Privacy Policy

Effective Date: July 20, 2023

I. Overview

This Privacy Policy states Brightmetrics’ practices with respect to personal data, including its collection, processing, transfer, sharing and security.  It also states your rights in regard to personal data about you that Brightmetrics maintains and processes, and how you can exercise those rights.

II. EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

Brightmetrics, Inc. (“Brightmetrics”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Brightmetrics has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Brightmetrics has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

III. Definitions

For the purposes of this Privacy Policy:

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Customer” means any entity that purchases the Service.

“Customer Data” means the electronic data uploaded into the Service by or for a Customer or its Users.

“EU” means the European Union and Iceland, Liechtenstein and Norway.

“Personal Data” means any information, including Sensitive Data, that is (i) about an identified or identifiable individual and (ii) received by Brightmetrics in the U.S. from the EU, UK, or Switzerland in connection with the Service.

“Processor” means any natural or legal person, public authority, agency or other body that processes Personal Data on behalf of a Controller.

“Sensitive Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

“Standard Contractual Clauses” are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data transferred internationally from the European Economic Area.

“UK” means the United Kingdom.

“U.S.” means the United States.

“User” means an individual authorized by Customer to access and use the Service.

IV. Types of Personal Data Collected and Purpose

Brightmetrics hosts and processes Personal Data to carry out functions and activities at the direction of and pursuant to the instructions of Brightmetrics Customers or Users when they purchase our products, register with our website, log in to their account, request information from us, or otherwise communicate with us. The types of Personal Data from Customers or Users Brightmetrics may collect or have access to in connection with include:

  • Name
  • Email address
  • Business address
  • Business phone number
  • Username
  • Password
  • Job title
  • Performance data

In addition, data collection also occurs, for example, when a Customer visits Brightmetrics’ website.

  • Contact data, such as name, company, email address, and telephone number; and
  • Personal Data in content Customers provide on Brightmetrics’ website and other data collected automatically through the website (such as IP addresses, browser characteristics, device characteristics, operating system, language preferences, referring URLs, data on actions taken on our website, and dates and times of website visits).

Brightmetrics may also obtain Personal Data, such as contact data, of its Customers’ representatives.

Brightmetrics uses this data to manage relationships with its customers, process payments, expenses, and reimbursements, and carry out Brightmetrics’ obligations under its contracts with Customers.

V. Notice

Brightmetrics notifies Customers and Users about its privacy practices, including the purposes for which it collects and uses Personal Data, the types of Personal Data Brightmetrics collects, the types of third parties to which Brightmetrics discloses the Personal Data and the purposes for doing so, the rights and choices Customers and Users have for limiting the use and disclosure of their Personal Data, and how to contact Brightmetrics about its practices concerning Personal Data.

VI. Third Party Disclosures

Brightmetrics discloses Personal Data only to Third Parties who reasonably need to know such data, including providers of web hosting, payment processing, data analytics, document collaboration, communication, and survey services. Such recipients must agree to abide by confidentiality obligations. All Third Parties receiving personal data must have a written confidentiality agreement in place between Customer and Third Party and Brightmetrics and Third Party.

Brightmetrics may disclose Personal Data that our Customers and Users provide to our Service:

  • To contractors, business partners, and service providers we use to support our Service;
  • In the event Brightmetrics sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation), in which case Personal Data held by us about our Customers will be among the assets transferred to the buyer or acquirer;
  • If required to do so by law or legal process;
  • In response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements.

For more information, please refer to our Data Processing Agreement’s Sub-Processor list.

VII. Access

Customers and Users in the EU, UK, and Switzerland have the right to access their Personal Data. If such Personal Data is inaccurate or processed in violation of the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles, a Customer or User may also request that the Personal Data be corrected, amended, or deleted.

EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal data relating to you in the United States.  Upon request, we will provide you with access to the personal data that we hold about you. You may also correct, amend, or delete the personal data we hold about you.  An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, should direct their query to privacy@brightmetrics.com.  If requested to remove data, we will respond within a reasonable timeframe.

VIII. Choice

Brightmetrics offers Customers and Users the opportunity to choose whether their Personal Data may be (a) disclosed to third-party Controllers or (b) used for a purpose that is materially different from the purposes for which the data was originally collected or subsequently authorized by the relevant Customers or Users. To the extent required by the EU-U.S. DPF Principles, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles, Brightmetrics obtains opt-in consent for certain uses and disclosures of Sensitive Data. Unless Brightmetrics offers Customers or Users an appropriate choice, the company uses Personal Data only for purposes that are materially the same as those indicated in this Policy. To exercise their choices, Customers and Users may contact Brightmetrics as indicated in this Policy or the other Privacy Policies.

Brightmetrics may disclose Employee Personal Data and Consumer Personal Data without offering an opportunity to opt-out, and may be required to disclose the Personal Data, (c) to third-party Processors the company has retained to perform services on its behalf and pursuant to its instructions, (d) if it is required to do so by law or legal process, or (e) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. Brightmetrics also reserves the right to transfer Personal Data in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution, or liquidation).

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized.  To request to limit the use and disclosure of your personal data, please submit a written request to privacy@brightmetrics.com.

IX. Liability for Onward Transfers

Brightmetrics’ accountability for personal data that it receives in the United States under the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, and subsequently transfers to a third party is described in the EU-U.S. DPF Principles, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles. In particular, Brightmetrics remains responsible and liable under the EU-U.S. DPF Principles, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles unless Brightmetrics proves that it is not responsible for the event giving rise to the damage.

X. Recourse

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Brightmetrics, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

EU, UK, and/or Swiss individuals with DPF inquiries or complaints should first contact Brightmetrics at:

Address: Brightmetrics
         PO Box 750789
         Petaluma, CA 94975

Email address: privacy@brightmetrics.com

Phone number: 707-238-4455

Brightmetrics has further committed to refer unresolved privacy complaints under the EU-U.S. DPF Principles, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke “last resort” binding arbitration for some residual claims not resolved by other redress mechanisms.  See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

XI. Changes to this Policy

This Policy may be amended from time to time, consistent with the requirements of the EU-U.S. DPF Principles, the UK extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles. Appropriate public notice will be given concerning such amendments.