Privacy Policy
Last Updated: 15 January 2026
1. Introduction
This Privacy Policy outlines how Brainfloss UK Private Limited ("we", "us", or "our") collects, uses, and protects the personal data of users ("you" or "your") of the Brainfloss platform (the "Service"). We are committed to protecting your privacy and ensuring that your personal data is handled in a safe and responsible manner in compliance with the UK General Data Protection Regulation (UK GDPR).
Brainfloss provides scalable, cloud-native platforms that simplify how organisations train, operate, and adopt technology — including cloud-first learning, operations, and digital enablement solutions. This policy applies to all personal data processed by us in connection with the Service.
2. Data Controller Information
The data controller for the personal data processed through the Service is:
Company Number: 14536853
Registered Address: Unit 66, The Grange, 1 Central Road, Morden SM4 5PQ
For any data protection inquiries, you can contact our Data Protection Officer at [email protected].
3. Data We Collect
We collect the following types of personal data from and about users of our Service:
| Data Category | Examples | Purpose |
|---|---|---|
| Identity Data | First name, last name, email address. | To create and manage your user account and identify you on the platform. |
| Technical Data | IP address, browser type and version, operating system, and device identifiers. | To ensure the security and proper functioning of our platform, and for analytics. |
| Usage Data | Activity logs, submissions, feature interactions, and time spent on tasks. | To provide the Service, monitor for security/integrity, and improve our platform. |
Note: We do not collect any special categories of personal data (e.g., health, race, religious beliefs, or ethnic origin).
4. How We Use Your Data
We use your personal data for the following purposes:
- To Provide and Manage the Service: This includes creating and managing your account, providing you with access to the platform, and delivering the core functionalities of the Service.
- For Monitoring and Security: We monitor activity within the platform to ensure its security and integrity. This is to prevent misuse of the Service and to ensure a safe environment.
- For Analytics and Improvement: We use analytics tools to understand how our Service is used, which helps us to improve the user experience and develop new features.
- To Communicate with You: We may use your contact information to send you important notices about the Service, such as updates to our terms or policies.
5. Lawful Basis for Processing
Under UK GDPR, we rely on the following lawful bases for processing your personal data:
Performance of a Contract
The processing is necessary for the performance of the contract between us and the client (your employer or training provider) to provide you with the Service.
Legitimate Interests
We process data for our legitimate interests (security monitoring, service improvement), provided these aren't overridden by your rights.
6. Data Sharing and Third Parties
We do not sell or rent your personal data to third parties. However, we may share your data with the following categories of third-party service providers who act as data processors on our behalf:
- Authentication Services: We use Amazon Web Services Cognito for user authentication (email/password and SSO). Cognito processes your identity data to facilitate secure access.
- Analytics Providers: We use Google Analytics and PostHog to collect and analyze usage data. This data helps us improve our Service and is processed without directly identifying you where possible.
We have strict data processing agreements in place with these providers to ensure security and compliance.
7. Data Retention
We will retain your personal data for a period of one year after the completion of your engagement, or as otherwise required by our agreement with the client. After this period, your personal data will be securely deleted or anonymized.
8. Your Data Protection Rights
Under the UK GDPR, you have the following rights:
- The right to be informed about collection and use.
- The right of access to your personal data.
- The right to rectification of inaccurate data.
- The right to erasure ('right to be forgotten').
- The right to restrict processing of your data.
- The right to data portability for your own purposes.
- The right to object to processing in certain cases.
To exercise any of these rights, please contact us at [email protected].
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO). Website: www.ico.org.uk.
10. Data Security
We have implemented appropriate technical and organizational security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Please note that no method of internet transmission is 100% secure.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of changes by posting the new policy on this page and updating the "Last Updated" date.
12. Contact Us
If you have any questions about this Privacy Policy or our data protection practices, please contact us at: