating compliance with legal and operational requirements, including in the context of any certification procedures of Brainloop, and (ii) optimizing customer support (Art.6 (1) sentence 1 lit. f) GDPR).

2.3 Legal Obligations and Legal Claims

In addition, Brainloop processes personal data of users of the Customer Service Portal and Customer Support, including any Support Account Data and Support Data, to the extent necessary to ensure and document compliance with Brainloop's legal obligations and for the establishment, exercise, and defense of legal claims (Art.6 (1) sentence 1 lit. c) and f) GDPR).

3. Am I obliged to provide my Data?

In principle, you are neither legally nor contractually obliged to provide your data to Brainloop. However, if you do not provide us with certain data, you may not be able to use the services provided by Brainloop and the Brainloop Subsidiaries, or only to a limited extent.

4. Who will my data be disclosed to?

As a matter of principle, we do not disclose your data to third parties, unless this is necessary for the processing of your support request or we are legally obliged to do so.

If you, as a user of a Customer of our Brainloop Subsidiaries in Austria (Brainloop Austria GmbH) or Switzerland (Brainloop Switzerland AG), direct a support request to Brainloop, it may be that we pass on your data to the respective Brainloop Subsidiary, insofar as this is necessary for the purposes described above under section2, in particular for processing the support request. Brainloop and the respective Brainloop Subsidiary act in this respect as joint controllers within the meaning of Art. 26 GDPR. To effectively exercise your rights as a data subject (see section 7), you can contact the central point of contact at Brainloop at any time using the contact details listed under section 1. You are of course free to also exercise your rights directly against the respective Brainloop Subsidiary.

The contact details of the respective Brainloop Subsidiaries are as follows:

Brainloop Austria GmbH
Ausstellungsstraße 50 / C / 2 OG., 1020 Vienna, Austria
Tel.: +49 89 444 699 0
Email:legal@brainloop.com

Brainloop Switzerland AG
Gotthardstrasse 30, 6300 Zug, Switzerland
Tel.: +41 41 710 39 71
Email:legal@brainloop.com

Further information on the joint controllership and the essence of the relevant agreement between Brainloop and the respective Brainloop Subsidiary can be obtained at any time upon request.

In addition, Brainloop uses external service providers who support us in providing the services offered to you. In particular, we engage technical service providers to store and manage your data and to technically operate the offered functionalities of the Customer Service Portal (i.e., in particular hosting service providers, IT service providers, media agency service providers, email service providers, and web content management providers). All service providers act exclusively on our behalf and are obliged to take all necessary technical and organizational measures to protect your personal data in accordance with data protection requirements. Our service providers are not permitted to disclose your data to third parties or use it for other purposes.

Otherwise, your data will not be disclosed to third parties without your prior consent, unless this is necessary for the exercise, establishment, or defense of our legal claims or Brainloop is legally obliged to do so. This may be the case, for example, if we are obliged to cooperate with security authorities in connection with legal investigations.

5. Will my data also be processed in countries outside the EU / EEA?

Your personal data is stored and processed by Brainloop exclusively within the European Union (EU), the contracting states of the European Economic Area (EEA), and/or Switzerland.

6. How long will my data be stored?

Unless expressly stated otherwise in this Privacy Notice, your data will be stored by us only for as long as is necessary for the respective purpose for which we collect and process your data.

The following data categories will be stored as follows:

• Access data (log files): The access data collected in the course of your use of the Customer Service Portal (see section 2.1(a) above) will be completely deleted or anonymized by shortening your IP address at the latest after thirty days, unless a longer storage period is necessary to achieve the purposes pursued with the data and the storage can be justified on the basis of a legal ground.

• Support Account Data: We generally store any Support Account Data for as long as is necessary to provide the support account. Your data will be deleted if (i) your support account is deleted (for example, as a result of a deletion request) or (ii) you are no longer listed as an authorized user for a Brainloop Service.

• Usage data (cookies): Insofar as Brainloop collects usage data via cookies that allow an inference to your person, this data will only be processed for as long as is necessary to provide secure access to the restricted customer area. All cookies are deleted at the latest when the respective browser session is terminated.

• Support Data: Any Support Data that Brainloop or a Brainloop Subsidiary processes in the role of a controller will be retained – to the extent necessary for the purposes listed under section 2.2 – for a maximum period of three (3) years and then deleted.
• E-mail addresses for service announcements: Where you have subscribed to receive service announcements, your e-mail address will be retained for this purpose until you withdraw your consent (for example, by unsubscribing). We will check in with you with reasonable frequency to see if you are still interested in our announcements. Upon withdrawal of your consent, your e-mail address will be deleted from the corresponding distribution list.

After expiry of the respective storage period, your data will be deleted in accordance with our general deletion routines, unless statutory retention obligations (in particular due to commercial and tax law requirements, insofar as necessary for the performance of our contract with Customers) prevent this, or a longer storage period is necessary in the specific individual case to safeguard our legitimate interests (interest in fulfilling our legal obligations and the necessity of processing for the establishment, exercise or defense of legal claims).

7. What rights do I have?

To the extent you are affected by the data processing carried out by Brainloop, you have the right, in accordance with applicable legal provisions:

• to obtain information on the personal data processed concerning you and to obtain a copy of such data (right of access);
• to obtain the rectification of any inaccurate data and, taking into account the purposes of the processing, to have incomplete data completed (right to rectification);
• if there are legitimate reasons, to request the deletion of your data (right to erasure);
• to request the restriction of the processing of your data, if the legal requirements are met (right to restriction of processing);
• if the legal requirements are met, to receive the data provided by you in a structured, commonly used and machine-readable format and to transfer this data to another controller or, if technically feasible, to have it transferred by Brainloop (right to data portability); and
• not to be subject to a decision based solely on automated processing which produces legal effects concerning you or significantly affects you in a similar way, if the legal requirements are not met. An automated decision-making process is not carried out by Brainloop.

You also have the right to object, in accordance with the statutory provisions, to the processing of your data, which is necessary for the purpose of Brainloop's legitimate interests, on grounds relating to your particular situation (right to object). If your personal data is processed by Brainloop for direct marketing purposes, you have the right to object to this processing at any time, without any special reason being required.

If you have given us consent for the processing of your data, you can withdraw this consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing of your data based on the consent before its withdrawal.

To exercise your rights (including the withdrawal of any consent given), as well as in the event of questions regarding the processing of your personal data, you can contact Brainloop or Brainloop's data protection officer at any time using the contact details listed in section 1. You may exercise your rights with regard to the processing of personal data within the scope of the joint controllership described in section 4 in respect of and against each of the controllers mentioned (i.e., against Brainloop AG or the respective Brainloop Subsidiary in Austria or Switzerland that has concluded the corresponding user contract with the customer). To exercise your rights effectively, we recommend that you contact the central point of contact at Brainloop AG using the contact details listed in section 1.

Without prejudice to any other remedies, you also have the right to lodge a complaint with a supervisory authority at any time.