Last Updated: 04 / 2025
Bright collects different types of Personal Data from data subjects through its Website, Platform, and related services. This data may be provided directly by the data subject or collected automatically, depending on the context of the interaction. The following table outlines the categories of data collected, purposes of collection, lawful basis, third parties involved, and data retention periods.
| Scenario | Personal Data Collected | Purpose of Processing | Legal Basis | Third Parties | Retention Period | Consequences of Non-Provision |
|---|---|---|---|---|---|---|
| Browsing the Website | Cookies | Marketing, analytics, statistics | Legitimate interest (essential cookies) | LinkedIn, Google, Facebook, Hubspot, CookieYes | Refer to Cookie Policy | Certain features may not be available |
| Requesting a Product Demo | Name, email, phone number, company name, job title, country, any other data provided | To schedule demo, respond to requests, customize experience | Performance of contract; Legitimate interest | Google, Facebook, LinkedIn, Hubspot | 6 months or until consent revoked for marketing | Cannot schedule demo or respond to requests |
| Subscribing to Marketing | Email address | Send marketing communications | Consent | N/A | 6 months or until consent revoked | Cannot receive marketing communications |
| Job Applications | Name, email, CV, any other provided data | To process and analyze application; communicate regarding job | Performance of contract; Legitimate interest | Google, Hubspot | 6 months or until deletion requested | Cannot assess candidacy or respond |
| Customer Support | Email, message content, any other data provided | Provide support and respond to inquiries | Performance of contract; Legitimate interest | Hubspot | 1 year for non-users; varies for users based on activity | Cannot assist or respond to inquiries |
| Platform Use (Signup/Login) | Name, email, company name | Account creation, login, platform access | Performance of contract; Legitimate interest | Hubspot | 1 year from account deletion or inactivity | Cannot access platform |
| Marketing Events or Business Card Exchange | Name, email, company, title, phone number, any other provided data | Business contact, send marketing | Consent; Legitimate interest (soft opt-in) | Hubspot | 1 year or until consent revoked | Cannot initiate business contact or send marketing |
| Social Media Interaction | Name, email, phone, company, title, country, any public or provided data | Respond to inquiries, initiate business connection | Performance of contract; Legitimate interest | N/A | 1 year or until deletion requested | Cannot respond or initiate business interaction |
| Use of Partner/Customer Data | Contact and billing details, job title, company, etc. | Perform agreements, communicate, send contract notices | Performance of contract; Legal obligation; Legitimate interest | Hubspot | Up to 7 years depending on legal requirements | Cannot perform agreement or communicate |
In addition, certain Personal Data may be used to detect, prevent, and prosecute fraud or illegal activity, ensure security, conduct audits, comply with laws, and anonymize for research and service improvement purposes.
“Anonymous Information” refers to information that does not enable identification of a data subject, such as aggregated usage statistics. Bright may use and share Anonymous Information without restriction.
Further information on cookies is available in our Cookie Policy.
2.1 Security Measures
Bright implements appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other unlawful forms of processing. These measures are designed and maintained in alignment with the requirements of the ISO/IEC 27001 standard and the Trust Services Criteria defined under the SOC 2 framework.
Technical measures include, but are not limited to:
Organizational measures include:
While Bright maintains a high standard of security, no method of transmission over the internet or electronic storage is entirely secure. Data subjects are responsible for protecting their account credentials and are encouraged to maintain appropriate security measures on their personal systems and devices.
2.2 Retention of Personal Data
Personal Data will be retained only for as long as necessary to fulfill the purpose for which it was collected, as outlined in Section 1.1, unless a longer retention period is required by law. Bright retains Personal Data:
For cookie-related data, please refer to Bright’s Cookie Policy for more detailed retention timelines.
Bright may share Personal Data with third parties only in the following limited circumstances:
3.1 Legal and Regulatory Disclosures
To the extent necessary, Personal Data may be disclosed to regulatory authorities, courts, law enforcement bodies, or other competent government entities, where required by applicable law, regulation, legal process, or enforceable governmental request.
3.2 Business Transfers
In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or a portion of Bright’s assets, Personal Data may be transferred to the acquiring entity as part of the transaction. Data subjects will be notified, where required, of any such change in ownership or control of their Personal Data.
3.3 With Consent
Where data subjects have provided specific consent for a particular processing activity or disclosure, Bright may share Personal Data with the designated third party or service provider for that purpose.
3.4 Law Enforcement Requests
In circumstances where law enforcement requests information, Bright will evaluate the request for legality and necessity before disclosing any Personal Data. Only the minimum necessary data will be shared, and Bright will document such disclosures in accordance with its internal compliance practices.
4.1 Storage Locations
Bright stores Personal Data with trusted infrastructure providers, including Amazon Web Services (AWS) and Hubspot. Data may be stored in multiple jurisdictions, including the United States (e.g., AWS N. Virginia) and the European Union (e.g., AWS Ireland), but the storage location is aligned with the customers and their reasonable regional requirements.
4.2 Intra-Group Transfers
Internal data transfers within Bright’s corporate group are governed by an intra-group data processing agreement. This agreement ensures that all Personal Data transferred internally receives an adequate and consistent level of protection, in accordance with applicable data protection laws.
4.3 Transfers to External Parties
When transferring Personal Data to third parties located outside of the European Economic Area (EEA) or other jurisdictions with applicable restrictions, Bright relies on:
Bright regularly monitors the legal landscape and the conditions surrounding such transfers to ensure they maintain an equivalent level of protection to that guaranteed under the General Data Protection Regulation (GDPR).
5.1 Data Subject Rights
Data subjects may have the following rights under applicable data protection laws, including the GDPR and other global privacy frameworks:
Please note that these rights may be subject to certain exemptions or limitations under applicable law.
5.2 How to Exercise Your Rights
To exercise any of these rights, data subjects may initiate the process by clicking the “Data Subject Request” button available in Section 10 of this Policy. Data subjects may authorize an agent to submit a request on their behalf, provided that the agent presents a valid written authorization signed by the data subject. Bright may require verification of identity before responding to a request. This verification may include confirming certain account or transactional information. Bright will respond within the timeframe required by applicable law. If additional time is required, Bright will notify the data subject of the delay and its reasons.
Where applicable, data subjects may be charged a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive. If Bright determines that it cannot comply with a request, a justification will be provided, along with information on how to challenge or appeal the decision.
Bright does not knowingly offer its products or services to, or collect Personal Data from, individuals under the age of eighteen (18). The Website, Platform, and related services are not intended for or directed at children. If you are under the age of 18, do not provide any Personal Data to Bright without the involvement and consent of a parent or legal guardian.
If Bright becomes aware that Personal Data has been collected from a child without appropriate authorization or in violation of applicable data protection laws, such information will be promptly deleted.
If you believe that Bright may have collected Personal Data from a child, please contact us immediately at [email protected] so that appropriate action can be taken.
Bright’s services may contain links to or allow interaction with third-party websites, applications, or services that are not owned or controlled by Bright (collectively, “Third-Party Services”). These may include widgets, integrations, plug-ins, or external authentication providers.
Bright is not responsible for the privacy practices, security policies, or content of any Third-Party Services. Data subjects are encouraged to review the privacy notices of all such services before interacting with them or disclosing any Personal Data.
Please be aware that if you choose to engage with a Third-Party Service – for example, by clicking a link or using an embedded application – such Third-Party Service may independently collect Personal Data from you, in accordance with its own policies. Your use of any Third-Party Services is entirely at your own risk.
Bright uses various analytic tools and services to understand usage patterns, improve its services, and enhance user experience. These tools may use cookies or other tracking technologies to collect information such as IP addresses, browser types, visited pages, session durations, and referring URLs. Data collected through analytics is typically aggregated and anonymized.
8.1 Google Analytics
Bright uses Google Analytics, a web analytics service provided by Google LLC, to collect and analyze usage data. Google Analytics may collect information about how users interact with the Website and how often they return. Google’s ability to use and share information is governed by the Google Analytics Terms of Service and the Google Privacy Policy.
Google Analytics may collect data such as:
Bright does not combine this information with other Personal Data it collects. Users can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
8.2 Hubspot
Bright also uses Hubspot for customer relationship management and marketing analytics. Hubspot may collect user interactions with emails, forms, and browsing behaviors to help Bright tailor communication and services.
Users can control their preferences for tracking and cookies through Bright’s Cookie Policy.
9. Specific Provisions Applicable Under California Privacy Law
Pursuant to California Civil Code Section 1798.83 (also known as the “Shine the Light” law), California residents who are customers of Bright may request certain information regarding the disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please contact Bright at [email protected]. Please note that Bright is only required to respond to one request per customer per calendar year.
9.2 California Do Not Track Notice
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Bright does not currently respond to DNT signals or similar mechanisms transmitted by web browsers. However, Bright may allow third parties, such as analytics providers, to collect information about a data subject’s online activities over time and across different websites when using the services.
9.3 California Consumer Privacy Act (CCPA/CPRA) Disclosures
California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”). These include the right to:
Bright does not sell or share Personal Information for cross-context behavioral advertising, as defined under California law.
To exercise these rights, California residents may use the mechanisms described in Section 5 of this Privacy Policy. Verification of identity may be required before processing a request.
For additional information on the categories of Personal Information collected and the purposes of use, please refer to Section 1.1 of this Privacy Policy.
If you have any questions, concerns, or complaints regarding this Privacy Policy, Bright’s handling of Personal Data, or if you wish to exercise your rights as a data subject, please contact Bright’s Data Protection Officer (DPO):
Bright Security
26 Hashachar Street
Rishon Lezion, Israel
DPO: Amir Drenger
Privacy Contact: Loris Gutic, CISO
Email: [email protected]
All communications will be handled confidentially and in accordance with applicable data protection laws. Bright endeavors to respond to all valid inquiries within the timeframes required by applicable regulations.
If you believe that Bright has not complied with your data protection rights, you also have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.
If you want to submit a Data Subject Request, please initiate the process by clicking the “Data Subject Request” button.
11.1 Additional Information for Users in Switzerland
For data subjects located in Switzerland, the following applies:
Requests related to these rights can be submitted using the contact details provided in Section 10 of this Privacy Policy.
11.2 Additional Information for Users in Brazil
For data subjects located in Brazil, Bright processes Personal Data in accordance with the Lei Geral de Proteção de Dados (LGPD).
To exercise these rights, Brazilian data subjects may contact Bright using the details provided in Section 10 of this Privacy Policy. Bright will respond within the timeframes established under Brazilian data protection law.
11.3 Additional Information for Users in the United States (Non-California)
Residents of certain U.S. states may have specific privacy rights under applicable state laws, including but not limited to those in Colorado, Connecticut, Utah, Virginia, Texas, Oregon, and Montana. These rights may include:
Bright does not sell Personal Data or share it for cross-context behavioral advertising as defined under applicable state laws.
To exercise these rights, individuals may contact Bright using the details provided in Section 10. Identity verification may be required to fulfill certain requests, and Bright will respond in accordance with the timeframes mandated by applicable state law.
11.4 Additional Information for Users in the United Kingdom
For data subjects located in the United Kingdom, Bright processes Personal Data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data subjects in the UK have rights equivalent to those under the EU GDPR, including:
Requests to exercise these rights should be submitted using the contact information provided in Section 10. Bright will respond in accordance with its obligations under UK data protection law.
11.5 Additional Information for Data Subjects in Canada
For data subjects located in Canada, Bright processes Personal Data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.
Data subjects in Canada have the following rights:
Bright collects, uses, and discloses Personal Data solely for purposes that are identified and necessary, and obtains meaningful consent where required. Personal Data may be stored or processed outside Canada, including in the United States and the European Union, and may be subject to the legal requirements of those jurisdictions.
Requests regarding privacy rights under Canadian law may be submitted using the contact details provided in Section 10.
For the purposes of this Privacy Policy, the following definitions apply:
13.1 Legal Action and Requests from Authorities
Bright may use or disclose Personal Data in legal proceedings or in preparation for such proceedings arising from misuse of its services. Data may also be disclosed upon lawful request by public authorities, including to meet national security or law enforcement requirements.
13.2 System Logs and Maintenance
For operation and maintenance purposes, Bright’s services and third-party providers may collect system logs that record interactions with the services (e.g., IP address, access timestamps) or use other Personal Data for diagnostic purposes.
13.3 Anonymous and Aggregated Data
Bright may anonymize or de-identify Personal Data and use it for internal and external purposes, including service improvement and research. Anonymous Information does not allow for the identification of individual data subjects and may be disclosed to third parties without restriction.
13.4 Processing for Fraud Prevention and Security
Bright processes Personal Data to detect, prevent, and investigate fraud, abuse, security threats, and technical issues, and to enforce this Privacy Policy and other legal terms.
13.5 Conflicts with Local Law
Where applicable law provides data subjects with stronger rights than this Privacy Policy, Bright will honor the higher standard.
Bright reserves the right to update this Privacy Policy at any time. If material changes are made, Bright will notify data subjects by posting a notice on its Website, updating the “Last Updated” date at the top of this policy, or by other legally acceptable means.
Data subjects are encouraged to review this Privacy Policy periodically to stay informed about how Bright protects Personal Data. Continued use of the services after any changes signifies acceptance of the revised policy.
If changes materially affect the processing of Personal Data previously collected based on consent, Bright will seek renewed consent where required by law.