Privacy Policy
BRILLIANT LABS - PRIVACY POLICY
Date Last Updated: December 5, 2025
Brilliant Labs Pte. Ltd. (UEN: 202316146G), a company incorporated under the laws of Singapore (“Brilliant,” “Company,” “we,” “us,” or “our”), respects your privacy and is committed to safeguarding any information we collect from or about you.
This Privacy Policy, as amended from time to time (“Privacy Policy”), explains how Brilliant collects, uses, discloses, and protects information when you use our AI smart glasses (including Halo, Frame, Monocle, and successor models) (the “Devices”), embedded AI agents (including Noa), mobile applications, and web-based services (collectively, the “Products and Services”). This Policy applies to both data collected through hardware devices and data processed through our cloud-based platform.
Brilliant seeks to comply with general principles of privacy, many of which have been reduced to laws in various jurisdictions. This Privacy Policy describes your rights under applicable laws, including the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), and the Singapore Personal Data Protection Act of 2012 (PDPA) (“Applicable Laws”).
This Privacy Policy is a statement of principles and does not subject Brilliant to any jurisdiction that would not otherwise apply. Brilliant reserves all rights to object to application of any law to it as appropriate, and this Privacy Policy does not create in third parties any rights of enforcement.
This Privacy Policy is provided in a layered format so you can click through to the specific areas set out below.
1. [IMPORTANT INFORMATION AND WHO WE ARE]
2. [THE DATA WE COLLECT ABOUT YOU]
3. [HOW IS YOUR PERSONAL DATA COLLECTED?]
4. [HOW WE USE YOUR PERSONAL DATA]
5. [DISCLOSURES OF YOUR PERSONAL DATA]
6. [INTERNATIONAL TRANSFERS]
7. [DATA SECURITY]
8. [DATA RETENTION]
9. [YOUR LEGAL RIGHTS]
10. [EEA DATA SUBJECTS: YOUR RIGHTS UNDER THE EU GDPR]
11. [CALIFORNIA CONSUMERS: YOUR RIGHTS UNDER THE CCPA/CPRA]
12. [SINGAPORE USERS. YOUR RIGHTS UNDER THE SINGAPORE PDPA]
13. [GOVERNING LAW AND DISPUTE RESOLUTION]
- Important information and who we are
Purpose of this Privacy Policy
This Privacy Policy explains how Brilliant collects and processes your personal data through your use of our Products and Services, including our AI smart glasses, embedded AI agents, mobile applications, and web-based platforms.
It is important that you read this Privacy Policy together with any other privacy policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements other notices and privacy policies and is not intended to override them.
Our Products and Services, including this website, are intended for adults aged 18 and above. We do not knowingly collect personal data from anyone under 18 years of age, and any such data will be deleted once identified.
Controllers
Brilliant Labs Pte. Ltd. is the data controller responsible for personal information collected through the Products and Services.
We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details
If you have any questions about this Privacy Policy or our privacy practices, please contact our DPO at hello@brilliant.xyz
You also have the right to make a complaint at any time to the data protection authority in your jurisdiction, though we would appreciate the opportunity to address your concerns first.
Third-party links
Our Products and Services may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites, plug-ins, or applications and are not responsible for their privacy practices or statements. When you leave our website or use a third-party application, we encourage you to review the privacy policy of every website or application you interact with.
- The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect only the information necessary to deliver and improve our Products and Services, to communicate with you, to ensure system functionality and security, and to prevent misuse or fraud. Personally identifiable information may include data you provide to us, data generated through your use of the Products and Services, and data received from third parties who support our operations.
Data You Provide
Through your use of the Products and Services or creation of an account, you may provide personal data directly to us. This may include:
- Identity Data: name, username, and similar identifiers.
- Contact Data: billing address, email address, and telephone number.
- Credentials: account login information or authentication tokens.
- Content You Share: chat communications, uploaded images, recordings, or any media you choose to store or transmit through our applications.
- Financial and Transaction Data: payment-related information such as transaction details. Where applicable, payment card data may be processed directly by our authorized third-party payment providers; we do not store card details.
- Biometric and Sensory Data: facial recognition, voice recognition, and other biometric or environmental inputs (for example, spatial mapping). This data is processed only when you enable the relevant feature, and where required by law, we obtain your explicit consent before any biometric processing.
- Any other information you choose to submit.
Data Generated Through Your Use of the Products and Services
We and our service providers may automatically collect information about how you access and use our Services through cookies, web beacons, and similar technologies. This includes:
- Technical and Device Data: IP address, device identifiers, operating system, browser type and version, firmware version, battery status, connectivity data, crash logs, diagnostic data, and general geolocation.
- Usage and Interaction Data: session statistics, browsing history, page views, clicks, gestures, gaze tracking, and commands or voice inputs captured through the Device interface.
- Visual, Audio, and Environmental Data: recordings, images, or sound captured by the Device that enable features such as context-aware assistance, object recognition, speech transcription, or language translation.
- Log Information: pages visited, interaction times, error reports, and related analytics that help ensure the Services function properly.
For example, the Halo Device may collect gaze direction and gesture information to support hands-free control, while Frame may process contextual environmental data to display relevant information through its heads-up interface.
Most web browsers accept cookies automatically, but you can adjust your settings to refuse or delete them. Some features may not operate correctly if cookies are disabled. For more about cookies and similar technologies, see Cookies and tracking technologies in Section 3. If we publish a standalone Cookie Policy in the future, that policy will apply and is incorporated by reference.
Data Received from Other Sources
We may receive limited personal data from our partners and vendors who assist in providing or securing our Services, such as analytics, marketing, and payment service providers. These parties may supply technical or aggregated usage data to help us maintain system performance and optimize user experience.
Aggregated and Anonymized Data
We also create and use Aggregated Data such as statistical or demographic information for analysis and improvement of our Products and Services. Aggregated Data is not treated as personal data unless it can be used to identify you.
Visual, Audio, and Environmental Data and Bystander Data
Our Devices are equipped with cameras, microphones, and other sensors that may capture images, audio, or environmental information as part of normal operation. This includes speech inputs, environmental sounds, and contextual images that support features such as real-time translation, scene understanding, and AI-based interaction.
You can disable recording or mute microphones at any time through the Device or companion application settings. Where supported by hardware, the Device provides visual or audio indicators when a camera or microphone is active. You are responsible for ensuring that your use of recording and sensing features complies with all applicable recording and surveillance laws. Capturing or sharing the personal information, images, or voices of others without consent may violate privacy or data-protection requirements in your jurisdiction.
When using Halo or other Devices with the Noa AI Assistant, Brilliant may collect audio or visual data through the Device’s microphones and cameras. This may include voice inputs, ambient sound when the Device is activated, or images captured in response to your explicit requests. Audio and video data are collected only when you activate Noa by voice or touch command unless you have enabled the optional Memory mode described below.
When used in public or shared environments, recordings may incidentally capture other individuals. You remain responsible for ensuring your use of these features complies with local law, including obtaining consent where required.
Ambient Memory Capture (Optional Feature)
Certain Devices include an optional “Memory” feature that, only when you explicitly enable it, may continuously or intermittently capture ambient audio, visual, and sensor data such as microphone input, camera frames, inertial readings, and contextual environmental signals. This functionality operates solely when activated by you and may be paused or disabled at any time through the Device or companion application settings.
Any ambient data collected is processed strictly in accordance with this Privacy Policy and subject to your privacy controls. Processing occurs locally on the Device wherever possible, or under secure encryption when transmission to Brilliant’s servers is necessary to deliver the feature. Bystander or incidental content captured in ambient mode is handled under the same filtering, access-control, and deletion measures described in Section 7 (Data Security) and Section 8 (Data Retention).
You are responsible for ensuring that your use of ambient capture features complies with all applicable recording and surveillance laws in your jurisdiction.
AI-Generated Memory and Personal Profiles
Some Devices include embedded AI memory systems, such as Noa’s Narrative Memory, that provide personalized responses and recall context from prior interactions. These systems generate short summaries or “memories” from user input or environmental context to improve continuity and relevance in future interactions. Ambient Memory Capture, when enabled, may provide input for this feature.
Memories are processed locally on your Device or stored in encrypted form within your account. You may view, delete, or reset them at any time through your account settings. When you delete your account, related memories are automatically erased within 30 days.
Memories exist solely to support personalization and contextual recall. You may delete individual memories or your entire memory profile at any time using the available privacy controls. Brilliant does not retain raw audio, video, or full transcripts beyond the immediate processing required to provide a feature. Summarized memory data is stored privately in encrypted form and remains under your full control.
Biometric and Behavioral Data
To enable contextual AI functions, Devices may temporarily analyze certain biometric or behavioral information, such as facial expressions, voice patterns, gestures, or movement. This data is processed in real time to interpret intent and enhance responsiveness, but it is not used for identification or authentication, and no biometric templates or permanent identifiers are stored.
Halo’s AI features may process limited biometric and behavioral characteristics, including:
• Voice characteristics and speech patterns for transcription and natural language processing.
• Emotional tone and sentiment analysis derived from audio input.
• Visual cues and facial expressions analyzed transiently for context understanding (without generating biometric identifiers).
• Movement and orientation data collected from the 6-axis IMU sensor to support navigation and stability.
• Tap patterns and gesture interactions used to operate Device functions.
Important: Brilliant does not create, store, or maintain biometric identifiers such as faceprints or voiceprints for identification purposes. Biometric analysis is performed exclusively to support AI functionality and is not used to uniquely identify individuals within Brilliant’s systems.
Hardware Sensor Data
The Device may collect information from onboard sensors such as accelerometers, gyroscopes, optical depth sensors, and battery monitors to maintain stability, calibration, and performance. This data is processed locally on the Device where possible and is not used to track movement or behavior outside the intended functionality. For example, the 6-axis IMU supports orientation, tap detection, and gesture recognition.
If You Fail to Provide Personal Data
If you do not provide personal data that we need by law or under a contract with you, we may be unable to perform that contract or deliver the relevant Products or Services. In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
- How is your personal data collected?
We use different methods to collect data from and about you including through:
- Direct interactions. You may provide data to us directly when you:
- purchase a Product or Service;
- create an account on our website or companion app;
- activate or register your Device;
- subscribe to newsletters or updates;
- request technical support or customer service; or
- communicate with us by email or other channels.
This information may include your Identity, Contact, Financial, and Account data, as well as any content you submit, such as messages, recordings, or media shared through our platforms.
- Device-Based Collection. Data may also be collected directly from your Device during use, including audio, video, and sensor data processed by built-in components. These inputs are used only to provide requested functionality, such as AI assistance, translation, or contextual awareness. Where supported, visual or audio indicators will activate when sensors are recording or transmitting data.
- Mobile Application Data. Our cross-platform mobile application (iOS and Android) collects:
- Device information (operating system, app version, device model, unique device identifiers)
- Location data (if you grant permission) for context-aware features and local search
- Account credentials and authentication tokens
- App usage analytics, feature interactions, and performance data
- Bluetooth connection logs for device pairing and communication
You can manage location permissions and other data collection settings through your mobile device settings and within the app's privacy controls.
- Automated Data Collection. When you use our Products or Services, certain data is automatically collected to ensure functionality, security, and performance. We collect this data through cookies, trackers, server logs, and other similar technologies. When we deliver firmware or over-the-air updates, diagnostic information and device identifiers may be transmitted temporarily to verify compatibility and confirm installation.
Automatically collected data may include:
- Usage and Technical Data, such as session statistics, browsing history, clicks, system logs, and diagnostic information.
- Device and Sensor Data, such as firmware version, connectivity logs, crash reports, and battery or hardware status.
- Voice, Image, and Camera Data collected from the Device to enable features like real-time assistance, translation, or contextual search.
- Environmental and Bystander Data that may be incidentally captured by Device sensors during normal operation (see Section 2).
We use this data to personalize your experience, enhance AI interactions, maintain system security, and prevent misuse or fraud. For more details on cookies and trackers, see Cookies and tracking technologies below. If we publish a standalone Cookie Policy in the future, that policy will apply and is incorporated by reference.
- Data from Third Parties and External Sources. We may receive personal data from third-party sources, including:
- Analytics Providers such as Google Analytics and HubSpot (both based in the United States);
- Advertising Networks such as Google Ads and Meta Ads (both based in the United States);
- Search and Information Providers such as Bing and DuckDuckGo;
- Hosting, Cloud, and Backend Providers such as Amazon Web Services;
- Payment Processors that handle financial transactions on our behalf; and
- Marketing and CRM Platforms such as HubSpot CRM, Tag Manager, or Segment (Twilio).
We may also obtain limited information from publicly available sources such as social-media profiles, company websites, and government registers.
Cookies and tracking technologies
We use cookies, SDKs, and similar technologies to operate our sites and apps, remember your settings, measure performance, and improve features. In the EEA and UK, we use non-essential cookies only with your consent. You can change your preferences at any time through our cookie banner or settings, or by adjusting your browser or device controls. If we publish a separate Cookie Policy later, it will provide additional detail on cookie types, purposes, durations, and how to manage your choices, and it will form part of this Privacy Policy by reference.
- How we use your personal data
We will only use your personal data when the law allows us to. We will not use personal data for purposes beyond those stated in this Privacy Policy unless we have obtained consent or where an exception under Applicable Laws applies.
Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
The following sets out the types of lawful basis on which we rely to process your personal data:
- Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
- Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
- Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
Generally, we do not rely on consent as a legal basis for processing your personal data, except where required by law, such as when sending third-party marketing communications by email or text message. You may withdraw your consent to marketing at any time by contacting us.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
| Purpose / Activity | Type of Personal Data | Lawful Basis for Processing (including legitimate interests) |
| --- | --- | --- |
| To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you |
| To process and deliver your subscription, including managing payments, fees, and charges, and collecting outstanding amounts | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Legitimate interests (to manage billing and ensure timely payment) |
| To provide, administer, and maintain our Products and Services, including account setup, user authentication, troubleshooting, and support | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile | (a) Performance of a contract with you (b) Legitimate interests (to deliver and support Products and Services efficiently) |
| To enable and personalize on-device AI features, such as real-time assistance, translation, contextual search, and interactive responses | (a) Usage (b) Technical (c) Device and Sensor (d) Visual and Audio (e) Interaction | (a) Performance of a contract with you (b) Legitimate interests (to provide AI-driven functionality and improve user experience) |
| To process commands locally where feasible, and in the cloud only when necessary | (a) Technical (b) Usage (c) Device and Sensor | Legitimate interests (to preserve privacy, improve performance, and reduce unnecessary transmission of personal data) |
| To use voice, image, and camera data from the Device to assist in enhancing AI interactions and user functionality | (a) Visual and Audio (b) Interaction (c) Usage | (a) Performance of a contract with you (b) Legitimate interests (to improve AI feature quality and personalization) |
| To train, test, and improve our AI and machine learning models using de-identified or aggregated data | (a) Usage (b) Technical (c) Aggregated | Legitimate interests (to improve and develop AI systems responsibly while maintaining privacy). (Note: We do not use User Content from Enterprise Customers for this purpose without express written consent). |
| To communicate with you about your account, updates, service notices, policy changes, and customer feedback. | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you (b) Legal obligation (c) Legitimate interests (to keep records current and maintain customer engagement) |
| To communicate with you, including to send you information about our Products, Services, and events | (a) Identity (b) Contact (c) Communication Information | (a) Performance of a contract with you (b) Legitimate interests (to inform you about relevant features or updates) (c) Consent (for marketing where required by law) |
| To conduct analytics and research, improve performance, and develop new features and capabilities | (a) Technical (b) Usage (c) Profile (d) Aggregated | Legitimate interests (to analyze trends, enhance service performance, and develop our business) |
| To prevent fraud, illegal activity, or misuse of our Services, and to protect the security of our systems, users, and assets | (a) Identity (b) Contact (c) Technical (d) Usage (e) Device and Sensor (f) Communication Information | (a) Legal obligation (b) Legitimate interests (to protect the integrity and security of our Services and users) |
| To conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities and manage compliance risks | (a) Identity (b) Technical (c) Usage (d) Aggregated | (a) Legal obligation (b) Legitimate interests (to assess and mitigate privacy risks proactively) |
| To comply with legal obligations and protect the rights, privacy, safety, or property of our users, Brilliant, or third parties | (a) Identity (b) Contact (c) Transaction (d) Usage (e) Communication Information | Legal obligation |
| To administer and protect our business and website, including data analysis, testing, system maintenance, and network security | (a) Identity (b) Contact (c) Technical | (a) Legal obligation (b) Legitimate interests (to operate our business effectively and securely) |
| To deliver relevant website content and advertisements, and to measure the effectiveness of marketing campaigns | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Legitimate interests (to understand user preferences, tailor content, and improve marketing strategy) |
| To make suggestions and recommendations about our Products or Services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications | Legitimate interests (to develop our offerings and grow our business) |
| To comply with consumer data-access regulations | (a) Identity (b) Contact (c) Transaction (d) Technical | Legal obligation |
Environmental and Bystander Data
Environmental and bystander data, described in Section 2, are processed only to provide requested functionality such as real-time translation or contextual awareness. These data are filtered or deleted after the feature is delivered and are not retained or analyzed for unrelated purposes.
AI Features and Multimodal Processing
Our Devices and Services include artificial intelligence (“AI”) capabilities that process multimodal data, including text, voice, image, and environmental context, to generate responses, translations, and insights. Processing occurs primarily on the Device to protect privacy, with cloud transmission used only where additional computing resources are needed.
Certain features may rely on third-party model providers (such as OpenAI, Anthropic, or Whisper) to process anonymized or de-identified text and audio. These providers are contractually prohibited from using data for their own model training or unrelated purposes.
Users can manage AI feature preferences, including voice recognition, translation, and memory retention, through their Device or app settings.
No Professional Advice
The AI Assistant and other intelligent features are designed for general information and convenience. They do not provide medical, legal, financial, or other professional advice.
Transparency and Explainability
We aim to ensure that users understand when and how AI processing occurs. Devices include visual or audio indicators when cameras or microphones are active, and users are notified when AI features such as voice or image processing are engaged.
Scope of AI Assistant and Limitations
Brilliant’s AI Assistant and related artificial intelligence features are designed to provide contextual support, translation, and real-time assistance based on user input and environmental data processed through the Device. The AI Assistant is not a general-purpose recording tool and does not store or transmit full recordings of your surroundings beyond immediate processing.
All processing is limited to the functions necessary to deliver requested services and improve system performance, in accordance with this Privacy Policy.
The AI Assistant does not provide medical, legal, financial, or other professional advice, and any outputs should not be relied upon as such.
AI-Generated Content
Outputs generated by the AI Assistant are based on real-time processing of user input and environmental context. Brilliant does not claim ownership of such content but may retain de-identified usage statistics for feature improvement. Users remain responsible for the content they create or share using the Devices.
On-Device vs Cloud Processing
Brilliant processes data on the Device by default whenever feasible to minimize transmission of personal information. The Devices include embedded neural processors that handle speech, image, and sensor data locally wherever technically feasible.
Certain functions that require greater computational capacity or model access, such as language translation, contextual search, or retrieval-based responses, may temporarily transfer de-identified data to secure cloud servers operated by Brilliant or its service providers.
These transfers occur only when necessary to perform the requested feature, are encrypted during transfer, and are deleted once processing is complete. We do not record or store raw audio or video beyond immediate processing needed to provide a feature. Where cloud processing is required, we transmit only the minimum data needed, protect it in transit, and delete it after processing.
Third-Party Processors and Model Training
When providing AI functionality, Brilliant may use specialized third-party processors (for example, natural-language or vision-processing services). These processors act solely on Brilliant’s instructions and are contractually prohibited from using any data for their own purposes.
Data used to enhance or train Brilliant’s own AI models is aggregated or de-identified before analysis. Brilliant does not use identifiable personal information to train third-party AI models. Furthermore, Brilliant does not use User Content from Enterprise Customers to train its own general AI models without such customers’ express written consent.
Subscription and Usage Monitoring
For paid features such as Noa Plus, we process subscription and billing data to manage account entitlements, usage limits, and payment history. Usage analytics may be used to monitor service performance and detect fraudulent or abusive activity.
Marketing
Brilliant may contact you about updates, new features, or products that may interest you. You can opt out of marketing messages at any time by following the unsubscribe instructions in our communications or by contacting us directly.
For users in the EEA and UK, we will obtain your explicit consent before sending direct marketing communications. You have the right to object at any time to the processing of your personal data for direct marketing purposes.
Advertising and analytics
We use services such as Google Ads, Meta Ads, Google Analytics, HubSpot, and other providers to help us measure and improve the effectiveness of our communications. These services may use cookies and similar technologies. For more details or to manage your preferences, please review our [Cookie Policy].
U.S. state privacy choices
Where required by applicable U.S. state laws, you may opt out of targeted advertising and of the sale or sharing of personal information. We do not currently sell or share personal information as defined under applicable U.S. privacy laws. If this changes, we will provide a clear and accessible method to opt out, including a “Do Not Sell or Share My Personal Information” link, and will update this Privacy Policy accordingly. We process browser-based opt-out preference signals, such as Global Privacy Control, as required by law.
Change of purpose
We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that another use is compatible with those purposes. If we need to use your data for a materially different purpose, we will notify you and explain the applicable legal basis.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
- Disclosures of your personal data
Brilliant does not disclose users’ personal data to third parties except in the limited circumstances described below. We may disclose personal data: (a) where required to comply with applicable laws or regulations; (b) where we have a duty to disclose; (c) where our legitimate business interests require disclosure; (d) in accordance with our Terms of Service; (e) for safety and security purposes; (f) in connection with business changes, such as a merger, acquisition, bankruptcy, dissolution, reorganization, or sale of assets; (g) to service providers assisting in delivering or improving our Products and Services; or (h) at your direction or with your consent, or as otherwise described in this Privacy Policy.
Vendors and Service Providers
We may disclose personal data to vendors and service providers who support our business operations, such as payment processors, hosting providers, analytics partners, and customer-support platforms. These parties access and process data only on our instructions and solely to perform their contractual duties for Brilliant.
A representative list of processor categories is available on our website or upon request, and may include hosting, analytics, model hosting, content delivery, customer support, payment processing, and security services.
Third-Party AI and Language Model Providers
Some AI features rely on external providers such as OpenAI, Anthropic, Whisper, and Perplexity. These processors handle text or audio inputs solely for the purpose of generating responses requested by the user. They are bound by contractual restrictions that prohibit using or storing data for their own model training or unrelated commercial purposes.
Developer Access and Third-Party Applications
Brilliant provides an open-source software environment and SDK documentation that enables approved third-party developers to build applications and integrations for our Devices. Some Devices use open-source components, and approved third-party applications may interact with our Products through documented interfaces.
Brilliant does not currently operate a public developer marketplace or provide general access to user data. Access for approved developers, where applicable, is limited to integrations that meet Brilliant’s privacy and technical requirements. All developer access is permission-based, limited to the minimum necessary for functionality, and governed by contractual and technical safeguards.
Third-party applications are governed by their own privacy policies. Brilliant is not responsible for the data practices of independent developers or external services.
Business Transfers
If Brilliant is involved in a business transaction such as a merger, acquisition, or sale of assets, your personal data may be disclosed during due diligence and transferred to the successor entity as part of that transaction.
Open-Source Hardware and Software
Brilliant’s firmware and selected software components are open-source and published through official Brilliant GitHub repositories linked from our developer documentation. This Privacy Policy applies only to official Brilliant builds and services. Installing modified, unofficial, or third-party firmware may alter how data is processed, and Brilliant cannot ensure compliance with this Policy in those cases.
Government Authorities and Legal Requirements
We may share personal data with government authorities or other third parties as required by law or in good-faith belief that such disclosure is necessary to: comply with legal obligations; protect and defend Brilliant’s rights or property; enforce our terms; prevent fraud or abuse; ensure the safety of our users or the public; or protect against legal liability.
Advertising and Analytics
While Brilliant does not currently engage in targeted advertising, we may use analytics providers to help us understand how users interact with our Products and Services. If Brilliant later introduces advertising, we will update this Policy and seek appropriate consent where required.
Transfers Directed or Permitted by You
We may disclose your personal data to third parties at your request or with your explicit consent.
Non-Identifiable or Aggregated Data
Where permitted by law, Brilliant may use or disclose information that does not personally identify you for any purpose. If we combine non-identifiable information with identifiable data, we treat the combined information as personal data while it remains combined.
Data Protection Measures
Noa acts as a privacy-preserving intermediary between you and these AI providers:
• Data is transmitted through encrypted connections
• We do not include personally identifiable information when not necessary for query context
• Where possible, we negotiate data processing agreements that limit how providers may use your data
• You can review and manage which AI providers Noa uses through your privacy settings
Important: Each AI provider operates independently with their own privacy policies and data practices. We encourage you to review their policies to understand how they handle your data. We select providers that demonstrate strong privacy commitments, but we cannot control their data processing practices.
- International transfers
We operate globally and may transfer your personal data to countries outside of your country of residence, including outside the United States, the European Economic Area (EEA), and the United Kingdom (UK). This includes sharing your personal data with our affiliates and service providers, who may be located in other countries. These countries may have different data protection laws from those in your jurisdiction. Whenever we transfer your personal data internationally, we take steps to ensure it is treated securely and in accordance with this Privacy Policy and applicable law. Where an Enterprise Customer has negotiated specific data residency or localization requirements in a separate agreement, we will process and store data in accordance with those agreed-upon terms.
For residents of the United States, your personal data may be processed outside your state or country of residence as described in this policy.
For residents of the EEA and UK, whenever we transfer your personal data internationally, we ensure a similar level of protection is applied by implementing appropriate safeguards, which may include:
- Transferring personal data to countries that have been deemed to provide an adequate level of protection by the European Commission or UK Government.
- Using specific contracts approved by the European Commission or UK Government (such as Standard Contractual Clauses) that ensure personal data receives equivalent protection.
For transfers of personal data originating from Singapore, we ensure that such transfers comply with the Singapore Personal Data Protection Act (PDPA) by taking appropriate steps to ascertain that the recipient of the personal data outside Singapore is bound by legally enforceable obligations to provide a standard of protection to the personal data that is at least comparable to the protection under the PDPA. This may include, but is not limited to, relying on contractual clauses, binding corporate rules, or other recognized transfer mechanisms.
If you would like further information about how we protect your personal data during international transfers, please contact us.
Where required, we conduct and retain transfer risk assessments for international transfers.
- Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- For users in the European Economic Area or the UK, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach where required under the GDPR, and inform affected individuals without undue delay if the breach is likely to put their rights or personal interests at significant risk.
- For California residents, we will notify affected individuals, and if required, the California Attorney General, in the most expedient time possible and without unreasonable delay, consistent with California law.
- For users in Singapore, we will notify the Personal Data Protection Commission (PDPC) and affected individuals as soon as possible, and always within three days of determining that the breach is notifiable under the PDPA.
Handling of Environmental and Bystander Data
Brilliant applies privacy-by-design measures to limit the incidental capture of bystanders and surrounding environments. Whenever possible, data processing occurs locally on the Device rather than in the cloud. Users may disable or mute cameras, microphones, or sensors at any time through Device or app settings. Any incidental data that is captured is protected through strict access controls and is deleted once it is no longer required to perform the intended function.
Device loss safeguards
Where supported, users can sign out remotely or initiate remote wipe of cached data associated with their account if a Device is lost or stolen.
- Data retention
How long will you use my personal data for?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. In general, this means we keep data for as long as you maintain an account with us or as needed to provide you with our services, and for a period after that where required for legal or operational reasons. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. For Enterprise Customers, data retention and deletion periods may be governed by the specific terms of the applicable enterprise master services agreement or addendum.
By law, we are required to keep basic information about our customers (including Contact, Identity, Financial, and Transaction Data) for a period required by applicable tax and legal obligations after they cease being customers.
In some circumstances you can ask us to delete your data: see [your legal rights] below for further information.
In some circumstances we will anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Retention and Deletion of AI “Memory” Data
Brilliant retains personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, including any legal, accounting, or reporting obligations.
For AI-generated “memory” or contextual data, such as summaries or compressed representations created by the AI Assistant, Brilliant uses technical and organizational measures to ensure that raw media, such as audio or video, are not retained beyond the immediate processing needed to provide a feature. After processing, these data are converted into non-reversible vector or summary forms that cannot reconstruct the original media.
Memories are stored privately in encrypted form and remain under your control. You can view or delete stored memories at any time through your device or account settings. Unless you choose otherwise, older memories may be periodically overwritten or anonymized to maintain system performance and privacy.
- Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
You may request an export of your personal data, including available memory representations associated with your account, in a commonly used machine-readable format, subject to technical feasibility.
You have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain applications or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out in this Privacy Policy, please contact our DPO at hello@brilliant.xyz.
Verification Process: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Any personal information we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification. We may also contact you to ask for further information in relation to your request to speed up our response.
Response Time: We try to respond to all legitimate requests within one month. Occasionally, it could take us longer if your request is particularly complex or you have made a number of requests. In such cases, we will notify you and keep you updated.
User Controls and Data Rights
You may access, correct, or delete your personal data at any time, including any stored memory or contextual information generated by your Device. You can exercise these rights through the Device settings, the companion mobile application, or by submitting a request through our Data Rights Portal.
You may disable sensors, including the camera and microphone, at any time using device controls, voice commands, or a physical power switch where available. You can also pause processing for specific features through Device or app settings.
Brilliant will respond to verified requests within the time required by applicable laws and will not discriminate against users who choose to exercise their privacy rights.
- EEA Data Subjects: Your Rights Under the EU GDPR.
As an EEA (European Economic Area) data subject, you have specific rights under the EU General Data Protection Regulation (EU GDPR). These rights are in addition to the general legal rights outlined in Section 9 ("Your Legal Rights") and are specifically tailored to the GDPR framework.
For further detailed information on each of these rights, including the circumstances in which they apply, please refer to the guidance from the UK Information Commissioner's Office (ICO) on individual rights under the EU General Data Protection Regulation.
Summary of Your GDPR Rights:
The following table summarizes your rights under the EU GDPR:
| Right | Description |
|---|---|
| Right to Be Informed | The right to know or be notified about the collection and use of your personal information |
| Right to Access | The right to be provided with a copy of your personal information (the right of access) |
| Right to Rectification | The right to require us to correct any mistakes in your personal information |
| Right to be Forgotten | The right to require us to delete your personal information—in certain situations |
| Right to Restriction of Processing | The right to require us to restrict processing of your personal information—in certain circumstances, e.g., if you contest the accuracy of the data |
| Right to Data Portability | The right to receive the personal information you provided to us, in a structured, commonly used, and machine-readable format and/or transmit that data to a third party—in certain situations |
| Right to Object | The right to object: (a) at any time to your personal information being processed for direct marketing (including profiling); (b) in certain other situations to our continued processing of your personal information, e.g., processing carried out for our legitimate interests |
| Right Not to be Subject to Automated Individual Decision-Making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
EEA Data Subjects: Transferring Your Personal Information Out of the EEA. As detailed in Section 6 ("International Transfers"), it is sometimes necessary to share your personal information outside the EEA to provide services to you. This may occur when we share data with our offices or service providers located outside the EEA, or if you are based outside the EEA. These transfers are subject to special rules under European and UK data protection law. We will ensure the transfer complies with data protection law and all personal information will be secure. Our standard practice is to use standard data protection contract clauses that have been approved by the European Commission.
Keeping Your Personal Information Secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
EEA Data Subjects: How to File a GDPR Complaint. We hope that we can resolve any query or concern you raise about our use of your information. The GDPR also grants you the right to lodge a complaint with a supervisory authority in the European Union (or EEA) state where you work, normally live, or where any alleged infringement of data protection laws occurred. For contact details of the relevant supervisory authority in your country, please visit the European Data Protection Board's website: [https://edpb.europa.eu/about-edpb/about-edpb/members_en]
- California Consumers: Your Rights Under the CCPA/CPRA.
You have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge:
| Right | Description |
|---|---|
| Disclosure of Personal Information We Collect About You | You have the right to know, and request disclosure of: Please note that we are not required to: |
| Disclosure of Personal Information Sold, Shared, or Disclosed for a Business Purpose | In connection with any personal information we may sell, share, or disclose to a third party for a business purpose, you have the right to know: You have the right to opt-out of the sale of your personal information or sharing of your personal information for the purpose of targeted behavioral advertising. If you exercise your right to opt-out of the sale or sharing of your personal information, we will refrain from selling or sharing your personal information, unless you subsequently provide express authorization for the sale or sharing of your personal information. To opt-out of the sale or sharing of your personal information, click on the Do Not Sell or Share My Personal Information link here: [URL]. |
| Right to Limit Use of Sensitive Personal Information | You have the right to limit the use and disclosure of your sensitive personal information to the use which is necessary to: You have a right to know if your sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. To limit the use of your sensitive personal information, click on the "Limit the Use of My Sensitive Personal Information" link here: [URL]. |
| Right to Deletion | Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will: Please note that we may not delete your personal information if it is reasonably necessary to: |
| Right of Correction | If we maintain inaccurate personal information about you, you have the right to request us to correct that inaccurate personal information. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate personal information. |
| Protection Against Retaliation | You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things: Please note that we may charge a different price or rate or provide a different level or quality of products and/or services to you, if that difference is reasonably related to the value provided to our business by your personal information. We may also offer loyalty, rewards, premium features, discounts, or club card programs consistent with these rights or payments as compensation, for the collection of personal information, the sale of personal information, or the retention of personal information. |
- Singapore Users: Your Rights Under the Singapore PDPA
- Right of Access – you may request access to your personal data and information on how it has been used or disclosed in the past year.
- Right of Correction – you may request that we correct any errors or omissions in your personal data.
- Right to Withdraw Consent – you may withdraw consent that you previously gave, subject to legal or contractual restrictions.
- Right to Data Portability – you may request a copy of your personal data in a commonly used machine-readable format and have it transmitted to another organisation, where this right applies under the Singapore PDPA.
These rights are subject to exemptions under the Singapore PDPA.
- Governing Law and Dispute Resolution
The governing law and dispute resolution provisions applicable to this Privacy Policy are set forth in our Terms of Service. All disputes arising in connection with this policy shall be handled in accordance with the arbitration and jurisdiction provisions stated therein.
Brilliant will notify users of any material updates to this Privacy Policy, including those related to new AI capabilities or developer integrations, before such changes take effect.
Brilliant Labs - Data Processing Agreement
Date Last Updated: December 5, 2025
This Data Processing Agreement and its Annexes (“DPA”) is incorporated into and part of the Terms of Service ("TOS") (as defined below) between the Controller and Processor (collectively, the "Parties"). This DPA reflects the parties' rights and obligations with respect to Personal Data processed as part of the Services (all as defined below). In the event of a conflict between the terms of this DPA and the TOS with respect to the subject matter herein, the terms of this DPA govern. Any prior data protection agreements between the Parties are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the TOS. This DPA forms part of the Brilliant Labs Terms of Service and Privacy Policy. In the event of any conflict, the terms of this DPA prevail solely with respect to data protection obligations.
1. Definitions. For the purposes of this DPA, the following terms shall have the meanings specified below:
- "Breach Event" means any incident where security is compromised, resulting in unintentional or illegal destruction, misplacement, modification, or unauthorized sharing or access to Personal Data that has been transmitted, stored, or otherwise processed.
- "Controller" means the customer who is accessing and using the Services.
- "Data Privacy Laws" means all applicable data protection and privacy laws, regulations, codes, and regulatory requirements relating to the collection, use, disclosure, or other processing of Personal Data, as applicable to either party or the Services. This includes, without limitation, EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), the Singapore Personal Data Protection Act of 2012 (PDPA), and other applicable laws.
- "Data Subject" refers to the identified or identifiable natural person whose Personal Data is processed.
- “Enterprise Customer” means a User who accesses or uses the Product and Service for commercial business purposes pursuant to a separate written agreement with Company (such as a master services agreement, enterprise addendum, or similar business contract) or who has been expressly designated by the Company in writing as an enterprise account.
- "Personal Data" refers to any information that is tied to an identified or identifiable natural person (Data Subject) that is protected as personal data, personal information, or personally identifiable information under applicable Data Privacy Laws.
- "Personnel" refers to the employees or other individuals who are in a contractual relationship with the Processor, including employees or other individuals who are in a contractual relationship with the Sub-Processor.
- "Processing" means actions performed by the Processor on the Personal Data whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means Brilliant Labs Pte. Ltd. (UEN: 202316146G), a company incorporated in Singapore, and its affiliates (collectively, "Brilliant"). For clarity, this DPA applies only where Brilliant processes Personal Data on behalf of a Controller as part of its enterprise or developer services.
- "Services" means any products or services provided by the Processor pursuant to the TOS.
- "Subprocessor" or "Subcontractor" refers to any third party appointed by the Processor to assist in fulfilling its obligations in providing Services to the Controller.
2. Purpose. The purpose of this DPA is to define the conditions under which the Processor shall process Personal Data on behalf of the Controller. This DPA applies only to enterprise or developer integrations where Brilliant acts as a data processor for the Controller. For consumer use of Brilliant’s devices or applications, Brilliant acts as a data controller, and processing is governed by the Privacy Policy.
3. Compliance with Laws. The Processor warrants that any Processing activities performed on behalf of the Controller will be conducted in accordance with all applicable Data Privacy Laws. The Processor must notify the Controller if it is no longer able to meet its obligations under applicable Data Privacy Laws.
The Controller has sole responsibility for the quality and accuracy of the Personal Data and how it acquired such data. The Controller is also responsible for complying with transparency and consent requirements for the collection, use, and transfer of the Personal Data under applicable Data Privacy Laws.
4. Ownership of Data. All Personal Data processed by the Processor in performing the Services shall remain the property of the Controller.
5. Duration of Processing. Processing obligations under this DPA will run until the end of the Processor's provision of Services to the Controller.
6. Types of Data. The Processor will process the categories of Personal Data provided by the Controller as set forth in Schedule 1.
7. Instructions for Processing. The Processor shall only process Personal Data in accordance with this DPA, including specific instructions set forth in Schedule 2, except where otherwise required by applicable law (and in such a case, shall inform the Controller of that legal requirement before processing, unless applicable law prevents it from doing so on important grounds of public interest). The Processor shall immediately inform the Controller if any instruction relating to the Personal Data infringes or may infringe any Data Privacy Laws.
AI Processing Notice
Brilliant shall not use identifiable Personal Data for AI model training without explicit authorization from the Controller. Brilliant may, however, use aggregated or de-identified data to train, test, or improve its AI systems and machine learning models in accordance with its Privacy Policy (provided that Brilliant shall not use Personal Data or User Content from Enterprise Customers for such purposes without express written authorization). Certain AI functions may involve third-party model providers (e.g., OpenAI, Anthropic, Whisper) under written data processing agreements restricting data use to the delivery of requested features. Brilliant warrants that its AI systems are designed and operated in accordance with responsible AI principles, including fairness, transparency, and accountability.
8. Data Subject's Rights. The Processor shall promptly notify the Controller of any requests from a Data Subject to exercise their rights under applicable Data Privacy Laws and shall assist the Controller in responding to a Data Subject's request as provided in the processing instructions, Schedule 2.
9. Data Protection Impact Assessments. The Processor shall assist the Controller in performing data protection impact assessments. At the Controller's request, the Processor shall provide all necessary information the Controller needs to meet their data protection assessment obligations, including but not limited to information about data transmittal, data storage, methods of processing, encryption, and data destruction.
10. Confidentiality. Both Parties agree to maintain the confidentiality of Personal Data and not to disclose such data except as expressly permitted under the terms of this Agreement. The Processor shall ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations.
11. Liability. The Parties agree to indemnify one another against any claims, including but not limited to damages and fines, arising out of their respective breaches of this Agreement. Each Party’s liability shall be determined in accordance with applicable Data Privacy Laws, including any obligations to indemnify for administrative fines or data subject claims arising from their respective breaches of such laws, subject to the limitations of liability under the TOS.
12. Data Security. The Processor shall, at all times, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk to protect the Personal Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. Such measures shall be at least equivalent to the technical and organizational measures set out in Schedule 3.
13. Breach Notification. The Processor shall notify the Controller without undue delay and, where feasible, within the timeframe required by applicable Data Privacy Laws (e.g., within 72 hours under the EU/UK GDPR, or within three (3) calendar days under the Singapore PDPA) of becoming aware of a Breach Event. The Processor will provide the Controller with all information reasonably available to assist the Controller in assessing the breach and in complying with its notification obligations under applicable Data Privacy Laws.
14. Limitations on Use. The Processor shall not use or authorize the use of the Personal Data for any purpose other than those outlined in this Agreement or for purposes other than performing its obligations under the TOS.
15. Subcontractor Requirements. The Processor may engage Subprocessors to process Personal Data on its behalf, provided that: (a) each Subprocessor is subject to obligations equivalent to those set out in this DPA, in accordance with applicable Data Privacy Laws; (b) the Processor shall notify the Controller in advance of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Controller the opportunity to object on reasonable grounds.
Brilliant may engage subprocessors, including hosting, analytics, and AI model providers such as Amazon Web Services, OpenAI, Anthropic, and Whisper, to support delivery of the Services. Each subprocessor is bound by a written agreement imposing data protection obligations equivalent to this DPA. A current list of subprocessors is available upon request.
16. International Data Transfers. Brilliant may transfer and process Personal Data in jurisdictions including Singapore, the United States, the European Economic Area, the United Kingdom, and other countries where Brilliant or its service providers operate. All such transfers shall be made pursuant to appropriate safeguards recognized under applicable law, such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms. For transfers from Singapore, Brilliant ensures compliance with Section 26 of the PDPA by implementing legally enforceable obligations to provide a comparable standard of protection. Brilliant conducts and maintains transfer risk assessments for cross-border data transfers as required by applicable Data Privacy Laws.
17. Destruction or Return of Data. Brilliant shall securely delete or return Personal Data within 30 days of the Controller’s request or termination of Services, except where retention is required by law. Data shall be retained only as long as necessary to fulfill legal or operational requirements, consistent with the Privacy Policy. AI-generated contextual or memory data shall be anonymized or deleted within 30 days of account deletion. For further details on Brilliant’s data retention practices, including specific timelines and lawful bases for retention, please refer to our Privacy Policy.
18. Audits and Compliance. The Processor shall permit the Controller, or an independent auditor appointed by the Controller, to conduct audits or inspections with reasonable notice during regular business hours to ensure compliance with the terms of this DPA, and applicable Data Privacy Laws. The scope of the audit shall be limited by the Parties to the systems, procedures, and documentation relevant to the processing of Personal Data. The Processor agrees to provide the Controller with all necessary cooperation, access, and support to conduct such audits. The Parties shall consider the findings of any such audit confidential information subject to the terms of this agreement.
19. Recordkeeping Obligations. The Processor shall maintain records of processing activities carried out on behalf of the Controller as required under applicable Data Privacy Laws. Such records shall be made available to the Controller upon request within a reasonable period.
20. Governing Law and Dispute Resolution. This DPA shall be governed by and construed in accordance with the laws of Singapore, without regard to conflict-of-law principles. Any dispute arising in connection with this DPA shall be submitted to and finally resolved by arbitration administered by the Singapore International Arbitration Centre (SIAC) in accordance with the SIAC Rules. The seat of arbitration shall be Singapore, and the proceedings shall be conducted in English.
Schedule 1.
The types of Personal Data processed under the DPA and the categories of Data Subjects are as follows:
Categories of Personal Data:
- Contact information (e.g., name, email address)
- Device and technical identifiers (e.g., IP address, device ID, operating system, browser type)
- Usage and interaction data (e.g., app activity, preferences, diagnostic logs)
- Transaction and payment data (e.g., purchase history, subscription status)
- Location and language data (e.g., country, language setting)
Categories of Data Subjects:
- End users of the Brilliant products or services
- Customers or clients of the Controller
- Employees or contractors of the Controller (if applicable)
Schedule 2.
Specific Processing Instructions:
These measures are consistent with the technical and organizational safeguards described in Brilliant’s Privacy Policy.
The Processor shall:
- Process Personal Data only as necessary to provide the Services described in the TOS
- Assist the Controller in responding to Data Subject requests as required by applicable Data Privacy Laws
- Refrain from using Personal Data for its own purposes
- Limit access to Personal Data to authorized personnel only
- Implement appropriate security measures as set out in Schedule 3
- Notify the Controller of any Breach Event in accordance with Clause 13
Schedule 3.
Minimum Technical and Organizational Security Measures.
The Processor shall implement appropriate measures to ensure the confidentiality, integrity, availability, and resilience of Personal Data. These measures include, at a minimum:
- Encryption of data in transit and at rest
- Role-based access controls and authentication mechanisms
- Regular vulnerability and patch management
- Secure data backup and recovery processes
- Monitoring and logging of access and use
- Privacy-by-design measures to minimize incidental capture of bystander or environmental data.
- Local device processing wherever feasible, with encryption for data transmission to cloud servers.
- User controls to disable cameras, microphones, and sensors.

