At Bright, we are committed to protecting your privacy and this Privacy Notice sets out how we process your personal and financial data, and applies to all Services offered by us.
Version 1.6: This notice was last updated July 2024.
1. WHO WE ARE
We are the Bright Software Group of companies (“Bright”, “we”, “us”, “our”) providing both desktop and online software-as-a-service solutions (“Services”) to businesses, bureaus and accountants across Ireland and the United Kingdom.
Bright comprises the following companies (and any other wholly owned legal entities):
Bright SG Ltd is an agent of Plaid Financial Ltd., an authorised payment institution regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Reference Number: 804718). Plaid provides you with regulated account information services through Bright SG Ltd as its agent.
2. UNDERSTANDING OUR PRIVACY NOTICE
In full compliance with our obligations under the European Union and United Kingdom General Data Protection Regulations (“GDPR”), the purpose of this notice is to provide you with full transparency about how Bright collects and processes your personal data when you browse our websites and use our Services, or otherwise provide personal data to us. This also includes detailing your rights under GDPR.
This notice applies where you have, directly or indirectly, provided us with your personal data through any of the methods of collection listed below in Section 4 and how and why we process that data according to the required legal bases listed in Section 5.
It is important that you read and understand this Privacy Notice so that you are fully aware as to how and why we are using your data.
3. DATA CONTROLLER / DATA PROCESSOR
Bright customers
Bright shall be the Data Controller of information provided to us about a Customer purchasing our Services for the purposes of maintaining any contract of engagement and subsequent billing.
Bright shall be the Data Processor of Customer accounting, payroll and tax information and the personal data of employees and/or your customers that you provide to us through our Services, and you shall remain the Data Controller with responsibility for that data. Bright will process this personal data in accordance with the terms of this Privacy Notice and the Master Service Agreement and/or Terms & Conditions currently applicable to the Service or Services we supply.
If you are using Bright Services as an employee
Your employer shall remain the Data Controller of the personal information you have provided to them. They will have their own associated Privacy Notice and will have appointed Bright as a subprocessor.
Bright’s Privacy Notice sets out how we process your data on behalf of your employer and the rights that you have in relation to that information.
4. PERSONAL DATA WE COLLECT
In the following situations, we will collect the listed personal data:
Additional data we may collect about you if you are an employee and where provided by your employer:
At Bright, we do not process any special categories of personal data as defined under GDPR. Additionally, we do not knowingly collect any personal data from anyone under the age of 16, or knowingly allow such persons to register or use our Services. If we learn that we have collected personal data from a person under the age of 16, and without verification of parental consent, we will endeavour to delete that information as quickly as possible.
We may obtain information through our Services that you or your users install or access. We may gather information related to a user’s use of that Service, and use of specific features within that Service.
Providing us with information about others
Should you give us personal data about someone else, you are responsible for ensuring that you comply with all applicable data protection laws. In advance of submitting any information to us, you should have notified them that their data is shared with Bright and detailed how we collect, use and retain their personal data by drawing their attention to this Privacy Notice.
5. HOW WE USE YOUR DATA
We undertake to design our Services in such a way as to minimise the use of personal data. For any processing, we must have a valid lawful basis that is specific and necessary, and these reasons are outlined below. We will not use your information for any other purpose.
Please be aware that, should you refuse to provide us with certain mandatory information, it may not be possible for us to provide that Service to you.
Contractual Necessity
We will process data where it is necessary to enter into a contract with you for provision of a Bright Service and to perform our obligations under that contract. Examples include:
Legal Obligation
When you use a Bright Service, we are required by law to collect and process certain personal information about you. Examples include:
Legitimate Interest
We will process your personal data within Bright where it is in our legitimate interests to do so, and without prejudicing your interests or fundamental rights and freedoms. Examples include:
Consent
Where we have your explicit consent, we may use your information for the following purposes. You will always have the option to opt-out on any related correspondence from us. Examples include:
We do not employ any automated decision-making processes in relation to your personal data.
6. DATA LOCATION
Bright stores your data within the UK and/or European Union (EU) in secure data centre facilities meeting the strictest security standards and in compliance with GDPR.
Where we use third party service providers, some of these may be located outside the UK/EU. Please see our list of Subprocessors detailing who we use, what purpose we use them for, where they store the data we share with them, and the adequacy mechanism(s) we rely on to ensure compliance with data protection requirements.
7. DATA RETENTION
We will retain your personal data for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our data retention policies and practices.
We will maintain a record of our Service customers to meet our legal and regulatory business requirements, including for the purpose of fraud prevention, for up to six (6) years following discontinuation of the Service.
As a Connect user, should you opt to discontinue using the Service, we will retain your Connect data for a period of three (3) months.
Your data that we use for marketing purposes will be kept until you notify us that you no longer wish to receive such information. The option to opt-out of marketing messages is available on all related correspondence from us.
To ensure continuity and transparency in our recruitment campaigns, all applicant details will be kept after the end of the recruitment process for at most twelve (12) months.
8. EMAILS FROM US
We will contact you regarding purchases (such as invoices and renewal notifications) as well as emails relating to essential software maintenance, including upgrades and releases, where applicable. We may contact you for this purpose by SMS, WhatsApp or email. These “servicing messages” will be delivered under the legal basis of Legitimate Interests and you cannot unsubscribe from them unless disengaging with our Service(s).
We may contact users and prospective users with additional “marketing messages”, such as free webinars, CPD events, special offers and newsletters from our Group of companies, where you have explicitly opted-in to receive this information. We may contact you for this purpose by telephone, post, SMS, WhatsApp or email. You will always have the ability to unsubscribe from these types of communications at any time by visiting our Preference Centre.
Alternatively, you can let us know your preference by contacting us (see Section 19 below).
9. DISCLOSURE AND SHARING OF YOUR DATA
In the following circumstances, we may send your personal data to other parties:
We will not sell, trade, or rent any personal data to any other third party not connected with Bright or part of the normal operation of the Service we provide to you.
We limit access to personal information only to those Bright employees who need access to that data as part of our providing our Services to you.
Third Party Service Providers (Subprocessors)
In providing you with our Service, we may use carefully selected third party service providers (subprocessors) to help us deliver that Service to you. Such providers may be located outside the EU/UK, in which case the data will only be transferred to countries that have either been identified as providing adequate protection or to a third party where we have approved transfer mechanisms in place, for example, by entering into the European Commission’s Standard Contractual Clauses. This may require us to share your data with them. We will always take steps to ensure that the safety and security of your information is considered, implementing and maintaining necessary technical and organisational measures over each transfer of personal information, and mandating that our third parties maintain a similar level of duty and care.
These subprocessors are only permitted to use the information in accordance with our instructions and are not permitted to further transfer your data, nor permitted to use your data for their own business purposes.
Please see our list of Subprocessors detailing who we use, what purpose we use them for, where they store the data we share with them, and the adequacy mechanism(s) we rely on to ensure compliance with data protection requirements.
10. MEASURING OUR VISITORS
We measure visitors to our website using Google Analytics, which uses cookies. This records how you arrived at our site, what pages you view on our site, and some basic information about your computer. The information we record is anonymous – we do not know who you are, only that you have visited our site – and we use this to help make our website better.
You can learn more about Google Analytics, or opt-out if you wish.
11. USE OF COOKIES
Cookies are small text files that are placed on your computer by websites that you visit. Cookies help make a website work and can provide information to us about how our users interact with our online Services, including this website, to help us improve the Service to our users.
For full details of the cookies we use and what they do, please view our Cookies Policy.
12. PAYMENTS
We never store your credit card details on our systems. Where such information is provided, it is passed directly to our payment service provider solely for the purpose of processing the payments you make via our Service.
13. DATA FILES
Bright has no control over the authority, quality or safety of the data you input into our Service. You, and you alone, are responsible for the accuracy and completeness of your records.
Where applicable, you are responsible for keeping your user details and any passwords confidential. Our staff have no access to passwords which are stored encrypted on our Service. We will never ask you for your password, so please do not trust anybody asking you for it.
Customers using a desktop service
Bright does not have access to your data files, except where they have been submitted by you, or you have otherwise provided access, to our Support Team.
While we have implemented necessary measures to protect your data, it remains your responsibility to keep your sign-in credentials safe and secure and to sign off from the Service when you are not using it, and to ensure there is no unauthorised access to your computer.
Customers using a cloud service
You acknowledge that, apart from data format validation checks, we do not monitor, edit, or review whether the data you enter into the Service is accurate.
You can edit your stored data at any time by signing into your Service account and making any necessary changes. We reserve the right to delete any data that is deemed out of date or no longer required, in line with applicable data protection legislation and/or our data retention schedule, or where you cease to be a contracted user of that Service.
14. CUSTOMER SNAPSHOTS / BACKUPS
Occasionally, to resolve a customer query, it may be necessary for us to request a backup of your data file or payroll related information from our Service deployed on your desktop. We are extremely mindful that this information contains sensitive personal data, and we take numerous steps to ensure and maintain the security of this data.
Data received by us is processed only for the purposes of resolving your query, as requested by you, and is done by suitably qualified Bright staff. Your backup will never be shared externally without prior approval from you. Such data will be retained for the minimum amount of time necessary to resolve the support issue.
If you are providing data to us in a bureau capacity, you are responsible for ensuring that you comply with all necessary security and data protection laws, and that you have prior approval to send that data to us.
15. EMAILING OF PAYROLL DOCUMENTATION
Should you make use of our Service’s email functionality, your employee payslips will be sent through our selected email service provider. Emails are not retained by us or the email service provider, only a record of the sending and successful, or otherwise, delivery of those emails.
To help protect the security of your emailed files, we highly recommend that you utilise the file password functionality provided within the Service.
16. SECURITY
The security of your data is of utmost importance to us at Bright. We have a number of technical and organisational measures in place to protect against unauthorised access, disclosure, loss, misuse or malicious alteration of your personal information.
For further details of the security measures we have implemented, please see the Security section of our website.
Whilst we undertake to maintain the highest possible levels of security practicable to protect your data while using our Service, no system or storage technology can be guaranteed to be 100% secure. Any such transmission of data over the internet is at your own risk.
17. YOUR RIGHTS
Under current data protection laws, you have certain rights in relation to your personal data:
Access to your personal data
You can confirm if we are processing your personal data and obtain a copy of that data by accessing the Service for which you hold an account, or by contacting us.
Right to change or withdraw your consent
Where you have given your consent to us to process your data in line with this Privacy Notice, you may withdraw that consent by contacting us. If you wish to change your contact preferences, or no longer wish to be contacted for marketing purposes, please contact us or use our Preference Centre to opt-out.
Right to rectification
If you need to update incorrect information we hold about you, please log in to your Service account to update your personal data or contact us.
Right to erasure
You are free to delete your data at any point, through functionality directly provided by our Service, or by contacting us.
Right to data portability
You may request us to provide you with the personal data that we hold about you in a structured, commonly used, machine-readable format, or ask us to send such personal data to another Data Controller. If this is the case, please contact us.
Right to object
In certain circumstances, you may object to our processing of your data. If this is the case, please contact us.
Right to restrict processing
You can ask us to restrict the processing of the personal data we hold about you in some circumstances. If this is the case, please contact us.
Making a complaint
If you wish to raise a complaint on how we process your personal data, please contact us in the first instance and we will investigate the matter.
Contacting us
Please see Section 19 below.
We may need to request specific information from you to help us confirm your identity to ensure your right to access your personal data, or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any other person who has no right to receive it. We also contact you to ask you for further information in relation to your request to help speed up our response to you.
We try to respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or you have multiple requests. In such cases, we will notify you within one month and keep you updated on progress.
If you exercise a particular right outlined above or opt not to provide the requested personal information for the purposes set out in this Privacy Notice, we may not be able to provide you with access to the related Service. In such cases, we may have to delete any associated Service accounts. Where a Service contains your business financial data, it is your responsibility to maintain the appropriate records for your legal, regulatory and compliance requirements. Bright is under no obligation to retain any data on your behalf if you are no longer subscribed to our Service.
18. UPDATES TO OUR PRIVACY NOTICE
Bright may modify or update the content of this Privacy Notice from time to time to reflect changes in our business and/or in line with continuing or improving industry best practice. We will post any changes here on our website, updating the version and date, so you are always aware of what information we collect, how we use it, and under what circumstances we may share or disclose it. We recommend checking the Privacy Notice on a regular basis.
19. CONTACTING US
If you have any queries relating to this Privacy Notice, Bright’s use of your data or concerns in relation to the Digital Services Act (Regulation (EU) 2022/2065) (DSA), please contact our Privacy Officer via email at [email protected], or through our office address below.
Bright SG Ltd. (t/a Bright Software Group)
Unit 35, Duleek Business Park
Duleek,
Co. Meath
A92 N15E
Please note that phone calls to Bright may be recorded for monitoring, training and security purposes.
If you are not satisfied with our response or believe our processing of your personal data is not in accordance with applicable data processing legislation, you can raise a concern with the Irish Data Protection Commissioner (DPC) or the UK Information Commissioner’s Office (ICO).