Privacy policy

Privacy policy

Privacy policy

  1. Introduction

BRAIN.ONE, Inc. (“BRAIN.ONE,” “we,” “us,” or “our”) provides a brain fitness, neurotechnology, and digital wellness platform that may include self-guided assessments, neural/EEG data collection tools, educational protocols, wearable and device integrations, and, where available, a client portal that may connect users with independent licensed clinicians or other health care providers (collectively, the “Services”). BRAIN.ONE is not a medical provider, is not a mental health platform, and does not itself provide medical, clinical, therapeutic, counseling, telehealth, emergency, or crisis-response services. This Privacy Policy explains what personal information we collect, how we use and share it, and the choices and rights available to you. It is incorporated into, and forms part of, our Terms of Service.


If you are using the Services on behalf of a minor with your consent as a parent or legal guardian, you agree to this Privacy Policy on that minor’s behalf.


If you are a resident of California, Colorado, Connecticut, Virginia, Nevada, Maryland, Maine, or another U.S. state with consumer privacy protections, please see Section 10 (Your Privacy Rights) below. For information specifically about health-related data — including neural data — please also see our separate Consumer Health Data Privacy Policy.


Where the law requires your affirmative, opt-in consent before we collect or use sensitive categories of information, including neural data and other consumer health data, we ask for that consent separately and specifically, rather than relying on your general use of the Services as consent.


This Privacy Policy does not apply to information we collect offline, through other companies’ websites or applications, or through third-party content or advertising that may link to or be accessible from the Services.

BRAIN.ONE, Inc. (“BRAIN.ONE,” “we,” “us,” or “our”) provides a brain fitness, neurotechnology, and digital wellness platform that may include self-guided assessments, neural/EEG data collection tools, educational protocols, wearable and device integrations, and, where available, a client portal that may connect users with independent licensed clinicians or other health care providers (collectively, the “Services”). BRAIN.ONE is not a medical provider, is not a mental health platform, and does not itself provide medical, clinical, therapeutic, counseling, telehealth, emergency, or crisis-response services. This Privacy Policy explains what personal information we collect, how we use and share it, and the choices and rights available to you. It is incorporated into, and forms part of, our Terms of Service.


If you are using the Services on behalf of a minor with your consent as a parent or legal guardian, you agree to this Privacy Policy on that minor’s behalf.


If you are a resident of California, Colorado, Connecticut, Virginia, Nevada, Maryland, Maine, or another U.S. state with consumer privacy protections, please see Section 10 (Your Privacy Rights) below. For information specifically about health-related data — including neural data — please also see our separate Consumer Health Data Privacy Policy.


Where the law requires your affirmative, opt-in consent before we collect or use sensitive categories of information, including neural data and other consumer health data, we ask for that consent separately and specifically, rather than relying on your general use of the Services as consent.


This Privacy Policy does not apply to information we collect offline, through other companies’ websites or applications, or through third-party content or advertising that may link to or be accessible from the Services.

2. Scope; Updates to This Policy

This Privacy Policy applies to all individuals who use the Services, including visitors to our website, registered users, and individuals who access the client portal. We may update this Privacy Policy from time to time. If we make material changes — including changes to how we use neural data or other consumer health data — we will provide advance notice (such as by email or an in-product notice) and, where required by law, obtain your renewed consent before the changes take effect. The “Last Updated” date at the top of this document reflects the most recent revision. Your continued use of the Services after a non-material update takes effect constitutes acceptance of that update.
This Privacy Policy applies to all individuals who use the Services, including visitors to our website, registered users, and individuals who access the client portal. We may update this Privacy Policy from time to time. If we make material changes — including changes to how we use neural data or other consumer health data — we will provide advance notice (such as by email or an in-product notice) and, where required by law, obtain your renewed consent before the changes take effect. The “Last Updated” date at the top of this document reflects the most recent revision. Your continued use of the Services after a non-material update takes effect constitutes acceptance of that update.

3. Personal Information We Collect

We collect the following categories of personal information about you, depending on how you use the Services:


• Identifiers: name, email address, phone number, account username, and device or IP address identifiers.

• Account & Profile Information: date of birth or age range, self-reported demographic information, state of residency, and emergency contact information.


• Neural and Biometric Data (Sensitive): EEG readings, brainwave patterns, and other data generated by neurotechnology devices or sensors used with the Services, as well as other biometric identifiers if you enable biometric login.


• Consumer Health Data (Sensitive): self-assessment responses, health history, symptoms, medications, self-reported diagnoses, clinician-provided information where authorized, and other information related to your physical, cognitive, emotional, or mental health. See our Consumer Health Data Privacy Policy for more detail.


• Client Portal & Communications: messages, appointment records, and other communications exchanged with independent licensed clinicians through the client portal, to the extent BRAIN.ONE has access to them.


• Payment Information: billing name, billing address, and payment card information, processed by our third-party payment processor. We do not store full payment card numbers.


• Device, Wearable & Usage Data: browser type, operating system, pages viewed, session duration, referring URLs, wearable or device data you authorize, and similar analytics collected automatically through cookies and similar technologies.


• Precise Geolocation Data (Sensitive): only if you enable location services.


• Inferences: inferences we draw from the categories above to personalize the Services, such as engagement patterns or suggested content.


We collect this information directly from you, automatically from your device, wearable, or neurotechnology hardware, and, in limited cases, from third parties such as a clinician you have separately authorized to share information with us, or our service providers.

We collect the following categories of personal information about you, depending on how you use the Services:


• Identifiers: name, email address, phone number, account username, and device or IP address identifiers.

• Account & Profile Information: date of birth or age range, self-reported demographic information, state of residency, and emergency contact information.


• Neural and Biometric Data (Sensitive): EEG readings, brainwave patterns, and other data generated by neurotechnology devices or sensors used with the Services, as well as other biometric identifiers if you enable biometric login.


• Consumer Health Data (Sensitive): self-assessment responses, health history, symptoms, medications, self-reported diagnoses, clinician-provided information where authorized, and other information related to your physical, cognitive, emotional, or mental health. See our Consumer Health Data Privacy Policy for more detail.


• Client Portal & Communications: messages, appointment records, and other communications exchanged with independent licensed clinicians through the client portal, to the extent BRAIN.ONE has access to them.


• Payment Information: billing name, billing address, and payment card information, processed by our third-party payment processor. We do not store full payment card numbers.


• Device, Wearable & Usage Data: browser type, operating system, pages viewed, session duration, referring URLs, wearable or device data you authorize, and similar analytics collected automatically through cookies and similar technologies.


• Precise Geolocation Data (Sensitive): only if you enable location services.


• Inferences: inferences we draw from the categories above to personalize the Services, such as engagement patterns or suggested content.


We collect this information directly from you, automatically from your device, wearable, or neurotechnology hardware, and, in limited cases, from third parties such as a clinician you have separately authorized to share information with us, or our service providers.

4. How We Use Personal Information

We use personal information to:


• Provide, maintain, and improve the Services, including performing and scoring selfassessments, displaying educational information, supporting protocol tracking, and facilitating the client portal where available;


• Enable independent licensed clinicians you choose to work with to review your assessment results and neural/health data for treatment or care-related purposes at your direction;


• Communicate with you, including account, security, and appointment-related messages;


• Process payments;


• Detect, investigate, and prevent fraud, abuse, and security incidents;


• Comply with our legal obligations; and


• With your separate, opt-in consent where required by law, improve our algorithms, conduct research, or use neural data or consumer health data for other secondary purposes.


We do not use neural data or other sensitive or consumer health data for advertising, and we do not use it to make decisions that produce legal or similarly significant effects about you without appropriate human review.

We use personal information to:


• Provide, maintain, and improve the Services, including performing and scoring selfassessments, displaying educational information, supporting protocol tracking, and facilitating the client portal where available;


• Enable independent licensed clinicians you choose to work with to review your assessment results and neural/health data for treatment or care-related purposes at your direction;


• Communicate with you, including account, security, and appointment-related messages;


• Process payments;


• Detect, investigate, and prevent fraud, abuse, and security incidents;


• Comply with our legal obligations; and


• With your separate, opt-in consent where required by law, improve our algorithms, conduct research, or use neural data or consumer health data for other secondary purposes.


We do not use neural data or other sensitive or consumer health data for advertising, and we do not use it to make decisions that produce legal or similarly significant effects about you without appropriate human review.

5. How We Share Personal Information

We do not sell neural data, biometric data, or consumer health data, and we do not share that data for cross-context behavioral advertising. We may disclose personal information as follows:

• Service Providers: companies that host our infrastructure, process payments, provide customer support, or send communications on our behalf, under contracts that restrict their use of your information to providing services to us.

• Licensed Clinicians: if you use the client portal, information you submit is shared with the clinician(s) you choose to connect with, for treatment or care-related purposes, at your direction.

• Business Transfers: if BRAIN.ONE is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. Where required by law, we will maintain consumer-health-data-specific protections regardless of the transaction and, where feasible, provide notice and choices to affected individuals.

• Legal & Safety: to comply with a subpoena, court order, or other legal process; to protect the rights, property, or safety of BRAIN.ONE, our users, or the public; or where we have a good-faith belief that disclosure is necessary to prevent harm, including imminent risk of self-harm or harm to others.

• Aggregated/De-Identified Data: information that has been aggregated or de-identified such that it can no longer reasonably be used to identify you.

• With Your Direction or Consent: for any other purpose disclosed to you at the time of collection, or with your consent.

We do not knowingly permit any third party to collect precise geolocation, neural data, or other sensitive personal information through the Services except as described in this Privacy Policy.

We will not attempt to re-identify de-identified data, and we contractually require service providers and other recipients of de-identified data not to attempt re-identification, except as permitted by law for testing the effectiveness of de-identification safeguards.
We do not sell neural data, biometric data, or consumer health data, and we do not share that data for cross-context behavioral advertising. We may disclose personal information as follows:

• Service Providers: companies that host our infrastructure, process payments, provide customer support, or send communications on our behalf, under contracts that restrict their use of your information to providing services to us.

• Licensed Clinicians: if you use the client portal, information you submit is shared with the clinician(s) you choose to connect with, for treatment or care-related purposes, at your direction.

• Business Transfers: if BRAIN.ONE is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. Where required by law, we will maintain consumer-health-data-specific protections regardless of the transaction and, where feasible, provide notice and choices to affected individuals.

• Legal & Safety: to comply with a subpoena, court order, or other legal process; to protect the rights, property, or safety of BRAIN.ONE, our users, or the public; or where we have a good-faith belief that disclosure is necessary to prevent harm, including imminent risk of self-harm or harm to others.

• Aggregated/De-Identified Data: information that has been aggregated or de-identified such that it can no longer reasonably be used to identify you.

• With Your Direction or Consent: for any other purpose disclosed to you at the time of collection, or with your consent.

We do not knowingly permit any third party to collect precise geolocation, neural data, or other sensitive personal information through the Services except as described in this Privacy Policy.

We will not attempt to re-identify de-identified data, and we contractually require service providers and other recipients of de-identified data not to attempt re-identification, except as permitted by law for testing the effectiveness of de-identification safeguards.

6. Cookies, Analytics, and Tracking Technologies

We and our service providers use cookies, pixels, and similar technologies to operate the Services, remember your preferences, and understand usage patterns. We honor recognized optout preference signals, including the Global Privacy Control (“GPC”), as a valid method of exercising your right to opt out of the sale or sharing of personal information and targeted advertising, where required by applicable state law. Our systems do not currently treat legacy browser “Do Not Track” signals as distinct from GPC, so we do not respond to Do Not Track signals separately, but we do honor GPC.


App Tracking Transparency and Cross-App Tracking: To the extent we or our service providers use tracking technologies that track your activity across other companies’ apps or websites for cross-app tracking or advertising purposes, we will request your permission through Apple’s App Tracking Transparency framework, where applicable, before doing so, and we will provide equivalent notice and choice mechanisms on other platforms, such as Android, consistent with that platform’s requirements. As described in Section 5 above, we do not currently sell or share personal information for cross-context behavioral advertising.

We and our service providers use cookies, pixels, and similar technologies to operate the Services, remember your preferences, and understand usage patterns. We honor recognized optout preference signals, including the Global Privacy Control (“GPC”), as a valid method of exercising your right to opt out of the sale or sharing of personal information and targeted advertising, where required by applicable state law. Our systems do not currently treat legacy browser “Do Not Track” signals as distinct from GPC, so we do not respond to Do Not Track signals separately, but we do honor GPC.


App Tracking Transparency and Cross-App Tracking: To the extent we or our service providers use tracking technologies that track your activity across other companies’ apps or websites for cross-app tracking or advertising purposes, we will request your permission through Apple’s App Tracking Transparency framework, where applicable, before doing so, and we will provide equivalent notice and choice mechanisms on other platforms, such as Android, consistent with that platform’s requirements. As described in Section 5 above, we do not currently sell or share personal information for cross-context behavioral advertising.

7. Data Retention

We retain personal information for as long as needed to provide the Services, comply with legal, regulatory, tax, or accounting requirements, resolve disputes, and enforce our agreements. Health-related and neural data submitted through the client portal may be retained for longer periods consistent with medical recordkeeping requirements applicable to the clinicians you work with. When information is no longer needed, we delete, de-identify, or anonymize it.
We retain personal information for as long as needed to provide the Services, comply with legal, regulatory, tax, or accounting requirements, resolve disputes, and enforce our agreements. Health-related and neural data submitted through the client portal may be retained for longer periods consistent with medical recordkeeping requirements applicable to the clinicians you work with. When information is no longer needed, we delete, de-identify, or anonymize it.

8. Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption of neural and health data in transit and at rest, access controls, and employee training. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption of neural and health data in transit and at rest, access controls, and employee training. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Children’s Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent, consistent with the Children’s Online Privacy Protection Act (“COPPA”). If you believe we have collected information from a child under 13 without appropriate consent, contact us at hello@brain.one and we will investigate and delete the information as appropriate.

Separately, our Terms of Service require that individuals using assessment or client-portal features involving independent licensed clinicians be at least 18 years old, or have the consent of a parent or legal guardian who agrees to these policies on the minor’s behalf, consistent with applicable state law governing minors’ consent to health care. For California and Colorado residents under 16 (and their parents or guardians, for those under 13), we do not sell or share personal information, or use it for targeted advertising, without opt-in consent, as described in Section 10 below.
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent, consistent with the Children’s Online Privacy Protection Act (“COPPA”). If you believe we have collected information from a child under 13 without appropriate consent, contact us at hello@brain.one and we will investigate and delete the information as appropriate.

Separately, our Terms of Service require that individuals using assessment or client-portal features involving independent licensed clinicians be at least 18 years old, or have the consent of a parent or legal guardian who agrees to these policies on the minor’s behalf, consistent with applicable state law governing minors’ consent to health care. For California and Colorado residents under 16 (and their parents or guardians, for those under 13), we do not sell or share personal information, or use it for targeted advertising, without opt-in consent, as described in Section 10 below.

10. Your Privacy Rights

Depending on where you live, you may have some or all of the rights described below. To exercise any of these rights, contact us at hello@brain.one. We will verify your identity before responding and will respond within the time period required by applicable law (generally 45 days, extendable once by an additional 45 days where permitted). You will not receive discriminatory treatment for exercising your privacy rights.

• 10.1 California: Under the CCPA, California residents have the right to know and access their personal information, delete it, correct inaccuracies, opt out of data sales/sharing, limit the use of sensitive personal information, request data portability, and appeal denied requests. “Sensitive personal information” includes neural data (per California Senate Bill 1223). We only use this data to provide requested Services and do not sell or share it without opt-in consent for users under 16. You may designate an authorized agent to submit requests on your behalf, and we honor Global Privacy Control signals as a valid opt-out request.

• 10.2 Colorado: The CPA grants Colorado residents the right to access, correct, delete, port data, and opt out of targeted advertising, sales, or profiling. Under Colorado House Bill 24-1058, neural data is treated as sensitive “biological data,” requiring opt-in consent prior to processing. You may appeal a denied request by contacting hello@brain.one; if we deny your appeal, you may contact the Colorado Attorney General.

• 10.3 Connecticut: The CTDPA gives Connecticut residents standard access, correction, deletion, and portability rights, alongside strict opt-in consent rules for sensitive data (including health and neural data). You may appeal a denied request by contacting hello@brain.one; if unresolved, you may contact the Connecticut Attorney General.

• 10.4 Virginia: The VCDPA provides Virginia residents with rights to access, correct, delete, and port personal data, alongside required opt-in consent for processing sensitive data. You may appeal a denied request by contacting hello@brain.one; if unresolved, you may contact the Virginia Attorney General.

• 10.5 Nevada: Nevada residents have the right to opt out of the sale of “covered information” under NRS Chapter 603A. We do not currently sell covered information.

• 10.6 Maryland: Effective October 1, 2025, MODPA requires data minimization and prohibits the sale of sensitive health and neural data regardless of consent.

• 10.7 Other State Privacy Laws: Residents of Utah, Texas, Oregon, Montana, Delaware, New Jersey, Nebraska, New Hampshire, Minnesota, Rhode Island, Iowa, Kentucky, Indiana, Tennessee, and other states with comprehensive frameworks are afforded core rights of access, correction, deletion, portability, and sensitive data opt-in protections.

• 10.8 Maine: We voluntarily extend core consumer privacy rights (access, deletion, correction, and portability) to Maine residents.

• 10.9 Illinois and Other Biometric Privacy Laws: For data capturing biometric identifiers under frameworks like Illinois’ BIPA or Texas’ CUBI, we provide explicit notice regarding storage timelines and obtain written consent/releases before data collection. We do not sell biometric information.

• 10.10 Do Not Track: Our Services do not currently respond to browser “Do Not Track” signals separately from the Global Privacy Control described in Section 6.
Depending on where you live, you may have some or all of the rights described below. To exercise any of these rights, contact us at hello@brain.one. We will verify your identity before responding and will respond within the time period required by applicable law (generally 45 days, extendable once by an additional 45 days where permitted). You will not receive discriminatory treatment for exercising your privacy rights.

• 10.1 California: Under the CCPA, California residents have the right to know and access their personal information, delete it, correct inaccuracies, opt out of data sales/sharing, limit the use of sensitive personal information, request data portability, and appeal denied requests. “Sensitive personal information” includes neural data (per California Senate Bill 1223). We only use this data to provide requested Services and do not sell or share it without opt-in consent for users under 16. You may designate an authorized agent to submit requests on your behalf, and we honor Global Privacy Control signals as a valid opt-out request.

• 10.2 Colorado: The CPA grants Colorado residents the right to access, correct, delete, port data, and opt out of targeted advertising, sales, or profiling. Under Colorado House Bill 24-1058, neural data is treated as sensitive “biological data,” requiring opt-in consent prior to processing. You may appeal a denied request by contacting hello@brain.one; if we deny your appeal, you may contact the Colorado Attorney General.

• 10.3 Connecticut: The CTDPA gives Connecticut residents standard access, correction, deletion, and portability rights, alongside strict opt-in consent rules for sensitive data (including health and neural data). You may appeal a denied request by contacting hello@brain.one; if unresolved, you may contact the Connecticut Attorney General.

• 10.4 Virginia: The VCDPA provides Virginia residents with rights to access, correct, delete, and port personal data, alongside required opt-in consent for processing sensitive data. You may appeal a denied request by contacting hello@brain.one; if unresolved, you may contact the Virginia Attorney General.

• 10.5 Nevada: Nevada residents have the right to opt out of the sale of “covered information” under NRS Chapter 603A. We do not currently sell covered information.

• 10.6 Maryland: Effective October 1, 2025, MODPA requires data minimization and prohibits the sale of sensitive health and neural data regardless of consent.

• 10.7 Other State Privacy Laws: Residents of Utah, Texas, Oregon, Montana, Delaware, New Jersey, Nebraska, New Hampshire, Minnesota, Rhode Island, Iowa, Kentucky, Indiana, Tennessee, and other states with comprehensive frameworks are afforded core rights of access, correction, deletion, portability, and sensitive data opt-in protections.

• 10.8 Maine: We voluntarily extend core consumer privacy rights (access, deletion, correction, and portability) to Maine residents.

• 10.9 Illinois and Other Biometric Privacy Laws: For data capturing biometric identifiers under frameworks like Illinois’ BIPA or Texas’ CUBI, we provide explicit notice regarding storage timelines and obtain written consent/releases before data collection. We do not sell biometric information.

• 10.10 Do Not Track: Our Services do not currently respond to browser “Do Not Track” signals separately from the Global Privacy Control described in Section 6.

11. Consumer Health Data

Much of the information you provide is also “consumer health data” under Washington’s My Health My Data Act, Nevada’s Consumer Health Data Privacy Act, and similar laws. Please see our Consumer Health Data Privacy Policy, available as a separate document, for full disclosures.
Much of the information you provide is also “consumer health data” under Washington’s My Health My Data Act, Nevada’s Consumer Health Data Privacy Act, and similar laws. Please see our Consumer Health Data Privacy Policy, available as a separate document, for full disclosures.

12. HIPAA Notice

BRAIN.ONE is not a health care provider. For self-guided independent assessment tools and digital wellness features, we are not regulated as a HIPAA “covered entity.” If you use the client portal to connect with a licensed clinician, that clinician is independently responsible for complying with HIPAA, and BRAIN.ONE may act as that clinician’s “business associate” under a separate business associate agreement. Where we do not act as a business associate, health-related information is protected under this Privacy Policy, our Consumer Health Data Privacy Policy, and the FTC Health Breach Notification Rule.

Enterprise customers, licensed clinicians, or covered entities may be required to enter into a separate Business Associate Agreement, Data Processing Addendum, or services agreement before using certain features.
BRAIN.ONE is not a health care provider. For self-guided independent assessment tools and digital wellness features, we are not regulated as a HIPAA “covered entity.” If you use the client portal to connect with a licensed clinician, that clinician is independently responsible for complying with HIPAA, and BRAIN.ONE may act as that clinician’s “business associate” under a separate business associate agreement. Where we do not act as a business associate, health-related information is protected under this Privacy Policy, our Consumer Health Data Privacy Policy, and the FTC Health Breach Notification Rule.

Enterprise customers, licensed clinicians, or covered entities may be required to enter into a separate Business Associate Agreement, Data Processing Addendum, or services agreement before using certain features.

13. FTC Health Breach Notification Rule

To the extent any health information you provide through the Services is not otherwise protected by HIPAA, it may be subject to the Federal Trade Commission’s Health Breach Notification Rule. If we experience a security breach involving unsecured identifiable health information, we will notify affected individuals, the FTC, and the media as required by law.
To the extent any health information you provide through the Services is not otherwise protected by HIPAA, it may be subject to the Federal Trade Commission’s Health Breach Notification Rule. If we experience a security breach involving unsecured identifiable health information, we will notify affected individuals, the FTC, and the media as required by law.

14. Research Participation

From time to time, BRAIN.ONE may invite users to participate in research, pilot programs, validation studies, or product-improvement studies. Participation is voluntary and subject to separate disclosures and consent. Declining research participation will not limit access to the core Services unless the user is specifically enrolling in a research-only program.
From time to time, BRAIN.ONE may invite users to participate in research, pilot programs, validation studies, or product-improvement studies. Participation is voluntary and subject to separate disclosures and consent. Declining research participation will not limit access to the core Services unless the user is specifically enrolling in a research-only program.

15. Contact Us

Questions about this Privacy Policy, or requests to exercise your privacy rights, can be sent to hello@brain.one.
Questions about this Privacy Policy, or requests to exercise your privacy rights, can be sent to hello@brain.one.