Privacy Policy
Last updated: 18 September 2025
This Privacy Policy describes the types of Personal Data (as defined below) we collect, the purposes for which we collect and use it, who we may share it with, and the measures we take to protect it. It also provides information about your rights in relation to your Personal Data and how you can contact us.
We update this Privacy Policy from time to time to reflect any changes to the way the products and services are provided or to comply with new business practices or legal requirements. We encourage you to check this Privacy Policy periodically to see whether any changes have occurred.
Introduction and scope
We are Brainfish Pty Ltd (ACN 655 960 482), a company incorporated in Australia (“we”, “us”, and “our”).
For those who purchase or otherwise interact with our products/services, all visitors to our website and mobile app, and all other individuals with whom we communicate in the course of providing our services or running our business (each referred to as “you” and “your”), we are the controller of your Personal Data. This means that we decide which information and data we collect, and how to use it. The measures and rights set out in this Privacy Policy apply only where we are the controller of your Personal Data. Where we process Personal Data on behalf of our business customers in connection with their use of the Brainfish platform (for example, knowledge base content and end-user queries), we act as a processor/service provider under our Data Processing Agreement and the customer’s instructions. In those cases, this Privacy Policy does not apply and the customer’s own privacy policy governs.
For the purposes of Article 27 of the GDPR and UK GDPR, we have appointed Prighter Group as our data protection representative in the European Economic Area (“EEA”) and Prighter Ltd as our representative in the United Kingdom (“UK”). You can contact them, including via their online portal, at: https://app.prighter.com/portal/16851006136
Legal requirements relating to data vary by country. Whilst we adopt a global approach to data compliance as far as possible, certain sections of this Privacy Policy will only apply to residents of certain jurisdictions, as indicated below. Where this is the case, it is indicated clearly below.
Our services are directed at business users and are not intended for children. We do not knowingly collect Personal Data from children under 13 (or under 16 where applicable data protection laws require a higher age).
Meaning of Personal Data
Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and the retained version of the same regulation in the UK (“UK GDPR”), “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Under the California Consumer Privacy Act of 2018 (“CCPA”), “Personal information” is defined as information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.
Under the Australian Privacy Act 1988 (Cth) (“APA”), “Personal Information” means “Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”
For the purposes of this Privacy Policy, we use the term “Personal Data” to refer to:
- Personal Data as defined in the GDPR and the UK GDPR;
- Personal Information as defined in the CCPA; and
- Personal Information as defined in the APA.
If you are a resident of California or Australia, your rights will be applicable only in respect of Personal Information, as defined above.
We do not collect or process special category data (also known as sensitive data under GDPR).
What we collect, how we collect it, and what we do with it
The Personal Data we collect from you, and how we collect it, will depend on the way you interact with us and our services.
In some jurisdictions (in particular the UK and EEA), we are required to identify a legal justification (also known as a “Lawful Basis”) for collecting and using your Personal Data, in addition to describing the purpose. There are six Lawful Bases that organisations can rely on. The most relevant of these to us are where we use your Personal Data to:
- Fulfil a contract that we have with you as an individual (“Contract”);
- Comply with our legal obligations (“Legal Obligation”);
- Pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (“Legitimate Interests”); or
- Do something for which you have given your consent (“Consent”).
We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:
- ‘Identity Data’ includes first name, last name, marital status, title, job title, profile photo, company, location, date of birth and gender;
- ‘Contact Data’ includes billing address, email address and telephone numbers;
- ‘Financial Data’ includes bank account and payment card details (through our third-party payment processor, Stripe) if you start a subscription;
- ‘Transaction Data’ includes details about payments to and from you, and other details of products and services you have purchased from us;
- ‘Technical Data’ includes internet protocol (IP) address, your login data for our services, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour, browser session data, webpage from which you came, webpage(s) or content you accessed, navigational and log data, information about your access and use of our website and Services, including through the use of Internet cookies, time zone settings and geolocation, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this Website;
- ‘Profile Data’ includes your username or similar identifier, authentication credentials (for example SSO tokens), purchases or orders made by you, your interests, preferences, feedback and survey responses;
- ‘Usage Data’ includes information about how you use our website, products and services, including data that accumulates over the normal course of operation on our platform;
- ‘Customer Content Data’ includes any personal data contained within data, documents, files, communications, transaction records, stored files, analytics data, metrics, or other materials that you (or your authorised users) submit, upload, store, transmit, create, generate, or otherwise process when using our services;
- ‘Marketing and Communications Data’ includes your preferences in receiving marketing from us and our third parties and your communication preferences; and
- ‘Job Seeker Data’ includes CVs and résumés, application and interview notes, right-to-work documentation and background checks (where lawful), references, professional profiles, and payroll or tax identification information for staff or contractors.
The table below sets out what we collect, how we collect it, what we do with it (the specific purposes) and the Lawful Basis we rely on when we do so. We may state a more specific additional purpose when we collect your Personal Data.
Please note that Financial Data collected and processed for billing and payment purposes is never stored on any of our servers or other equipment. While such data is collected through our platform, it is stored on servers and other equipment managed by Stripe.
Where we use your information for our legitimate interests, we have assessed whether such use is necessary and that such use will not infringe on your other rights and freedoms.
In addition to the Lawful Bases set out in the table above, we may use your Personal Data (however collected) to fulfil a Legal Obligation if processing is necessary:
- to record your preferences (e.g. marketing) to ensure that we comply with applicable data protection laws;
- where we are required to assist government and law enforcement agencies or regulators;
- where we retain information to enable us to bring or defend legal claims; and/or
- where we are required to assist government and law enforcement agencies or regulators, including in relation to any eligible data breach declarations by any of them.
Anonymised and aggregated data
We may anonymise the Personal Data we collect (so it can no longer identify you) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (e.g. what percentage of users responded to a specific survey). Data protection laws do not govern the use of aggregated data and the various rights described below do not apply to it.
Use of cookies
Cookies are small text files that we store on your browser, or the hard drive of your computer, if you agree. Cookies collect data which includes Personal Information.
We use our own cookies and similar technologies to keep track of your use of our Site, designed to provide a better user experience for you. We also use third party cookies.
Necessary cookies. These are cookies that are required for the operation of the Site. These essential cookies are always enabled because the Site will not work properly without them. They include, for example, cookies that enable certain security functions.
Preference cookies. These enable us to recognise you when you return to the Site, to personalise our content for you and remember your preferences.
Statistics cookies. These help us to understand how visitors interact with the Site. They include cookies that tell us how long people spend on the Site and the number of times they visit.
Marketing cookies. These are used to record your visit to the Site, to make the Site more relevant to your interests.
For further details about the cookies used on the Site, please see our Cookie Policy.
Security measures
We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:
- access controls and user authentication (including multi-factor authentication)
- internal IT and network security
- regular testing and review of our security measures
- staff policies and training
- incident and breach reporting processes
- business continuity and disaster recovery processes
- other industry standard safeguards
If there is an incident which has affected your Personal Data, we will notify the regulator and keep you informed (where required under applicable data protection law).
Although we take appropriate measures, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
How long we keep your Personal Data
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for.
To decide how long to keep Personal Data (also known as its retention period), we consider the volume, nature, and sensitivity of the Personal Data, the potential risk of harm to you if an incident were to happen, whether we require the Personal Data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements (e.g. minimum accounting records for tax authorities).
If you have asked for information from us or you have subscribed to our mailing list, we keep your details until you ask us to stop contacting you.
Where your Personal Data is stored
Our production infrastructure is hosted primarily in the United States with major cloud providers (AWS and Google Cloud) in secure virtual private clouds with network segregation and firewalls.
Who we share your Personal Data with
We may share your Personal Data with the organisations listed below, for the specified reason(s).
As outlined in the region-specific sections below, this may involve transfers overseas.
Automated decision making
We do not use automated decision-making (including profiling) that produces legal or similarly significant effects.
Unsubscribing from marketing messages
You can opt out of marketing and sales communications at any time by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails or messages we send you. You can also contact us at privacy@brainfi.sh.
What happens if Personal Information is not provided
Where we require certain Personal Information from you in order to provide a service to you, and you choose not to provide us with that Personal Information, we may not be able to provide our services to you, or aspects of those services. If this is the case, we will inform you.
Contacting us and complaints
If you have questions, requests or concerns about your Personal Data or this Privacy Policy, you can contact us via: privacy@brainfi.sh.
If you have any complaints about this Privacy Policy or the way we handle your Personal Data, you are entitled to contact your local data protection authority using the details set out later in this Privacy Policy. However, we would encourage you to contact us first so that we can try to address your concerns.
If you are based in the UK or EEA, you may also contact our appointed representative (Prighter Group for the EEA, Prighter Ltd for the UK) via their portal: https://app.prighter.com/portal/16851006136.
ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF THE UK, THE EEA OR SWITZERLAND
International data transfers
We only transfer your Personal Data overseas where we are able to comply with applicable data protection laws. If you are located in the UK, the EEA or Switzerland (the “GDPR Area”), and we transfer your Personal Data outside of the EEA, UK or Switzerland, we will take appropriate measures to ensure that the recipient protects your Personal Data adequately in accordance with this Privacy Policy and all applicable UK, EU and Swiss data protection laws and, where applicable, participation in the EU-U.S. Data Privacy Framework, the UK Extension and the Swiss-U.S. DPF.
Your rights regarding Personal Data
If you are a resident of the GDPR Area, your data protection rights are as follows:
- You can request access to your Personal Data.
- You can ask us to correct your Personal Data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
- You can ask us to delete or remove your Personal Data if there is no good reason for us to continue holding it or if you have asked us to stop using it. If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.
- You can object to processing of your Personal Data, ask us to restrict processing of your Personal Data or request portability of your Personal Data. If we think there is a good reason for us to keep using the information or for not complying with your request, we will let you know and explain our decision.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. Otherwise, or to opt-out of other forms of marketing, please contact us using the email address below.
- If you are unhappy with the way we collect and use your Personal Data, you can complain to the Information Commissioner’s Office, but we would encourage you to contact us first so that we can try to address your concerns.
To contact us or submit requests in relation to any of the above, please email privacy@brainfi.sh.
If we have collected your Personal Data with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Data conducted in reliance on a Lawful Basis other than consent.
ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF AUSTRALIA
Scope
As mentioned in paragraph 2.5 above, if you are a resident of Australia, your rights in this Privacy Policy are applicable only in respect of Personal Information, as defined in the APA, i.e. “Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.” For the purposes of this Privacy Policy, we are using the term “Personal Data” to refer to Personal Information.
If there is any inconsistency between this “Additional Clauses Applicable to Residents of Australia” section and the rest of the Privacy Policy, this section shall prevail.
Transfers of Personal Data out of Australia
Your Personal Data may be transferred overseas or stored overseas for a variety of reasons. If we transfer your Personal Data to a recipient in a country with data protection laws which are at least substantially similar to the Australian Privacy Principles (“APP”), and where there are mechanisms available to you to enforce protection of your Personal Data under that overseas law, we will not be liable for a breach of the APP if your Personal Data is mishandled in that jurisdiction.
Notifiable Data Breach Scheme (NDBS) pursuant to the APA
If there is a data breach and we are required to comply with the NDBS, we will take all reasonable steps to contain the suspected or known breach where possible and follow the process set out in this clause.
If we have reasonable grounds to suspect that the data breach is likely to result in serious harm to any individuals involved, then we will take all reasonable steps to ensure an assessment is completed within 30 days of the breach, or sooner, if possible. We will follow all guidance published by the Office of the Australian Information Commissioner (“OAIC”) in making this assessment. If we reasonably determine that the data breach is not likely to result in serious harm to any individuals involved, or that any remedial action we take is effective in preventing serious harm from becoming likely, then we will not notify the affected individuals or the OAIC.
Your rights under the APP and the APA
If you are a resident of Australia, your data protection rights are as follows:
- You can request access to your Personal Data, subject to certain exceptions. For example, we may, in accordance with the APP, refuse to provide you with access if, for instance, granting you access would have a negative impact on the privacy of another person.
- You can request corrections to any inaccurate, outdated, incomplete or misleading information regarding your Personal Data. If you request correction, we will address it within a reasonable timeframe and notify you of the outcome.
- We have an independent obligation to take reasonable steps to correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading.
- You can ask us to delete or de-identify your Personal Data if there is no good reason for us to continue holding it.
- You can ask to have your Personal Data, where technically feasible, sent to another organization, where we hold this Personal Data with your consent or for the performance of a contract with you.
- You can ask us not to send you any marketing materials. However, we may still send you newsletters and updates about your account, if you are a business contact.
- If you are unhappy with the way we collect and use your Personal Data, you can complain to the OAIC, but we would encourage you to contact us first so that we can try to address your concerns.
To contact us or submit requests in relation to any of the above, please email privacy@brainfi.sh. Please note that we may ask you to verify your identity before responding to such requests. If your request is particularly complex or requires a detailed search, we may charge you for dealing with it. Any such charge will be fair and reasonable, and we will let you know in advance what it is.
Automated decision making
We do not use automated decision-making (including profiling) that produces legal or similarly significant effects.
ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF CALIFORNIA
Scope
As mentioned in paragraph 2.5 above, if you are a resident of California, your rights in this Privacy Policy are applicable only in respect of Personal Information, as defined in the CCPA, i.e. “information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics”. For the purposes of this Privacy Policy, we are using the term “Personal Data” to refer to Personal Information.
The CCPA (as amended) provides consumers (California residents) with specific rights regarding the processing of their Personal Data. If you are a California resident, you may be subject to the following provisions. If there is any inconsistency between this “Additional Clauses Applicable to Residents of California” section and the rest of the Privacy Policy, this section shall prevail.
Categories of Personal Data collected
In the preceding 12 months we may have collected the following categories of Personal Data (as defined by the CCPA) about you. We may have collected this Personal Data directly from you, from third parties, and from your interactions with our services, software or applications, as outlined in this Privacy Policy:
- Identifiers such as name, business email address, address, and phone number;
- Commercial information such as records of subscriptions, services purchased, and related transactional data;
- Internet or other electronic network activity information, including technical data about your use of our website or applications (e.g. log data, device/browser information, pages viewed, cookies);
- Approximate geolocation data derived from your IP address;
- Professional or employment-related information; and/or
- Sensitive personal information limited to account access credentials (for example SSO tokens) and billing information, where provided.
Purposes for Collection
- For details of the purposes for which we use the categories of Personal Data outlined above, please see the table in paragraph 3 of this Privacy Policy.
Who we share or have shared your Personal Data with, including for cross-context behavioural advertising
- In the preceding 12 months, we may have disclosed the above categories of Personal Data to our service providers, affiliates and/or partners, in line with the applicable purposes as described above.
- We do not sell or share your Personal Data for cross-context behavioural advertising.
Sensitive Personal Data
- In the preceding 12 months we have not sold or shared any sensitive Personal Information as described in the CCPA. We only process limited sensitive Personal Information where necessary to provide our services, specifically account access credentials (such as usernames or passwords) and billing information provided for payment purposes.
- Payment data is processed directly by Stripe. We do not access or store this information.
Your rights under the CCPA
If you are a resident of California and are entitled to protection under the CCPA, your data protection rights are as follows:
- You have the right to know what Personal Data we collect, use, disclose, share and sell about you.
- You have the right to request that we correct Personal Data we collect and maintain about you, if such Personal Data is inaccurate.
- You have the right to request that we delete Personal Data we collect and maintain about you.
- You have the right to opt-out of the sale or sharing of your Personal Data. We share Personal Data as described above, which may be considered a “sale” of Personal Data under the CCPA.
- You have the right to limit the use or disclosure of your sensitive Personal Data. We do not share or sell sensitive Personal Data. We only process limited sensitive Personal Data as necessary to provide our services, namely authentication credentials (for example SSO tokens) used to provide account access. Payment data is processed directly by our payment provider (Stripe) and we do not access or store this information. We do not use sensitive Personal Data for purposes that would require us to provide a right to limit under the CCPA.
- You have the right not to receive discriminatory treatment from us for exercising your privacy rights under the CCPA.
- You have the right to designate an authorised agent to make a request on your behalf when exercising your privacy rights under the CCPA.
To contact us or submit requests in relation to any of the above, please email privacy@brainfi.sh.
- You can also click on the “unsubscribe” or “opt-out” link in any marketing e-mails we send you.
If you are an authorised agent making a request on behalf of a California consumer, please email your request to privacy@brainfi.sh and provide us the first name, last name, and email address of the California consumer you are making the request for. If you do not provide the requested information, we may not be able to identify the California consumer and process the request. The information you provide will be used only to help verify and process the request. We reserve the right to request that you demonstrate evidence of your authorisation, either by providing us with a signed permission form or a copy of your power-of-attorney document granting you such authority.
