Privacy Policy.

Brightflag is a new way for organizations to manage and control legal spend. Next generation analytics without any integration or process changes.

Data Protection Policy

1 Overview and Objectives

Brightflag is registered with the Data Protection Commissioner as a data processor. Brightflag respects each individual’s privacy and data protection rights and complies with its obligations under the Data Protection Act 1988 and Data Protection (Amendment) Act 2003 (together the “Data Protection Acts”). The Data Protection Acts lay down strict rules about the way in which personal data and sensitive personal data are collected, accessed, used and disclosed. The Data Protection Acts also permit individuals to access their personal data on request, and confer on individuals the right to have their personal data amended if found to be incorrect.

This document outlines Brightflag’s Policy for compliance with the Data Protection Acts. The Brightflag COO is Brightflag’s Data Protection Officer. This Policy is a statement of Brightflag’s commitment to protect the rights and privacy of individuals in accordance with the Data Protection Acts.

2 Scope and Applicability

This Policy applies to all employees (including contractors and temporary personnel) of Brightflag who process personal data/sensitive personal data of individuals including clients.

3 Data Protection Policy

It is Brightflag’s Policy to protect the rights and privacy of individuals in accordance with the Data Protection Acts.

3.1 Collecting information about individuals, including clients

We collect and use information to provide the following online services: • Invoice review and analysis; • Dashboards aggregating legal bill information; and • Reports providing strategic analysis and recommendations in respect of external legal spend.

3.2 Data Protection Principles

Brightflag performs its responsibilities under the Data Protection Acts in accordance with the following eight Data Protection principles: A. Obtain and process information fairly Brightflag obtains and processes personal data fairly and in accordance with statutory and other legal obligations. B. Keep it only for one or more specified, explicit and lawful purposes Brightflag retains personal data for purposes that are specific, lawful and clearly stated. Personal data is only processed in a manner compatible with these purposes. C. Use and disclose only in ways compatible with these purposes Brightflag discloses personal data only in circumstances that are necessary for the purposes for which the data is collected. Where personal data is used for marketing purposes, appropriate consents must be obtained from the clients/potential clients. Where prior notification and/or consent (where required) is provided by the data subject, Brightflag may disclose information to our agents, advisors, service providers and contractors for the following: • Meeting Brightflag’s legal and compliance obligations • Quality control and reporting and management • Marketing purposes, if appropriate consent is received D. Keep it safe and secure Brightflag takes appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of personal data and against it accidental loss or destruction. This includes adopting enhanced security measures where personal data is being stored or processed outside of a secure Brightflag office location (e.g. encryption of laptops etc.). E. Keep it accurate, complete and up-to-date Brightflag adopts procedures that ensure high levels of data accuracy, completeness and ensure that personal data is up-to-date. Where there has been a contravention in relation to section 2(1) of the Data Protection Acts, Brightflag acknowledges the right of the data subject, to having his/her personal data rectified, blocked or erased. F. Ensure it is adequate, relevant and not excessive Brightflag only requests and retains personal data to the extent that it is adequate, relevant and not excessive. G. Retain for no longer than is necessary Brightflag maintains retention schedules which document the retention period for all data (including personal data). Retention schedules are reviewed on an annual basis and approved by the COO. H. Give a copy of his/her personal data to that individual, on request Brightflag also adopts procedures to ensure that data subjects can exercise their rights under the Data Protection Acts to access their data. Brightflag also adopts procedures to ensure that where requested in writing, data subjects will be informed of the data that is processed on his/her behalf, a description of the data and the reason for the processing.

3.3 Sensitive Personal Data

Sensitive personal data will be held, only where necessary and Brightflag staff members’ sensitive personal data may also be held for employment purposes. Except in the narrow exceptional cases set out in the Data Protection Acts, explicit consent is obtained from clients in line with the Data Protection Acts in order to process such data.

3.4 Privacy Statement

Brightflag’s Privacy statement can be found on our website www.Brightflag.com.

4 Responsibility

Brightflag staff members and contractors of Brightflag who separately collect, control or process the content and use of personal data are individually responsible for compliance with the Data Protection Acts and this Policy and any related procedures. The COO of Brightflag co-ordinates the provision of support, assistance, advice and training throughout Brightflag and to ensure compliance with the Data Protection Acts, this Policy and related procedures.

5 Enforcement

This Policy applies to all employees (including contractors and temporary personnel) of Brightflag. In the event that any change is made to Data Protection legislation or regulation, this Policy will be reviewed, updated and ratified. Adherence to this Policy is the responsibility of Brightflag management and will be subject to review by the COO of Brightflag.

Get started with BrightFlag, schedule a demo today