BRASIBack to BRASI

Legal & data

Privacy Policy

BRASI is built on a single non-negotiable principle: your information belongs to you. This policy explains what we collect, how we protect it, and the rights you hold over it — in plain language.

Effective date: 1 May 2026Last reviewed: May 2026Version: 1.2
Privacy-first platformTrauma-informed designUser-controlled data
01

Introduction

BRASI Ltd (“BRASI”, “we”, “us”, or “our”) operates a trauma-informed, privacy-first survivor support and student wellbeing platform. We are the data controller for personal information processed through this platform.

This Privacy Policy explains what information we collect, why we collect it, how we protect it, and the rights you hold over your own data. It applies to all users of the BRASI platform, including students, survivors, service providers, and institutional partners.

Our core commitment

BRASI is built on a single non-negotiable principle: your information belongs to you. Privacy is not a feature we added — it is the architectural foundation on which the entire platform is built.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU GDPR. Our registered data protection lead can be contacted at privacy@brasi.io.

02

Information we collect

We collect the minimum information necessary to provide a safe, functional platform. We deliberately avoid collecting information that would allow us — or anyone else — to identify you without your explicit consent.

Information you provide

InformationPurpose
Private alias or usernameAllows you to maintain an account without disclosing your real identity. A real name is never required.
Email address (optional)Used only if you choose to enable account recovery or receive platform notifications. You can use BRASI without providing an email.
Journal entriesStored encrypted and accessible only to you. Never shared with any third party, institution, or BRASI staff without your explicit consent.
Support conversation contentEncrypted messages between you and a verified support provider. Inaccessible to BRASI staff, institutions, or third parties.
Provider application informationProfessional credentials, registration numbers, and verification documents submitted by providers during the vetting process.
Demo request informationInstitution name, contact details, and role submitted via the Request a Demo form. Used only to arrange the requested demo.

Information collected automatically

InformationHow it is used
Anonymised usage analyticsAggregate platform engagement data (page visits, feature usage) — never linked to individual accounts.
Session identifiersTemporary tokens to maintain secure sessions. Expire on logout or inactivity.
Device type / browserUsed to ensure platform compatibility. Not stored persistently or linked to identity.

What we deliberately do not collect

  • Real name, government-issued identification, or institutional student number
  • Precise geolocation or IP address (beyond basic spam prevention)
  • Biometric data of any kind
  • Social media profiles or external account data
  • Sensitive personal data beyond what you directly provide to a support provider
03

Anonymous usage

Anonymity is the default

You can use BRASI — including journaling, browsing verified providers, and accessing support resources — without providing any identifying information. A private alias is all that is required.

BRASI is intentionally designed so that you do not need to disclose your identity to benefit from the platform. This is not a simplified mode or a limited version — it is the full platform experience.

What anonymous usage means in practice

  • You choose your own private alias. It does not need to reflect your real name.
  • No institutional email or student ID is required at any point.
  • Your institution cannot determine whether you have a BRASI account.
  • Verified support providers see only the information you choose to share with them.
  • If you are enrolled through an institutional partner, your usage is never reported back to that institution.
  • You may contact support providers anonymously. Your real identity is only shared if you explicitly choose to provide it.

Optional identity disclosure

Some features — such as scheduling a formal appointment with a provider or receiving email confirmations — may require you to share additional information. These are always optional and are always clearly marked. You are never obligated to identify yourself to access core platform functionality.

04

How we use your information

We use information collected through BRASI only for the purposes described in this policy. We do not sell your data. We do not use it for advertising. We do not share it with commercial third parties.

PurposeLegal basis (UK GDPR)
Providing the journaling and support platformPerformance of contract (Article 6(1)(b))
Connecting you with verified support providersPerformance of contract (Article 6(1)(b))
Maintaining platform security and preventing misuseLegitimate interests (Article 6(1)(f))
Generating anonymised aggregate institutional insightsLegitimate interests (Article 6(1)(f)) — individual data is never used
Responding to demo and partnership enquiriesLegitimate interests (Article 6(1)(f))
Sending platform notifications (if opted in)Consent (Article 6(1)(a))
Complying with legal obligationsLegal obligation (Article 6(1)(c))

What we will never do

  • Sell or license your personal data to any third party
  • Use your journal entries or conversations for training AI systems
  • Share your information with your institution without your explicit consent
  • Use your data for advertising, profiling, or commercial purposes
  • Transfer your data to a country without adequate data protection unless safeguards are in place
05

Data protection & encryption

We use industry-standard security measures to protect your information at every layer of the platform. Our security architecture is designed so that even BRASI staff cannot access your private journal entries or support conversations.

Encryption

  • Journal entries are encrypted at rest using AES-256 encryption. Your encryption key is derived from your session credentials — BRASI does not hold it.
  • All data transmitted between your device and BRASI servers is protected by TLS 1.3.
  • Support conversations are encrypted in transit and at rest. Only the participants in a conversation can access its content.
  • Passwords (where applicable) are hashed using bcrypt with a per-user salt and are never stored in recoverable form.

Infrastructure security

  • All production infrastructure is hosted within the UK and EEA on SOC 2 certified cloud providers.
  • Access to production systems is restricted to named personnel with multi-factor authentication required.
  • Independent penetration testing is conducted at least annually by an accredited third-party security firm.
  • Security incident response procedures are documented and tested regularly.

ISO 27001 alignment

Our information security management practices are aligned with ISO/IEC 27001 standards. We are committed to achieving formal certification during 2026.

Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware, and will notify affected individuals without undue delay where required by law.

06

Your rights

Under UK GDPR and the Data Protection Act 2018, you hold the following rights over your personal data. We are committed to honouring these rights promptly and without unnecessary friction.

RightWhat it means
Right of accessYou may request a copy of all personal data we hold about you (a Subject Access Request). We respond within one calendar month.
Right to rectificationIf any information we hold about you is inaccurate or incomplete, you may request that we correct it.
Right to erasureYou may request that we permanently delete your account and all associated personal data. Deletion is completed within 72 hours with no backup retention.
Right to portabilityYou may request an export of your data in a structured, machine-readable format (JSON or CSV). This includes your journal entries and account information.
Right to restrictionYou may request that we restrict processing of your data in certain circumstances — for example, while a complaint is being investigated.
Right to objectYou may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to withdraw consentWhere processing is based on your consent (e.g. notifications), you may withdraw that consent at any time without affecting the lawfulness of prior processing.

How to exercise your rights

Submit any data rights request to privacy@brasi.io. We acknowledge all requests within 5 working days and complete them within one calendar month. There is no charge for exercising your rights.

Right to complain

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk  |  0303 123 1113. We would always encourage you to contact us first so we can attempt to resolve the issue directly.

07

Cookies & analytics

BRASI uses the minimum number of cookies necessary to provide a functional, secure experience. We do not use advertising cookies, behavioural tracking cookies, or third-party analytics that identify individuals.

Cookie typePurpose
Strictly necessarySession management, CSRF protection, and authentication state. These cannot be disabled as the platform cannot function without them.
PreferenceRemembers your accessibility or display preferences (e.g. text size). Set only if you adjust a preference setting.
SecurityRate-limiting and abuse prevention. Not used for tracking or profiling.

What we do not use

  • Third-party advertising cookies or tracking pixels
  • Google Analytics or any analytics service that processes personally identifiable data
  • Social media tracking or sharing cookies
  • Cross-site tracking or fingerprinting technologies

Platform analytics

We collect anonymised, aggregate analytics about how the platform is used — for example, which support categories are most browsed, or overall session duration distributions. This data is never linked to individual accounts and cannot be de-anonymised. It is used solely to improve the platform experience.

08

Institutional access limitations

Critical privacy boundary

If you access BRASI through an institutional partner (e.g. your university), your institution has no access to your individual data — not your journal entries, not your support conversations, not your identity, not your usage history. This is a hard architectural constraint, not a policy choice.

What institutional partners can access

Institutional partners receive access to an anonymised, aggregate dashboard only. This shows platform-level engagement metrics — such as total active users (count only) and broad usage trends — with no ability to drill down to individuals.

  • Aggregate count of platform activations during a given period
  • Broad usage trend data (e.g. "support category browsing increased this term")
  • Platform availability and incident status information

What institutional partners cannot access

  • Your journal entries, notes, or private records — under any circumstances
  • Your support conversations or message content
  • Your real identity, name, or any information that would identify you
  • Your specific usage history, session dates, or activity log
  • Which students from their institution are registered on BRASI
  • Anything that could link a BRASI account to a specific enrolled student

Architecture enforces this — not just policy

Institutional access restrictions are enforced at the database and API level. It is technically impossible for an institutional administrator to retrieve individual student data through the BRASI platform, regardless of their account permissions. This protection cannot be overridden by contract, request, or administrative action.

Legal demands and court orders

If we receive a lawful court order or statutory demand requiring us to disclose specific user data, we will comply with our legal obligations. Where we are legally permitted to do so, we will notify the affected user before disclosing. We will always challenge demands we believe to be unlawful, disproportionate, or beyond their stated scope.

09

Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. The table below summarises our retention periods by data category.

Data categoryRetention period
Account data (alias, email)Retained for the life of the account. Permanently deleted within 72 hours of an account deletion request.
Journal entriesRetained for the life of the account. Permanently deleted within 72 hours of a deletion request. No backup retention after deletion.
Support conversationsRetained for the life of the account unless deleted earlier by either participant. Permanently deleted within 72 hours of a full account deletion request.
Session tokensExpire on logout or after 24 hours of inactivity, whichever is sooner.
Anonymised analyticsRetained indefinitely in aggregate form. Cannot be linked to individual users.
Demo / partnership enquiriesRetained for 12 months from the date of enquiry, or until the enquiry is resolved, whichever is longer.
Provider verification recordsRetained for the duration of the provider's active listing plus 3 years, in accordance with safeguarding best practice.

Deletion is permanent

When you delete your account or request data erasure, your data is permanently and irreversibly removed from our systems within 72 hours. We do not retain backup copies of deleted user data. There is no recovery period or cooling-off delay — deletion is final.

10

Contact information

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to raise a concern about how we have handled your personal data, please contact us using the details below.

Data controller
BRASI Ltd
Data protection lead
privacy@brasi.io
Partnerships enquiries
partnerships@brasi.io
General contact
hello@brasi.io
Supervisory authority
Information Commissioner's Office (ICO) — ico.org.uk

We acknowledge all privacy-related correspondence within 5 working days and aim to resolve all queries within one calendar month. If your matter is urgent, please indicate this clearly in the subject line of your email.

Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email (if provided) and display a prominent notice on the platform for at least 30 days. The effective date at the top of this page will always reflect the most recent revision.

BRASI Ltd · Privacy Policy · Version 1.2 · Effective 1 May 2026

privacy@brasi.io