This appendix forms part of the Brain-Shot Academy privacy hub.
Privacy hub documents: Main Privacy Notice, Cookie Policy, Cookie Inventory, Processor Appendix, International Transfers Appendix, Retention Appendix, Legal Bases Matrix, and Required and Optional Data Matrix.
It provides a purpose-by-purpose view of the legal bases that Brain-Shot Academy relies on under the GDPR, where the GDPR applies, using broader public-facing categories rather than system-by-system technical detail.
Purpose-by-purpose matrix
| Processing purpose / activity | Main data involved | Main legal basis or bases | Description |
|---|---|---|---|
| Account access, authentication, recovery, and service continuity | account, identity, contact, and access data | Performance of a contract or steps at the user’s request before entering into a contract | Covers sign-in, session handling, account recovery, routing, permissions, and shared account continuity |
| Service delivery, entitlements, and protected access | account, access, profile, and service data | Performance of a contract | Covers Airport, protected services, entitlements, and related access control. Security-specific protective processing is addressed separately in the security and fraud-prevention row. |
| Learning delivery, participation, progress, and learner support | account, access, learning, participation, and support data | Performance of a contract; legitimate interests | Covers courses, progress, completion, live participation, downloads, and learner continuity |
| Partner and public profile functions | partner profile, certification, interaction, and related service data | Performance of a contract | Covers partner pages, badges, partner interactions, and related features. Partner profile information is provided by the partner directly, and user traffic may go from Brain-Shot Academy to the partner if the user chooses to visit the partner's website. |
| Purchases, orders, payments, refunds, and entitlement administration | identity, contact, billing, transaction, and entitlement data | Performance of a contract | Covers checkout, payment handling, refunds, entitlement fulfilment, and related transaction administration |
| Accounting, tax, audit, and statutory financial recordkeeping | identity, contact, billing, transaction, and accounting records | Legal obligations | Covers accounting, tax, statutory retention, auditability, and related required financial administration |
| Support, service communications, and continuity | contact, correspondence, support, and service relationship data | Performance of a contract; legitimate interests for general relationship continuity | Covers enquiries, support handling, operational notices, continuity records, and communication through email, WhatsApp, or platform-based tools where relevant |
| Website enquiries, bookings, calls, consultations, and related pre-contract steps | contact, request, registration, scheduling, and enquiry data | Steps at the user’s request before entering into a contract | Covers contact forms, registrations, consultations, calls, meetings, and similar pre-service administration |
| Event, webinar, and enrolled-service participation | contact, registration, participation, event, and recording-related participation data | Performance of a contract | Covers event administration and live-session participation once the person is enrolled, booked into the service, or attending as part of the service. Where sessions are recorded, participants are warned before recording starts. |
| CRM contact management and customer relationship administration | contact, relationship, communication, and preference data | Legitimate interests | Covers lead management, segmentation, follow-up, and customer continuity |
| Marketing and campaign communications | contact details, marketing preferences, consent records, and campaign interaction data | Consent | Opt-out is available through the unsubscribe link for non-account holders and through account settings where the recipient has a Brain-Shot Academy account |
| Consent, cookie, and preference management | consent and preference records, identifiers needed to apply choices | Legal obligations; legitimate interests; consent | Needed to evidence and respect choices |
| Security, fraud prevention, anti-abuse, telemetry, and platform protection | device, browser, usage, security, audit, and risk data | Legitimate interests; legal obligations where applicable | Covers misuse detection; challenge-response controls; temporary protective measures such as challenge steps, rate limiting, or short-term restrictions; supportability; and platform integrity. More serious actions are generally subject to human review. |
| Public-site analytics and campaign measurement | website, device, usage, consent, and analytics data | Consent where required; legitimate interests for strictly necessary technical measurement where applicable | Optional analytics or campaign technologies are kept separate from essential processing |
| Internal administration, governance, and legal protection | operational, audit, compliance, and dispute-related records | Legitimate interests; legal obligations where mandatory | Covers protected internal functions, moderation, governance, legal defense, and rights protection |
