Legal
Privacy Policy
Last updated: April 2026 · Effective immediately
1. Who we are
iBrain Gym is operated by iBrain LAB. We build cognitive performance tools that help people understand how their mind is performing day to day. Our registered contact for data matters is available at the address below.
2. What data we collect
We collect the following categories of data:
• Phone number (hashed with SHA-256 — we never store the raw number)
• Cognitive test results: reaction time, memory accuracy, flexibility scores
• Session timestamps and computed cognitive state labels
• Email address (only if you choose to save your pattern or subscribe)
• Device type and browser (for performance diagnostics only)
• Biometric data (facial images processed for liveness verification only — see Section 4)
We do not collect your name or location.
3. Phone number and SMS communications
You are responsible for providing an accurate phone number, as it is used for account access and important notifications. When you provide a phone number, we verify it via a one-time SMS code (OTP) to confirm it is valid and belongs to you. This ensures your number is validated before use.
SMS may be used for:
• One-time verification codes (OTP) during account setup
• Security notifications (e.g. new device access)
• Session confirmations (if opted in)
SMS is a support and notification channel only. It is not required to cancel your account or take any other account action. You can cancel your subscription directly within the app at any time without any SMS interaction.
If you no longer have access to your registered phone number, please contact support at support@ibrainlab.de to verify your account through an alternative method.
4. Face verification and biometric data (GDPR Article 9)
When you choose to save or access your pattern, we use secure face verification to confirm it is really you. This process involves the processing of biometric data as defined under GDPR Article 9.
What we process:
• Your camera captures a brief sequence of frames during the verification step
• A liveness check confirms that you are physically present — not a photo, video, or recording
• Your face is converted into a secure mathematical representation (a numeric vector) by our verification provider, BioID
• Facial images are processed only for verification and are not stored after the check completes
• The mathematical representation is not retained on our servers after verification is complete
Legal basis: Explicit consent under GDPR Article 9(2)(a). You must actively tick the biometric consent checkbox before face verification begins. You may withdraw this consent at any time by contacting privacy@ibrainlab.de — withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Face verification is required only for saving or accessing your pattern. You can complete a test without it.
Data processor: BioID GmbH (Germany) processes verification requests under a Data Processing Agreement. BioID does not retain facial images after verification. We do not use your biometric data to train AI models or for any purpose other than liveness verification.
5. How we use your data
Your data is used exclusively to:
• Compute your cognitive score and track how it changes over time
• Personalise your session insights and coaching messages
• Send you session summaries or streak reminders (only if you opt in)
• Improve our scoring models using aggregated, anonymised signals
We do not sell your data. We do not use it for advertising profiling.
6. Legal basis (GDPR)
For users in the European Economic Area, our legal basis for processing is:
• Legitimate interest — to provide the core cognitive testing service
• Consent — for email communications, optional analytics, and face verification
• Explicit consent (Article 9(2)(a)) — for biometric data processing during face verification
• Contract performance — when you purchase a premium subscription
You may withdraw consent at any time without affecting the lawfulness of prior processing.
7. Data retention
Session data is retained for as long as your account is active, or for a maximum of 3 years from your last session. You may request deletion at any time. Anonymised aggregate data (no personal identifiers) may be retained indefinitely for research purposes.
8. Your rights
Under GDPR and applicable privacy laws, you have the right to:
• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion ("right to be forgotten")
• Restrict or object to processing
• Data portability
• Lodge a complaint with your national supervisory authority
To exercise any of these rights, contact us at privacy@ibrainlab.de
9. Cookies
We use strictly necessary cookies to maintain your session state. With your consent, we also use analytics cookies (Google Analytics) to understand how users interact with the app. You can manage your cookie preferences at any time using the banner at the bottom of this page.
10. Third-party services
We use the following third-party processors:
• Supabase (database and authentication) — EU data residency
• Stripe (payment processing) — PCI DSS compliant
• Resend (transactional email) — GDPR compliant
• BioID (secure face verification, as a data processor) — processes verification requests; images are not stored
• Google Analytics (optional analytics) — only with your consent
Each processor is bound by a Data Processing Agreement.
11. Security
Your phone number is never stored in plain text — it is hashed with SHA-256 before being written to our database. All data is transmitted over TLS 1.3. Access to production data is restricted to authorised personnel only. Face verification is designed to prevent unauthorised access and helps ensure only you can access your pattern.
12. Contact
For privacy enquiries: privacy@ibrainlab.de
iBrain LAB, Germany