Privacy Policy
Effective 2026-04-30
This Privacy Policy explains how Brightroom (“we”, “us”, “our”) processes personal data when you visit https://bright-room.com, create an account, or use our adaptive GMAT® preparation service (the “Service”). It is written to comply with the Swiss Federal Act on Data Protection (revFADP / FADP) and the EU General Data Protection Regulation (GDPR).
1. Controller
The data controller responsible for processing under Art. 4(7) GDPR and Art. 5(j) FADP is:
Brightroom
Rosenbergstrasse 4
9000 St. Gallen, Switzerland
UID: CHE-XXX.XXX.XXX
Email: privacy@bright-room.com
We have not appointed a Data Protection Officer; we are not required to under Art. 37 GDPR or Art. 10 FADP given our scale and the nature of our processing. For users in the EU, our representative under Art. 27 GDPR is the same controller above (we operate from Switzerland; if and when we appoint an EU representative, we will list them here).
2. What data we process
We process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, password (hashed), account creation date | You, at sign-up |
| Study profile | Target GMAT score, target exam date, prior preparation level | You, during onboarding |
| Usage data | Exam sessions, answers, response times, score predictions, flags, lesson notes | Generated as you use the Service |
| Billing data | Subscription status, trial dates, Stripe customer ID, invoice history (we never see or store your card number) | Stripe, when billing is active |
| Technical data | IP address, browser, device, log timestamps, session cookies | Automatically, when you visit the Service |
We do not knowingly process special categories of personal data (Art. 9 GDPR) or data of children under 16. The Service is intended for adults preparing for graduate-school admissions tests.
3. Purposes and legal bases
| Purpose | Legal basis (GDPR / FADP) |
|---|---|
| Provide the Service (account, exam engine, results) | Performance of contract — Art. 6(1)(b) GDPR / Art. 31(2)(a) FADP |
| Process payments and prevent fraud | Performance of contract / legal obligation |
| Send transactional emails (verification, billing, security) | Performance of contract |
| Improve product quality, fix bugs, analyse usage | Legitimate interests — Art. 6(1)(f) GDPR |
| Marketing emails (if you opt in) | Consent — Art. 6(1)(a) GDPR / Art. 6(6) FADP |
| Comply with legal, tax, and accounting obligations | Legal obligation — Art. 6(1)(c) GDPR |
4. Recipients and subprocessors
We share personal data only with the processors listed below, each bound by a Data Processing Agreement (Art. 28 GDPR).
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Authentication, Postgres database hosting | European Union (Frankfurt) / United States |
| Stripe Payments Europe, Ltd. | Subscription billing, payment processing | Ireland (EU) / United States |
| Vercel, Inc. | Application hosting, edge delivery | European Union / United States |
We do not sell your personal data, and we do not use it to train third-party machine-learning models.
5. International data transfers
Some of our processors store or process data outside Switzerland and the EEA (notably in the United States). For transfers to a country without an adequacy decision under Art. 45 GDPR / Art. 16 FADP, we rely on:
- The EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework where the recipient is certified;
- Standard Contractual Clauses (Art. 46 GDPR) supplemented by technical and organisational measures where necessary; and
- Where appropriate, additional safeguards such as encryption in transit and at rest.
6. Retention
- Active account: we keep your data for as long as you maintain an account.
- After deletion: we erase or anonymise personal data within 30 days of deletion, except for records we are legally required to retain (e.g. invoices for 10 years under Swiss accounting law).
- Backups: automated database backups are retained for up to 30 days, after which they are overwritten.
7. Your rights
Under the GDPR (Art. 15–22) and the FADP (Art. 25 ff.), you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (“right to be forgotten”);
- restrict or object to processing;
- receive your data in a structured, machine-readable format and transmit it to another controller (data portability);
- withdraw consent at any time, without affecting the lawfulness of prior processing;
- lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU supervisory authority.
You can exercise most of these rights directly from your account settings — including downloading a full copy of your data and deleting your account. For other requests, email privacy@bright-room.com and we will respond within 30 days.
8. Cookies and tracking
We use a small number of cookies to keep you signed in and to understand how the Service is used. You can manage your preferences at any time via the cookie banner or our Cookie Policy.
9. Security
We protect personal data with TLS in transit, encryption at rest, access controls, audit logging, and regular review of our processors. Despite reasonable measures, no system is 100% secure; we will notify you and the competent supervisory authority of any breach affecting your data within 72 hours, as required by Art. 33–34 GDPR.
10. Automated decision-making
Our adaptive engine personalises practice questions based on your responses. This is automated processing, but it does not produce legal or similarly significant effects: it only tailors the difficulty and topic of practice items and produces no binding outcomes about you, so Art. 22 GDPR does not apply. You can ask us for a manual review of any score prediction by emailing privacy@bright-room.com.
11. Changes to this policy
We will update this policy when our processing changes. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The current version is dated at the top of this page.
12. Contact
Questions about this policy? Write to privacy@bright-room.com or by post to the address in Section 1.