1. Types of Data Collected and Purposes of Processing

Bright collects different types of Personal Data from data subjects through its Website, Platform, and related services. This data may be provided directly by the data subject or collected automatically, depending on the context of the interaction. The following table outlines the categories of data collected, purposes of collection, lawful basis, third parties involved, and data retention periods.

1.1 Personal Data We Collect, Why We Collect It, and How It Is Used

| Scenario | Personal Data Collected | Purpose of Processing | Legal Basis | Third Parties | Retention Period | Consequences of Non-Provision |
|---|---|---|---|---|---|---|
| Browsing the Website | Cookies | Marketing, analytics, statistics | Legitimate interest (essential cookies) | LinkedIn, Google, Facebook, HubSpot, CookieYes | Refer to Cookie Policy | Certain features may not be available |
| Requesting a Product Demo | Name, email, phone number, company name, job title, country | Schedule demo, respond to requests | Performance of contract; Legitimate interest | Google, Facebook, LinkedIn, HubSpot | 6 months or until consent revoked | Cannot schedule demo or respond |
| Subscribing to Marketing | Email address | Send marketing communications | Consent | N/A | 6 months or until consent revoked | Cannot receive marketing communications |
| Job Applications | Name, email, CV | Process and analyze applications | Performance of contract; Legitimate interest | Google, HubSpot | 6 months or until deletion requested | Cannot assess candidacy |

In addition, certain Personal Data may be used to detect, prevent, and prosecute fraud or illegal activity, ensure security, conduct audits, comply with laws, and, in anonymized form, support research and service improvement.

“Anonymous Information” refers to information that does not enable identification of a data subject, such as aggregated usage statistics. Bright may use and share Anonymous Information without restriction.

Further information on cookies is available in our Cookie Policy.

2. How We Protect and Store Your Personal Data

2.1 Security Measures

Bright implements appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other unlawful forms of processing. These measures are designed and maintained in alignment with the requirements of the ISO/IEC 27001 standard and the Trust Services Criteria defined under the SOC 2 framework.

Technical measures include, but are not limited to:

  • Encryption of Personal Data in transit and at rest using industry-standard cryptographic protocols
  • Role-based access controls (RBAC), with enforcement of strong authentication mechanisms including multi-factor authentication (MFA)
  • Regular vulnerability assessments and independent penetration testing to validate system resilience
  • Hardening of systems and networks, endpoint protection, and secure configuration baselines
  • Continuous monitoring, centralized logging, and alerting for suspicious activity

Organizational measures include:

  • An established Information Security Management System (ISMS) governed by ISO/IEC 27001 controls
  • Regular employee security awareness and privacy training
  • Defined policies and procedures for data handling, incident response, access management, and acceptable use
  • Formal third-party risk management, including due diligence and contractual safeguards with data processors and subprocessors
  • Business continuity and disaster recovery plans regularly tested and reviewed

While Bright maintains a high standard of security, no method of transmission over the internet or electronic storage is entirely secure. Data subjects are responsible for protecting their account credentials and are encouraged to maintain appropriate security measures on their personal systems and devices.

2.2 Retention of Personal Data

Personal Data will be retained only for as long as necessary to fulfill the purpose for which it was collected, as outlined in Section 1.1, unless a longer retention period is required by law. Bright retains Personal Data:

  • To comply with legal, regulatory, tax, or accounting obligations;
  • To maintain records for legitimate business needs, including dispute resolution or enforcement of agreements;
  • To address complaints or potential litigation;
  • As otherwise communicated to data subjects at the time of collection.

For cookie-related data, please refer to Bright’s Cookie Policy for more detailed retention timelines.

3. How We Share Your Personal Data

Bright may share Personal Data with third parties only in the following limited circumstances:

3.1 Legal and Regulatory Disclosures

To the extent necessary, Personal Data may be disclosed to regulatory authorities, courts, law enforcement bodies, or other competent government entities, where required by applicable law, regulation, legal process, or enforceable governmental request.

3.2 Business Transfers

In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or a portion of Bright’s assets, Personal Data may be transferred to the acquiring entity as part of the transaction. Data subjects will be notified, where required, of any such change in ownership or control of their Personal Data.

3.3 With Consent

Where data subjects have provided specific consent for a particular processing activity or disclosure, Bright may share Personal Data with the designated third party or service provider for that purpose.

3.4 Law Enforcement Requests

In circumstances where law enforcement requests information, Bright will evaluate the request for legality and necessity before disclosing any Personal Data. Only the minimum necessary data will be shared, and Bright will document such disclosures in accordance with its internal compliance practices.

4. Additional Information Regarding Transfers of Personal Data

4.1 Storage Locations

Bright stores Personal Data with trusted infrastructure providers, including Amazon Web Services (AWS) and HubSpot. Data may be stored in multiple jurisdictions, including the United States (e.g., AWS N. Virginia) and the European Union (e.g., AWS Ireland); the storage location is aligned with customers’ reasonable regional requirements.

4.2 Intra-Group Transfers

Internal data transfers within Bright’s corporate group are governed by an intra-group data processing agreement. This agreement ensures that all Personal Data transferred internally receives an adequate and consistent level of protection, in accordance with applicable data protection laws.

4.3 Transfers to External Parties

When transferring Personal Data to third parties located outside of the European Economic Area (EEA) or other jurisdictions with applicable restrictions, Bright relies on:

  • Adequacy decisions issued by the European Commission;
  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Other legally recognized safeguards under applicable data protection regulations.

Bright regularly monitors the legal landscape and the conditions surrounding such transfers to ensure they maintain an equivalent level of protection to that guaranteed under the General Data Protection Regulation (GDPR).

5. Your Privacy Rights and How to Exercise Them

5.1 Data Subject Rights

Data subjects may have the following rights under applicable data protection laws, including the GDPR and other global privacy frameworks:

  • The right to access the Personal Data Bright holds about them;
  • The right to request rectification of inaccurate or incomplete Personal Data;
  • The right to request erasure (“right to be forgotten”) of their Personal Data, subject to certain exceptions;
  • The right to restrict or object to processing of their Personal Data in certain circumstances;
  • The right to data portability, enabling transfer of Personal Data to another controller;
  • The right to object to profiling and automated decision-making;
  • The right to withdraw consent at any time (where processing is based on consent);
  • The right to request information about cross-border data transfers and safeguards used;
  • The right to lodge a complaint with a competent data protection authority.

Please note that these rights may be subject to certain exemptions or limitations under applicable law.

5.2 How to Exercise Your Rights

To exercise any of these rights, data subjects may initiate the process by clicking the “Data Subject Request” button available in Section 10 of this Policy. Data subjects may authorize an agent to submit a request on their behalf, provided that the agent presents a valid written authorization signed by the data subject. Bright may require verification of identity before responding to a request. This verification may include confirming certain account or transactional information. Bright will respond within the timeframe required by applicable law. If additional time is required, Bright will notify the data subject of the delay and its reasons.

Where applicable, data subjects may be charged a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive. If Bright determines that it cannot comply with a request, a justification will be provided, along with information on how to challenge or appeal the decision.

6. Use by Children

Bright does not knowingly offer its products or services to, or collect Personal Data from, individuals under the age of eighteen (18). The Website, Platform, and related services are not intended for or directed at children. If you are under the age of 18, do not provide any Personal Data to Bright without the involvement and consent of a parent or legal guardian.

If Bright becomes aware that Personal Data has been collected from a child without appropriate authorization or in violation of applicable data protection laws, such information will be promptly deleted.

If you believe that Bright may have collected Personal Data from a child, please contact us immediately at privacy@brightsecurdev.wpenginepowered.com so that appropriate action can be taken.

7. Interaction with Third-Party Products

Bright’s services may contain links to or allow interaction with third-party websites, applications, or services that are not owned or controlled by Bright (collectively, “Third-Party Services”). These may include widgets, integrations, plug-ins, or external authentication providers.

Bright is not responsible for the privacy practices, security policies, or content of any Third-Party Services. Data subjects are encouraged to review the privacy notices of all such services before interacting with them or disclosing any Personal Data.

Please be aware that if you choose to engage with a Third-Party Service – for example, by clicking a link or using an embedded application – such Third-Party Service may independently collect Personal Data from you, in accordance with its own policies. Your use of any Third-Party Services is entirely at your own risk.

8. Analytic Tools

Bright uses various analytic tools and services to understand usage patterns, improve its services, and enhance user experience. These tools may use cookies or other tracking technologies to collect information such as IP addresses, browser types, visited pages, session durations, and referring URLs. Data collected through analytics is typically aggregated and anonymized.

8.1 Google Analytics

Bright uses Google Analytics, a web analytics service provided by Google LLC, to collect and analyze usage data. Google Analytics may collect information about how users interact with the Website and how often they return. Google’s ability to use and share information is governed by the Google Analytics Terms of Service and the Google Privacy Policy.

Google Analytics may collect data such as:

  • Frequency and duration of website visits
  • Pages visited
  • Referring URLs
  • Device and browser types

Bright does not combine this information with other Personal Data it collects. Users can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

8.2 HubSpot

Bright also uses HubSpot for customer relationship management and marketing analytics. HubSpot may collect user interactions with emails, forms, and browsing behaviors to help Bright tailor communication and services.

Users can control their preferences for tracking and cookies through Bright’s Cookie Policy.

9. Specific Provisions Applicable Under California Privacy Law

9.1 Other California Privacy Rights

Pursuant to California Civil Code Section 1798.83 (also known as the “Shine the Light” law), California residents who are customers of Bright may request certain information regarding the disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please contact Bright at privacy@brightsecurdev.wpenginepowered.com. Please note that Bright is only required to respond to one request per customer per calendar year.

9.2 California Do Not Track Notice

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Bright does not currently respond to DNT signals or similar mechanisms transmitted by web browsers. However, Bright may allow third parties, such as analytics providers, to collect information about a data subject’s online activities over time and across different websites when using the services.

9.3 California Consumer Privacy Act (CCPA/CPRA) Disclosures

California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”). These include the right to:

  • Know what categories of Personal Information Bright collects and how it is used;
  • Request access to specific pieces of Personal Information collected about them;
  • Request deletion of Personal Information, subject to certain exceptions;
  • Request correction of inaccurate Personal Information;
  • Opt out of the sale or sharing of Personal Information;
  • Limit the use of sensitive Personal Information to that which is necessary to provide requested services;
  • Not be discriminated against for exercising any of their rights under the CCPA.

Bright does not sell or share Personal Information for cross-context behavioral advertising, as defined under California law.

To exercise these rights, California residents may use the mechanisms described in Section 5 of this Privacy Policy. Verification of identity may be required before processing a request.

For additional information on the categories of Personal Information collected and the purposes of use, please refer to Section 1.1 of this Privacy Policy.

10. Contact Information

If you have any questions, concerns, or complaints regarding this Privacy Policy, Bright’s handling of Personal Data, or if you wish to exercise your rights as a data subject, please contact Bright’s Data Protection Officer (DPO):

Bright Security
26 Hashachar Street
Rishon Lezion, Israel

DPO: Amir Drenger
Privacy Contact: Loris Gutic, CISO
Email: privacy@brightsecurdev.wpenginepowered.com

All communications will be handled confidentially and in accordance with applicable data protection laws. Bright endeavors to respond to all valid inquiries within the timeframes required by applicable regulations.

If you believe that Bright has not complied with your data protection rights, you also have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

If you want to submit a Data Subject Request, please initiate the process by clicking the “Data Subject Request” button.

11. Regional Addenda

11.1 Additional Information for Users in Switzerland

For data subjects located in Switzerland, the following applies:

  • References to the GDPR in this Privacy Policy should be understood as references to the Swiss Federal Act on Data Protection (FADP).
  • Bright processes Personal Data in compliance with the principles and requirements of the FADP.
  • Data subjects have the right to access, rectify, erase, restrict, and object to the processing of their Personal Data, as well as the right to data portability, consistent with applicable Swiss law.

Requests related to these rights can be submitted using the contact details provided in Section 10 of this Privacy Policy.

11.2 Additional Information for Users in Brazil

For data subjects located in Brazil, Bright processes Personal Data in accordance with the Lei Geral de Proteção de Dados (LGPD).

  • Bright ensures that Personal Data is processed based on lawful grounds under the LGPD, including consent, performance of a contract, legal obligations, and legitimate interest.
  • Brazilian data subjects have the right to:
    • Access their Personal Data;
    • Request correction of inaccurate, incomplete, or outdated data;
    • Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD;
    • Withdraw consent at any time;
    • Receive information about public and private entities with which their data is shared;
    • Request data portability;
    • Object to the processing of Personal Data when noncompliant with the LGPD;
    • File a complaint with the National Data Protection Authority (ANPD).

To exercise these rights, Brazilian data subjects may contact Bright using the details provided in Section 10 of this Privacy Policy. Bright will respond within the timeframes established under Brazilian data protection law.

11.3 Additional Information for Users in the United States (Non-California)

Residents of certain U.S. states may have specific privacy rights under applicable state laws, including but not limited to those in Colorado, Connecticut, Utah, Virginia, Texas, Oregon, and Montana. These rights may include:

  • The right to know what Personal Data is collected, used, or disclosed;
  • The right to access and obtain a copy of their Personal Data;
  • The right to correct inaccuracies in their Personal Data;
  • The right to request deletion of their Personal Data, subject to applicable legal exceptions;
  • The right to opt out of the sale or sharing of Personal Data and the use of Personal Data for targeted advertising;
  • The right to appeal decisions related to privacy rights requests.

Bright does not sell Personal Data or share it for cross-context behavioral advertising as defined under applicable state laws.

To exercise these rights, individuals may contact Bright using the details provided in Section 10. Identity verification may be required to fulfill certain requests, and Bright will respond in accordance with the timeframes mandated by applicable state law.

11.4 Additional Information for Users in the United Kingdom

For data subjects located in the United Kingdom, Bright processes Personal Data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data subjects in the UK have rights equivalent to those under the EU GDPR, including:

  • The right to access the Personal Data held about them;
  • The right to request correction or deletion of inaccurate or outdated Personal Data;
  • The right to restrict or object to certain types of processing;
  • The right to data portability;
  • The right to withdraw consent at any time where processing is based on consent;
  • The right to lodge a complaint with the Information Commissioner’s Office (ICO).

Requests to exercise these rights should be submitted using the contact information provided in Section 10. Bright will respond in accordance with its obligations under UK data protection law.

11.5 Additional Information for Data Subjects in Canada

For data subjects located in Canada, Bright processes Personal Data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

Data subjects in Canada have the following rights:

  • The right to access Personal Data held by Bright;
  • The right to request the correction of inaccurate or incomplete Personal Data;
  • The right to withdraw consent to the processing of Personal Data, subject to legal or contractual restrictions;
  • The right to challenge Bright’s compliance with applicable Canadian privacy legislation, including by submitting a complaint to the Office of the Privacy Commissioner of Canada (OPC).

Bright collects, uses, and discloses Personal Data solely for purposes that are identified and necessary, and obtains meaningful consent where required. Personal Data may be stored or processed outside Canada, including in the United States and the European Union, and may be subject to the legal requirements of those jurisdictions.

Requests regarding privacy rights under Canadian law may be submitted using the contact details provided in Section 10.

12. Definitions and Legal References

For the purposes of this Privacy Policy, the following definitions apply:

  • Personal Data (or Data): Any information that directly, indirectly, or in connection with other information – including a personal identification number – allows for the identification or identifiability of a natural person.
  • Sensitive Personal Information: Any Personal Information that is not publicly available and reveals information considered sensitive under applicable privacy laws.
  • Usage Data: Information collected automatically through the Website (or third-party services employed), including IP addresses, browser types, device details, pages visited, time spent, and interactions.
  • User: The individual using the Website who, unless otherwise specified, coincides with the Data Subject.
  • Data Subject: The natural person to whom the Personal Data refers.
  • Data Controller (or Owner): The entity which determines the purposes and means of the processing of Personal Data. Unless otherwise specified, Bright Security is the Data Controller.
  • Data Processor: Any third party that processes Personal Data on behalf of Bright Security, under contractual obligation.
  • Service: The platform and services provided by Bright Security through its Website and related applications.
  • Sale: Any exchange of Personal Information for monetary or other valuable consideration, as defined by applicable U.S. state laws.
  • Sharing: The disclosure or transfer of Personal Information to a third party for cross-context behavioral advertising purposes.
  • Targeted Advertising: Displaying advertisements to a consumer based on Personal Data obtained from that consumer’s activities over time and across non-affiliated websites or apps.
  • Cookie: A small set of data stored on the User’s device used to track behavior, preferences, and enhance performance.
  • Tracker: Technologies such as cookies, web beacons, embedded scripts, fingerprinting, or similar tools used to track Users.
  • European Union (EU): For the purposes of this document, all references to the EU include current member states of the European Union and the European Economic Area (EEA).

13. Additional Information

13.1 Legal Action and Requests from Authorities

Bright may use or disclose Personal Data in legal proceedings or in preparation for such proceedings arising from misuse of its services. Data may also be disclosed upon lawful request by public authorities, including to meet national security or law enforcement requirements.

13.2 System Logs and Maintenance

For operation and maintenance purposes, Bright’s services and third-party providers may collect system logs that record interactions with the services (e.g., IP address, access timestamps) or use other Personal Data for diagnostic purposes.

13.3 Anonymous and Aggregated Data

Bright may anonymize or de-identify Personal Data and use it for internal and external purposes, including service improvement and research. Anonymous Information does not allow for the identification of individual data subjects and may be disclosed to third parties without restriction.

13.4 Processing for Fraud Prevention and Security

Bright processes Personal Data to detect, prevent, and investigate fraud, abuse, security threats, and technical issues, and to enforce this Privacy Policy and other legal terms.

13.5 Conflicts with Local Law

Where applicable law provides data subjects with stronger rights than this Privacy Policy, Bright will honor the higher standard.

14. Changes to This Policy

Bright reserves the right to update this Privacy Policy at any time. If material changes are made, Bright will notify data subjects by posting a notice on its Website, updating the “Last Updated” date at the top of this policy, or by other legally acceptable means.

Data subjects are encouraged to review this Privacy Policy periodically to stay informed about how Bright protects Personal Data. Continued use of the services after any changes signifies acceptance of the revised policy.

If changes materially affect the processing of Personal Data previously collected based on consent, Bright will seek renewed consent where required by law.