
Privacy Policy

Effective Date: April 28, 2026  ·  Last Updated: April 28, 2026

Brightcone.ai (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy and providing a secure online experience. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with your use of https://www.brightcone.ai and the Brightcone Platform, the Brightcone Product Suite (including Bright Bot, Bright Insights, Bright Connect, Bright Predict, Bright Schedule, and Bright Notes), and all related features, pages, applications, and infrastructure operated by the Company (collectively, the “Service”).

By accessing or using the Service, you accept and agree to this Privacy Policy. Do not use the Service if you do not agree to this Privacy Policy.

This Privacy Policy is incorporated by reference into our Terms of Use. To the extent you have entered into any other agreements with the Company relating to the Service or any of the Company’s products or offerings that contain specific privacy or data handling policies, those specific policies will take precedence over any conflicting provisions in this Privacy Policy.

1. Scope

This Privacy Policy applies to all information collected through the Service, including through the Website and any related web or mobile applications; in email, text, or other electronic communications between you and us; through connected third-party integrations you authorize; and when you interact with our advertising or applications on third-party platforms that link to this Privacy Policy.

This Privacy Policy does not apply to information collected offline or through means not described above, or to third-party websites, services, or applications that may be linked from the Service.

2. Definitions

“User” means any individual who creates an account or otherwise accesses or uses the Service.

“User Content” means any documents, files, data, prompts, queries, voice inputs, or other information uploaded, submitted, or generated by a User through the Service.

“AI Systems” means the artificial intelligence, machine learning, large language models, agentic frameworks, and automated technologies used to power or support the Service, including models provided by third-party AI providers.

“AI-Generated Output” means any response, summary, recommendation, prediction, note, report, or other content generated by AI Systems in connection with the Service.

“Training Data” means Personal Data or User Content used to train, fine-tune, validate, or otherwise improve AI Systems.

“Third-Party AI Providers” means external AI model providers whose large language models or related technologies are integrated into or used to power the Service, including but not limited to OpenAI, Anthropic, Google, Mistral, and Microsoft Azure OpenAI.

“Connected Accounts” means third-party enterprise systems, platforms, and collaboration tools voluntarily connected by a User or their organization, including but not limited to ServiceNow, Salesforce, Jira, Confluence, Microsoft Outlook, Microsoft Teams, and Slack. Access is initiated and controlled by the User or their organization and may be revoked at any time.

“Processing” means any operation performed on Personal Data or User Content, including collection, storage, use, modification, and deletion.

“Security Incident” means any confirmed unauthorized access, disclosure, alteration, or destruction of Personal Data or User Content.

“Separate Agreement” means a separate written agreement with the Company governing your use of Company products or services (including, without limitation, a Master Services Agreement, Software License Agreement, Subscription Agreement, Data Processing Agreement, or Business Associate Agreement).

3. Information We Collect

We collect information that identifies, relates to, describes, or could reasonably be linked to you (“Personal Data”). This includes information you provide directly to us, such as your name, email address, phone number, mailing address, account credentials, billing and payment information, and any communications you send to us. Depending on the nature of the services you use, we may also collect professional or employment-related information such as job title, organizational role, work history, or similar details.

We also collect User Content, including documents, prompts, queries, voice inputs, and other information you submit through the Service, as well as your interactions with AI Systems, feedback you provide on AI-Generated Outputs, and any corrections or modifications you make to those outputs. This information is used to provide the Service and, where applicable and in accordance with this Privacy Policy, to improve our AI Systems.

We collect certain information automatically when you use the Service, including your IP address, device identifiers, browser type, general location data, and usage information such as pages visited, time spent, and referring URLs.

Where you connect third-party enterprise systems or collaboration tools through Connected Accounts, we collect the data and metadata necessary to facilitate those integrations, limited to what is explicitly authorized by you or your organization.

In connection with certain products, particularly those serving healthcare, clinical, HR, and financial use cases, we may collect sensitive information such as clinical documentation, government-issued identification, financial data, or workforce-related data. Protected health information (PHI), as defined under the Health Insurance Portability and Accountability Act (HIPAA), is processed only where a separately executed Business Associate Agreement (BAA) is in place with the Company and the applicable product is configured to operate under that BAA. Sensitive information is collected only to the extent required for the applicable service and is handled in accordance with applicable law and any applicable Separate Agreement. The Service includes automatic PII and PHI detection and redaction capabilities to help limit unnecessary exposure of sensitive data.

We collect Personal Data directly from you, automatically through your use of the Service, and in some cases from Connected Accounts or third parties such as business partners or service providers where permitted by law. We collect only what is reasonably necessary to fulfill the purposes described in this Privacy Policy and do not collect Personal Data for purposes incompatible with those disclosed at the time of collection.

4. How We Use Your Information

We use Personal Data and User Content to:

  • Provide, operate, maintain, and improve the Service and all products within the Brightcone Product Suite;
  • Process transactions and fulfill service requests;
  • Respond to inquiries and communicate with you regarding your account;
  • Personalize and optimize your experience with the Service, including tailoring AI-Generated Outputs to your role, organization, and use case;
  • Send administrative or service-related communications;
  • Send marketing communications where permitted by law and subject to your opt-out rights;
  • Monitor, analyze, and improve usage, performance, and AI System accuracy;
  • Enforce our Terms of Use;
  • Comply with legal obligations and respond to lawful requests; and
  • Detect, prevent, and address fraud, security issues, or technical problems.

5. Automated Processing and Artificial Intelligence

5.1 How We Use AI

The Service is powered by artificial intelligence, machine learning, large language models, agentic frameworks, and related automated technologies. AI Systems are central to the functionality of the Brightcone Platform and all products in the Brightcone Product Suite, including AI-powered help desk automation, document intelligence and summarization, clinical documentation, workforce forecasting, omnichannel contact center capabilities, and predictive scheduling. We use AI Systems to analyze and process User Content; generate recommendations, summaries, predictions, notes, and other outputs; optimize Service performance and functionality; route inputs to the most appropriate model for the task; personalize responses based on your role, organization, and data; and detect fraud, security threats, and other harmful activity.

5.2 Multi-Model AI and Model Routing

The Service supports multiple large language models and may route your inputs and User Content to different Third-Party AI Providers depending on the task, configuration, and deployment model. Third-Party AI Providers whose models may process your data include OpenAI (GPT), Anthropic (Claude), Google (Gemini), Mistral, and Microsoft Azure OpenAI, among others. The specific models used in connection with your account may vary based on your organization’s configuration and any bring-your-own-model arrangements. All Third-Party AI Providers are contractually required to protect your Personal Data in accordance with applicable law and to process it only as directed by us. We do not permit Third-Party AI Providers to use your Personal Data for their own independent training or commercial purposes without your consent.

5.3 Use of Data to Train and Improve AI Systems

We will not use Personal Data or User Content to train, fine-tune, validate, or improve our AI Systems, including custom or department-specific language models developed as part of the Service, unless you (or, where applicable, your organization) expressly opt in to such use. Where opt-in is offered, we will provide clear notice and an easy mechanism to withdraw consent at any time by contacting us at hello@brightcone.ai. We may use Personal Data and User Content in aggregated or de-identified form to operate, secure, debug, and improve the Service, provided that such use does not re-identify you or your organization.

5.4 AI-Generated Outputs

AI-Generated Outputs are produced by automated systems and may be inaccurate, incomplete, or not suitable for your specific circumstances. You are responsible for reviewing any AI-Generated Output before relying on or acting upon it. This is particularly important in connection with clinical documentation, financial analysis, workforce decisions, and other high-stakes use cases. The Company makes no representations or warranties regarding the accuracy, reliability, or fitness for a particular purpose of any AI-Generated Output.

5.5 Human Review and Oversight

Certain AI-driven processes may be reviewed or overseen by authorized Company personnel for quality assurance, safety, accuracy, and compliance purposes. All such access is subject to appropriate confidentiality obligations and access controls. Where automated processing may produce decisions that have a legal or similarly significant effect on you, you may have the right to request human review of such decisions, object to the outcome, or obtain an explanation of the basis for the decision, subject to applicable law. Our products are designed to support, augment, and inform human decision-making, not to replace it. By using our Service, you agree to comply with all applicable laws, regulations, or guidelines governing your use of our Service, including any requirements relating to human review of AI-Generated Outputs.

5.6 Feedback and Continuous Learning

The Service may incorporate feedback you provide, including corrections, ratings, or modifications to AI-Generated Outputs, to improve AI System performance on an ongoing basis. By providing feedback through the Service, you acknowledge that such feedback may be used to refine and improve our AI Systems in accordance with this Privacy Policy. You may opt out of having your feedback used for this purpose by contacting us at hello@brightcone.ai.

5.7 AI Ethics and Bias

We are committed to the responsible development and deployment of AI. We take reasonable steps to monitor AI Systems for bias, discriminatory outputs, and unintended behavior, and to implement safeguards around high-stakes automated decisions. The Service incorporates AI governance and observability tools designed to ensure responsible, compliant AI adoption. Users who have concerns about the behavior or outputs of our AI Systems are encouraged to contact us at hello@brightcone.ai.

7. Sharing of Your Information

We do not sell your Personal Data. We may share Personal Data in the following circumstances:

  • With Third-Party AI Providers whose large language models power or support the Service, including OpenAI, Anthropic, Google, Mistral, and Microsoft Azure OpenAI, solely as necessary to provide AI-powered functionality and subject to contractual data protection obligations;
  • With cloud infrastructure providers on whose platforms the Service is deployed, including Amazon Web Services, Microsoft Azure, and Google Cloud, as applicable based on your deployment configuration;
  • With identity and access management providers such as Okta, Azure Active Directory, and Ping Identity, as necessary to authenticate and authorize users;
  • With AI governance and observability partners, as necessary to ensure responsible and compliant AI operation;
  • With Connected Account providers and enterprise application platforms you authorize, including ServiceNow, Salesforce, Jira, Confluence, Microsoft Outlook, Microsoft Teams, and Slack, limited to what is necessary to provide the requested integration;
  • With other service providers and vendors who perform services on our behalf;
  • To comply with legal obligations or respond to lawful requests;
  • To protect the rights, property, or safety of the Company, Users, or others; and
  • In connection with a merger, acquisition, restructuring, or sale of assets, in which case the acquiring entity will be required to honor this Privacy Policy or provide comparable protections.

All third-party service providers and AI providers are contractually required to protect Personal Data in accordance with applicable law and to process it only as directed by us. We do not use or disclose sensitive Personal Data for purposes other than those permitted by applicable law. You may exercise your opt-out rights through any “Do Not Sell or Share My Personal Information” link or similar mechanism made available on our Services, where applicable.

8. Deployment and Data Residency

The Service is available in multiple deployment configurations, including fully managed SaaS, isolated virtual private cloud (VPC), on-premises deployment within your own data center, and hybrid configurations. The configuration selected by your organization determines where your Personal Data and User Content are stored and processed.

In certain deployment configurations, including VPC and on-premises deployments, your data is stored and processed entirely within your organization’s own environment and does not leave that environment unless you choose to enable integrations that require data transfer. In SaaS deployments, data is stored on secure cloud infrastructure operated by or on behalf of the Company. Regardless of deployment model, the Company implements the security and access controls described in this Privacy Policy.

Where your organization has specific data residency requirements, including requirements that data remain within a particular geographic region or jurisdiction, those requirements should be addressed in your agreement with the Company.

9. Security Measures

We implement enterprise-grade administrative, technical, and physical safeguards to protect Personal Data and User Content. Our security measures include:

  • Role-based access control (RBAC) with granular permissions and multi-tenant isolation;
  • Single sign-on (SSO) integration with enterprise identity providers including Okta, Azure Active Directory, and Ping Identity;
  • SCIM provisioning for automated user lifecycle management;
  • Automatic PII and PHI detection and redaction;
  • End-to-end encryption for data in transit and at rest;
  • Memory encryption to protect sensitive context;
  • Data residency controls that can be configured to prevent data from leaving your environment;
  • Comprehensive audit logging and observability aligned with HIPAA and SOC 2 Type II frameworks;
  • Zero Trust architecture principles;
  • AI-specific safeguards including protections against prompt injection, unauthorized model access, and adversarial inputs; and
  • Incident response procedures with defined escalation and notification timelines.

No system is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for ensuring appropriate access controls are configured within your organization’s deployment.

10. Data Breach Notification

In the event of a Security Incident affecting your Personal Data, we will notify affected Users and, where applicable, the relevant supervisory authority, in accordance with applicable law and the timelines required thereunder.

11. Data Retention and Deletion

We retain Personal Data and User Content only as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, contractual, and operational requirements. In determining appropriate retention periods, we consider the nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and applicable legal requirements. When Personal Data is no longer needed, we will delete or anonymize it in accordance with our internal policies. In deployment configurations where data resides within your organization’s own environment, retention and deletion of that data is subject to your organization’s own policies and controls.

12. Sensitive Personal Data

Given the industries we serve, the Service may process sensitive Personal Data including protected health information, clinical documentation, financial account data, government-issued identification numbers, biometric information, neural data, precise geolocation, and workforce-related information. We process such data only as necessary to provide the Service, comply with legal obligations, or for other purposes permitted by applicable law. We do not use or disclose sensitive Personal Data beyond those purposes unless we obtain your consent where required. California residents have the right to limit the use and disclosure of sensitive Personal Data under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and we honor such requests in accordance with applicable law. The Service is not directed to consumers under the age of 18, and where Personal Data of a consumer known to be under 18 is processed, we obtain affirmative opt-in consent before any sale or sharing as required by California law. The Service includes automatic PII and PHI detection and redaction capabilities; however, the Service is not designed for the processing of Protected Health Information under HIPAA unless a separate Business Associate Agreement has been executed with the Company.

13. No Financial Incentives

We do not offer financial incentives, price differences, or service differences in exchange for the retention, sale, or sharing of Personal Data.

14. Cookies and Tracking

The Service uses essential cookies necessary for operation and performance monitoring, and may use optional cookies to support analytics and marketing. Users may manage cookie preferences through their browser settings or any cookie consent tools we make available. Disabling certain cookies may affect the functionality of the Service. Where required by law, we obtain your consent before placing non-essential cookies.

Required Cookies

These cookies are necessary for the operation of the Service and cannot be disabled. They may be set to recognize you when you return to the Service after providing your identification.

Functional Cookies

These cookies improve the performance, functionality, and offerings of the Service, including usage analytics and improvement of user experience. We may use our own technology or third-party tools to track and analyze usage data.

Advertising Cookies

These cookies monitor user behavior across websites for direct marketing purposes. You may refuse advertising cookies through your browser settings or available consent tools.

15. Your Privacy Rights

Depending on your location, you may have the right to access, correct, delete, restrict, or object to the processing of your Personal Data, and to request data portability. Where automated processing, including AI-driven decision-making, produces decisions with a legal or similarly significant effect on you, you may have the right to request human review of such decisions, object to the outcome, or obtain an explanation of the basis for the decision. We may take reasonable steps to verify your identity before fulfilling a request. To submit a request, contact us at hello@brightcone.ai.

16. Transfer of Information Across Borders

Your information may be processed in the United States or other countries where we or our service providers operate. Where required by applicable law, we implement appropriate safeguards for cross-border transfers, including Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms. Organizations with specific data residency requirements should address those requirements in their agreement with the Company.

17. California Resident Rights (CCPA/CPRA)

17.1 Right to Know

You have the right to request information about our collection and use of your Personal Data over the past 12 months, including the categories of Personal Data collected and their sources; the business or commercial purpose for collecting or sharing your Personal Data; the categories of third parties with whom we have shared your Personal Data; and the specific pieces of Personal Data we have collected about you.

17.2 Right to Delete

You have the right to request deletion of your Personal Data, subject to certain legal exceptions, such as where retention is necessary to complete a transaction or fulfill a legal obligation.

17.3 Right to Correct

You have the right to request correction of inaccurate Personal Data we maintain about you.

17.4 Right to Opt Out of Sharing

To the extent we engage in activities considered “sharing” of Personal Data under California law, you have the right to opt out. We do not sell Personal Data. You may exercise your right to opt out by contacting us at hello@brightcone.ai or using any available cookie preference tools. We recognize and honor opt-out preference signals sent by your browser or device, including the Global Privacy Control (GPC) signal, as a valid request to opt out of the sale or sharing of your Personal Data in accordance with California Code of Regulations title 11, Section 7025. Where we have processed an opt-out request, we will display visual confirmation that the request has been honored.

17.5 Exercising Your California Rights

To submit a valid request, please contact us at hello@brightcone.ai. We will respond within forty-five (45) days of receipt. You may also authorize an agent to exercise your rights on your behalf by providing written authorization.

17.6 No Discrimination

We will not discriminate against you for exercising your rights under the CCPA/CPRA.

17.7 Shine the Light

California residents may request information about our disclosure of Personal Data to third parties for their direct marketing purposes by contacting us at hello@brightcone.ai.

18. Nevada Resident Rights

Nevada residents may opt out of the sale of certain Personal Data by contacting us at hello@brightcone.ai with the subject line “Nevada Do Not Sell Request.” We do not currently sell Personal Data as defined under Nevada Revised Statutes Chapter 603A.

19. European, United Kingdom, and Swiss Residents

If you are located in the European Union, United Kingdom, or Switzerland, you have the right to access, rectify, or erase your Personal Data; restrict or object to processing; request data portability; and, where processing is based on consent, withdraw that consent at any time. You also have the right to object to solely automated decision-making, including AI-driven processing, that produces legal or similarly significant effects, and to request human review of such decisions. You have the right to lodge a complaint with the supervisory authority in your country of residence. We require only the information reasonably necessary to provide the Service and retain Personal Data only as long as necessary to fulfill the purposes described in this Privacy Policy or to comply with legal obligations.

20. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect Personal Data from children under 13. If we become aware that we have collected such data, we will take prompt steps to delete it. If you believe we may have inadvertently collected information from a child under 13, please contact us immediately at hello@brightcone.ai.

21. Linked Websites

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

22. How to Opt Out of Marketing Communications

You may opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email or by contacting us at hello@brightcone.ai. Opting out of marketing communications does not affect our ability to send transactional or account-related communications.

23. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Updates will be posted with a revised “Last Updated” date. Your continued use of the Service after such posting constitutes your acceptance of the updated Privacy Policy.

24. Enforcement

If you believe the Company has not adhered to this Privacy Policy, please notify us at hello@brightcone.ai and we will investigate and address the matter in accordance with applicable law.

Contact Us

Questions or concerns about this Privacy Policy? Reach out to us:

Brightcone.ai

hello@brightcone.ai
