Brightroom

Your Privacy Choices

Effective 2026-06-17 · Last reviewed 2026-06-17

This notice describes how Brightroom handles the personal information of consumers in the United States and the privacy rights available under U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the “CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Connecticut Data Privacy Act. It supplements, and should be read together with, our Privacy Policy, which is the primary description of how we process personal information for all users. Where this notice and the Privacy Policy differ on a U.S. state right, this notice governs for residents of the state in question.

Brightroom is an online preparation service for the GMAT Focus Edition. It is operated as a Swiss sole proprietorship based in St.Gallen, Switzerland; the registered legal name, business identification number and any required U.S. or EU representative are being finalised (see the Imprint).

1. Categories of personal information we collect

Over the preceding twelve months we have collected the following categories of personal information (as defined in Cal. Civ. Code § 1798.140(v)). For each category we set out the business or commercial purpose for which it is collected and the categories of third parties to whom it may be disclosed for those purposes. We do not collect the categories not listed below.

| Category | Examples | Business / commercial purpose | Disclosed to |
| --- | --- | --- | --- |
| Identifiers | Name, email address, account ID, and (in pseudonymous form) a salted SHA-256 hash of your IP address used as a security and rate-limit key | Creating and securing your account, authentication, sending transactional account, billing and security email, fraud and abuse prevention, and rate limiting | Hosting, authentication, email and security service providers (see Subprocessors) |
| Customer records / commercial information (Cal. Civ. Code § 1798.80) | Subscription plan, billing history, payment-card token held by our payment processor (we do not store full card numbers), referral code and referral activity | Processing payments, administering subscriptions and the free trial, operating the referral program, accounting and tax recordkeeping | Payment processor; hosting provider |
| Internet or other electronic network activity | Page views, UI interactions, the path you visit, browser user-agent, session durations, and diagnostic error and performance data | Operating and securing the Service, debugging, measuring and improving the product; non-essential analytics are used only with your consent | Hosting, analytics-infrastructure and error-monitoring providers |
| Geolocation data (coarse) | Approximate region inferred from IP address for security, fraud-prevention and rate-limiting purposes only | Securing the Service and preventing abuse | Hosting and rate-limiting providers |
| Inferences and professionally related information you provide | Study goals, target score, planned exam date, practice and exam responses, and the performance profile our adaptive engine and score predictor derive from them (see section 5) | Personalising your study plan, adapting question difficulty, and producing a non-binding estimated score | Hosting and database providers |
| Sensitive personal information | Your account login credentials in combination with the credentials needed to access the account (see section 6) | Authenticating you and securing access to your account only | Authentication provider |

We collect this information directly from you (when you register, set study goals, subscribe, or use the Service), automatically from your device as you use the Service, and, for referrals, from the person who invited you or whom you invited. We retain each category only for as long as needed for the purpose for which it was collected and as described in our Privacy Policy. We do not use or disclose personal information for purposes incompatible with those listed above without giving you notice.

2. Do Not Sell or Share My Personal Information

Brightroom does not sell your personal information, and has not sold any consumer’s personal information in the preceding twelve months. We do not exchange personal information for money or other valuable consideration.

We also do not “share” personal information for cross-context behavioral advertising, as that term is defined under the CCPA, and have not done so in the preceding twelve months. We do not load third-party advertising or audience-matching trackers, and we do not run targeted advertising based on your activity across other businesses’ sites.

Our referral program uses a first-party attribution cookie (br_ref, retained for 30 days) so that, when you follow a referral link, the friend discount and the referrer reward can be applied correctly. This attribution is a first-party operational function of our own Service, not advertising directed at you across other businesses. To avoid any doubt, you can switch it off using the opt-out methods in section 3, and we honour opt-out preference signals as described there.

Because we do not sell or share personal information as those terms are defined, you have nothing to opt out of for sale or sharing. If we ever begin to sell or share personal information, we will update this notice, provide a “Do Not Sell or Share My Personal Information” opt-out mechanism, and honour opt-outs before any such sale or sharing occurs.

3. Opt-out preference signals (Global Privacy Control)

We recognise and honour the Global Privacy Control (“GPC”) and other browser-level opt-out preference signals as a valid request to opt out of any sale or sharing of personal information and to opt out of non-essential analytics. When your browser or a browser extension sends a GPC signal, we treat it as an opt-out for that browser and device without requiring you to verify your identity. Because we already do not sell or share personal information, a GPC signal does not change whether your information is sold or shared; it does turn off non-essential analytics and the referral attribution cookie for that browser.

You can also exercise the same choices manually at any time:

  • decline or withdraw consent for non-essential analytics through the cookie controls described in our Cookie Policy;
  • email privacy@bright-room.com to ask us to apply an opt-out to your account; and
  • decline to follow a referral link, which prevents the br_ref attribution cookie from being set.

4. Notice of Financial Incentive (referral program)

Our referral program is a financial incentive under the CCPA (Cal. Civ. Code § 1798.125(b)) because it offers a price benefit in connection with the collection and use of personal information. Participation is entirely voluntary.

Material terms. When you share your referral link, the friend who subscribes through it receives 20% off their first plan, and you, as the referrer, earn a reward equal to 10% of what your friend actually pays, delivered as account credit (or, where applicable, a payout). To operate the program we collect and use the referral code, referral link clicks, the attribution cookie, and the resulting subscription and reward records, and we disclose limited information between the two participants: the referrer can see the friend’s first name or a masked identifier, plan tier, dates and the resulting reward, and the friend can see the referrer’s first name at the point of signup. Full conditions are in the Affiliate Terms.

How to opt in and opt out. You opt in only by choosing to take part — by sharing your referral link, or, as a friend, by following a referral link and applying the discount at checkout. You can withdraw at any time, without penalty, by not sharing or using a referral link, by declining or removing the discount before you subscribe, or by emailing privacy@bright-room.com. Withdrawing does not affect access already granted.

Good-faith estimate of the value of the data. We have made a reasonable, good-faith estimate of the value of the personal information that is relevant to the incentive. The financial incentive is not based on the value of your personal information to us; it is a marketing benefit. For the purposes of Cal. Civ. Code § 1798.130(a)(5)(C), we estimate the value of the personal information involved (the referral and attribution data described above) to be no greater than the value of the incentive offered — that is, the 20% discount and the 10% reward measured against the applicable plan price. This estimate is based on the cost of the discount and reward we provide, which is the only consideration tied to the referral data; we do not otherwise monetise that data.

5. Profiling and automated processing

Our adaptive engine and score predictor profile you from your performance data — for example, by estimating your ability on each section, grouping topics into weaker and stronger areas, and producing a non-binding estimated score. This is profiling under privacy law, and we disclose it plainly. The score predictor is an estimate, not a promise of any result.

This profiling personalises your study experience only. It does not produce legal effects concerning you or similarly significant effects, and it has no bearing on pricing, eligibility, or any decision about you outside the Service. Residents of Virginia, Colorado and Connecticut may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects; because our profiling produces no such effects, there is no such decision to opt out of, but you may object to the personalisation by contacting us as described in section 6 (note that some adaptive features may not function without it).

6. Sensitive personal information and the right to limit

The only sensitive personal information we process is your account login credentials together with the information that allows access to your account. We use this solely to authenticate you and secure your account. We do not use or disclose sensitive personal information to infer characteristics about you, and we do not use it for any purpose beyond those permitted without a right to limit under 11 CCR § 7027(m). Because our use is limited to these permitted security and authentication purposes, the CCPA right to limit the use of sensitive personal information does not give you anything further to restrict; if you believe we are using sensitive personal information beyond these purposes, contact us and we will limit it.

7. Your rights and how to exercise them

Subject to your state of residence and to verification, you have the right to:

  • Know and access the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients;
  • Delete personal information we have collected from you, subject to legal exceptions;
  • Correct inaccurate personal information we maintain about you;
  • Opt out of the sale or sharing of personal information and of profiling that produces legal or similarly significant effects (see sections 2, 3 and 5); and
  • Not be discriminated or retaliated against for exercising any of these rights (see section 8).

The fastest way to exercise the rights to know, access, delete and correct is self-service in your account. From /account you can export a copy of your data and permanently delete your account and associated data; you can also edit your profile and study goals to correct them. You may also submit a request by emailing privacy@bright-room.com, which is our designated request method for residents without an account and for any request the self-service tools do not cover. Every plan begins with a 5-day free trial; exercising a privacy right does not affect your trial or subscription.

We will acknowledge a verifiable request within 10 business days and respond within 45 calendar days, extendable by a further 45 days where reasonably necessary, in which case we will tell you. To protect your account we may need to verify your identity, typically by confirming control of the account email. You may use an authorised agent to submit a request on your behalf; we may ask the agent for proof of authorisation and may ask you to verify your own identity directly.

Appeals

If we decline your request, you may appeal that decision. Residents of Virginia, Colorado, Connecticut and other states with an appeal right may appeal by replying to our decision or emailing privacy@bright-room.com with the subject “Privacy appeal”. We will respond to an appeal within 45 days (or as your state law requires) and explain the outcome. If we deny your appeal, you may contact your state attorney general; California residents may also contact the California Privacy Protection Agency.

8. Non-discrimination

We will not discriminate or retaliate against you for exercising any privacy right. We will not deny you the Service, charge you a different price, or provide you a different level or quality of service because you exercised a right. The only exception is the voluntary referral financial incentive in section 4, which offers a benefit reasonably related to the value of the personal information involved and which you may join or leave freely.

9. Children

The Service is directed to adults preparing for graduate-management admission and is not directed to children. We do not knowingly sell or share the personal information of consumers under 16, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact privacy@bright-room.com and we will delete it.

10. Review and updates

We review this notice at least once every twelve months and update it when our practices change. The effective and last-reviewed dates appear at the top of this page. Material changes will be reflected here and, for account holders, communicated as required by law.

11. Contact

Brightroom is the business responsible for the personal information described here. It is operated as a Swiss sole proprietorship based in St.Gallen, Switzerland; the registered legal name, business identification number and any required U.S. or EU representative are being finalised (see the Imprint). For any privacy request or question, email privacy@bright-room.com or write to us at Rosenbergstrasse 4, 9000 St.Gallen, Switzerland. For the full description of how we process personal information, see our Privacy Policy.

GMAT® is a registered trademark of the Graduate Management Admission Council™. The Graduate Management Admission Council does not endorse, and is not affiliated with the owner or content of Brightroom.
© 2026 Brightroom. Last updated 2026-06-17. Questions? privacy@bright-room.com
