Privacy Policy
Effective Date: November 1, 2025
Last Updated: November 7, 2025
Version: 1.0
1. Introduction
Welcome to BrainUs LK, a gamified learning platform for Sri Lankan A/L and O/L students. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the Personal Data Protection Act No. 9 of 2022 as amended by Act No. 22 of 2025 ("PDPA"), GDPR principles, and international child privacy standards.
Data Controller:
- Name: BrainUs LK
- Email: privacy@brainus.lk
- Location: Colombo, Sri Lanka
- Data Protection Officer: To be designated (may be external third-party contractor per PDPA 2025 Section 20)
2. Information We Collect
2.1 Information You Provide During Registration
Account Creation:
- Email address
- Password (stored only as a secure hash, never in plaintext; see Section 8)
- Display name
Student Profile (During Onboarding):
- Username
- First name and last name
- Date of birth (to verify age and provide age-appropriate content)
- Gender (optional)
- WhatsApp number (optional, for notifications only)
- District and school
- Grade (6-13)
- Education medium (Sinhala/English)
- Selected subjects
2.2 Automatically Collected Information
Usage Data:
- Quiz attempts and scores
- Time spent on questions and papers
- Learning progress and completion rates
- Login patterns and streak tracking
- XP, level, and cookie balance
- Achievement unlocks
Technical Data:
- IP address
- Browser type and version
- Device type
- Operating system
- Page views and navigation patterns
Social Features:
- Friend connections
- Leaderboard participation (if opted in)
Financial Data:
- Subscription plan details
- Payment history (processed securely by our payment processor)
3. How We Use Your Information
3.1 Primary Purposes
- Educational Services: Provide personalized quiz content, track progress, recommend papers
- Account Management: Create and maintain your account, authenticate logins
- Gamification: Calculate XP, levels, cookies, streaks, and achievements
- Social Features: Enable friendships and leaderboard participation (with your consent)
- Communication: Send important updates, password resets, and notifications
- Platform Improvement: Analyze usage patterns to improve educational content and user experience
3.2 Legal Basis for Processing (GDPR)
- Contract Performance: Processing necessary to provide our services
- Consent: For optional features (analytics, marketing, social features)
- Legitimate Interest: Platform security, fraud prevention, service improvement
- Legal Obligation: Compliance with tax, accounting, and regulatory requirements
4. Data Sharing and Third-Party Processors
We share your data with the following trusted third-party service providers:
4.1 Supabase (Database & Authentication)
- Purpose: Secure storage of your account and educational data
- Data Shared: All user data stored in our database
- Location: United States (check your Supabase project region in dashboard for exact location)
- Safeguards: Standard Contractual Clauses, Data Processing Agreement, encryption
- Privacy Policy: https://supabase.com/privacy
4.2 PostHog (Analytics)
- Purpose: Understand platform usage to improve educational experience
- Data Shared: Usage patterns, educational events, pageviews (pseudonymized where possible)
- Location: United States
- Opt-Out: You can disable analytics in your privacy settings
- Safeguards: Data Processing Agreement, encryption in transit
- Privacy Policy: https://posthog.com/privacy
4.3 Paddle (Payment Processor)
- Purpose: Process subscription payments securely
- Data Shared: Name, email, payment information
- PCI DSS Compliant: Yes
- Location: United Kingdom / United States
- Privacy Policy: https://www.paddle.com/legal/privacy
We do NOT:
- Sell your personal data to third parties
- Use your data for advertising purposes
- Share your data with schools or educational institutions without consent
5. Children's Privacy
5.1 Age Requirements
Our platform is designed for students in grades 6-13 (ages 11-18). We take children's privacy seriously.
For Users Under 13:
- We require verifiable parental consent before collecting personal information
- Parents must review this Privacy Policy and actively consent
- Parents can review, modify, or delete their child's information at any time
For Users 13-15:
- We encourage parental involvement and provide parental notification options
- Enhanced privacy protections apply
For Users 16+:
- Standard consent procedures apply
5.2 Parental Rights
If you are a parent or guardian, you have the right to:
- Review your child's personal information
- Request deletion of your child's data
- Refuse further collection of your child's information
- Manage your child's privacy settings
- Access a parent dashboard showing your child's activity
Parent Contact: parents@brainus.lk
6. Your Privacy Rights
6.1 Under GDPR and Sri Lankan Law
You have the following rights:
Right to Access:
- Request a copy of all personal data we hold about you
- Download your data in a portable format (Account Settings > Download My Data)
Right to Rectification:
- Correct inaccurate personal information
- Update your profile in Account Settings
Right to Erasure ("Right to be Forgotten"):
- Request deletion of your personal data
- Use Account Settings > Privacy > Delete Account
- Note: We may retain some data for legal compliance (e.g., payment records for tax purposes)
Right to Restriction:
- Limit how we use your data in certain circumstances
Right to Data Portability:
- Receive your data in a machine-readable format
- Transfer your data to another service
Right to Object:
- Object to processing based on legitimate interests
- Opt out of marketing communications
- Disable analytics tracking
Right to Withdraw Consent:
- Withdraw consent for optional features at any time
- Managed in Account Settings > Privacy
Right to Lodge a Complaint:
- Contact your local data protection authority
- [Sri Lankan DPA contact when established]
6.2 How to Exercise Your Rights
- Account Settings: Most rights can be exercised directly in your account settings
- Email: privacy@brainus.lk
- Response Time: We will respond within 1 month of your request. In complex cases, we may extend this to 3 months and will notify you of the extension and reasons within the initial 1-month period (PDPA 2025 Section 17).
6.3 Right to Appeal
If you are dissatisfied with our response to your privacy rights request:
- You have the right to appeal to the Data Protection Authority of Sri Lanka
- We will inform you of this right and provide the Authority's contact details with our response
- You can also lodge a complaint with the Authority if you believe we have violated your data protection rights
- Data Protection Authority Contact: [To be added when established]
7. Data Retention
We only keep your data as long as necessary:
| Data Category | Retention Period | After Retention |
|---|---|---|
| Active user profiles | Duration of account | Delete on request |
| Inactive accounts | 3 years of inactivity | Anonymize or delete |
| Quiz history | 2 years | Aggregate/anonymize |
| Real-time quiz sessions | 7 days after completion | Delete |
| Cookie transactions | 2 years | Anonymize |
| Payment receipts | 7 years (tax law requirement) | Secure archive |
| Friendships | Duration of friendship | Delete on request |
| Analytics data | 18 months | Auto-purge |
| Parental consent records | Until child turns 20 | Archive then delete |
| Audit logs | 5 years | Secure archive |
Account Deletion:
- You can delete your account anytime in Account Settings
- We offer two options: (1) Anonymize data, (2) Permanent deletion
- 30-day grace period before permanent deletion
- For users under 13: Parental authorization required for deletion
8. Data Security
We implement industry-standard security measures:
- Encryption: All data encrypted in transit (TLS) and at rest
- Access Controls: Row Level Security (RLS) ensures you can only access your own data
- Authentication: Secure password hashing, email verification, optional OTP
- Monitoring: Automated breach detection and suspicious activity alerts
- Regular Audits: Quarterly security and compliance reviews
In Case of Data Breach:
- We will notify you within 72 hours if your data is compromised
- We will notify relevant authorities as required by law
- We will provide guidance on protective steps you can take
9. Contact Us
For privacy questions, concerns, or to exercise your rights:
- Email: privacy@brainus.lk
- Parent Support: parents@brainus.lk
- Location: Colombo, Sri Lanka
Data Protection Officer: To be designated. As permitted under PDPA 2025 Section 20, our Data Protection Officer may be an external third-party contractor specialized in data protection compliance.
Appeal Rights: If you are not satisfied with our response to your privacy request or complaint, you have the right to appeal to the Data Protection Authority of Sri Lanka. We will provide the Authority's contact information with any decision you may wish to appeal.
10. PDPA 2025 Compliance Statement
BrainUs LK is committed to full compliance with the Personal Data Protection Act No. 9 of 2022 as amended by Act No. 22 of 2025. Key compliance measures include:
- Data Protection Officer: Designated DPO (may be external contractor per Section 20)
- Lawful Processing: All data processing has a lawful basis (consent, contract, legitimate interest)
- Cross-Border Transfers: Section 26 compliant with explicit consent and safeguards
- Response Timelines: 1-3 month response to rights requests per Section 17
- Appeal Rights: Clear procedures to appeal to Data Protection Authority per Section 19
- Breach Notification: 72-hour notification to authorities and affected individuals
- Children's Privacy: Enhanced protections for users under 18
- Data Minimization: Only essential data collected
- Retention Limits: Clear retention periods with automatic deletion
- Security Measures: Encryption, access controls, regular audits
Compliance Timeline: The PDPA 2025 amendments provide a 36-month compliance timeline (Section 52). We are committed to achieving full compliance well before this deadline.
Acknowledgment: By creating an account, you confirm that you have read, understood, and agree to this Privacy Policy.