Privacy Policy
1 Introduction
BatchBrain ("we," "our," or "us") operates an integrated online learning and productivity platform that provides AI-powered mentorship, structured courses, professional networking, a social content feed, real-time messaging, and productivity tools (collectively, the "Platform"). The Platform is designed to serve learners of all ages, including children, as well as adult professionals.
This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you access or use the Platform, including our website, mobile application, and any related services. It also explains your rights with respect to your personal data.
By creating an account or using the Platform, you — or, for child users, your parent or legal guardian — agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.
2 Information We Collect
We collect personal information in the following categories, depending on how you use the Platform.
2.1 Account and Registration Information
- Required: Username, email address, and password (stored in hashed and salted form using PBKDF2).
- Optional Profile: Profile picture, biography, location, date of birth, skills, interests, and professional role information.
- Social Links: GitHub and LinkedIn profile URLs, and optional public contact information.
- Social Authentication: If you register via Google, GitHub, or another OAuth provider, we receive the profile data you authorise — typically your name, email address, and avatar.
Date of birth is collected to enable age-appropriate access controls and to verify parental consent requirements where applicable.
2.2 Learning and Course Data
- Courses you enrol in, create, or teach.
- Quiz attempts, answers, scores, and mastery progress records.
- Course completion rates and certification records.
- Learning roadmaps you create or follow.
- Reading time and study session analytics.
2.3 AI Interaction Data
- Conversations with our AI assistant (powered by DeepSeek), including prompts and generated responses.
- AI Studio interactions and any content generated through those tools.
2.4 Social Feed and Messaging Data
- Posts, comments, reactions, and content you publish on the social feed.
- Direct messages and group chat messages exchanged with other users via our real-time messaging system (powered by Django Channels).
- Follower and following relationships, professional connections, and community memberships.
- Bookmarked content and saved articles.
- Blog posts and publications you author or interact with.
- Content moderation records, including user reports, blocks, and content flags (used solely for platform safety enforcement).
2.5 Productivity Data
- Tasks, to-do lists, and project boards you create.
- Calendar events and schedules.
- Productivity metrics and usage patterns derived from your Platform activity.
2.6 Payment and Subscription Data
- Subscription plan type and billing history, processed securely via Stripe.
- We do not store full payment card numbers. All payment card data is processed and held within Stripe's PCI DSS-compliant infrastructure. We retain only tokenised references and metadata necessary for subscription management.
2.7 Technical and Usage Data
- IP address, browser type, device type, and operating system.
- Pages visited, time spent on the Platform, click patterns, and feature usage logs.
- Device tokens for push notification delivery via Firebase Cloud Messaging (FCM).
2.8 User-Uploaded Content
- Files, images, and documents uploaded via the Platform's file browser or course creation tools (stored on Google Cloud Storage).
- Publication assets including eBooks, PDFs, and cover images.
- Profile pictures and course materials.
3 How We Use Your Information
We use the information we collect for the following purposes:
- Platform Operation: To create and manage your account and deliver all core Platform features, including courses, messaging, the social feed, and productivity tools.
- AI-Powered Services: To power the AI Brain and AI Studio features via DeepSeek. Prompts and responses are processed to generate real-time outputs.
- Personalisation: To recommend courses, mentors, content, and professional connections based on your skills, interests, and goals.
- Notifications: To send push notifications (via FCM) and emails regarding messages, course updates, task reminders, and platform announcements. You may adjust notification preferences in Account Settings.
- Analytics and Improvement: To analyse usage patterns, diagnose technical issues, and develop new features.
- Security: To protect against unauthorised access, fraud, and abuse, including through the use of Google reCAPTCHA.
- Communications: To send service-related emails (e.g. password resets and payment receipts) and, with your consent, marketing communications. You may unsubscribe from marketing at any time.
- Legal Compliance: To comply with applicable laws and respond to lawful requests from regulatory or law enforcement authorities.
- Child Safety: To apply age-appropriate content restrictions, parental controls, and enhanced moderation for child accounts.
4 Third-Party Services and Data Sharing
BatchBrain integrates with third-party service providers to deliver the Platform. We share only the minimum data necessary for each service to function.
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing and subscription management | Customer email, subscription metadata, tokenised payment reference (no full card numbers) |
| Firebase / FCM (Google) | Push notification delivery | Device token, notification interaction data |
| DeepSeek | AI Brain and AI Studio features | Conversation prompts and responses (real-time processing only) |
| Google Cloud Storage | File and media storage | Uploaded files, images, and course materials |
| Google reCAPTCHA | Bot detection and form security | Browser behaviour signals, anonymised IP address |
| Django Allauth | Social authentication (OAuth) | Profile data authorised by the user via their chosen OAuth provider |
| Redis | Caching, WebSocket, and task queuing | Session data, temporary cache, real-time message routing |
Data Sharing Principles
- We never sell, rent, or trade your personal information to third parties for their own commercial purposes.
- All third-party service providers operate under data processing agreements (DPAs) that prohibit unauthorised use of your data.
- We may share data when required by applicable law, regulation, court order, or lawful government request.
- Aggregated and de-identified data may be used for research and platform improvement, without identifying individual users.
- In the event of a merger, acquisition, or sale of assets, your data may be transferred to a successor entity, with prior notice provided to you.
5 Cookies and Tracking Technologies
BatchBrain uses cookies and similar technologies to support platform functionality and understand usage patterns.
- Essential Cookies: Session cookies required for authentication, CSRF protection, and core platform functionality. These are strictly necessary and cannot be disabled.
- Preference Cookies: Cookies that remember your settings, such as theme selection (light or dark mode) and language preferences.
- Analytics Cookies: Cookies that help us understand how users interact with the Platform, used to improve our services and content.
- Third-Party Cookies: Stripe uses cookies for fraud detection and payment processing. Google reCAPTCHA uses cookies for risk analysis. These operate under the respective providers' privacy policies.
You may control cookie settings through your browser. Disabling essential cookies may prevent the Platform from functioning correctly.
6 Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
- Active Accounts: Personal data is retained for the duration of your account's active existence.
- Deleted Accounts: Upon account deletion, personal data is removed or anonymised within 30 days, except where retention is required by law.
- Payment Records: Billing and payment records are retained for seven (7) years to satisfy applicable tax and accounting obligations.
- Backups: Encrypted backups may retain deleted data for up to 90 days before full purging.
- Anonymised Data: Aggregated, de-identified analytics data may be retained indefinitely.
- Child Account Data: All personal data for child accounts is deleted within 30 days of a verified deletion request from a parent or guardian, with no extended retention beyond legal minimums.
7 Your Rights and Choices
For All Users
- Access and Update: View and edit your profile and account information at any time via Account Settings.
- Data Portability: Request a download of your personal data in a portable, machine-readable format.
- Account Deletion: Delete your account and associated data through Settings or by contacting us at privacy@batchbrain.com.
- Notification Preferences: Control push notification types and opt out of marketing communications at any time via Account Settings.
For EEA and UK Users (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under applicable data protection law:
- Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected.
- Right to Restrict Processing: Request that we limit the processing of your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests, including direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with your local supervisory authority. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.
For California Residents (CCPA / CPRA)
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of personal information we have collected, subject to applicable exceptions.
- Right to Opt-Out of Sale: We do not sell personal information. You nonetheless retain the right to opt out of any future sale.
- Right to Non-Discrimination: We will not discriminate against you for exercising any rights under the CCPA or CPRA.
To exercise any of these rights, please contact us at privacy@batchbrain.com with the subject line "Privacy Request". We will respond within 30 days, or such shorter period as required by applicable law.
8 Push Notifications and Firebase Cloud Messaging
BatchBrain uses Firebase Cloud Messaging (FCM), provided by Google, to deliver push notifications to your device.
- When you grant notification permission, FCM generates a unique device token that we store to route notifications to your device.
- Notifications may include: direct messages, course updates, task reminders, community activity, and platform announcements.
- You may disable push notifications at any time via your device settings or within the BatchBrain notification preferences in Account Settings.
- FCM collects limited diagnostic data (such as delivery status and click rates) in accordance with Google's Privacy Policy. This data cannot be used to identify you individually.
- For child accounts, push notifications are limited to course and task-related content. Social and messaging notifications are subject to parental control settings.
9 Children's Privacy
BatchBrain provides educational content for learners of all ages, including children. We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA) in the United States, and with the UK GDPR and EU GDPR as they apply to minors.
The following additional safeguards apply to all child accounts:
- Direct messaging and public social feed posting are disabled or restricted for users under 13.
- Child accounts are subject to enhanced content moderation and age-appropriate content filtering across all Platform areas, including the social feed and community sections.
- We do not serve targeted or behavioural advertising to child users.
- We do not share child users' personal data with third parties for marketing or profiling purposes.
- Parents and guardians may review, update, or request deletion of their child's personal data at any time by contacting privacy@batchbrain.com.
- We do not knowingly collect personal data from children without verifiable parental consent. If we become aware that such data has been collected, we will delete it promptly.
If you believe we may have collected personal data from a child without appropriate consent, please contact us immediately at privacy@batchbrain.com.
10 Data Security
We implement industry-standard administrative, technical, and physical security measures to protect your personal information.
- Encryption: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS). Passwords are stored using Django's PBKDF2 hashing algorithm with salt.
- Infrastructure: Our servers are hosted in secure data centres with physical access controls, network firewalls, and intrusion detection systems.
- Access Controls: Internal access to personal data is restricted to authorised personnel on a need-to-know basis, governed by role-based access controls.
- Security Audits: We conduct regular security audits, dependency vulnerability scans, and periodic penetration testing.
- Subprocessor Standards: All third-party subprocessors, including Stripe and Google Cloud, maintain SOC 2 or equivalent certifications.
No method of electronic transmission or storage is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law and without undue delay.
11 Content Moderation and User Safety
BatchBrain is committed to maintaining a safe and respectful environment for all users. This section describes our content moderation practices and how they relate to your data.
11.1 Automated Content Filtering
We employ automated content filtering systems that scan user-generated content for prohibited material, including but not limited to: hate speech, harassment, spam, inappropriate content, and content promoting violence or self-harm. Filtered content may be flagged for human review.
11.2 User Reporting
Users can report objectionable content via the Report functionality available on all posts, comments, and chat messages. When you submit a report, we collect:
- The type of content being reported
- The reason for the report (selected from predefined categories)
- Any additional description you choose to provide
All reports are reviewed by our moderation team within 24 hours. We retain report records for as long as necessary to enforce our Terms of Service and for legal compliance.
11.3 User Blocking
When you block another user:
- Their content is immediately removed from your feed and views
- Their recent posts and comments are automatically flagged for moderation review
- We record the block in our system to maintain the block across sessions
- Blocked user data is retained only for the purpose of maintaining your blocking preferences and for moderation review
11.4 Enforcement Actions
In response to confirmed violations, we may take the following actions:
- Content removal
- Warning notifications
- Account restriction or suspension
- Permanent account termination (for severe or repeated violations)
Enforcement records are retained for audit and safety purposes. Accounts terminated for policy violations may have their data retained for up to 30 days before deletion to allow for appeal processes.
12 International Data Transfers
BatchBrain operates globally. Your personal data may be transferred to, stored in, and processed in countries other than your country of residence, including the United States and countries within the European Union.
When we transfer personal data from the EEA or UK to countries not deemed to provide an adequate level of data protection by the European Commission or UK Information Commissioner, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK equivalent approved transfer mechanisms.
- Data Processing Agreements (DPAs) with all third-party subprocessors, incorporating appropriate transfer mechanisms.
- Stripe, Google Cloud, and Firebase each maintain SCC-compliant or UK GDPR-compliant data processing terms, available on their respective websites.
By using the Platform, you acknowledge that your personal data may be transferred internationally subject to the safeguards described above.
13 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, legal obligations, or other operational factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page and publish the revised policy on the Platform.
- Send an email notification to the address associated with your account for significant changes.
- Display a prominent notice on the Platform for a reasonable period following any material update.
We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after any changes have been published constitutes your acceptance of the revised policy. If you do not agree with a revised policy, you should discontinue use of the Platform and may delete your account.
14 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our privacy team:
BatchBrain — Privacy Team
Email: privacy@batchbrain.com
For data subject access requests (DSARs), GDPR or CCPA rights requests, or security concerns, please use the subject line "Privacy Request" for faster processing. We are committed to responding to all enquiries within 30 days, or within such shorter period as required by applicable law.