Privacy Policy

You may know that there are laws about how businesses can collect and use information from their customers, app users, or anyone visiting their website.  These laws set different requirements, but they all relate to the same idea, which is that you have the right to know what information you’re sharing with us, what we’re doing with it, and why.  When the information we collect identifies you or your household — or if it could identify you or your household — it’s called “personal data.”  We want to, and have to, protect your personal data.  Our Privacy Policy explains how we try to do so, but it’s a long document with a lot to discuss.  So, you can:

  1. Use the table of contents to go to the section covering the topic you’re interested in;

  2. Search (Control-F or Command-F) to look for a keyword or phrase; or

  3. Get in touch with us to ask a question, ask us to show you the data we have about you, or ask us to delete your personal data.

+1. General Statements

1.1 This is the Privacy Policy for Bright App Enterprises Limited, but we’ll refer to ourselves as “Bright,” or “the Company,” or use “we/us/our” pronouns.

1.2 We have a Privacy Policy for a few reasons.  First: it’s required by law.  Second, and more importantly, we want you to understand how we use data so you can make an informed decision about how you share with us, what you share with us, and how we use your information. Finally, our privacy policy sets internal rules for how we use data and holds us accountable: if we don’t tell you what we’re doing here, in the Privacy Policy, we won’t do it at all.

1.3 We want this Privacy Policy to be understandable on its own, but there are concepts, terms, and phrases that have specialized meaning because they come directly from privacy laws.  You can look at the “Further Reading” section to get a clearer idea of what these terms mean.

1.4 Our sites, our app, our newsletter, and everything else we produce is not intended for anyone under the age of 18, at least for now. Please don’t use our sites, app, or services if you’re under 18.

+2. Information About Bright and this Privacy Policy

2.1 This Privacy Policy outlines how we collect and process your personal data through your use of the Bright app, our newsletter, the Bright website or any other website we operate, and any other services sponsored or controlled by the Company.  In other words, if we’re processing personal data in any form, this Privacy Policy applies.

2.2 Along those lines, we are the “Controller” of the personal data we collect, which means we are the entity that decides how to collect, process, and use personal data.  But we are only the controller for personal data that we use for our purposes – you are the controller of the personal data you share on Bright, and we are a processor.  That means we don’t decide what you will post, when, how, with whom you share, the reactions you receive, etc.

2.3 We’ll provide links to this Privacy Policy wherever we can – on our websites, in the app, on another website before you take a survey, etc. You should read this Privacy Policy, think about it, ask questions, and decide if you’re comfortable with it. Also read our Terms and Conditions, which control how we provide our services, and any other notices or policies we post so that you can make an informed decision about interacting with us.

2.4 When we make a change to this Privacy Policy, we’ll post a notice for you to review.  This Privacy Policy was last changed on 29/03/2021.

2.5 We are not responsible, though, for links to third-party sites that we present to you, either on this website or in the app.  Once you access sites or apps via those links, our Privacy Policy no longer applies, and so you’ll need to read their privacy policies as well.

2.6 Our full contact information is

Bright App Enterprises Limited
52 Cornmarket St
Clarendon House
Oxford
OX1 3HJ

UK Company No. 13205018

If you have questions about our privacy policy please contact us at privacy@TheBrightApp.com

+3. What Data Are We Collecting About You?

3.1 Not all data is “personal data” under the law, but a lot of it is, and more than you might think.  We’re a UK-based company, but we operate globally, and so we’ve taken the approach that the broadest definition of personal data is best, because it allows us to explain what we collect more simply.  And so, for our purposes, personal data is:

Any information that can, either alone or with other information, be used to identify an actual human person or their household.

3.2 These are the categories of personal data that we collect:

  • “Basic Data” means your name, your email address, your physical address, your phone number, your account Member ID, your account password.

  • “Purchase and Warranty Data” is all Basic Data plus credit card or payment information, verification information, and any ID you’ve used to verify your account.  Note that we do not keep images of your ID or the materials you submit to our third-party ID validation vendors after you have been verified.

  • “Technical Data” means any information we collect as we operate our websites and apps, like your IP address, your mobile device identifier, what browser you used to access our site and what operating system you’re using, the movement of your mouse on the screen (mouse hovers and clicks, for example), the length of time you spend on our website or app, and any extensions or apps you pair with ours.

  • “Profile Data” means the more detailed Bright profile information that you’ve set up and shared with us.  Your profile data includes your account id, your password, your activity while logged in (including submissions, comments, activity, and feedback).

  • “Feedback Data” means information that we collect to suggest new products or services that you might find interesting or to create an internal profile of you for improving our services.  Feedback Data is not used for advertising.  We’ll collect information about what kind of topics you find interesting, how you engage with posts, and what time of day you’re active, and use it to build that profile.  Feedback Data also includes your preferences about how, when, and why we communicate with you about our products and services, and any interactions you have with our materials.

  • “Member Generated Content” or “MGC” means anything that you make publicly available on Bright, including posts, comments, reactions, questions, or activity logs.  Almost everything you do on Bright is MGC, and that includes when you created it, whether you’ve edited it, and whether you are the original poster.  Anyone with whom you have a direct connection will be able to see what you post; to get broader exposure for your MGC, your content will go through a vetting/review process for quality, content, and accuracy.  But you should know that the vetting/review process is not about your viewpoint or what you say, but rather whether it’s said honestly, clearly, and in keeping with community standards.

You’re responsible for your MGC but not for what other people post in response to your MGC (comments on your posts, for instance).  And, because people will be able to see what you post on Bright, you should understand that your posting can have consequences.  If you violate the Terms and Conditions or Community Standards you could be banned from the network; if you violate the law you could be prosecuted.  In other words: make good choices.

3.3 Importantly, as part of our management of the Company, we do not collect any “Special Categories” of Personal Data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, or information about criminal convictions or offenses.  However, if you post “Special Category” information on Bright you’re telling anyone – including us – that you are willing to let them use it.  (More on how we use data below).

+4. Identity Verification

4.1 Our services require that we verify your identity before you can use Bright.  That is because we believe that the key to promoting a healthy dialogue and a connected community is that we face each other as real people.  It helps us keep out bots, too.

4.2 We use trusted third-party verification services to check the information that you provide.  This process has been designed with your privacy in mind: the detailed verification information is neither shared nor kept accessible.

4.3 Not everyone has a photo ID, which is why we also have a manual verification process in addition to our automated practice.  In those instances, Bright team members will conduct the actual verification that anyone seeking a Bright membership is a real person.  Whether verification is automated or manual, we never keep the underlying verification data.

+5. How We Collect Personal Data

We collect personal data in a variety of ways, depending on how you interact with us, including:

5.1 Direct interactions. You may give us your Basic Data, Purchase and Warranty Data, Technical Data, Profile Data, Feedback Data, or Member Generated Content by interacting with us, as when you:

  • create an account or profile;

  • engage in activity on Bright;

  • download or update our app;

  • sign up to receive information from us;

  • make a claim or otherwise communicate with us about your use of our services;

  • contact customer support or request technical assistance;

  • access Bright via other social media accounts;

  • enter a promotion or survey; or

  • give us feedback or reviews.

5.2 Through automated technologies or interactions. As you interact with our website, we automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.

+6. Why (and How) We Use Personal Data

6.1 We only use personal data when we have a lawful basis for doing so.  Sometimes, but not usually, we rely on your consent to use personal data.  When we do, we will always give you the option to withdraw your consent at any time.

6.2 The following list sets out how we use personal data, and the lawful basis for doing so:

  • Verifying your identity.  We need to verify that you are who you claim to be to use our products, and so we collect Basic Data to do so.  We need this information in order to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you (GDPR art. 6(1)(b)).

  • Allowing you to access and use Bright. We need Basic, Purchase and Warranty, Technical, and Profile Data in order for you to use our Service, including logging in, posting, interacting with others, asking questions, etc. We need this information in order to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you (GDPR art. 6(1)(b)).

  • Providing customer service. Depending upon what you contact us for and request, we will use any and all categories of Personal Data we have in order to provide you with customer service.  For instance, if you call us to discuss a problem with your account, we’ll use Basic Data, Purchase and Warranty Data, and likely also Technical Data to be able to respond to your query.  We need this information in order to be able to fulfill our part of our contract with you (GDPR art. 6(1)(b)), and because we have a legitimate interest in being able to respond to your questions (GDPR art. 6(1)(f)).

  • Managing our website and apps. We’ll use Basic Data, Technical Data, Purchase and Warranty Data, Feedback Data, and Profile Data to keep our website and app operating properly (fraud detection and prevention, site maintenance and updates, app maintenance and updates, IP logs).  We use this data because we have a legitimate interest in administering/improving our site and apps, running IT services, ensuring network security, and preventing fraud (GDPR art. 6(1)(f)), and because we need to demonstrate our compliance with data security obligations both as a legal matter and if we are involved in a business reorganization (a merger or acquisition) (GDPR art. 6(1)(c), GDPR art. 6(1)(f)).

  • Delivering ads.  If you have opted in to advertisements, we’ll use Basic Data, Technical Data, Purchase and Warranty Data, Profile Data, and Member Generated Content to create a profile of you that serves as the basis for the kind of ads you’ll receive.  You decide whether you want ads delivered to you, and so we use your data based on your consent, which you can withdraw at any time.  (GDPR art. 6(1)(a)).

  • Creating and managing your profile. When you create a profile on our website or in our app, you agree to share Basic Data, Technical Data, Member Generated Content, and Profile Data with us so that we can provide you with a tailored, custom experience (use metrics, recommendations, trends, etc).  We need this information in order to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you (GDPR art. 6(1)(b)).

6.3 We will only keep your Personal Data for as long as necessary under the circumstances in which we collected it, including our obligation to hold onto it for legal, regulatory, or accounting purposes. If we are able to make data completely anonymous (that is, it can’t be used to identify you), we may keep that data indefinitely for statistical or analytic purposes.

  • If you create an Account with us, we will retain your Personal Data for as long as you have that Account.

  • If your account becomes inactive for 18 months, your account will be treated as expired. If we do not hear from you after sending you a reminder, we will delete your account within 90 days.

  • Should you delete or request deletion of your Account, we will only retain and use your Personal Data to the extent necessary to comply with our legal obligations (if we are required to retain your data to comply with applicable laws), detect and prevent fraud, resolve disputes and enforce our legal agreements and policies. All requests for deletion of accounts will be actioned after 48 hours of the request.

  • We will retain personal data relating to customer, supplier, and other data subjects’ transactions for 10 years from the date of the transaction where they are deemed to be part of the financial records of the business.

+7. Marketing our Products

7.1 There are no ads on Bright — not in the app, not in the newsletter, not anywhere. We don’t want to make our services ad-based because we think it creates a cluttered experience. And, because we’re a paid service, we think it should be an ad-free experience. Eventually, some Members may decide that they’d like to see ads based on things they find relevant, but even then, the companies won’t get to see any personal data that hasn’t already been shared on the network – we’d just make it possible for them to show ads to the Members who want them.  But for now: no ads at all.

7.2 Third-party marketing
We do not sell, lease, rent, license, or otherwise transmit or transfer your data to outside parties for marketing purposes.

7.3 Opting out
You can ask us or third parties to stop sending you marketing messages at any time by contacting us.

Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience, or other transactions.

7.4 Cookies
We only use functional cookies (the kind that allows you to stay logged in or keep the site running) and never tracking cookies, pixels, or beacons.

7.5 Website analytics

We use a plugin called Matomo to help us understand how members and visitors use our site.  Matomo is an open-source web analytics platform, and we use it to measure, collect, analyse and generate reports about visitor data.  We do this so that we can make our website better and understand how people interact with what’s posted.  Our version of Matomo doesn’t use cookies, doesn’t track you across sites, and can’t be used to identify you in any way.

+8. Disclosures of your personal data

8.1 Sometimes, we will share your Personal Data with outside third parties. As explained above, we use outside vendors and service providers to enable our company to function.  Our third party vendors are:

  • our data processors who provide services in relation to the provision of app products and services, computer systems used for the maintenance of customer subscription accounts (Apple, Apple Store In-App Payments, Stripe, Google Play In-App Payments, Microsoft),

  • our data processors who provide identity verification services to protect your account. We use two companies for this specific service (Yoti and Onfido),

  • our data processors who provide the dark web search service to check if your email address and related personal data have been breached. We use a number of companies to provide this specific service (Dehashed, HaveIbeenpwned, WeLeakInfo, Snusbase),

  • our SMS service providers to send notifications to you regarding your requests (SendGrid, Gmail)

  • our email manager provider to manage and deliver our email communications (Google)

  • Business transfers. We’ll also share Personal Data if we buy, sell, transfer, or merge parts of our business with another company, but only if the other company agrees to terms that are as protective of your privacy as these.

  • Regulators. If we are subject to an audit, review, or other inquiry by a properly constituted regulatory agency (like the ICO, for instance), they may require us to share the data we have, including Personal Data.

  • Subpoenas and legal demands. We will not share your data with government agencies or law enforcement unless we are served with a subpoena or other lawful command which we would have to obey.

8.2 We share your Personal Data with outside third parties only to enable us to fulfil our part of our contract with you (GDPR art. 6(1)(b)), because you have consented to it (GDPR art. 6(1)(a)), or because it’s necessary for a legal or regulatory requirement (GDPR art. 6(1)(c)).  None of these third parties are allowed to use your Personal Data in any way that is different from the reasons we outline here.

+9. International transfers

9.1 We are based in the United Kingdom and will transfer data from other parts of the world only as outlined in this Privacy Policy.

9.2 For those present in the EU, we won’t transfer your Personal Data outside of the European Economic Area unless the place we are transferring it has a similar degree of protection for personal data as the EEA. If we transfer data to the United States, it will be pursuant to the Standard Contractual Clauses or any approved regulatory scheme for data transfers.

9.3 If you have questions about transferring data out of the EEA, please contact us and we’ll provide you with more information.

+10. Data security

10.1 We work hard to keep your data (and ours) safe.  We use a variety of tools – technological, administrative, and physical – to keep data secure.  These safeguards are designed to ensure that whatever Personal Data we keep is protected against unlawful access or use.

10.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

+11. Your Rights

11.1 When you provide us with personal data, you have rights about how we use it, and why.  In some circumstances, those rights are set out in specific legislation like the European Union’s GDPR, Canada’s PIPEDA, or California’s Consumer Privacy Act.  In general, you have the right to:

  • Request access to your personal data.

  • Request correction of your personal data.

  • Request erasure of your personal data.

  • Object to processing of your personal data.

  • Request restriction of processing your personal data.

  • Request transfer of your personal data.

  • Right to withdraw consent.

If you wish to exercise any of the rights set out above, please contact us.

11.2 No fee usually required
In some rare circumstances, you may have to pay a fee regarding a request, but in general, you don’t have to pay anything to exercise these data rights.

11.3 What we may need from you
In order to make sure that you’re the person entitled to exercise the rights listed above, we’ll sometimes request information to verify your identity.  We will not ask for more data than is necessary to confirm your identity.

11.4 Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

+12. Third-Party Services

As explained above, we may provide links to websites or services operated by third parties. This Privacy Policy does not apply to these third-party websites or services.  If you follow a link to any of these websites or services, please note that these websites or services have their own privacy policies and terms & conditions and that we do not accept any responsibility or liability for their policies.

+13. Contact Us

If you have any questions about this Privacy Policy, please contact us:

By email: privacy@TheBrightApp.com.

+14. Further Reading

Privacy rights are very complicated.  We want you to be able to make informed choices about how and why you share your data with us.  Here are some links to important guidance and documents from governments and policy groups that talk about key issues.  We’ve outlined key rights under the GDPR and CCPA below, but here are some other helpful links:

Key Terms

The European Commission provides a good explanation of what “personal data” is, and you can read the entire GDPR here.

Your EU Rights

If you’re present in the European Union, the Information Commissioner’s Office in the UK provides a succinct explanation of the rights you have when it comes to data.

FTC Principles

The Federal Trade Commission is the main US federal agency that handles consumer privacy issues. They have a series of posts about consumer privacy rights that you can read here.

PIPEDA

Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) covers privacy rights as well, and the Office of the Privacy Commissioner offers its explanation of rights here.

YOUR RIGHTS

Rights for EU Residents

If you are present in the EU, you have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.  We’ll also maintain a record of your email address in a master list of deletion requests to demonstrate that we have complied with your request and will not contact you in the future.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.  Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Your California Privacy Rights

If you are a California customer, you have the right to receive, once per year, free of charge, 1) the identity of any third-party company to which we have disclosed your personal information, as defined by California’s “Shine the Light” law, for that company’s own direct marketing purposes; and 2) a description of the categories of personal information disclosed.  To request this information, please contact us at privacy@thebrightapp.com or at the postal address set forth in Section 2 above. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are not required to respond to requests made by means other than through the provided email or postal address.

Another note – we don’t "sell" your data as that term is understood under CCPA or CPRA, which is why we don't have a "do not sell my data" button.  Those weren't scare quotes, either: we really don't sell, share, lease, rent, or license your data to anyone for money or anything else of value (or for free, for that matter).