Privacy Policy
BRAIN LAB (hereinafter “We”, “Service”) values users’ personal information. This privacy policy explains what personal information we collect and how we use, store, share, and protect it in the course of providing web-based cognitive tests, score results, summary interpretation, detailed reports, results confirmation pages, payment, customer support, and related functions.
Effective date: 2026-03-05
Last revision date: 2026-03-05
Document version: v2026.03.05
Contact Email: support@mail.brainlab.it.com
This Policy applies to global users, and additional legal rights or notices may apply depending on where you live or access from.
1. Service provider and scope of coverage
- Service name: BRAIN LAB
- Service Provider / Personal Information Processor: BRAIN LAB
- Inquiry email: support@mail.brainlab.it.com
- Address or location: Republic of Korea
- Scope: This policy applies throughout the BRAIN LAB website, results pages, detailed reports, payment procedures, customer support, email communications and related functions.
- Related documents: This policy may apply together with our Terms of Use, Billing and Refunds Policy, cookie banner, or individual notices displayed on the payment screen.
2. Personal information we collect
We may collect the following categories of personal information:
2.1 Information provided directly by users
- Email address
- Name or nickname (if entered by the user or provided during payment processing)
- Customer support inquiries and attached materials
- Information submitted when participating in surveys, feedback, events or promotions
- Other information entered directly by the user while using the service
2.2 Information regarding tests, results and reports
- Test responses, selections, inputs, or submitted data
- Scores, sub-scores, analysis results, summary results, detailed report contents
- Whether the test was completed, completion time, and result creation time
- Whether the results page was accessed or the report was viewed/downloaded
- Dedicated link for checking results, access token, link issuance and usage history
2.3 Payment and transaction-related information
We may process payments through PayPal, Braintree, or other third-party payment processors. During this process, we may collect or receive limited transaction information, such as:
- Order number, transaction number, payment status
- Payment amount, currency, refund or cancellation status
- Payment method type
- Limited payment method information provided by the payment processor (e.g. card brand, last 4 digits, expiration date, billing country, etc.)
- Information needed for tax calculation or accounting purposes
In principle, we do not store the entire card number or card security code (CVV/CVC) on our own servers. The collection and processing of this information takes place primarily in the payment processing company's systems.
2.4 Information automatically collected
- IP address
- Browser type and version
- Operating system, device type, screen information
- Language settings, time zone, approximate location (IP-based estimate)
- Access date and time, page views, clicks, referrer URL
- Log data, error records, diagnostic information
- Information collected through cookies, local storage, and similar tracking technologies
2.5 Information collected from third parties
We may receive information from the following third parties:
- Payment processing companies (PayPal, Braintree, etc.)
- Email delivery or authentication service providers
- Providers of analytics, security, hosting or customer support services
- Third-party services to which you have permitted connection or integration
3. How we collect personal information
We collect personal information in the following ways:
- When provided directly by the user through inspection, payment, inquiry, email entry, result inquiry, or customer support
- When collected through logs, cookies, device information, etc. that are automatically generated while the user uses the website
- When sent from payment processors, analytics providers, email providers or other service providers
- When checked for fraud prevention, security checks or regulatory compliance, to the extent permitted by law
4. Purpose of use of personal information
We process personal information for the following purposes:
4.1 Service provision and operation
- Deliver tests, process responses, calculate scores, and generate results
- Provide the results page, detailed report, and dedicated link
- Manage account or access status
- Maintaining the functionality of the Service, troubleshooting problems, and correcting errors.
- Process user requests and provide customer support
4.2 Payment, Billing and Dispute Response
- Order confirmation and payment processing
- Confirm refund, cancellation, duplicate payment
- Respond to chargebacks, suspected fraudulent transactions, and abnormal payments
- Accounting, Taxation, and Recordkeeping
4.3 Security and fraud prevention
- Detect unauthorized access, account abuse, link sharing, bots or automated abuse.
- System security, access control, log inspection
- Protecting service integrity and enforcing terms and conditions
4.4 Analysis, improvement and operational optimization
- Analysis of service usage patterns
- Feature improvements, UX improvements, performance optimizations
- Error monitoring, quality control, generation of statistics
- Internal testing and operational improvements
4.5 Communication
- Results delivery, receipts, service notifications
- Security Notice
- Inquiry response and support information
- Important legal or policy notices
4.6 Marketing and Promotion
- Notify you of newsletters, promotions or updates if you have given your consent
- Providing service-related news to the extent permitted by law
- You can opt out of receiving marketing at any time
5. Legal basis for processing
If GDPR, UK GDPR or a similar regime applies under your local law, we will generally process your personal information on the following legal bases:
- Performance of a contract or actions taken prior to entering into a contract: providing testing, generating results, processing payments, customer support, fulfilling orders.
- Legitimate interests: operating the service, maintaining security, preventing fraudulent use, improving the service, analyzing logs, responding to disputes.
- Comply with legal obligations: tax, accounting, regulatory compliance, responding to legal requests, record retention
- Consent: Non-essential cookies, certain marketing, processing that requires consent by law
5.1 Caution regarding sensitive or health-related information
Although the Service does not provide medical practice, some of the information you enter or the results the Service generates may relate to your cognitive characteristics, attention patterns, or health-related inferences. If such information is assessed as sensitive information or special category information under applicable laws, we will process it with consent or on other lawful grounds to the extent required by law.
Users should be careful not to submit unnecessary sensitive information, government-issued identification numbers, complete payment card information, or original medical records to customer support channels or free input fields. Please do not submit any sensitive information that we have not explicitly requested.
6. Payment processing
- Payments are processed through PayPal, Braintree, or a third party payment processor designated by us.
- A significant portion of payment-related information may be processed independently by the relevant payment processor, in which case the privacy policy and terms and conditions of each processor may additionally apply.
- We may receive limited transaction information for purposes such as transaction verification, accounting, refunds, dispute resolution, and fraud prevention.
- In principle, we do not store the entire card number or security code on our own servers.
7. Cookies, analytics and similar technologies
We may use cookies, local storage, pixels, tags, or similar technologies to operate our Services and analyze their performance.
7.1 Essential technologies
The following technologies may be required to provide services:
- Log in or maintain session
- Security and Fraud Prevention
- Check payment status
- Maintain user settings
- Dedicated link validation
7.2 Performance and analytics technologies
We may use analytics tools to analyze Service reliability, errors, connection flow and performance. During this process, we may collect page views, clicks, device information, approximate location, IP-based information, event logs, etc.
Tool in use: Google Analytics
7.3 Advertising and Remarketing
We do not currently use non-essential tracking technologies for third-party personalized advertising or remarketing.
7.4 Options
You can manage the use of cookies through your browser settings, device settings, cookie banners or other optional tools we provide. However, if you block essential technologies, some features of the Service may not work.
8. Sharing and disclosure of personal information
We may share or disclose personal information in the following cases:
8.1 Service Providers
We may share personal information with the following categories of trustees or service providers:
- Payment processing company
- Hosting, cloud, CDN, security providers
- Email delivery and authentication provider
- Analytics, error monitoring, and performance measurement provider
- Customer support, operations, and communication providers
- Accounting, legal, auditing or professional advice providers
These providers may process your information only to the extent necessary to perform tasks on our behalf or to fulfill their own legal obligations.
8.2 Legal Requirements and Rights Protection
We may disclose personal information in the following cases:
- When necessary to respond to laws, court orders, regulatory requests or lawful public agency requests.
- As necessary to investigate violations of our terms of use or policies, prevent fraud, or respond to security threats.
- When necessary to protect the rights, property or safety of us, our users or third parties.
8.3 Business transfer
Personal information may be inherited or transferred in connection with a merger, acquisition, asset transfer, reorganization, investment or bankruptcy proceeding. In such cases, we will provide reasonable notice to users.
8.4 Disclosure at your direction
If you explicitly request or consent, we may provide your personal information to third parties at your direction.
8.5 De-identified or Aggregated Information
We may generate statistics, aggregate data or de-identified information that does not directly identify an individual and use it for Service analysis, operational or research purposes.
8.6 Notice regarding selling or sharing
We do not sell your personal information for monetary compensation without separate notice.
However, if the concept of sharing or customized advertising is separately recognized by applicable laws, we will provide the necessary additional notice and options.
9. International data transfers
In the course of operating our Global Services or using global service providers, we may process your personal information in countries other than your country of residence. These countries may not have the same privacy laws as where you live.
Where required by applicable law, we strive to apply appropriate safeguards, including:
- Standard Contractual Clauses (SCC) or similar transfer mechanism
- Contractual Safeguards
- Technical and organizational measures such as access control, encryption, and granting of minimum privileges
- Appropriate review of service providers
10. Security
We apply reasonable technical, administrative and organizational measures to protect personal information. These may include access control, authentication procedures, log management, protection of data in transit, backup, operational monitoring, least-privilege access, etc. as needed.
However, by their nature, the Internet or any other electronic storage method cannot guarantee complete security. Therefore, we cannot guarantee absolute security, and you are responsible for managing your account information, email access, dedicated links, and device security yourself.
In the event of a personal information breach, we will notify supervisory authorities or users to the extent required by applicable laws.
11. Storage period and deletion
We retain personal information for as long as necessary to fulfill the purpose for which it was collected or as required by law. The retention period may vary depending on the nature of the data, processing purposes, security needs, potential for disputes and legal obligations.
Common storage examples include:
- Account or Contact Information: We will retain it for as long as your account is maintained or necessary to respond to inquiries, and we may retain it for additional reasonable periods for disputes, security, backups, or legal obligations.
- Test response, score, results, and report information: We retain it for as long as necessary to provide service, verify results, provide customer support, respond to disputes, prevent fraud, and manage system quality. The user access period for the results confirmation page or detailed report may be the period stated in a separate policy or payment screen (e.g. 3 months), but the access period and internal record retention period may not be the same.
- Transaction and accounting records: We keep them for as long as necessary for tax, accounting, refund, chargeback, dispute, or compliance with legal obligations.
- Support and Inquiry Records: We generally keep them for 12 to 24 months or as long as necessary to resolve disputes.
- Security and Log Data: We typically retain it for up to 12 months or as long as required for fraud prevention and security purposes.
- Marketing-related information: We retain it until you unsubscribe or as long as permitted by law.
At the end of the retention period, we may delete, de-identify, or convert that information to a form that no longer personally identifies you. Backup copies may remain for additional periods depending on system cycles.
12. Your rights and choices
You may have the following rights under applicable law:
12.1 General rights
- Request to view your personal information
- Request correction of inaccurate or incomplete personal information
- Request for deletion of personal information
- Opting out of marketing
- Withdraw consent for consent-based processing
- Request account deletion
12.2 Rights available where GDPR/UK GDPR, etc. apply
- Request to restrict processing
- Objections to processing
- Right to data portability
- Rights related to automated decision-making
- Right to complain to supervisory authority
12.3 Rights of California Residents
California residents may have the following rights within the scope of applicable law:
- Right to know the categories and sources of personal information collected
- Right to know the purpose of use of personal information and categories of provision to third parties
- Right to access certain personal information
- Right to request erasure
- Right to request correction
- Right to opt out of selling or sharing (if applicable)
- Right to request restrictions on use of sensitive information (if applicable)
- Prohibition of discrimination in exercising rights
12.4 How to exercise your rights
Requests regarding personal information may be submitted to:
Email: support@mail.brainlab.it.com
We may require reasonable authentication procedures to verify the identity of the requestor. For example, we may ask you to confirm your registration email, confirm your order number, or submit additional authentication information. We will review and respond to your request within the time periods required by applicable law.
12.5 Filing a Complaint
Users may lodge a complaint with the personal data supervisory authority in their jurisdiction. However, we encourage you to first resolve the issue directly with us.
13. Automated processing and profiling
The Service may generate scores, results, interpretations, or reports in an automated manner based on responses or input you submit. This automated processing is intended to provide core functionality of the Service.
We generally do not use these results to directly make decisions that have legal or similarly significant implications for you. If your local laws grant you additional rights regarding automated processing, you may contact us using the contact information above.
14. Personal information of children and minors
The Service is generally not directed to children under 13 years of age. We do not intentionally collect personal information from children under the age of 13 without appropriate consent from parents or legal guardians.
If a user is of an age that prevents them from independently consenting to the processing of personal information under the laws of their residence, the user must use the Service only with the involvement or consent of a parent or legal representative, to the extent required.
If we become aware that we have collected a child's personal information without appropriate consent, we will delete such information or take necessary measures to the extent required by law.
15. External Links and Third Party Websites
The Services may contain links to third-party websites, payment pages or external services. We do not control the privacy practices or content of these third party services, and you should check the privacy policies of each third party before using their services.
16. Changes to this policy
We may modify this Policy because of changes in law, service structure, payment methods, analytics tools, operating procedures, or for other reasons. When changes are made, the last revision date at the top is updated.
If we make changes that materially affect your rights or our practices, we may notify you through the Service screen, email or other reasonable means. If you continue to use the service after changes, the changed policy may be applied to the extent permitted by relevant laws.
17. Contact information
- Service name: BRAIN LAB
- Service Provider / Personal Information Processor: BRAIN LAB
- Email: support@mail.brainlab.it.com
- Address or location: Republic of Korea
- Other contact methods: Go to customer support