Legal · 02 · Privacy Notice

Privacy Notice.

BRMSTE LTD identifies visitors by silicon-DNA, not by login. No analytics. No third-party trackers. No cross-border transfers by default. Every personal-data interaction is bounded — what we collect, why, for how long, and what your rights are.

UK GDPR · DPA 2018 · DUAA 2025 · version v1.2026.05.15 · block 946,772

The facts

Data controller: BRMSTE LTD · London · registered in England & Wales
Data Protection Officer: hello@shravanbansal.com · founder-reviewed
Governing law: UK GDPR + Data Protection Act 2018 + Data (Use and Access) Act 2025
ICO complaint route: ico.org.uk/make-a-complaint
Cookie scope: Essential only · entry-consent + display + theme
Retention: 90 days for form submissions · 30 days for the entry-consent cookie
Cross-border transfers: None by default · sovereign deployments on operator-controlled silicon

What we process · the entire list

Three categories. No others.

01 · Silicon-DNA at /entry
A one-way SHA-256 hash of your browser environment (WebGPU adapter + screen + timezone + language). Captured once on accept. Stored in the brmste-entry cookie (HttpOnly · SameSite=Lax · 30-day TTL). No GPU model name, no IP, no user-agent string is retained — only the hash.
02 · Form submissions
When you submit a use-case brief, sovereign enquiry, framework-licence request, or App waitlist, your email + the line you wrote are forwarded to the founder mailbox by your own mail client (mailto: opens locally). BRMSTE LTD retains a copy for 90 days for processing; afterward, the submission is purged.
03 · API tenancy
If you become an operator under contract, the substrate logs SHA-256-chained StageRecords per call. The audit chain is the contract; the chain head is third-party-verifiable on mempool.space. No call content is retained beyond the audit record's hash + metadata. PII-redaction applies to any rendered ledger entry (see /register/terminations).

Your rights under UK GDPR + DUAA 2025

Seven rights. Invoke any of them by email.

Art. 15Right of access — ask what we hold; we return the audit record + cookie state
Art. 16Right to rectification — incorrect data corrected on request
Art. 17Right to erasure — your data purged on request, subject to legal retention duties
Art. 18Right to restriction — processing paused on request
Art. 20Right to portability — your data exported in a machine-readable format
Art. 22 (DUAA 2025)Right of challenge with safeguards — automated decisions reviewable by a human; invoke at /legal/data-protection
Art. 77Right to lodge a complaint with the ICO at any time

Reach · hello@shravanbansal.com · five working days · founder-reviewed

“We do not collect what we do not need. We do not retain what we do not use. We do not transfer what we do not have to. The cookie is the witness. The chain is the contract.”

Sealed-oath · Privacy v1.2026.05.15· block 946,772

← Back to the legal hub

BRM-loading · layering pigment…

Privacy Notice.

UK GDPR · DPA 2018 · DUAA 2025 · version v1.2026.05.15 · block 946,772

Three categories. No others.

01 · Silicon-DNA at /entry

A one-way SHA-256 hash of your browser environment (WebGPU adapter + screen + timezone + language). Captured once on accept. Stored in the brmste-entry cookie (HttpOnly · SameSite=Lax · 30-day TTL). No GPU model name, no IP, no user-agent string is retained — only the hash.

02 · Form submissions

When you submit a use-case brief, sovereign enquiry, framework-licence request, or App waitlist, your email + the line you wrote are forwarded to the founder mailbox by your own mail client (mailto: opens locally). BRMSTE LTD retains a copy for 90 days for processing; afterward, the submission is purged.

03 · API tenancy

If you become an operator under contract, the substrate logs SHA-256-chained StageRecords per call. The audit chain is the contract; the chain head is third-party-verifiable on mempool.space. No call content is retained beyond the audit record's hash + metadata. PII-redaction applies to any rendered ledger entry (see /register/terminations).

Seven rights. Invoke any of them by email.

Art. 15Right of access — ask what we hold; we return the audit record + cookie state

Art. 16Right to rectification — incorrect data corrected on request

Art. 17Right to erasure — your data purged on request, subject to legal retention duties

Art. 18Right to restriction — processing paused on request

Art. 20Right to portability — your data exported in a machine-readable format

Art. 22 (DUAA 2025)Right of challenge with safeguards — automated decisions reviewable by a human; invoke at /legal/data-protection

Art. 77Right to lodge a complaint with the ICO at any time

Reach · hello@shravanbansal.com · five working days · founder-reviewed