Privacy Policy
Last updated: 1 April 2026
1. Who We Are
BrainWise Ltd ("BrainWise", "we", "us") operates brainwise.org (the "Platform"). We are the data controller for personal data collected through the Platform. This Policy explains how we collect, use, and protect your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contact us at privacy@brainwise.org for any data-related enquiries.
2. Data We Collect
Account data
Name, email address, password (hashed), role (student/teacher), date of account creation.
Usage data
Topics practised, questions attempted, answers given, mastery scores, session attendance, time spent on the Platform.
Payment data
Subscription status, transaction IDs. Card details are processed by Stripe and never stored on our servers.
Technical data
IP address, browser type, device type, referring URL, and pages visited (via Supabase analytics).
Tutor data
DBS certificate number, subjects taught, availability, bank account details (processed via Stripe Connect).
3. How We Use Your Data
- To create and manage your account
- To provide adaptive practice questions and track your progress
- To facilitate session booking between students and tutors
- To process payments and payouts
- To send service-related notifications and updates
- To improve the Platform and personalise your experience
- To comply with legal obligations
4. Legal Basis for Processing
Contract performance: Account management, session booking, and payment processing.
Legitimate interests: Platform improvement, fraud prevention, and security.
Legal obligation: Tax records, safeguarding compliance.
Consent: Marketing communications (you may withdraw at any time).
5. Data Sharing
We share your data only with:
- Supabase — database and authentication infrastructure
- Stripe — payment processing and tutor payouts
- Vercel — hosting and CDN
- Tutors — your name and progress summary when you book a session
- Legal authorities — where required by law
We do not sell your personal data to third parties.
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where retention is required by law (e.g., financial records are kept for 7 years per HMRC requirements).
7. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — restrict processing in certain circumstances
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email privacy@brainwise.org. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. Security
We use industry-standard security measures including encrypted connections (TLS), hashed passwords, and row-level security in our database. However, no method of transmission over the internet is 100% secure. We encourage you to use a strong password and not share your account credentials.
9. Children's Privacy
We are aware that many of our users are under 18. We do not knowingly collect data from children under 13 without parental consent. If you believe a child under 13 has registered without parental consent, please contact us immediately and we will delete the account.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email. The date at the top of this page indicates when it was last revised.