Privacy Statement

 

Brightflag Privacy Notice

 

Last modified: November 2022

Welcome to Brightflag’s privacy notice. Brightflag respects your privacy and is committed to protecting your personal data. We are a “B2B” company, meaning our customers are businesses and not consumers. When we use the word “you”, we are referring both to people who interact with us as individuals or representatives of our customers.

It is important that you read this privacy notice together with our Terms of Service and any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.

1 Important information and who we are

1.1 Purpose of this Privacy Notice

This privacy notice will inform you as to how we look after your personal data. It applies to your data when you visit our websites and online platform available at www.brightflag.com and our applications (the “Platform”), use our services made available by us from time to time via the Platform (“Services”), speak to our staff, apply for a job with us or when you otherwise interact with us or provide us with personal information on you or individuals connected with you. Where necessary, we will provide additional information in relation to specific services.

1.2 Children

Our websites are not intended for persons under the age of 18 years old and we do not knowingly collect data relating to persons under the age of 18 years old. If you have reason to believe that a child has provided personal information to us, please contact us at [email protected], and we will delete that information unless we are required, by law or in connection with the enforcement or defence of our rights, to retain this information.

1.3 Controller, Sub-Processors & Contact Us

The Brightflag group is made up of different legal entities, which are Shine Analytics Limited (t/a Brightflag), Brightflag Inc, and Brightflag Pty Ltd. This privacy notice is issued on behalf of all of the legal entities in the Brightflag group so when we mention “Brightflag”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the Brightflag Group responsible for processing your data. We will let you know which entity will be the controller for your data when you purchase a product or service with us. Shine Analytics Ltd is the controller and responsible for our websites.

We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice or information we hold about you, including any requests to exercise your legal rights, please contact us at [email protected] or write to us at the appropriate office listed here.

1.4 Changes to this Privacy Notice

We may revise this privacy notice from time to time. We advise you to review this page regularly to stay informed of any changes and to make sure that you are happy with any changes. If we make material changes to this privacy notice we will notify our registered users by email or through posting a notification when you log into our Services. If any changes to this Privacy Notice are unacceptable to you, you must immediately contact us and stop using our services until the issue is resolved. Your continued use of our services following the posting of changes to this privacy notice or notification by us of material changes constitutes your acceptance of those changes.

This Privacy Notice was last updated on 22 November 2022 and is published in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1.5 Children

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. If you are a representative of one of our customers and have account access credentials, you can always access the account and review the information you have provided, including name, address, email address, phone number, payment information and other relevant account information. You can update this information directly or contact us for assistance. If you delete some or all of this information, then you may be prevented from accessing your account or using any services. Data relating to device activity and to actions that have been authorised by an account representative regarding those devices that is intended for viewing by customers may be accessed at our customer portal.

1.6 Social media and third-party links

Our websites and Services may have social media features. These features, which are hosted by third parties, collect data similar to the Technical Data mentioned below, and set a cookie to enable the feature to function properly. They also contain links to websites operated by third parties that we believe may be of interest or that are relevant to one of our services. If you use these links, you will leave our site, and you should note that we do not have any control over that other website and cannot be responsible for the protection and privacy of any information that you provide while visiting such sites. Providing a link to third party websites does not mean that we endorse or warrant the Services provided by any third parties and this privacy notice does not govern such sites. These third parties and the social media providers will have their own privacy notices that will govern the data they collect.

1.7 Brightflag as Processor

While providing Services to customers, our customers may provide us with personal data, including inputting it into our Platform and engage us as a processor. Where we are engaged as a processor on behalf of our customers or where we engage sub-processors on our customers’ behalf, you should refer to our customer’s privacy notices.

2 The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data – first name, maiden name, last name, username or similar identifier, job title/position, date of birth, height and gender.
  • Contact Data – employer, work address, email address and telephone numbers.
  • Financial Data – transaction amount, payment method, payment date, bank account information, and cardholder details.
  • Profile Data – account password, account number and account age.
  • Technical Data – geolocation, internet protocol (IP) address, device identifier, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, crash data, hardware model, mobile network and connection information, operating system and platform and other technology on the devices you use to access our websites and/or Services.
  • Customer Support Data – information you provide to us related to the use of our Services which may be used by us to help you resolve your query, information on the use of our customer support feature you use and any feedback you provide in respect of these features.
  • Cookies – information about your preferences and the way you use our Services is collected through cookies. We use cookies to provide and operate our services. See here.
  • Usage Data – information about how you use our websites and Services such as your geographical location, the time, frequency, and duration of your use of our Services, your internet service provider and your IP address. We also record information about the software you are using to browse our websites, such as the type of computer or device and the screen resolution.
  • Marketing Data – your preferences in relation to receiving [electronic] marketing from us and our third parties.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific service feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

Unless required by law, or included in our agreement as a Processor, we will not, without your explicit consent, collect Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) or information about criminal convictions and offences. If you believe any Brightflag website, app or employee has asked you for this information, please contact us at [email protected].

If you fail to provide personal data

We cannot provide our Services (as defined in the Terms of Service) to you or the organisation you represent without processing your Identity Data, Contact Data, Profile Data, Technical Data, Usage Data, Customer Support Data or the personal data contained within documentation you have provided through your use of our Services.

3 How is your personal data collected?

We use different methods to collect data from and about you through:

Direct interactions. You may give us your Identity, Contact and Marketing Data by filling in forms or by corresponding with us by post, phone, email, or otherwise. You provide personal data when you:

  • subscribe to our services, newsletters or mailing lists;
  • attend our webinars;
  • request information to be sent to you (e.g. when viewing demos);
  • enter a survey;
  • apply for a job with us;
  • give us some feedback; or
  • submit a query.

Automated technologies or interactions. As you interact with our websites and Services, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Policy for further details.

Third parties or publicly available sources. We may receive personal data about you from various third parties, including Identity and Contact Data from your employer and/or publicly available sources like the Companies Registration Office in Ireland and Technical Data from analytics providers/advertising networks and search information providers.

4 How we use your personal data

We will only use your personal data when the law allows us to. We have set out a description of all the ways we plan to process your personal data and which of the legal bases we rely on to do so in a table format below. We have also identified what our legitimate interests are where appropriate.

Performance of a contract: where you are a party to the Terms of Service, we process your personal data where it is necessary in order to perform our obligations under our Terms of Service.

Consent: we generally do not rely on consent as a legal basis for processing your personal data other than in relation to sending, either from us or from third parties, direct marketing communications to you via email, text message or phone calls. Where we rely on your consent to process your personal data, you have the right to withdraw your consent at any time, although withdrawal of your consent to process your personal data may render us unable to provide services to you (or your employer). You have the right to withdraw consent at any time by following the unsubscribe instruction in the communication you have received, or by contacting us at [email protected].

Legitimate interests: we process your personal data where this is necessary for our legitimate interests as specified in the table below. Where we process personal data on the basis of our legitimate interests, we do so in a fair, transparent and accountable manner and take appropriate steps to prevent such activity having any unwarranted impact on you. We do not process your personal data where such legitimate interests are overridden by your interests, fundamental rights or freedoms. You have a right to object to processing of your personal data where we are relying on a legitimate interest (see further section 9). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Compliance with a legal obligation to which we are subject: we process your personal data to discharge a relevant EU or EU Member State legal or regulatory obligation to which we are subject, including in order to comply with obligations arising under specific legislation. We have included examples of the relevant laws in the table below.

 

| Purpose/Activity | Processing Operations | Personal Data | Lawful basis |
| --- | --- | --- | --- |
| Service Provision: Providing our Service to you including: (a) registering you as a new customer or authorised user of one of our customers; (b) assisting you in creating your account and in using your account across multiple devices; (c) administering subscriptions; (d) providing relevant information to you in connection with your use of our Services including transaction receipts, security alerts and support messages; (e) encrypting messages exchanged on our platform; (f) managing payments, fees and charges and collecting and recovering money owed to us; (g) hosting and analysing documents stored within our apps; and (h) where applicable, providing customer support. | Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Marketing; (f) Customer Support; (g) Financial; (h) Cookies; (i) Profile; (j) Technical | Where you are our customer, this processing is necessary for the performance of our Terms of Service with you. Where you are a representative of our customer this processing is necessary for our legitimate interests to enter into, perform and enforce our Terms of Service with our customer. |
| Marketing: Contacting you (by email, SMS, phone calls and video conferencing) about any promotions, incentives and rewards offered by us and/or our partners. | Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Marketing; (f) Customer Support; (g) Financial; (h) Cookies; (i) Profile; (j) Technical | We rely on your consent as the legal basis for sending you marketing materials. Your consent to us processing information obtained through marketing can be withdrawn at any time. |
| Customer Relationship and Business Management: Managing our relationship with you and administering and protecting our business, property, our websites and Services by: (a) keeping our customer records up-to-date; (b) notifying you about changes to our terms or privacy policy; (c) asking you to leave a review or take a survey; (d) responding to emails or messages you have sent us which are reasonable to expect a reply to and responding to complaints made by you about us, our websites and/or Services; (e) running webinars for customers and prospective customers; (f) maintaining the integrity of our IT and network security including troubleshooting, testing, system maintenance, support, reporting, hosting data; (g) using data analytics to (i) report on website visitors including demographics; (ii) study how customers (including those on trials) use our Services in order to make our Services more intuitive and better understand user preferences for the purposes of suggesting features which we believe customers would be interested in, and to target advertising on our website which is relevant to our customers’ interests (iii) analyse our sales, including our conversion rate from trials to sales; (iv) determine if there is information about patterns, correlations and trends that may be useful to us or to our customers or partners, (v) keep our websites and Services up-to-date, relevant and secure, (vi) run quality assurance tests, (vii) determine who to issue direct marketing, plan customer engagement and assess leads qualification; (h) sharing and preserving information in the context of legal requests, litigation and other disputes; and (i) managing our relationship with our suppliers. | Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Marketing; (f) Customer Support; (g) Financial; (h) Cookies; (i) Profile; (j) Technical | This processing is necessary for our legitimate interests to (i) study how customers use our Services in order to ensure our Services run optimally, and to promote those Services; (ii) inform our business development and marketing strategy including informing decisions on business reorganisation, group restructuring exercise or business transfer; (iii) maintain the integrity of our IT and network security and safety of our staff, customers and others; (iv) enforce and/or defend our rights under our Terms of Services and (v) prevent and address fraud, unauthorised use of Brightflag, violations of our Terms and policies, or other harmful or illegal activity. |
| EU and EU Member State Laws: To comply with obligations arising under EU or EU member state law. | Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Marketing; (f) Customer Support; (g) Financial; (h) Cookies; (i) Profile; (j) Technical | Necessary to comply with our obligations arising under EU and EU Member State law including (i) binding requests from regulatory bodies and law enforcement such as in relation to an information notice from the Data Protection Commission under the Data Protection Act 2018 or an investigation under the Criminal Justice (Miscellaneous Provisions) Act 1997 (as amended) and (ii) taxation obligations such as our obligations under the Taxes Consolidation Act 1997. Please contact us at [email protected] if you want further information on the specific legal obligations which it is necessary for us to process your personal data in connection with. |
| Job Applications: To consider any job applications. | Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Marketing; (f) Customer Support; (g) Financial; (h) Cookies; (i) Profile; (j) Technical | Necessary for our legitimate interests of hiring employees who satisfy our professional requirements and are aligned with our company values. |

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at [email protected].

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5 Disclosures of your personal data

Access by Company Personnel. We allow access to personal data only to those of our employees and consultants who have a need to access the information for a lawful purpose. We train our employees how to appropriately handle personal data and require that consultants do likewise.

Access by other third parties. Our third party service providers who provide us with website maintenance, database and cloud, customer support, customer analytics, payment processing, payroll and benefits management services have access to your personal data. Our contracts with these third party providers only allow use of your information to provide these services and require that they not disclose it unless required in special circumstances, like those described in the following paragraph. We review the security policies and practices of our third party service providers as appropriate as part of our own efforts to maintain the security of your information.

Law Enforcement, Court Orders and Protection of Our Rights. We may disclose any of your information to government officials as necessary to comply with applicable laws and orders if compelled to do so. If we receive a request to disclose any such information, we may do so if we believe in our reasonable discretion that such request is lawful and that disclosure is reasonably necessary to comply. We may also disclose your personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. In the event that we are legally compelled to disclose your personally identifiable information to a third party, we will attempt to notify you unless doing so would violate the law, court order or government instruction. Please see section 4 above.

Affiliates. We may disclose information (including personally identifiable information) about you to our Affiliates. Our “Affiliates” are any person or entity which directly or indirectly controls, is controlled by or is under common control with Brightflag whether by ownership or otherwise. Any information relating to you that we provide to our Affiliates will be treated by those Affiliates in accordance with the terms of this privacy notice.

Other Disclosures. We may also disclose your information if we believe it is necessary in order to protect our property rights or rights of a third party, to protect the safety of any person or of the public or to prevent any activity that we believe is harmful, illegal or unethical. For example, we may need to use personal data in order to enforce our Terms of Service with customers, or to engage in other business or corporate transactions. We will put in place appropriate security measures, such as non-disclosure agreements, whenever possible. See further section 4 above.

6 International transfers

We choose a storage location depending on the type of data:

Platform Information: When you open your account on our Platform you can choose to host the information you upload onto the Platform within the EEA.

Website and Account Information: Our websites are hosted in the European Economic Area (“EEA”) unless otherwise directed by our customer e.g. you have elected to have data hosted in the US. If you are located outside the EEA, such as in the US, and interact with Brightflag sites, including when you manage any account, you are effectively “visiting” an EEA website, and the data that you provide is stored in the EEA.

Marketing Information: We use a CRM service hosted in the US to help us manage our marketing and financial activities and some of your personal data may be kept on that system. In addition, our staff do share limited information, which may include your contact information, to coordinate marketing activities and to make sure that you are interacting with the correct entity and business function, such as finance, legal, support or engineering. There is no adequacy decision in place in respect of the US.

Data Relevant to Employment: If you apply for a position with any Brightflag company, generally, your information will stay in the country where you apply, although some data may be shared with Brightflag in the US especially for global positions.

Safeguards: We use standard contractual clauses approved by the European Commission for transfers to our CRM provided in the US and for intra-group transfers. Copies of these can be made available by contacting [email protected].

7 Data security

Security. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We use industry-standard measures to safeguard all data and have a continuous process in place to test the effectiveness of these measures and to review the threat landscape and new tools available. You have a role to play in security as well, and we ask that you use prudent measures to protect against unauthorised access to your account information, including logging out of your account when finished, not sharing your login information and taking other customary security precautions appropriate for the situation. The type of organisational or technical measures we use to secure our systems and data may differ depending on the sensitivity of the data and our assessment of how accidental or unauthorised disclosure or use of the data could threaten the rights and freedoms of natural persons. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Phishing. We are aware that there are people who may pose as legitimate businesses and try to trick you into disclosing personal information that can be used to steal your identity. We will not request your account login or password, your credit card information or any sensitive data that could be used to steal your identity, such as national identifying numbers, in an unsolicited or non-secure email or telephone call. If you believe that someone representing themselves as being associated with Brightflag has requested this information in a contact that you did not request or initiate, please contact us immediately at [email protected] so that we may verify the identity of the person contacting you and the validity of the request.

Special Laws. You must not store on our Services (as defined in the Terms of Service) or otherwise submit to the Services any (i) protected health information subject to the Health Insurance Portability and Accountability Act, or save to the extent required to pay for the Services, credit, debit or other payment card data subject to PCI DSS or any other credit card schemes or other data which requires, (iv) data similar to (i)-(iii) or (v) data which requires special protection pursuant to applicable law. If you pay us by credit card, we and our payment processors protect your payment information in accordance with local laws establishing standards for payment card information.

8 Data retention

We and our third party processors will keep personal data in our active operating systems only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of providing services to you or a customer, satisfying any legal, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

  • For tax and other legal purposes, we keep basic information about our customers (Identity, Contact, Financial, Technical and Usage Data) for six years after our relationship with our customer ceases.
  • We keep your Profile Data for the duration of your account lifetime.
  • We keep Customer Support Data for the duration of your account lifetime.
  • We keep legal information relating to legal requests, litigation or regulatory matters for as long as necessary to investigate or resolve the matter.
  • If you send us information in connection with a job application, we may keep it for up to 2 years in case we decide to contact you at a later date. Thereafter, we and our duly authorised delegates will refrain from collecting any further personal data on you and shall take appropriate steps to dispose of any records containing your personal data to the extent this is operationally feasible and proportionate.
  • Please see our Cookies Policy for details of our cookies.

We reserve the right to delete and destroy all of the information collected about you in accordance with our retention policies unless otherwise required by law.

9 Your legal rights

Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Opting out: You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a Service purchase, warranty registration, Service experience or other transactions.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

  • If you want us to establish the data’s accuracy.
  • Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain Services to you. We will advise you if this is the case at the time you withdraw your consent.

Contact Us. If you would like to exercise any of the above rights, please contact us at [email protected] with your request. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You have the right to make a complaint to a data protection supervisory authority at any time. The Data Protection Commission (“DPC”) is the Irish supervisory authority and can be contacted at [email protected]. We would, however, appreciate the chance to deal with your concerns before you approach the DPC or another data protection supervisory authority so please contact us in the first instance.

Previous versions of the Privacy Notice are available on request.