Privacy Notice

Last Updated: October 22, 2025
Controller: Brainsome Ltd (“Brainsome,” “we,” “us,” “our”), a company registered in Cyprus
Registered Address: 6 Themistokli Dervi, Flat/Office 4D, 1066 Nicosia, Cyprus
Contact for privacy matters: legal@brainsome.com

1.What this notice covers

This notice explains how we process personal data when you:

visit Brainsome.com (we do not use cookies or tracking tools), and/or
contact us about career opportunities (e.g., by emailing hr@brainsome.com or messaging our recruiters on Telegram), and/or
contact us with General & Sales enquiries at contact@brainsome.com, and/or
contact us with Privacy & legal enquiries at legal@brainsome.com, and/or
send us postal correspondence to our physical address, and/or
visit our offices (if applicable).

This site is intended for adults and is not directed to children.

2. What data we collect

2.1. Recruitment (when you contact us)

Identification & contact: name, email/Telegram handle, phone (if provided).
Application materials: CV/resumé, cover letters, portfolio links, experience, education, references, and any information you choose to include.
Recruitment records: interview notes, communications, scheduling information, outcome.

We do not request special-category data (e.g., health, ethnicity, religion). Please do not include such information in your CV or messages. If a role requires us to process limited special data (e.g., for legal obligations), we’ll inform you separately.

2.2. Website security (no cookies)

Server logs generated by our hosting/CDN when you access the site: IP address, date/time, requested URL, user-agent, referrer, and error codes. We do not set analytics, advertising, or other non-essential cookies.

We collect only what is necessary in each context:

2.3 General & Sales enquiries

Contact details and message content sent to contact@brainsome.com.

2.4. Privacy and legal enquiries

Contact details and message content sent to legal@brainsome.com (including data‑protection questions and GDPR rights requests).

2.5 Postal correspondence

Sender/return details and the contents of your letter/documents.

2.6 Visitors (if applicable)

Visitor log (name, time, host) and, if posted, CCTV images for security.

3. Why we use your data (purposes & legal bases)

Activity	Purpose	Legal basis	Typical recipients
Recruitment (2.1)	Assess application, arrange interviews, make an offer; keep basic records of a fair process	Pre‑contract steps (Art. 6(1)(b)); Legitimate interests in hiring (Art. 6(1)(f))	HR/recruiting; hiring managers; authorised execs; email/IT providers (processors)
Talent pool (similar/equivalent roles)	Consider you for future similar roles	Legitimate interests (Art. 6(1)(f)); opt‑out anytime	HR/recruiting; secure ATS/drive (processors)
Website/server logs (2.2)	Site delivery, security, abuse prevention, troubleshooting	Legitimate interests in secure operation (Art. 6(1)(f))	Host/CDN; security tooling (processors)
General & Sales enquiries (2.3)	Respond and follow‑up; manage relationship and sales pipeline	Legitimate interests (Art. 6(1)(f)); and Art. 6(1)(b) where acting on your request	Sales/ops team; email/IT providers (processors)
Privacy & legal enquiries (2.4)	Handle privacy/DP queries, GDPR rights requests, legal notices; maintain accountability records	Legal obligation for rights requests (Art. 6(1)(c)); Legitimate interests for other legal enquiries (Art. 6(1)(f))	Privacy/legal team; authorised execs; email/IT providers; external counsel (processors or independent controllers as applicable)
Postal correspondence (2.5)	Handle correspondence; basic record‑keeping	Legitimate interests (Art. 6(1)(f)); Art. 6(1)(b)/(c) as applicable	Relevant team; scanning/storage providers; couriers (processors)
Visitors/CCTV (2.6)	Site security & compliance	Legitimate interests (Art. 6(1)(f)); legal obligations as applicable	Facilities/security; CCTV vendor (processor)

4. Where your data comes from

Directly from you (email, LinkedIn, Instagram or Telegram message).
Public sources you share (e.g., LinkedIn/GitHub) when relevant to your application.

5. Who sees your data (recipients)

Internal teams involved in hiring (HR/recruiting, team leads, senior management).
Service providers (processors): website hosting/CDN, email provider, cloud storage/IT support, and (if used) scheduling/video-meeting tools — all under written data-processing terms.
Telegram: when you choose to contact us via Telegram, your messages are processed by Telegram under its own terms and policies; Telegram may process data on servers outside the EEA. On Telegram, Telegram is typically an independent controller of that messaging data.

We do not sell your personal data.

6. International transfers

If any service provider stores or accesses data outside the EEA/UK, we use appropriate safeguards (e.g., European Commission Standard Contractual Clauses) and assess the transfer risks. When you use Telegram, transfers may occur under Telegram’s own arrangements beyond our control.

7. How long we keep your data

We delete or anonymise data when it is no longer needed. Typical retention periods are:

Recruitment records (unsuccessful candidates): 6 months after the process ends (to address questions or legal claims).
Talent pool (similar/equivalent roles): up to 12 months after the process based on our legitimate interests in efficient hiring. You can object at any time (email HR), and we’ll delete your data unless we have compelling legitimate grounds or need it to establish, exercise, or defend legal claims. This does not affect any live application.
Website/server logs: 30–90 days for security/troubleshooting, unless longer is needed to investigate an incident.
General & Sales enquiries: up to 6 months, longer if a matter is ongoing or required by law.
Privacy & legal enquiries: records of rights requests and legal queries kept for up to 3 years after closure to demonstrate compliance (Art. 5(2) GDPR – accountability) or longer where required by law or necessary to establish, exercise, or defend legal claims.
Postal correspondence: up to 6 months, longer if ongoing/contractual or required by law.
Visitor logs/CCTV (if applicable): visitor logs 30–90 days; CCTV up to 30 days unless required longer for an incident.

8. Your rights

You have the rights below under the GDPR. To use any of them, email legal@brainsome.com. We’ll respond within one month (we may extend by up to two more months for complex requests, but we’ll tell you why).

Access (get a copy of your data) – confirmation we process your data; a copy of the personal data we hold; key info about how we use it. We may redact third‑party details or confidential business info to protect others’ rights.
Correction (rectification) – tell us what’s inaccurate or incomplete (e.g., wrong contact details).
Erasure (“right to be forgotten”) – ask us to delete your data when it’s no longer needed, you’ve successfully objected, or processing was unlawful. We may keep what’s needed to comply with law or to establish, exercise or defend legal claims.
Restriction of processing – temporarily pause most uses while we verify accuracy, assess legality, retain for your legal claims, or check our grounds after an objection.
Objection (to legitimate interests) – when we rely on legitimate interests (e.g., keeping your details for similar roles up to 12 months), you can object at any time. We will stop unless we have compelling legitimate grounds that override your interests/rights, or we need the data for legal claims. (We do not use your data for direct marketing via this site.)
Withdraw consent – if you provide consent for any optional processing, you can withdraw at any time. This won’t affect processing already performed.
Data portability – receive the data you provided (e.g., CV, contact details) in a structured, commonly used, machine‑readable format, or have it sent to another controller. Applies where processing is automated and based on consent or contract; not to our internal notes.
Right to complain – to the Office of the Commissioner for Personal Data Protection (Cyprus). We’d appreciate the chance to resolve issues first—please contact us.

Identity & fees: We may ask for information to confirm your identity. Exercising your rights is free, except for manifestly unfounded or excessive requests (in which case we may charge a reasonable fee or refuse the request, with reasons).

9. Do we use automated decision-making?

No. We do not use automated decision-making or profiling to make hiring decisions.

10. Security

We apply technical and organizational measures appropriate to the risk, including access controls, encryption in transit, and restricted retention. Access to recruitment data is limited to staff who need it for hiring.

11. Changes to this notice

We may update this notice to reflect changes in our practices or legal requirements. The “Last Updated” date will tell you when it was last revised.

12. How to contact us

Controller: Brainsome Ltd
Email: legal@brainsome.com (you can also contact hr@brainsome.com, contact@brainsome.com accordingly)
Postal address: Maximos Plaza at 18 Maximos Michailidis street, 3106, Limassol, Cyprus