Privacy Policy

Last updated: 03/04/2026

1. Introduction and Scope

BrainLake ("BrainLake", "we", "our", or "us") is committed to protecting your privacy and handling personal data transparently and responsibly.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you access or use our AI training and continuous learning platform for finance professionals, including learning tracks, prompt tools, sandbox exercises, gamification features, and associated services (collectively, the "Platform").

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2. Who This Policy Applies To

This Privacy Policy applies to the following categories of individuals ("Data Subjects"):

  • Individual learners – individuals who create accounts on the Platform directly.
  • Enterprise learners – individuals whose accounts are provisioned by their employer or organisation through an enterprise subscription.
  • Enterprise administrators – designated managers, team leads, or administrators within an organisation who have visibility into learner progress and platform usage within their team.
  • Website visitors – individuals who visit the BrainLake website, where only limited technical data may be processed.

3. Personal Data We Process

Depending on how the Platform is used, we may process the following categories of personal data:

3.1 Account and Profile Data

  • Full name
  • Email address
  • Job title
  • Employer or organisation
  • Team or department
  • Login credentials and authentication data

3.2 Employer and Organisational Data

We collect information about your employer and team to place you into the appropriate learning bracket and manage lesson unlock schedules. This may include:

  • Company name
  • Team or department assignment
  • Role seniority or function (where relevant to learning track placement)

3.3 Learning Activity Data

  • Course and track enrolments
  • Lesson completions and progress
  • Quiz and trivia answers
  • Sandbox exercise submissions
  • XP totals, streaks, and current rank
  • Leaderboard position
  • Improvement trends over time

3.4 AI Interaction Data

  • Prompt inputs submitted to the prompt scorer, sandbox, or other AI-powered features
  • AI-generated outputs and scores
  • The five most recent prompts associated with your account (stored in identifiable form)

AI interaction data beyond the five most recent prompts may be retained in anonymised and aggregated form to improve the Platform's prompt library and recommendation engine. See Section 8 for further detail.

3.5 Billing Data

If you purchase a subscription or your employer processes payment through the Platform, we may collect:

  • Billing name and address
  • Payment method details (processed by our third-party payment processor; we do not store full card numbers)
  • Transaction history and invoices

3.6 Usage and Technical Data

  • IP address
  • Device and browser information
  • Log files and timestamps
  • Interaction data within the Platform

BrainLake does not intentionally collect special category data (such as health, biometric, or government-issued identifiers).

4. How We Collect Personal Data

We collect personal data through:

  • Direct interactions, when users create accounts, complete exercises, submit prompts, or communicate with us.
  • Automated means, such as logs and system-generated usage data.
  • Enterprise provisioning, when an employer provides employee details (such as name and email address) to set up accounts under an enterprise subscription.
  • Third-party payment processors, which process billing transactions on our behalf.

5. How We Use Personal Data

We process personal data to:

  • Provide, operate, and improve the Platform
  • Deliver and personalise learning content, including placing learners into appropriate tracks and brackets based on employer, team, and role data
  • Manage lesson unlock schedules and cohort-based learning cadences
  • Generate and display gamification data, including XP, streaks, leaderboard rankings, and ranks
  • Process and store AI interactions (prompt inputs and outputs) to display recent prompt history to the user and, in anonymised form, to improve the prompt library and recommendation engine
  • Provide enterprise administrators with individual and aggregated learner progress data (see Section 9)
  • Process subscription payments
  • Send onboarding, engagement, and administrative communications via email
  • Maintain security, prevent abuse, and monitor performance
  • Comply with legal obligations and enforce our agreements

6. Legal Bases for Processing

Under UK GDPR and GDPR, we rely on the following legal bases:

  • Performance of a contract, where processing is necessary to provide the Platform and its features.
  • Legitimate interests, such as improving services, ensuring security, supporting business operations, and improving the prompt library using anonymised data.
  • Consent, where required (for example, for certain communications or optional features).
  • Legal obligations, where processing is required by law.

7. Enterprise Account Provisioning

Where an employer purchases an enterprise subscription, the employer (or its designated administrator) may provide employee names and email addresses to BrainLake for the purpose of provisioning accounts.

In such cases:

  • The employer confirms that it has a lawful basis to provide employee data to BrainLake for this purpose.
  • BrainLake processes this data to create accounts, assign learners to the appropriate team and learning bracket, and deliver the Platform's services.
  • Learners are notified at account creation that their account has been provisioned by their employer and that certain activity data will be visible to their enterprise administrator (see Section 9).

8. AI Processing and Data Use

The Platform includes AI-powered features such as the prompt scorer, sandbox exercises, and prompt library. The following applies to the use of these features:

  • User inputs submitted to AI features are sent to third-party AI providers (currently Anthropic) for processing. Anthropic's data processing terms govern their handling of this data.
  • The five most recent prompt inputs and outputs are stored in identifiable form against your account so that you can review your recent activity.
  • Beyond the five most recent prompts, AI interaction data may be retained by BrainLake in anonymised and aggregated form only. This anonymised data is used to improve the Platform's prompt library, scoring models, and learning content.
  • AI-generated outputs (including scores, feedback, and suggestions) are automated and may be inaccurate or incomplete. They should not be relied upon as professional advice.
  • Users should not submit sensitive personal data, confidential business information, or personal data of third parties into AI features. BrainLake is not responsible for data voluntarily submitted by users into these features.
  • Team prompt libraries (future feature): BrainLake may introduce the ability for users to share prompts with colleagues within their organisation via a team prompt library. If this feature is introduced, prompts shared to a team library will be accessible to authorised members of the same organisation. Users will be clearly informed before any prompt is shared, and sharing will require explicit action by the user.

9. Enterprise Data Visibility

Where a learner's account has been provisioned under an enterprise subscription, designated enterprise administrators within the learner's organisation may have access to the following data:

  • Streak status and history
  • XP totals
  • Number of lessons completed
  • Track and course focus areas
  • Improvement trends and progress over time
  • Leaderboard position within the team

Enterprise administrators do not have access to the content of a learner's AI interactions (such as prompt text, sandbox inputs, or scorer submissions). AI interaction content is visible only to the individual learner.

Learners are informed at account creation that their employer has visibility into the activity data listed above.

10. Third-Party Services

We use the following categories of third-party service providers to operate the Platform:

  • AI processing: Anthropic (for prompt scoring, sandbox exercises, and AI-powered features). Anthropic's privacy policy and data processing terms apply to data processed by their services.
  • Payment processing: Stripe (or equivalent provider) for subscription and billing transactions. We do not store full payment card details.
  • Email services: Third-party email providers for onboarding, engagement, and administrative communications.
  • Hosting and infrastructure: Cloud hosting providers for Platform infrastructure and data storage.

Each third-party provider operates under its own privacy policy and data processing agreements.

11. Data Sharing

We may share personal data with:

  • Service providers supporting infrastructure, AI processing, payments, email delivery, and analytics
  • Enterprise administrators within a learner's organisation, as described in Section 9
  • Professional advisors or authorities where required by law
  • Third parties in connection with corporate transactions (e.g. merger or acquisition)

We do not sell personal data.

12. International Data Transfers

Personal data may be processed outside the UK or EEA, including in the United States (for example, where AI processing is performed by Anthropic). Where this occurs, we rely on appropriate safeguards, such as standard contractual clauses, to protect personal data.

13. Data Retention

Personal data is retained as follows:

  • Account and profile data is retained until the account is deleted or terminated.
  • Learning activity data is retained for the duration of the account and may be retained in anonymised form thereafter for analytical purposes.
  • The five most recent AI interactions are retained in identifiable form against the user's account. Older AI interaction data is anonymised.
  • Billing records are retained as required by applicable tax and accounting laws.
  • Technical and usage logs are retained for a reasonable period for security and operational purposes.

14. Security Measures

BrainLake implements appropriate technical and organisational measures to protect personal data, including access controls, encryption where appropriate, and secure infrastructure.

Access to personal data is limited to authorised personnel with a legitimate business need.

15. Cookies and Analytics

[This section will be updated to reflect the specific cookies and analytics tools used by BrainLake once finalised.]

The Platform uses cookies for authentication and session management. We may also use analytics tools to understand how the Platform is used and to improve the user experience. Where cookies require consent, this will be obtained through a cookie banner or equivalent mechanism.

16. Content and Intellectual Property

All course content, learning materials, theory cards, exercises, prompt templates, and other educational content delivered through the Platform is proprietary to BrainLake and protected by copyright and other intellectual property rights.

Users may not reproduce, distribute, publicly display, or commercially exploit any Platform content without BrainLake's prior written consent.

Prompts and content created by users remain the intellectual property of the user. However, BrainLake may use anonymised and aggregated prompt data to improve the Platform, as described in Section 8.

Where a user shares a prompt to a team prompt library (if and when this feature is available), the user grants BrainLake and authorised team members a licence to use that prompt within the Platform for collaborative purposes.

17. Your Rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion of personal data
  • Object to or restrict certain processing
  • Request portability of your data
  • Withdraw consent where processing is based on consent

Requests can be made by contacting us at asher@brainlake.io.

18. Children

The Platform is not intended for individuals under the age of 18, and we do not knowingly collect personal data from children.

19. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on the Platform and become effective upon publication. Where changes are material, we will notify users by email or through the Platform.

20. Governing Law

This Privacy Policy is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

21. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact:

BrainLake Privacy Officer

Email: asher@brainlake.io