// Trust & Security Report

    Brainly Sp. z o.o. logo

    Brainly Sp. z o.o.

    AI Learning Companion platform offering AI tutoring, live expert support, and collaborative homework help for students in 35+ countries. Primary products: Brainly Premium (paid subscription), AI Tutor, Test Prep, parent account linking.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance
    HELD

    Homepage lists 'GDPR' under its 'Secure by Design' compliance commitments ('we maintain the highest security and data privacy standards. COPPA GDPR CPRA'). A Google Cloud case study identifies 'Michał Leszek, Director of Information Technology and Data Protection Officer at Brainly.' Note: GDPR is a regulation, not a formal certification; the compliance claim is self-reported, and no DPO contact email could be verified on a vendor-domain source.

    Verify on brainly.com
    COPPA Compliance
    HELD

    Lists 'COPPA' as compliance standard on homepage. Platform serves users under 13 with parental control features and parental account linking capabilities.

    Verify on brainly.com
    CPRA Compliance
    HELD

    Lists 'CPRA' (California Privacy Rights Act) as a compliance standard on the homepage, under the 'Secure by Design' section.

    Verify on brainly.com
    > Show 5 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence of SOC 2 Type 1 certification found on vendor domain

    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 Type 2 certification found on vendor domain

    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on vendor domain

    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification. Brainly is not a HIPAA-covered entity; serves K-12 education market, not healthcare.

    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance. Handles subscription payments but no public compliance documentation.

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Global distribution (North America, Europe, Asia, Latin America via Google Cloud). Data NOT limited to EU regions despite GDPR compliance claims.

    Brainly builds its AI Learning Companion on its corpus of user-generated questions and answers. A Forbes profile (third-party, not a vendor-domain statement) describes Brainly 'leveraging its trove of authentic user data' and a 'massive trove of authentic student data' to develop the product. Brainly does not publicly document an opt-out mechanism or explicit AI-training consent. This is a data governance concern for a K-12 platform, though the training corpus is largely the platform's public Q&A community content rather than private tutoring data.

    // Security controls

    Data Protection Officer

    Appointed. Google Cloud case study identifies 'Michał Leszek, Director of Information Technology and Data Protection Officer at Brainly.' Public DPO contact email not verified on vendor domain.

    cloud.google.com

    Bot Detection

    Implemented using DataDome. 'Slashes time spent on bot management by more than 90 percent'

    Encryption in Transit

    Implied through HTTPS and standard authentication (not publicly detailed)

    brainly.com

    Encryption at Rest

    No public details available

    Offline Data Processing

    Uses Google ML Kit for offline OCR processing (ML Kit) to avoid transmitting sensitive data to cloud where possible, complemented by online processing (Google Vision AI) where needed

    Responsible Disclosure Program

    Program exists at https://brainly.com/app/responsible-disclosure-program

    brainly.com

    Data Anonymization

    Privacy policy states data is aggregated, de-identified, or anonymized for research and marketing purposes

    // Products & data scope

    Brainly Premium (Paid Subscription)K-12 Learning / Tutoring

    data: Student educational profile, homework questions/answers, learning progress, parent monitoring data

    Less than $1/day subscription. Includes AI Tutor, 24/7 live expert access, guaranteed results or money-back guarantee.

    AI TutorAI-Powered Educational Tool

    data: Student homework, learning patterns, grade level, subject performance

    AI-powered explanations at student's pace. Age-appropriate, grade-level adjusted responses. Trains on student data.

    Live Expert TutoringHuman-Delivered Tutoring

    data: Student questions, interactions with tutors, learning history

    Human tutors complement AI. Available 24/7, no booking required.

    Test PrepAI-Powered Test Preparation

    data: Student test performance data, learning patterns by subject

    AI-powered test preparation. Helps students prepare for classroom exams and standardized tests.

    Parent Account LinkingParental Controls

    data: Child's account, educational progress, learning analytics

    Parents can monitor child's learning progress, strengths, challenges. Parental privacy controls available.

    // What to watch

    • NO_FORMAL_SECURITY_CERTS: Lacks SOC 2, ISO 27001, or other third-party security certifications typical of enterprise EdTech platforms. This is unusual for a company serving millions of K-12 students globally.
    • AI_TRAINING_DATA_UNCLEAR: Leverages student-generated content for AI training without clear evidence of opt-out mechanism or explicit student/parent consent. This is a significant concern for a K-12 platform and potential COPPA/GDPR violation risk.
    • NO_TRUST_CENTER: Despite serving 15+ million users across 35+ countries, no public trust center or detailed security/compliance documentation available.
    • COMMON_SENSE_MEDIA_CONCERNS: Independent review indicated platform 'does not have a privacy policy and/or does not use encryption' (though privacy policy exists; review may be outdated). Privacy/security ratings below standards for K-12 platforms.
    • DATA_RESIDENCY_MISMATCH: Claims GDPR compliance but data 'might be transferred anywhere' globally per privacy policy. Not EU-exclusive data storage despite European operations and serving EU students.
    • BROKEN_PRIVACY_PAGES: Privacy policy and terms pages return 403 Forbidden errors when accessed directly, preventing independent verification of terms.
    • PAYMENT_SECURITY_UNKNOWN: Handles subscription payments but no PCI DSS certification or payment security details published.
    • DPA_UNAVAILABLE: No public Data Processing Agreement template available despite serving EU customers under GDPR. DPA availability not confirmed.
    • UNDERAGE_USER_CONCERNS: Serves users under 13 but lacks formal COPPA Safe Harbor certification. Relies on parental consent model with unclear enforcement mechanisms.

    // At a glance

    Pricing model

    Freemium (free Q&A community + paid Premium subscription) or direct subscription

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Brainly Sp. z o.o.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    brainly.com

    > Browse all vendor trust reports