Privacy Policy

Last updated: March 7, 2026  |  Effective date: March 7, 2026

This Privacy Policy explains how BrainSumo ("Company", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you use the BrainSumo platform at brainsumo.in. This Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the Information Technology Act, 2000.

1. Who We Are (Data Fiduciary)

Under the Digital Personal Data Protection Act, 2023, BrainSumo is the Data Fiduciary — the entity that determines the purpose and means of processing your personal data. You are the Data Principal. By using the Platform, you provide free, specific, informed, and unambiguous consent to the processing described in this Policy.

2. Personal Data We Collect

We collect only the personal data necessary for the purposes described in this Policy (data minimisation principle under the DPDP Act, 2023).

2a. Account and Profile Data

  • Full name, email address, hashed password, and account role (Solver / Client)
  • Profile information: bio, skills, education, university, major
  • Company name, company website (Clients only)
  • Country of residence / business

2b. Sensitive Personal Data (SPDI)

The following data is classified as Sensitive Personal Data or Information under the SPDI Rules, 2011 and is treated with heightened protection:

  • Bank account number and IFSC code (Solvers — for prize payouts)
  • PAN (Permanent Account Number — required for TDS compliance under Section 194B)
  • Phone number (required for Cashfree Payouts KYC)
  • GSTIN (Indian business clients — optional, for GST invoice purposes)

2c. Usage and Technical Data

  • IP address, browser type, device information, and operating system
  • Pages visited, time spent, and navigation patterns (for platform improvement)
  • Login timestamps and session data

2d. Communication Data

  • Messages sent through the contact form
  • Emails sent to or received from BrainSumo support
  • Challenge briefs and submission content created on the Platform

3. Purpose and Legal Basis for Processing

We process your personal data only for specific, stated purposes. Under the DPDP Act, 2023, our legal basis for processing is your informed consent (provided at registration) and, where applicable, compliance with a legal obligation.

Purpose | Data Used | Legal Basis
Account creation and authentication | Name, email, password | Consent
Facilitating challenges and submissions | Profile, submissions, challenge data | Consent / Contract
Processing prize payouts via IMPS | Bank account, IFSC, PAN, phone | Consent / Legal obligation (TDS)
TDS deduction and Form 16A issuance | PAN, prize amount, bank details | Legal obligation (Section 194B, IT Act 1961)
GST invoice issuance | GSTIN, company name, address | Legal obligation (CGST Act 2017)
Sending challenge notifications (opted-in) | Email | Consent (can be withdrawn)
Fraud prevention and security | IP, usage data, login history | Legitimate interest / Legal obligation
Grievance resolution | All relevant data | Legal obligation (IT Rules 2021)
Compliance with law enforcement | As required by court/government order | Legal obligation

4. Information Sharing

We do not sell, rent, or trade your personal data. We share it only in the following limited circumstances:

  • Payment processors: We use Cashfree Payments (an RBI-licensed Payment Aggregator) to process client payments and solver payouts. Your bank details and PAN are shared with Cashfree solely for KYC, payout, and TDS compliance purposes. Cashfree's privacy policy governs their processing.
  • Other users (talent scouting): If you enable talent scouting in your Solver profile settings, your public profile (name, skills, university) may be visible to Clients. This is opt-in only and can be disabled at any time.
  • Service providers: We use third-party providers for cloud hosting (database and file storage), email delivery (transactional emails), and analytics. These providers are bound by contractual confidentiality obligations and may not use your data for their own purposes.
  • Tax authorities: TDS deducted under Section 194B is remitted to the Income Tax Department of India. TDS details are reported in Form 26Q.
  • Law enforcement / legal process: We disclose personal data when required by a valid court order, government directive, or where we have a good-faith belief that disclosure is necessary to prevent imminent harm, fraud, or a legal violation.

5. Data Retention

  • Active accounts: Personal data is retained for as long as your account is active and for a reasonable period thereafter.
  • Account deletion: Upon deletion, non-financial personal data is erased within 30 days. Financial records (transaction data, TDS records, payout history) are retained for 7 years in accordance with the Income Tax Act, 1961 and the Prevention of Money Laundering Act, 2002.
  • Communication records: Retained for 3 years for grievance and legal purposes.
  • Purpose fulfillment: When data is no longer required for the purpose for which it was collected, it is securely deleted or anonymised.

6. Security

We implement reasonable security practices and procedures as required by Section 43A of the Information Technology Act, 2000 and the SPDI Rules, 2011, including:

  • Encrypted HTTPS connections for all data transmission
  • Bcrypt hashing for all passwords (raw passwords are never stored)
  • Access controls and role-based permissions on the database
  • Regular security reviews of infrastructure and code
  • Sensitive financial data (bank accounts, PAN) stored encrypted at rest

In the event of a personal data breach, we will notify the affected Data Principals and the Data Protection Board of India within the timeframe prescribed by the DPDP Act, 2023 and applicable Rules.

7. Cookies

We use only essential session cookies required for platform functionality (authentication tokens, session state). We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. You may disable cookies in your browser settings; however, this will affect your ability to log in and use the Platform.

8. Children's Data

BrainSumo does not knowingly collect or process personal data of individuals under the age of 18. In accordance with Section 9 of the DPDP Act, 2023, we prohibit minors from registering. If we become aware that we have collected personal data from a person under 18, we will delete such data immediately and terminate the account.

9. Your Rights as Data Principal

Under the Digital Personal Data Protection Act, 2023 (Chapter III), you have the following rights:

  • Right to access (Section 11): You may request a summary of your personal data processed by us and information about the processing activities.
  • Right to correction and erasure (Section 12): You may request correction of inaccurate data and erasure of data that is no longer necessary, subject to legal retention obligations.
  • Right to grievance redressal (Section 13): You may file a grievance with our Grievance Officer. If unresolved, you may escalate to the Data Protection Board of India.
  • Right to withdraw consent: You may withdraw consent for processing at any time by contacting us. Withdrawal does not affect lawfulness of prior processing. Note that withdrawal may affect your ability to use certain Platform features.
  • Right to nominate (Section 14): You may nominate a person to exercise your rights in the event of death or incapacity.

To exercise any of these rights, contact our Grievance Officer at contact.brainsumo@gmail.com with the subject line "Data Principal Rights Request".

10. International Data Transfers

Your personal data is stored on servers located in Singapore (Koyeb cloud infrastructure). Transfers of personal data outside India are conducted in accordance with the DPDP Act, 2023 and applicable cross-border data transfer provisions. Our hosting provider is bound by contractual data processing agreements ensuring equivalent protection.

11. Grievance Officer

In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act, 2023, BrainSumo has designated a Grievance Officer to address data-related complaints.

Grievance Officer: BrainSumo Privacy Team

Email: contact.brainsumo@gmail.com

Acknowledgement: Within 24 hours of receipt

Resolution: Within 30 days of receipt

If your grievance is not resolved within 30 days, you may escalate to the Data Protection Board of India once it becomes operational under the DPDP Act, 2023.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or the regulatory environment. Significant changes will be communicated via email or a prominent platform notice at least 7 days before the change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

13. Contact

For privacy-related questions or to exercise your rights, contact us at contact.brainsumo@gmail.com.