
Privacy Policy

Effective 2026-06-17

This Privacy Policy explains how Brightroom (“Brightroom”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit https://bright-room.com, create an account, or use our adaptive preparation service for the GMAT® Focus Edition (the “Service”). It is written to satisfy the information duties of the EU General Data Protection Regulation (GDPR, Art. 13–14), the Swiss Federal Act on Data Protection (revFADP / nFADP), the UK GDPR, and applicable US state privacy laws. A dedicated U.S. state privacy section appears below; a fuller US opt-out walkthrough lives at Your Privacy Choices.

1. Who is responsible (controller)

The controller responsible for processing under Art. 4(7) GDPR and Art. 5(j) revFADP is:

Brightroom (Sole proprietorship (registration pending))
Rosenbergstrasse 4
9000 St.Gallen, Switzerland
UID: CHE-XXX.XXX.XXX
Privacy contact: privacy@bright-room.com

Brightroom is currently operated as a Swiss sole proprietorship based in St.Gallen. Registration details (UID), the VAT number, and — where required — an EU representative are being finalised and will be published here.

We have not appointed a Data Protection Officer. We are not required to designate one under Art. 37 GDPR given our scale and the nature of our processing, and Swiss law (revFADP Art. 10) treats a data-protection adviser as optional rather than mandatory for us. For privacy matters, write to privacy@bright-room.com.

EU / UK representative. Because we are established in Switzerland (a country outside the EU and the UK) and offer the Service to people in the EU and the UK, Art. 27 GDPR and Art. 27 UK GDPR require us to designate a representative established in those territories. A representative is being appointed; until that is finalised, this section will name them with a full address. We do not claim to be our own representative. The converse Swiss-representative duty (revFADP Art. 14) does not apply to us, because the controller is itself established in Switzerland.

2. What data we process

We process the following categories of personal data. “You” means the source is information you give us; “generated” means the Service produces it as you use it.

| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, password (stored only as a salted hash), account creation date, the Terms/Privacy version you accepted and when | You, at sign-up |
| Study profile | Target score, target exam date, prior preparation level | You, during onboarding |
| Learning & performance data | Exam and practice sessions, answers, response times, flags, lesson notes, roadmap progress, and the estimates our engine derives from them (ability estimates per section, topic strength buckets, a non-binding predicted score) — see §10 on profiling | Generated as you use the Service |
| Billing data | Plan, subscription status, trial dates, Stripe customer ID, invoice history (we never see or store your full card number) | You and Stripe, when billing is set up |
| Product analytics / event telemetry | Page views, in-app interactions and clicks, the path you visit, UI durations (dwell), a truncated browser user-agent string, and your IP address stored only as a salted SHA-256 hash (see the note below) | Generated automatically as you use the Service |
| Referral / affiliate data | Your referral code, referral-link clicks, conversions, reward balance, and the links between a referrer and the friend they referred (including plan and reward figures) — see §6 | Generated when you join or use the referral programme |
| Guarantee / score-report data | For the ULTRA guarantee only: official GMAT Focus Edition score reports you email us (which carry your name and registration ID), used to administer the guarantee | You, if you claim the guarantee |
| Technical & security data | IP address used transiently as a rate-limiting key, the one-active-session identifier (br_sid), diagnostic error and performance data, server log timestamps | Automatically, when you use the Service |
| Communications | The content of support requests and issue reports you send us, and the email address and name we use to deliver transactional email | You, when you contact us |

On the IP hash and user-agent. The salted SHA-256 IP hash and the user-agent string in our event telemetry are pseudonymous personal data, not anonymous data. A hash of an IP address can in principle be linked back to a person by someone with the salt and database, so we treat it as personal data with its own purpose, legal basis, and retention period (see §3 and §7). We store the IP only as this hash — we do not retain the raw IP in the event stream — and we reduce URLs to their path to avoid capturing query-string content.

We do not intentionally collect special categories of personal data (Art. 9 GDPR / Art. 5(c) revFADP). Please do not put health, political, biometric, or similar sensitive information into free-text notes or support messages.

3. Why we process it, and on what legal basis

Each purpose below rests on one lawful basis. Where we rely on legitimate interests, we have weighed those interests against your rights and will share our balancing assessment on request.

| Purpose | Legal basis (GDPR / revFADP) |
|---|---|
| Provide the Service: your account, the exam engine, results, and personalised study recommendations | Performance of a contract — Art. 6(1)(b) GDPR; revFADP Art. 31(2)(a) |
| Process payments, manage subscriptions, and prevent fraud | Contract — Art. 6(1)(b); legal obligation — Art. 6(1)(c) |
| Send transactional email (verification, billing, trial, security, and account notices) | Contract — Art. 6(1)(b) |
| Run the referral / affiliate programme (attribution, reward calculation, payout) | Contract with the participant — Art. 6(1)(b); our legitimate interest in operating the programme — Art. 6(1)(f) |
| Product analytics / event telemetry (page views, interactions, dwell), including the salted IP hash and user-agent | Your consent — Art. 6(1)(a); ePrivacy Art. 5(3); revFADP Art. 6(6). Non-essential analytics fire only after you accept them. |
| Keep the Service available and safe: rate limiting (IP as a throttle key), security and audit logging of sensitive account actions, abuse prevention, and diagnostic error/performance monitoring | Legitimate interests in security and reliability — Art. 6(1)(f); legal obligation where applicable — Art. 6(1)(c) |
| Administer the ULTRA score guarantee | Contract — Art. 6(1)(b) |
| Marketing email, if and when offered (we do not currently send promotional email) | Consent — Art. 6(1)(a); ePrivacy Art. 13. Any such consent would be a separate, unticked opt-in, never bundled with accepting the Terms, and withdrawable at any time. |
| Comply with legal, tax, and accounting obligations | Legal obligation — Art. 6(1)(c) |

A note on operational events: a small set of records (for example sign-in, sign-up, account deletion, and a referral-link click) is written to run and secure the Service itself rather than for analytics. These rest on contract and our legitimate interest in security, are kept for a limited period (see §7), and are not used to build a marketing profile of you.

4. Who we share data with (recipients & subprocessors)

We engage the processors below to run the Service. Each is bound by a data-processing agreement under Art. 28 GDPR and may process your data only on our instructions. We do not sell your personal data, and we do not share it with data brokers or advertising networks.

| Processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase, Inc. | Authentication, Postgres database hosting | European Union (Frankfurt) / United States | SCCs + Swiss addendum; primary EU (Frankfurt) residency |
| Stripe Payments Europe, Ltd. | Subscription billing, payment processing | Ireland (EU) / United States | DPF-certified, backed by SCCs |
| Vercel, Inc. | Application hosting, edge delivery | European Union / United States | DPF-certified, backed by SCCs |
| Resend (Plus Five Five, Inc.) | Transactional email delivery (account, billing and security messages — recipient name + email address) | United States | SCCs + Swiss addendum |
| Functional Software, Inc. (Sentry) | Error and performance monitoring (diagnostic data; PII scrubbed before send) | United States | SCCs + Swiss addendum |
| Upstash, Inc. | Redis-backed API rate limiting (uses the client IP as a throttle key) | European Union / United States | SCCs + Swiss addendum |

A current list is also kept at our Subprocessors page. Beyond these processors, we disclose personal data only to other users where you choose to use the referral programme (see §6), and to authorities or advisers where the law requires it or to establish, exercise, or defend legal claims. A copy of the relevant Standard Contractual Clauses is available on request to privacy@bright-room.com.

Diagnostic monitoring. Our error- and performance-monitoring provider (Sentry) receives technical diagnostic data so we can detect and fix faults. We configure it not to send personal data by default and scrub error payloads before they leave us; sampled performance traces may include the request path. We do not use your data to train third-party machine-learning models, and we do not sell it for that purpose. We do fit our own first-party models — per-user ability estimates and aggregate item calibration that power the adaptive engine (see §10) — on the basis of contract performance.

5. International data transfers

Some processors store or process data outside Switzerland and the EEA (notably in the United States). For each such transfer we map a specific safeguard, shown per processor in the table in §4:

  • Adequacy. Under the GDPR we rely on a Commission adequacy decision (Art. 45) where one exists; under Swiss law, adequacy is set by the Federal Council list (DSV Annex 1). For the United States, this covers only recipients certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework (“DPF”).
  • Standard Contractual Clauses (SCCs). Where a US recipient is not DPF-certified for the relevant data, we rely on the EU Standard Contractual Clauses (Art. 46 GDPR) together with the FDPIC-recognised Swiss addendum (revFADP Art. 16(2)(d)), supplemented by technical and organisational measures.
  • Supplementary measures. These include encryption in transit and at rest, pseudonymisation, EU-region data residency where available, and minimisation of what each processor receives.

We keep an internal transfer record and, for US importers, a short transfer-impact assessment. We do not currently rely on the EU Online Dispute Resolution platform for any of this, as that platform was shut down in July 2025.

6. The referral / affiliate programme

If you join the referral programme, you receive a shareable code and a public link (https://bright-room.com/r/<code>). When someone follows your link we set a first-party attribution cookie (br_ref) on their device for 30 days so we can credit the referral; their friend gets 20% off and you earn a 10% reward (a Stripe balance credit or payout). We process this in both directions, and you should understand what is shared:

  • If you refer someone: your first name is shown to people who use your referral link (for example on the sign-up screen), and your account identifier is passed to Stripe as transaction metadata so a reward can be calculated.
  • If you sign up through someone’s link: your status as a referred user, the plan you take, the date, and the resulting reward are recorded against the referrer, and a limited identifier (your first name or a masked email) is shown on the referrer’s dashboard. Because this information about you is obtained in connection with another user’s referral rather than directly from you for this purpose, this paragraph also serves as the Art. 14 GDPR notice for that processing.

The legal basis is the contract you enter when you join the programme (Art. 6(1)(b)) and our legitimate interest in operating it (Art. 6(1)(f)). US consumers should also see the financial-incentive notice in Your Privacy Choices and the Affiliate Terms.

7. How long we keep data (retention)

  • Account & learning data: kept while your account is active. On deletion (which you can trigger yourself — see §8) we erase or anonymise it within 30 days, except records we are legally required to keep.
  • Billing records & invoices: retained for up to 10 years to meet Swiss accounting and tax obligations, then deleted.
  • Product analytics / event telemetry (including the salted IP hash and user-agent): retained for up to 13 months from collection, after which it is deleted or aggregated. Anonymous event rows are subject to the same cut-off.
  • Security / audit log: de-identified records of sensitive account actions (deletions, admin actions, authentication events) are kept for up to 13 months on the basis of our legitimate interest in security and fraud prevention, and are no longer linked to your identity after account deletion.
  • Referral ledger: after a referred person deletes their account we retain only the minimum pseudonymised financial figures (plan, purchase and reward amounts, dates) needed to keep an accurate earnings record for the referrer, on the basis of our legitimate interest in an accurate ledger and our accounting obligations.
  • Backups: automated database backups are retained for up to 30 days, after which they are overwritten.

8. Your rights

Under the GDPR (Art. 15–22), the UK GDPR, and the revFADP (Art. 25 ff.), you have the right to:

  • access the personal data we hold about you, including the estimates our profiling produces (Art. 15(1)(h));
  • have inaccurate data corrected (rectification);
  • have your data erased (“right to be forgotten”);
  • restrict or object to processing, including objecting to processing based on our legitimate interests and to the profiling described in §10 (Art. 21);
  • receive your data in a structured, machine-readable format and have it transmitted to another controller (portability);
  • withdraw consent at any time (for analytics, via the cookie controls), without affecting the lawfulness of processing before withdrawal;
  • lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), your EU supervisory authority, or the UK Information Commissioner’s Office.

You can exercise the core rights yourself in your account settings: download a full copy of your data, edit your study profile, and delete your account (which also removes your data from Stripe and our database within 30 days). Editing your name or email and any other request can be made by emailing privacy@bright-room.com; we respond within 30 days (extendable for complex requests, and within 45 days for US requests — see the U.S. section).

9. Cookies and tracking

We use a small number of first-party cookies and similar storage to keep you signed in, to enforce one active session per account (br_sid), to remember your consent choices, to attribute referrals (br_ref), and — only after you accept them — for product analytics. Signing in on a new device ends the session on your other devices. You can review and change your choices at any time via the cookie controls or our Cookie Policy. We honour the Global Privacy Control (GPC) browser signal as an opt-out of non-essential analytics and of cross-context sharing.

10. Profiling and automated decisions

We profile you within the meaning of Art. 4(4) GDPR. Our adaptive engine analyses your answers, accuracy, and timing to estimate your ability per section and to sort topics into strength buckets, and it uses those estimates to choose which practice items to show you next. Our score predictor produces a non-binding estimated score from your recent results. This is an estimate, never a promise.

Logic, significance, and consequences (Art. 13(2)(f) / 15(1)(h)). The logic is item-response-theory difficulty selection plus an average of your recent mock results — not a separate “black-box” system. Its only effect is to tailor the difficulty, topic, and recommendations of your practice and to display an estimated score; it does not set your price, gate your eligibility, or make any other decision about you.

This profiling does not amount to a solely automated decision producing legal or similarly significant effects under Art. 22 GDPR. Where an outcome could be significant — in particular a determination under the ULTRA score guarantee — a human reviews the determination before it is finalised. You may object to the profiling under Art. 21, and you may ask us to review any score estimate or guarantee determination by emailing privacy@bright-room.com. The Swiss profiling rules (revFADP Art. 5(f)–(g), 19(3), 21) are addressed by the same disclosures and rights.

11. Security

We protect personal data with TLS encryption in transit, encryption at rest at our infrastructure providers, access controls, event logging of sensitive actions, and regular review of our processors. No system is completely secure. If a personal-data breach occurs, we will notify the competent supervisory authority within 72 hours where Art. 33 GDPR requires it (and the FDPIC as soon as possible where revFADP Art. 24 applies), and we will inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).

12. Children

The Service is intended for adults preparing for graduate-management admissions tests and is not directed to children. You must be at least 16 years old — or older where your country sets a higher age of digital consent under Art. 8 GDPR — to hold an account. We do not knowingly collect personal data from anyone below that age (and, for US users, we do not knowingly collect personal data from children under 13). Age is currently self-attested at sign-up. If you believe a minor has provided us with personal data, contact privacy@bright-room.com and we will delete it promptly.

13. U.S. state privacy rights

This section applies to residents of US states with comprehensive privacy laws, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA). It supplements the rest of this policy and serves as our notice at collection. The categories of personal information we collect, our purposes, sources, and the recipients are described in §§2–4, and our retention periods in §7.

We do not sell or share your personal information as those terms are defined under the CCPA (including for cross-context behavioural advertising), and we have not done so in the preceding 12 months. We load no third-party advertising or analytics trackers. If we ever introduced one, we would re-classify the activity, add a “Do Not Sell or Share My Personal Information” control, and honour the GPC signal as an opt-out.

We do not process sensitive personal information as defined by the CCPA.

Subject to your state’s law, you have the right to:

  • know about and access the personal information we hold;
  • delete and correct your personal information;
  • opt out of any sale or sharing, and of targeted advertising (we do none);
  • opt out of profiling in furtherance of decisions producing legal or similarly significant effects — our profiling (§10) does not produce such effects;
  • not be discriminated or retaliated against for exercising a right.

You can use two request methods: the self-service export and delete tools in your account settings, or email privacy@bright-room.com. We will verify your request against your account, respond within 45 days (with one permitted 45-day extension), and allow an authorised agent to act for you with proof of authorisation. If we deny a request, residents of Virginia, Colorado, and Connecticut may appeal by replying to our decision; we will respond to the appeal within the time their law allows. A fuller walkthrough — including the affiliate financial-incentive notice — is at Your Privacy Choices.

14. Changes to this policy

We update this policy when our processing changes and review it at least once every 12 months. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The effective date is shown at the top of this page.

15. Contact

For any privacy question or to exercise a right, write to privacy@bright-room.com or by post to the address in §1. Our company details are on the Imprint.

GMAT® is a registered trademark of the Graduate Management Admission Council™. The Graduate Management Admission Council does not endorse, and is not affiliated with the owner or content of Brightroom.
© 2026 Brightroom. Last updated 2026-06-17. Questions? privacy@bright-room.com
