Privacy Policy

1. Introduction

Brightvale Technologies, Inc. ("Brightvale," "we," "us") respects your privacy. This Privacy Policy describes how we process personal information when you visit brightvale.co, contact us, or use Brightvale-operated products hosted on Brightvale subdomains.

Individual products may publish supplemental notices. Where a product-specific policy conflicts with this document for that product's processing, the product policy controls for that product only.

2. Data controller & contact

Controller: Brightvale Technologies, Inc., 1200 Beacon Street, Suite 400, Boston, MA 02215.

Privacy inquiries: privacy@brightvale.co. EU/UK representatives may be appointed and listed here when required.

3. Information we collect

We collect information in the following categories:

• Account & profile: name, business email, role, organization, authentication identifiers.
• Usage & telemetry: feature usage, device/browser metadata, performance logs, crash reports.
• Content you submit: files, tickets, configuration, and workflow data processed on your behalf.
• Communications: support messages, survey responses, and sales correspondence.
• Marketing site: cookies and similar technologies as described in our Cookie Policy.
• Payment: billing contact and transaction metadata via our payment processor (we do not store full card numbers).

4. How we use information

We process personal information to:

• Provide, secure, and improve our services.
• Authenticate users and enforce access controls.
• Respond to support requests and communicate service changes.
• Comply with law, prevent fraud, and protect rights and safety.
• Analyze aggregated usage to improve reliability (where permitted).
• Market Brightvale corporate services with consent or legitimate interest, subject to opt-out.

5. Legal bases (EEA/UK)

Where GDPR applies, we rely on contract performance, legitimate interests (balanced against your rights), legal obligation, and consent where required — for example, non-essential cookies.

6. Sharing & subprocessors

We share information with service providers bound by contract to protect data and use it only for our instructions. A current list of subprocessors is published at /subprocessors.

We may disclose information if required by law, in connection with mergers or acquisitions, or to protect Brightvale, customers, or the public.

7. Customer data & data processing

When customers use Brightvale products to process personal data about their end users or employees, Brightvale generally acts as a processor (service provider) and the customer acts as controller. Processing is governed by our Data Processing Addendum (DPA), available on request at compliance@brightvale.co.

Customers are responsible for providing lawful notices and obtaining required consents for data they submit to our systems.

8. Retention

We retain personal information for as long as needed to provide services, meet legal obligations, resolve disputes, and enforce agreements. Backup retention may extend up to 35 days after deletion requests for disaster recovery.

Aggregated or de-identified data may be retained longer where it cannot reasonably identify individuals.

9. Security

We implement administrative, technical, and organizational measures including encryption in transit, access controls, logging, vulnerability management, and employee training. See /security for an overview. No method of transmission is 100% secure.

10. International transfers

Data may be processed in the United States and other countries where we or subprocessors operate. We use appropriate safeguards such as Standard Contractual Clauses where required.

11. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, port, or object to certain processing, and to withdraw consent. California residents may have additional rights under the CCPA/CPRA.

Submit requests to privacy@brightvale.co. We may verify your identity before responding. You may lodge a complaint with your local supervisory authority.

12. Children

Brightvale corporate services and B2B products are not directed to children under 16. We do not knowingly collect children's personal information.

13. Changes

We may update this policy. Material changes will be posted here with an updated date. Continued use after changes constitutes acceptance where permitted by law.