LEGAL · PRIVACY POLICY · IOS

BrainBay Privacy Policy

Version
v1.0-draft
Effective date
2026-05-28
Scope
The BrainBay Global iOS application and the in-app WebView pages it loads.
TL;DR

We collect only the information needed to deliver brain-training to you — your sign-in identity (Apple or Google account), your questionnaire answers, and your training results; we use Sensors Analytics for anonymized usage statistics; we do not collect your location, microphone, camera, or contacts; we never sell your personal information; and you can access, correct, or delete your data, or delete your account, at any time.

Introduction

Welcome to BrainBay (the “Product” or “we”). The Product is developed and operated by SILVERDRAGON TECH PTE. LTD. (the “Operator”). We understand how important your personal information is to you, and we are committed to protecting it in accordance with applicable data-protection laws — including, where they apply to you, the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

This policy explains how we collect, use, store, share, and protect your personal information when you use the Product, and how you can exercise control over your own information. Please read it carefully (especially the text shown in bold) before using the Product. By using the Product, you acknowledge that you have read and understood this policy.

If you do not agree with any term of this policy, please stop using the Product immediately.

Note (pre-launch draft): A few facts specific to the Global release — whether an EU/UK representative and a Data Protection Officer are required, and the location of data hosting together with the cross-border transfer mechanism — are shown below as items to be confirmed before launch and will be finalized by legal counsel.

1. Scope

This policy applies to:

  • The BrainBay iOS application (Global release)
  • The in-app WebView pages loaded by that application

Some parts of the BrainBay mobile app (such as the “Today” and “Training” pages) are rendered through an embedded WebView that loads web pages; the related data processing is also governed by this policy. Other BrainBay platforms and regional editions are covered by their own separate privacy policies.

2. Information We Collect and How We Use It

We collect and use your personal information only for the purposes described in this policy. “Personal information” means any information, recorded electronically or otherwise, that can identify a specific individual on its own or in combination with other information.

2.1 Information you provide

2.1.1 Sign-in information

To use the Product you first create and sign in to a BrainBay account. You can create and sign in using either of the following methods:

  • Sign in with Apple: When you choose Sign in with Apple, Apple provides us with a stable user identifier and, if you allow it, your name and an email address (which may be a private relay address you control). We use this to identify your account and sync your data across devices. We never receive your Apple ID password.
  • Sign in with Google: When you choose Sign in with Google, you authorize Google to share your Google account identifier and basic profile information (name, email address, and profile picture) with us. We use this to identify your account and sync your data. We never receive your Google account password.

2.1.2 Training-preference questionnaire

On first use, we ask you to complete a short training-preference questionnaire (lifestyle, focus level, available training time, training style, self-reported symptoms, training goals). Your answers are used to generate your personalized daily training plan and are stored in your account’s user profile.

2.1.3 Training data

When you complete each training, we record:

  • The training identifier (which training)
  • Result fields such as duration, score, and accuracy
  • The completion timestamp
  • Cumulative training count, current streak, and longest streak

2.2 Information we collect automatically

2.2.1 Device and log information

To keep the Product running correctly and to diagnose problems, we automatically collect:

  • Operating system type and version (e.g. iOS 17.4)
  • App version and build number
  • Device model and screen resolution
  • Access logs (request time, request path, HTTP status code, error stack traces)
  • The IP address from which your device connects (used only for risk-control and troubleshooting, not associated long-term with other device information)
  • The time-zone setting provided by your operating system (IANA time-zone identifier, e.g. Europe/London)

2.2.2 Behavioral analytics events

We use Sensors Analytics to record anonymized behavioral events such as page views, button taps, and training start/completion. See §5 for details.

2.3 Information we do NOT collect

The BrainBay iOS app does not collect the following (and declares no corresponding permission in its Info.plist):

  • Your precise or approximate location (GPS, cell, or Wi-Fi)
  • Microphone recordings or audio
  • Camera photos or video
  • Your contacts, messages, or call logs
  • The list of other apps on your device
  • Health data (HealthKit)
  • Payment credentials (the Product currently has no paid features)

2.4 How we use your personal information

  • Identity and account: using your Apple/Google account as your BrainBay identity to sign in, save training records, and sync progress across devices.
  • Personalized training plans: based on your questionnaire answers and training history, computing your training tier, primary dimension, and secondary dimension, and generating your daily training plan.
  • Ability map and statistics: showing how your ability changes across the six dimensions (reaction, logic, memory, focus, math, spatial), plus achievement metrics such as streaks and cumulative training count.
  • Diagnostics and improvement: locating crashes and failed requests through logs and stack traces, and understanding feature usage through aggregated, anonymized statistics.
  • Security and risk control: preventing account theft, abuse, and fraudulent activity.

We do not use this information for automated decision-making with legal or similarly significant effects, facial recognition, credit scoring, or targeted advertising. If we ever wish to use your personal information for a purpose not stated in this policy, we will seek your consent first.

2.5 Legal bases for processing (GDPR)

Where the GDPR applies to you, we rely on the following legal bases, mapped to each processing activity:

  • Account sign-in and identity (Apple / Google): performance of a contract — we cannot provide the service without an account to associate your data with (Art. 6(1)(b)).
  • Questionnaire answers and personalized training plans: performance of a contract — generating your plan is the core service you request (Art. 6(1)(b)).
  • Training results, ability map, and streaks: performance of a contract (Art. 6(1)(b)).
  • Device and log information, security and risk control: our legitimate interests in keeping the service secure and reliable, balanced against your rights and freedoms (Art. 6(1)(f)).
  • Behavioral analytics (Sensors Analytics): your consent, where consent is required in your jurisdiction; otherwise our legitimate interest in understanding and improving the product using anonymized events (Art. 6(1)(a) / 6(1)(f)).
  • Disclosures required by law: compliance with a legal obligation to which we are subject (Art. 6(1)(c)).

Where we rely on consent, you may withdraw it at any time (see §7.6); where we rely on legitimate interests, you have the right to object (see §7.5).

2.6 De-identification and anonymization

Once your personal information has been de-identified or anonymized such that the recipient cannot re-identify you, we may store and process that data without further notice or consent, to the extent permitted by applicable law.

3. App Permissions

The BrainBay iOS app follows a “minimum necessary” principle and requests as few system permissions as possible. As of the effective date of this policy:

  • Local network (development builds only): production releases do not request this; it is used only in internal development builds to connect to a development server on the local network.

The Product does not request camera, microphone, photo library, calendar, contacts, precise/approximate location, phone state, or the advertising identifier (IDFA / App Tracking Transparency). If we add a permission request in the future, we will update this policy and explain the purpose at the time of the request.

4. Cookies, Local Storage & Device Identifiers

4.1 On-device storage

The iOS app stores the following locally on your device:

  • Sign-in session credentials (held only on your device, to keep you signed in)
  • A local cache of training preferences (for offline review)
  • Cookies and cache generated by the WebView in its sandbox (same-origin with the web version)

4.2 Device identifiers

We do not actively obtain the IDFA (advertising identifier). The Sensors Analytics SDK may use the IDFV (identifier for vendor) as an anonymous device ID for behavioral analytics; this identifier is not tied to identifying information such as your name or email. We do not use persistent cross-app identifiers such as MAC address for tracking.

4.3 How you can control this

  • You can deny tracking requests in iOS Settings
  • Clearing app data removes local storage and WebView cookies
  • Signing out clears the on-device session credential
  • Deleting your account removes all server-side data (see §7.4)

5. Third-Party SDKs & Information Sharing

5.1 Third-party SDKs

To provide sign-in and product analytics, we integrate the following third-party SDKs on iOS. Each is used on a “minimum necessary” basis, and each third party is required to protect the data it processes to a standard consistent with this policy. See Appendix II for the full list.

Sign in with Apple
Provider
Apple Inc.
Use case
Apple account sign-in within the iOS app
Data collected
A stable Apple user identifier and, if you allow it, your name and email (which may be a private relay address)
Privacy policy
https://www.apple.com/legal/privacy/
Google Sign-In SDK
Provider
Google LLC
Use case
Google account sign-in within the iOS app
Data collected
Google account identifier and basic profile information you authorize (name, email, profile picture)
Privacy policy
https://policies.google.com/privacy
Sensors Analytics SDK
Provider
Sensors Data Co., Ltd.
Use case
Behavioral event tracking and analytics within the iOS app
Data collected
Anonymous device ID (IDFV), operating system, app version, event name and time, page path
Privacy policy
https://manual.sensorsdata.cn/sa/docs/tech_sdk_client_privacy_policy/v0300

The Global iOS build uses Sensors Analytics and does not integrate Google Analytics or Firebase. This SDK list may change as the Product evolves; when we add or replace an SDK, we will describe the change in §9 (Updates).

5.2 Sharing

We do not sell your personal information to any third party. We share your personal information only in the following situations:

  • With your prior explicit consent or authorization;
  • As necessary to provide a feature you actively initiate (e.g. verifying your identity with Apple or Google at sign-in);
  • Sharing the minimum information necessary with the third-party SDK providers listed in §5.1 and Appendix II, each of which is bound by confidentiality obligations;
  • Where required by applicable law, regulation, government order, or judicial process. In such cases we require valid legal documentation and, where permitted by law, will inform you.

5.3 Transfer

Except with your explicit consent, we will not transfer your personal information to any company, organization, or individual. If a merger, acquisition, reorganization, or bankruptcy results in your personal information being transferred, we will inform you of the recipient’s name and contact details before the transfer and require the new holder to continue to be bound by this policy; if the recipient changes the original purpose or method of processing, we will seek your consent again.

5.4 Public disclosure

We disclose your personal information publicly only with your explicit consent, or where mandated by applicable law, regulation, government order, or judicial process.

6. Storage & Security

6.1 Where your information is stored

Your personal information is stored on servers operated by, or on behalf of, the Operator. The specific data-hosting region(s) for the Global release and — where your data is transferred out of the EU/EEA or UK — the cross-border transfer mechanism we rely on (for example, the EU Standard Contractual Clauses or an applicable adequacy decision) are [to be confirmed before launchto be confirmed before launch] and will be stated here once finalized by legal counsel.

6.2 Retention

  • Account identity information: retained while your account exists; deleted from the database after account deletion.
  • Training results and questionnaire answers: retained while your account exists, to keep generating your training plan.
  • Access logs and error stack traces: retained for 90 days by default, then archived or deleted.
  • After account deletion, a 14-day retention window applies for anti-abuse and incident investigation, after which the data is permanently deleted.

6.3 Security measures

We apply industry-standard security measures to protect your personal information:

  • All client–server communication is encrypted in transit via HTTPS/TLS
  • Session credentials are signed and time-limited to prevent forgery
  • Database access requires authentication and least-privilege authorization
  • Internal staff who handle personal information are granted least necessary access and are audited regularly
  • We continuously monitor for anomalous requests and incidents

Please understand that no method of transmission or storage is 100% secure. In the event of a personal-data breach, we will notify you and the relevant supervisory authorities as required by applicable law, describing the nature of the incident, its impact, our response, and recommended precautions.

7. Your Rights

You have full control over your personal information. Depending on where you live, you may have the rights described below; you can exercise them through the channels in §10.

7.1 Access and portability

You can view your training records, ability map, and streaks on the “Profile” page in the app. To obtain a full export of your data, contact us via §10; we will respond within 30 days (or the period required by applicable law).

7.2 Rectification

You can update your training preferences at any time by retaking the questionnaire in the app; for other fields, contact us via §10.

7.3 Erasure

You can delete the local cache, cookies, and session credential on your device at any time. To delete specific server-side data (such as training history), contact us via §10; we will respond within 30 days.

7.4 Delete your account

You can delete your account from “Profile → Settings → Delete account” in the app. Deletion is irreversible. After deletion:

  • Your training results, questionnaire answers, and ability map are deleted from our database
  • The link between your account and your Apple/Google identity is severed
  • Aggregated, anonymized data already used for statistics (which cannot be associated with you) may be retained

7.5 Additional rights (GDPR / CCPA)

  • GDPR (EU/EEA/UK): rights to access, rectification, erasure, restriction of processing, data portability, objection, and the right to withdraw consent at any time; you also have the right to lodge a complaint with your local supervisory authority.
  • CCPA/CPRA (California): the right to know what personal information we collect and how it is used, the right to delete it, the right to correct it, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information as those terms are defined under the CCPA. We will not discriminate against you for exercising any of these rights.

To protect your information, we verify your identity before acting on a request — typically by confirming control of the email address or the Apple / Google identity associated with your account, and, for sensitive requests, by asking for additional confirmation. You may use an authorized agent to submit a request on your behalf, provided the agent supplies proof of your authorization and we can verify your identity. If we decline a request, we will explain why; you may appeal by replying to our response or contacting us again through §10, and if you remain dissatisfied you may contact your local supervisory authority (under the GDPR) or the relevant authority in your jurisdiction.

7.6 Withdrawing consent

You can withdraw consent for a specific authorization at any time via iOS Settings or in-app settings. We will then stop the processing based on that consent, without affecting the lawfulness of processing carried out before the withdrawal.

7.7 California disclosures (CCPA/CPRA)

For California residents, the categories of personal information we have collected in the past 12 months — mapped to the categories defined in Cal. Civ. Code §1798.140 — are:

  • Identifiers: your Apple or Google account identifier and our internal account ID. Source: you and your sign-in provider. Business purpose: account creation, sign-in, and cross-device sync.
  • Internet or other electronic network activity: page views, taps, training start/completion events, and access logs. Source: your use of the app. Business purpose: diagnostics and product improvement.
  • Device and usage information: device model, OS version, screen resolution, IP address, time zone, and an anonymous vendor identifier (IDFV). Source: your device. Business purpose: reliability, security, and anonymized analytics.
  • Information you provide: your training-preference questionnaire answers and training results. Source: you. Business purpose: generating and saving your personalized training plan.

We disclose these categories only to the service providers listed in Appendix II (such as Apple, Google, and our analytics provider) for the business purposes above. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we therefore do not provide a separate “Do Not Sell or Share My Personal Information” link. To exercise any California privacy right, contact us at 3rd@silverdragonltd.com; we will not discriminate against you for exercising your rights.

8. Children & Minors

We take the protection of minors’ personal information seriously. The Product is not directed to children, and the minimum age to use it is the age of digital consent in your jurisdiction — for example, 13 in the United States (COPPA) and 16, or a lower age set by your member state, in the EU/EEA (GDPR).

  • Where the GDPR applies, we do not knowingly process the personal information of a child below the applicable age of digital consent (16, or a lower age set by your member state) without verifiable parental consent. Where COPPA applies (United States), we do not knowingly collect personal information from children under 13.
  • If you are a parent or guardian and have questions about a minor’s use of the Product, contact us via §10 and we will address them.
  • We do not profile minors for advertising or precise marketing.

9. Updates to This Policy

We may update this policy from time to time. For material changes (for example, changes to the purpose, method, or scope of processing; changes to the parties with whom we share, transfer, or disclose information; material changes to your rights or how you exercise them; or changes to the contact details of our data-protection function), we will notify you through prominent means such as an in-app push, an in-app banner, or email.

Non-material changes will be reflected by updating this page; please review it periodically.

Version history

  • v1.0-draft (2026-05-28): first draft.

10. Contact Us

If you have any questions, comments, or complaints about this policy or our processing of your personal information, you can reach us at:

Operator
SILVERDRAGON TECH PTE. LTD.
Company registration (UEN)
202223550W
Registered address
Nexus @one-north, 3 Fusionopolis Link, #06-07, Singapore 138543
Data Protection Officer
[Data Protection Officer contact, if required by the GDPRto be confirmed before launch]
EU/UK representative
[Art. 27 GDPR representative, if applicableto be confirmed before launch]
Support
3rd@silverdragonltd.com
Privacy / complaints
3rd@silverdragonltd.com

We will respond within 30 days of receiving your request. If you are in the EU/EEA or UK and are not satisfied with our response, you also have the right to lodge a complaint with your local data-protection supervisory authority.

Appendix I · Personal Information Collection List

For the categories and purposes of the personal information the BrainBay iOS app collects across scenarios, see the separate Personal Information Collection List. In summary: we collect only your sign-in identity (Apple / Google), your training-preference answers, your training results, device and log information, and anonymized behavioral analytics events.

Appendix II · Third-Party Sharing List

For the third-party SDKs the BrainBay iOS app integrates and the information shared with them, see the separate Third-Party Information Sharing List. Currently integrated: Sign in with Apple, Google Sign-In, and Sensors Analytics (anonymized usage statistics).