Privacy Notice

At Bright, we are committed to protecting your privacy and this Privacy Notice sets out how we process your personal and financial data, and applies to all Services offered by us.

Version 1.5: This notice was last updated June 2024.


We are the Bright Software Group of companies (“Bright”, “we”, “us”, “our”) providing both desktop and online software-as-a-service solutions (“Services”) to businesses, bureaus and accountants across Ireland and the United Kingdom.

Bright comprises the following companies (and any other wholly owned legal entities):

  • Bright Software Group Ltd (Reg. in UK: 14811663)
  • Thesaurus Software Ltd (Reg. in Ireland: 186005)
  • Surf Accounts Ltd (Reg. in Ireland: 328091)
  • Relate Software Development Ltd (Reg. in Ireland: 315134)
  • Ardbrook Ltd (Reg. in Ireland: 120141)
  • Thesaurus Software Ltd (Reg. in UK: 04664435)
  • Accountancy Manager (AM) Ltd (Reg. in UK: 10658933)
  • BTC Software Ltd (Reg. in UK: 04539303)
  • Irish Payroll Associated Ltd (Reg. in Ireland: 327011)


In full compliance with our obligations under the European Union and United Kingdom General Data Protection Regulations (“GDPR”), the purpose of this notice is to provide you with full transparency about how Bright collects and processes your personal data when you browse our websites and use our Services, or otherwise provide personal data to us. This also includes detailing your rights under GDPR.

This notice applies where you have, directly or indirectly, provided us with your personal data through any of the methods of collection listed below in Section 4 and how and why we process that data according to the required legal bases listed in Section 5.

It is important that you read and understand this Privacy Notice so that you are fully aware as to how and why we are using your data.


Bright customers

Bright shall be the Data Controller of information provided to us about a Customer purchasing our Services for the purposes of maintaining any contract of engagement and subsequent billing.

Bright shall be the Data Processor of Customer accounting, payroll and tax information and the personal data of employees and/our your customers that you provide to us through our Services, and you shall remain the Data Controller with responsibility for that data. Bright will process this personal data in accordance with the terms of this Privacy Notice and the Master Service Agreement and/or Terms & Conditions currently applicable to the Service or Services we supply.

If you are using Bright Services as an employee

Your employer shall remain the Data Controller of the personal information you have provided to them. They will have their own associated Privacy Notice and will have appointed Bright as a subprocessor.

Bright’s Privacy Notice sets out how we process your data on behalf of your employer and the rights that you have in relation to that information.


In the following situations, we will collect the listed personal data:

  • When you purchase or register to use our Services. This may include your name, business name, address, email, telephone number, billing and payment information, business registered number and/or IP address of the computer using our Services.
  • When you contact us with a support query, either through phone, email or our chatbot. This will primarily include your name and contact details, and/or IP address.
  • When you request or download a demo or copy of our Services (including free trials), attend a webinar, sign-up to our mailing list, submit an online query, or complete any surveys, provide a testimonial, or enter any competition. Details gathered may include your name, business name, address, email, telephone number and/or IP address.
  • When you interact with us using social media. This may include name, social media handle, email address and/or business name.
  • When you apply for a job posting. This may include your curriculum vitae, details of qualifications and experience, or any other application form detail that you have provided.
  • When you or your organisation provide(s) services to us. In this context, we may collect basic personal data about you (mainly professional contact details). 
  • When third parties provide us with personal data about you. This may happen where we work with a business partner that has an existing relationship with you or where personal details are provided to us by marketing companies. 
  • When you contact us and speak to us, such as by telephone or other verbal communication platform, voice recordings for training and quality purposes. Call recordings are kept for up to six (6) months, unless specifically stated otherwise. 

Additional data we may collect about you if you are an employee and where provided by your employer:

  • Identity Data. This may include your national insurance number, company identifier, profile images and/or gender.
  • Financial / Employment Data. This may include your tax code, salary, payroll details and identifier, worksheets, expenses, job details, historic payroll figures, pension scheme details, employment start and leave dates, performance review notes, training records and/or employment contracts.
  • Medical Data. This may include any sickness and maternity records. Your employer will maintain the relevant consent in place to allow this information to be processed by us.

At Bright, we do not process any special categories of personal data as defined under GDPR. Additionally, we do not knowingly collect any personal data from anyone under the age of 16, or knowingly allow such persons to register or use our Services. If we learn that we have collected personal data from a person under the age of 16, and without verification of parental consent, we will endeavour to delete that information as quickly as possible.

We may obtain information through our Services that you or your users install or access. We may gather information related to a user’s use of that Service, and use of specific features within that Service.

Providing us with information about others

Should you give us personal data about someone else, you are responsible for ensuring that you comply with all applicable data protection laws. In advance of submitting any information to us, you should have notified them that their data is shared with Bright and detailed how we collect, use and retain their personal data by drawing their attention to this Privacy Notice.


We undertake to design our Services in such a way as to minimise the use of personal data. For any processing, we must have a valid lawful basis that is specific and necessary, and these reasons are outlined below. We will not use your information for any other purpose.

Please be aware that, should you refuse to provide us with certain mandatory information, it may not be possible for us to provide that Service to you.

Contractual Necessity

We will process data where it is necessary to enter into a contract with you for provision of a Bright Service and to perform our obligations under that contract. Examples include:

  • Processing and reviewing applications for your use of the requested Service;
  • Providing the information and Service that you have requested from us;
  • Managing and maintaining our relationship with you and for ongoing customer service;
  • Providing software support for our Service and to manage our relationship with you, either through telephone, email, or other online support mechanisms. This may include queries, requests and or/complaints related to the Service;
  • Managing software usage and to ensure compliance with the terms of your contract with us;
  • Processing your payments to us and/or managing payments you make through our Service;
  • Sending essential communication to you about the Service.

Legal Obligation

When you use a Bright Service, we are required by law to collect and process certain personal information about you. Examples include:

  • Confirming your identity and helping to protect against abuse and fraud as part of a model to ensure sure access to our Services;
  • Performing checks on our Services and monitoring transactions and location data for the purpose of preventing and detecting crime and to comply with the laws relating to money laundering, fraud, terrorist financing, bribery, and corruption;
  • Sharing information with police, law enforcement, tax authorities or other government and fraud prevention agencies, where we have a legal requirement to do so, including reporting suspicious activity and complying with production and court orders;
  • Delivering essential communications to Service users, including revised disclosures and/or terms and conditions;
  • Investigating and resolving complaints or actions, where we may need to exercise or defend our legal rights or uphold your rights under law;
  • Performing assessments and analysing customer information for the purposes of managing, improving and fixing data quality where necessary;
  • Providing assurance that we have effective processes to identify, manage, monitor, and report on the risks Bright might be exposed to (e.g., security; fraud; and client confidentiality).

Legitimate Interest

We will process your personal data within Bright where it is in our legitimate interests to do so, and without prejudicing your interests or fundamental rights and freedoms. Examples include:

  • Providing you with updates about Bright Services and functionality, including product developments, new features, essential maintenance, upgrades, and releases;
  • Assist in our sales cycle for the onboarding of new customers;
  • Analysing your data so that we can administer, support, improve and develop our business, customer service and features of the Service;
  • Improving your use and experience of Bright by:
  1. Gathering feedback from you on your use of, and interactions with our Service;
  2. Tracking your interactions with our Service to tailor content within the Service;
  3. Reporting at an aggregate level on the user experience, utilisation, and performance of the Service;
  4. Performing research and trend analysis to optimise your experience of our Service;
  5. Record and monitoring calls to our telephone and online help facilities;
  6. Providing you with detailed information on your account activity if requested.
  • Using your personal information in an anonymised and aggregated form to create content, including:
  1. Infographics, industry reports and media campaigns;
  2. Blog posts, videos and webinars on the nature and use of Bright Services;
  3. Social media content, owned and operated by Bright.
  • Conduct our internal recruitment processes.


Where we have your explicit consent, we may use your information for the following purposes. You will always have the option to opt-out on any related correspondence from us. Examples include:

  • Receiving requested email communications from us;
  • Marketing new products, features, or Services;
  • Inviting you to provide answers to a questionnaire, research, or survey, or enter any competition;
  • Delivering invitations to events including webinars, seminars, or videos.

We do not employ any automated decision-making processes in relation to your personal data.


Bright stores your data within the European Union (EU) in secure data centre facilities meeting the strictest security standards and in compliance with GDPR.

Where we use third party service providers, some of these may be located outside the EU. Please see our list of Subprocessors detailing who we use, what purpose we use them for, where they store the data we share with them, and the adequacy mechanism(s) we rely on to ensure compliance with data protection requirements.


We will retain your personal data for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our data retention policies and practices.  

We will maintain a record of our Service customers to meet our legal and regulatory business requirements, including for the purpose of fraud prevention, for up to six (6) years following discontinuation of the Service.

As a Connect user, should you opt to discontinue using the Service, we will retain your Connect data for a period of three (3) months.

Your data that we use for marketing purposes will be kept until you notify us that you no longer wish to receive such information. The option to opt-out of marketing messages is available on all related correspondence from us.

To ensure continuity and transparency in our recruitment campaigns, all applicant details will be kept after the end of the recruitment process for at most twelve (12) months.


We will contact you regarding purchases (such as invoices and renewal notifications) as well as emails relating to essential software maintenance, including upgrades and releases, where applicable. We may contact you for this purpose by SMS, WhatsApp or email. These “servicing messages” will be delivered under the legal basis of Legitimate Interests and you cannot unsubscribe from them unless disengaging with our Service(s).

We may contact users and prospective users with additional “marketing messages”, such as free webinars, CPD events, special offers and newsletters from our Group of companies, where you have explicitly opted-in to receive this information. We may contact you for this purpose by telephone, post, SMS, WhatsApp or email. You will always have the ability to unsubscribe from these types of communications at any time by visiting our Preference Centre.

Alternatively, you can let us know your preference by contacting us (see Section 19 below).


In the following circumstances, we may send your personal data to other parties:

  • Where we have obtained your express consent to share that information;
  • Where we need to share information within the Bright group of companies to provide a Service to you, whether paid or unpaid;
  • Where we need to send the information to others who work on behalf of Bright to provide a Service to you;
  • Where we find that your actions violate the terms of our Master Service Agreement (MSA) or Service Terms & Conditions, or any of our usage guidelines;
  • Where Bright is subject to a takeover or merger, in which case the information will be disclosed to the new owners on the understanding that they will protect the information and only use the information in the same way as previously disclosed;
  • Where we must respond to court orders and any other legitimate request made by relevant authorities, and with which we must comply.

We will not sell, trade, or rent any personal data to any other third party not connected with Bright or part of the normal operation of the Service we provide to you.

We limit access to personal information only to those Bright employees who need access to that data as part of our providing our Services to you.

Third Party Service Providers (Subprocessors)

In providing you with our Service, we may use carefully selected third party service providers (subprocessors) to help us deliver that Service to you. Such providers may be located outside the EU/UK, in which case the data will only be transferred to countries that have either been identified as providing adequate protection or to a third party where we have approved transfer mechanisms in place, for example, by entering into the European’s Commission’s Standard Contractual Clauses. This may require us to share your data with them. We will always take steps to ensure that the safety and security of your information is considered, implementing and maintaining necessary technical and organisational measures over each transfer of personal information, and mandating that our third parties maintain a similar level of duty and care.

These subprocessors are only permitted to use the information in accordance with our instructions and are not permitted to further transfer your data, nor permitted to use your data for their own business purposes.

Please see our list of Subprocessors detailing who we use, what purpose we use them for, where they store the data we share with them, and the adequacy mechanism(s) we rely on to ensure compliance with data protection requirements.


We measure visitors to our website using Google Analytics using Cookies. This records how you arrived at our site, what pages you view on our site, and some basic information about your computer. The information we record is anonymous – we do not know who you are, only that you have visited our site – and we use this to help make our website better.

You can learn more about Google Analytics, or opt-out if you wish.


Cookies are small text files that are placed on your computer by websites that you visit. Cookies help make a website work and can provide information to us about how our users interact with our online Services, including this website, to help us improve the Service to our users.

For full details of the cookies we use and what they do, please view our Cookies Policy.


We never store your credit card details on our systems. Where such information is provided, it is passed directly to our payment service provider solely for the purpose of processing the payments you make via our Service.


Bright has no control over the authority, quality of safety of the data you input into our Service. You, and you alone, are responsible for the accuracy and completeness of your records.

Where applicable, you are responsible for keeping your user details and any passwords confidential. Our staff have no access to passwords which are stored encrypted on our Service. We will never ask you for your password, so please do not trust anybody asking you for it.

Customers using a desktop service

Bright does not have access to your data files, except where they have been submitted by you, or you have otherwise provided access, to our Support Team.

While we have implemented necessary measures to protect your data, it remains your responsibility to keep your sign-in credentials safe and secure and to sign off from the Service when you are not using it, and to ensure there is no unauthorised access to your computer.

Customers using a cloud service

You acknowledge that, apart from data format validation checks, we do not monitor, edit, or review whether the data you enter into the Service is accurate.

You can edit your stored data at any time by signing into your Service account and making any necessary changes. We reserve the right to delete any data that is deemed out of date or no longer required, in line with applicable data protection legislation and/or our data retention schedule, or where you cease to be a contracted user of that Service.


Occasionally, to resolve a customer query, it may be necessary for us to request a backup of your data file or payroll related information from our Service deployed on your desktop. We are extremely mindful that this information contains sensitive personal data, and we take numerous steps to ensure and maintain the security of this data.

Data received by us is processed only for the purposes of resolving your query, as requested by you, and is done by suitably qualified Bright staff. Your backup will never be shared externally without prior approval from you. Such data will be retained for the minimum amount of time necessary to resolve the support issue.

If you are providing data to us in a bureau capacity, you are responsible for ensuring that you comply with all necessary security and data protection laws, and that you have prior approval to send that data to us.  


Should you make use of our Service’s email functionality, your employee payslips will be sent through our selected email service provider. Emails are not retained by us or the email service provider, only a record of the sending and successful, or otherwise, delivery of those emails.

To help protect the security of your emailed files, we highly recommend that you utilise the files password functionality provided within the Service.


The security of your data is of utmost important to us at Bright. We have a number of technical and organisational measures in place to protect against unauthorised access, disclosure, loss, misuse or malicious alteration of your personal information.

For further details of the security measures we have implemented, please see the Security section of our website.

Whilst we undertake to maintain the highest possible levels of security practicable to protect your data while using our Service, no system or storage technology can be guaranteed to be 100% secure. Any such transmission of data over the internet is at your own risk.


Under current data protection laws, you have certain rights in relation to your personal data:

Access to your personal data

You can confirm if we are processing your personal data and obtain a copy of that data by accessing the Service for which you hold an account, or please contact us.

Right to change or withdraw your consent

Where you have given your consent to us to process your data in line with this Privacy Notice, you may withdraw that consent by contacting us. If you wish to change your contact preferences, or no longer wish to be contracted for marketing purposes, please contact us or use our Preference Centre to opt-out.

Right to rectification

If you need to update incorrect information we hold about you, please log in to your Service account to update your personal data or contact us.

Right to erasure

You are free to delete your data at any point, through functionality directly provided by our Service, or by contacting us.

Right to data portability

You may request us to provide you with the personal data that we hold about you in a structured, commonly used, machine-readable format, or ask us to send such personal data to another Data Controller. If this is the case, please contact us.

Right to object

In certain circumstances, you may object to our processing of your data. If this is the case, please contact us.

Right to restrict processing

You can ask us to restrict the processing of the personal data we hold about you in some circumstances. If this is the case, please contact us.

Making a complaint

If you wish to raise a complaint on how we process your personal data, please contact us in the first instance and we will investigate the matter.

Contacting us

Please see Section 19 below.

We may need to request specific information from you to help us confirm your identity to ensure your right to access your personal data, or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any other person who has no right to receive it. We also contact you to ask you for further information in relation to your request to help speed up our response to you.

We try to respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or you have multiple requests. In such cases, we will notify you within one month and keep you updated on progress.

If you exercise a particular right outlined above or opt not to provide the requested personal information for the purposes set out in this Privacy Notice, we may not be able to provide you with access to the related Service. In such cases, we may have to delete any associated Service accounts. Where a Service contains your business financial data, it is your responsibility to maintain the appropriate records for your legal, regulatory and compliance requirements. Bright is under no obligation to retain any data on your behalf if you are no longer subscribed to our Service.


Bright may modify or update the content of this Privacy Notice from time to time to reflect changes in our business and/or in line with continuing or improving industry best practice. We will post any changes here on our website, updating the version and date, so you are always aware of what information we collect, how we use it, and under what circumstances we may share or disclose it. We recommend checking the Privacy Notice on a regular basis.


If you have any queries relating to this Privacy Notice, Bright’s use of your data or concerns in relation to the Digital Services Act (Regulation (EU) 2022/2065) (DSA), please contact our Privacy Officer via email at [email protected], or through our office address below.

Thesaurus Software Ltd. (t/a Bright Software Group)
Unit 35, Duleek Business Park
Co. Meath
A92 N15E

Please note that phone calls to Bright may be recorded for monitoring, training and security purposes.

If you are not satisfied with our response or believe our processing of your personal data is not in accordance with applicable data processing legislation, you can raise a concern with the Irish Data Protection Commissioner (DPC) or the UK Information Commissioner’s Office (ICO).