Policies

Brain-Shot Academy

Privacy hub

Privacy Policy

A clear overview of how Brain-Shot Academy handles personal data across its services.

Updated 23 April 2026

1. Who we are

Brain-Shot Academy AG
Birsstrasse 320
4052 Basel
Switzerland

Email: privacy@brain-shot.academy
General contact: contact@brain-shot.academy

In this Privacy Notice, “Brain-Shot Academy,” “we,” “us,” and “our” mean Brain-Shot Academy AG, unless we state otherwise.

2. What this notice covers

This Privacy Notice explains how we process personal data across the Brain-Shot Academy platform and related services.

It covers, in particular:

  • our public website at brain-shot.academy
  • our shared account service at account.brain-shot.academy
  • our member landing and routing service known as Airport
  • our legacy campus at campus.brain-shot.ch
  • our Shop service
  • our Shorts service
  • our Partner Program service at partner.brain-shot.academy
  • shared account-access features shown within other Brain-Shot Academy services
  • internal authenticated telemetry, security, risk, and audit systems
  • separate public-site and marketing measurement systems
  • support, operational, legal, and administrative processes

Some Brain-Shot Academy features may appear directly inside another service even though they are powered by a shared account or platform component. For example, account access may appear as a built-in part of another service experience rather than as a separate destination. In this notice, we describe those functions according to what they do, not only according to how they are technically rendered.

This notice does not automatically cover third-party websites, services, or partner systems that we do not control, even if they link to us or integrate with us.

3. How our platform is organized

Brain-Shot Academy is a multi-service platform with a shared account and identity layer.

Most current Brain-Shot Academy websites and web apps use a shared proprietary account layer with Supabase-based authentication. The legacy campus at campus.brain-shot.ch operates separately with its own account, authentication, and content environment managed by EvolMind.

This means personal data may be processed:

  • within a specific service, such as Shop, Shorts, or Partner Program; and
  • within shared systems that support several services together, such as account management, security, access control, routing, support, internal telemetry, and related platform protection workflows.

This main notice is supported by separate appendix pages: Cookie Policy, Cookie Inventory, Processor Appendix, International Transfers Appendix, Retention Appendix, Legal Bases Matrix, and Required and Optional Data Matrix.

4. Categories of people whose data we process

Depending on the context, we may process personal data about:

  • visitors to our public websites
  • users and account holders
  • learners, trainees, and participants
  • customers and prospective customers
  • users of free gift or introductory-access flows
  • partner contacts and partner profile owners
  • support requesters
  • business contacts
  • applicants and contractors
  • authors, operators, or administrators using internal or protected service functions
  • other persons who communicate with us or interact with our services

5. Categories of personal data we process

Depending on the service and context, we may process the following categories of personal data.

5.1 Account, identity, and contact data

This may include your name, email address, phone number, postal or billing address, account identifiers, login details, account status, and related account preferences.

5.2 Service, profile, participation, and session data

This may include profile information, service settings, permissions, entitlements, service interactions, learning or participation records, live-session or event participation records, recording-related participation data, partner-related profile data, and other records needed to provide the relevant service.

5.3 Purchase, billing, and transaction data

This may include order, subscription, entitlement, invoice, payment-status, refund, accounting, and reconciliation records.

5.4 Communications, support, and relationship data

This may include enquiries, support messages, correspondence, booking or event administration records, learner-support records, CRM and contact-management records, and communication-preference records.

5.5 Device, browser, usage, and security data

This may include device, browser, network, session, request, log, usage, security, fraud-prevention, audit, and other platform-protection data.

5.6 Cookie, preference, and consent data

This may include cookie or similar-technology data, language or service preferences, consent choices, unsubscribe records, and other records needed to apply or respect your preferences.

5.7 Service-generated and provider-confirmation data

This may include service-generated status, entitlement, delivery, payment-status, booking, event, support, or security records, and limited confirmations or technical records received as part of providing, securing, or administering the relevant service.

6. Where we get personal data from

In general, we collect personal data directly from you and from your use of our services.

We may collect personal data:

  • directly from you
  • when you create, access, or use a Brain-Shot Academy account
  • when you use one of our services
  • when you navigate between services on our platform
  • when you interact with embedded account features or Brain-Shot Academy-provided partner embeds where relevant
  • when you contact us for support or other communication
  • when you make a purchase, receive an entitlement, or use a free gift or introductory-access flow
  • when you participate in learning, partner, or platform activities
  • from cookies and similar technologies, where relevant
  • from your device or browser during service use
  • from service-generated events and limited provider confirmations where relevant to the service, payment, booking, security, or support function

7. Why we process personal data

We process personal data for the following purposes.

7.1 To provide and operate our services

We use personal data to operate the Brain-Shot Academy platform and deliver the services you request, including the website, account services, Airport, the legacy campus, Shop, Shorts, Partner Program, and related platform components.

7.2 To manage accounts, access, and service continuity

We use personal data to create and manage accounts, authenticate users, maintain secure sessions, support password reset and recovery, route users to the correct service, and manage permissions, entitlements, and continuity across services.

7.3 To provide learning, partner, commerce, and related operational functions

We use personal data to deliver learning and participation features, maintain progress and completion records, operate partner-related functions, process purchases and invoicing, reconcile payments, and provide related contractual administration.

7.4 To communicate with you and support the relationship

We use personal data to answer enquiries, provide support, send service and account communications, manage bookings, webinars, meetings, and events, maintain customer and learner relationship records, and communicate through channels relevant to the service or requested by the user, including email, WhatsApp, and platform-based communication tools where appropriate.

Where live sessions, webinars, meetings, or group training are recorded, the recording may include audio, video, and associated participation elements such as chat, Q&A, polls, attendance, and screen sharing. Participants are warned before recording starts.

7.5 To market, measure, and improve our services

We may use personal data to manage leads and customer relationships, send marketing communications where permitted, measure website and campaign performance, understand service reliability and usage, and improve our services and infrastructure. Where required by law, we rely on consent or an appropriate regional consent model for optional analytics or marketing-related technologies.

If you no longer want to receive marketing emails from us, you can use the unsubscribe link in the relevant message. If you have a Brain-Shot Academy account, you can manage relevant communication preferences through your account settings.

7.6 To protect users, services, and our platform

We use personal data to detect and prevent misuse, fraud, account compromise, unauthorized access, abuse, and technical incidents, and to maintain security, auditability, supportability, and platform integrity.

7.7 To manage preferences, comply with law, and protect our rights

We use personal data to record and respect consent and communication preferences, keep required records, respond to legal and regulatory duties, defend legal claims, enforce our agreements, and protect our rights and business interests.

8. Legal bases

Where the GDPR applies, we rely on one or more of the following legal bases, depending on the context:

  • performance of a contract or steps taken at your request before entering into a contract
  • compliance with legal obligations
  • our legitimate interests
  • your consent, where required
  • protection of vital interests, where applicable
  • another lawful basis where applicable under relevant law

Our legitimate interests may include:

  • operating and maintaining a secure multi-service platform
  • authenticating users and managing access
  • preventing fraud, abuse, and unauthorized access
  • supporting users and resolving service problems
  • improving reliability, performance, and user experience
  • maintaining records relevant to contractual performance, support, safety, and auditability
  • protecting our legal and commercial interests

A more detailed purpose-by-purpose mapping is maintained in the separate Legal Bases Matrix.

Where the revised Swiss FADP applies, we process personal data in accordance with Swiss law and the related transparency and information duties.

9. Shared account and cross-service use

Brain-Shot Academy uses a shared account infrastructure across multiple services.

This shared account model covers the proprietary Brain-Shot Academy services that use the common account layer. The legacy campus at campus.brain-shot.ch operates separately with its own authentication environment managed by EvolMind.

If you use more than one Brain-Shot Academy service, we may use certain account, identity, session, permission, support, and security data across services to:

  • recognize your account
  • keep you signed in where appropriate
  • route you to the right service
  • show account access consistently
  • maintain permissions and entitlements
  • support account recovery and user support
  • prevent misuse and protect the platform

This does not mean we use all service data for all purposes. We use shared data only where it is relevant and compatible with the purposes described in this notice.

10. Cookies and similar technologies

We use cookies and similar technologies for several purposes, including:

  • account authentication
  • secure session handling
  • language and preference settings
  • service continuity across subdomains where appropriate
  • consent-state storage
  • technical service continuity and embedded service experiences
  • platform security and abuse prevention
  • website and campaign measurement, where permitted

Some of our services use shared cookies across the .brain-shot.academy domain to support sign-in continuity and cross-service access. Other cookies are service-specific or host-specific.

Because different Brain-Shot Academy services may use different technologies and legal rules, we maintain a global Cookie Policy and may supplement it with more specific service-level explanations, settings, or cookie tables where needed.

11. Internal telemetry and measurement systems

Brain-Shot Academy uses more than one internal measurement layer.

11.1 Authenticated platform telemetry

We operate an internal authenticated telemetry system for high-signal events relevant to:

  • security and fraud prevention
  • support operations
  • contractual evidence
  • platform auditability
  • academic guidance where relevant
  • reliability and user protection
  • related alerting, notification, and platform-protection workflows where applicable

This system is not designed as a generic clickstream or broad behavioral-surveillance system. It is focused on meaningful operational, security, account, learning, commerce, support, and partner events.

11.2 Public-site and marketing measurement

We also operate a separate website and marketing measurement system for public-site analytics, site measurement, campaign performance, and related consent-managed analytics.

That system is intentionally separated from our authenticated telemetry. It may use different identifiers, cookies, consent rules, storage behavior, and regional defaults.

12. Recipients and processors

Where necessary and lawful, we share personal data with selected service providers and processors that help us operate the Brain-Shot Academy platform and related services.

These recipients may include providers of:

  • cloud hosting and application infrastructure
  • authentication and identity services
  • database and backend services
  • anti-abuse or challenge services
  • customer relationship management and marketing automation services
  • webinar, meeting, and event delivery services
  • learning management platform services
  • email and communications delivery
  • content delivery and caching
  • media streaming, playback analytics, downloads, and protected media delivery
  • scheduling, booking, and calendar-related services
  • payment processing, accounting, invoicing, payment reconciliation, legal, and other professional services
  • security, monitoring, logging, and operational tooling

The current named processor summary is maintained in the separate Processor Appendix.

13. International transfers

We mainly process or disclose personal data in Switzerland and in Europe, especially Germany, France, and Spain.

Our own core Brain-Shot Academy platform services are primarily hosted in Switzerland.

Depending on the service used, some processing may also involve the United States and, in limited cases, other countries used for content delivery, security, or related infrastructure routing.

Transfers between Switzerland and countries with an adequate level of protection may take place without additional transfer guarantees where the law permits this.

If, in a specific case, personal data is transferred to another country outside the main locations above, we use the transfer mechanism required by the relevant legal framework. Depending on the case, this may include:

  • adequacy decisions
  • standard contractual clauses
  • contractual, organizational, and technical protections
  • other lawful transfer mechanisms

The current international transfer summary is maintained in the separate International Transfers Appendix.

14. Retention of personal data

We keep personal data only for as long as necessary for the relevant purpose, including to provide services, maintain security, comply with legal obligations, resolve disputes, defend claims, enforce agreements, and protect our rights.

In general:

  • most account, service, and learning records are kept while the account or active service relationship continues, plus up to 30 days after active account closure or relationship end where needed for support, continuity, security, deletion processing, or rights protection
  • recurring-group recordings are generally kept until 150 days after the last recording of that group, after which the recordings for that group are deleted
  • billing, transaction, tax, accounting, and similar financial records are kept for at least the period required by law and for audit, dispute, and claims-handling purposes
  • support, security, and operational records are kept for as long as needed for the relevant support, evidential, integrity, or protection purpose
  • consent, unsubscribe, and preference records are kept for as long as needed to demonstrate and respect the relevant choice
  • some analytics, measurement, or similar data may be deleted, aggregated, or anonymized earlier where appropriate

Where appropriate, we may delete, anonymize, aggregate, or otherwise de-identify data instead of keeping it in directly identifiable form.

The current retention schedule is maintained in the separate Retention Appendix.

15. Security

We use appropriate technical and organizational measures designed to protect personal data against unauthorized access, misuse, loss, destruction, alteration, or disclosure.

These measures may include:

  • role-based access controls
  • secure authentication and account controls
  • encryption or transport security where appropriate
  • monitoring, logging, and incident handling
  • infrastructure and application security controls
  • internal governance and review processes

No system can offer absolute security, but we take data protection and platform security seriously and work to apply protections appropriate to the risks involved.

16. Automated decisions and profiling

We may use automated systems to support:

  • authentication and security checks
  • fraud, misuse, and abuse detection
  • service reliability and operational protection
  • internal analytics and monitoring
  • temporary protective measures such as challenge steps, rate limiting, or short-term restrictions where needed to protect users, gift-access flows, checkout, accounts, or the platform

More serious fraud or abuse actions are generally reviewed by a human. We do not generally rely on solely automated decisions for admissions, invitations, or similar human-led commercial or academic decisions.

If we make a decision based solely on automated processing that produces legal or similarly significant effects, we will provide the additional information and any applicable review rights required by law.

17. Your rights

Depending on the applicable law and the circumstances, you may have the right to:

  • request information about how we process your personal data
  • access your personal data
  • request correction of inaccurate data
  • request deletion of your personal data
  • request restriction of processing
  • object to certain processing
  • withdraw consent where processing is based on consent
  • receive personal data in portable form where applicable
  • challenge certain automated decisions where applicable
  • lodge a complaint with a competent supervisory authority

To exercise your rights, please contact us at: privacy@brain-shot.academy

We may need to verify your identity before responding.

18. EU representative

For the purposes of the GDPR, we have appointed Prighter Group with its local partners as our privacy representative and point of contact in the following region:

  • European Union (EU)

If you would like to contact us via our representative, or exercise your data protection rights through that channel, please visit:

https://app.prighter.com/portal/Brain-Shot-Academy-AG

19. Complaints

If you believe that our processing of your personal data is unlawful, we encourage you to contact us first so that we can try to resolve the issue.

You may also have the right to lodge a complaint with a competent supervisory authority, including:

  • in Switzerland, the Federal Data Protection and Information Commissioner, where applicable
  • in the EEA or UK, your local supervisory authority, where applicable

20. Changes to this notice

We may update this Privacy Notice from time to time to reflect legal, technical, operational, or business changes.

When we do, we will update the “Last updated” date and, where appropriate, take additional steps to inform users.

21. Contact

Brain-Shot Academy AG
Birsstrasse 320
4052 Basel
Switzerland
privacy@brain-shot.academy
contact@brain-shot.academy

Privacy hub pages

This notice is supported by the following appendix pages:

  • Cookie Policy
  • Processor Appendix
  • International Transfers Appendix
  • Retention Appendix
  • Legal Bases Matrix
  • Required and Optional Data Matrix

Web app release policies-26.05.10.16.1. This version identifies the software running this site. Policy text may be updated separately, and the dates shown within each policy remain the relevant reference for that content.