Privacy Policy

Brightcone AI (referred to herein as “the Company”, “Brightcone”, “we”, “us”, or “our”) is committed to maintaining the highest standards of confidentiality, privacy, and information security with respect to all data provided to, collected by, or generated in connection with the Company’s Products and operations.

This Confidentiality and Privacy Policy (the “Policy”) sets out the principles and practices governing the collection, processing, use, storage, disclosure, retention, and protection of information in connection with the Brightcone Platform and the Brightcone Product Suite (collectively referred to as the “Products”), as further defined in Section 2 of this Policy.

This Policy applies to all individuals and entities that interact with the Products and related services, including enterprise clients, their authorised users, website visitors, employees, contractors, and prospective customers.

In enterprise deployments, the client organisation generally determines the purposes and means of processing personal data and acts as the Data Controller, while Brightcone acts as a Data Processor on behalf of the client. In circumstances where Brightcone independently determines the purposes and means of processing including, without limitation, activities relating to marketing, recruitment, website administration, or internal business operations, Brightcone acts as a Data Controller. The allocation of roles and responsibilities shall in all cases be governed by the applicable service agreement, Data Processing Agreement, or other contractual documentation.

By accessing or using any of the Products, you acknowledge that you have read this Policy and understand that your use of the Products is subject to its terms. This Policy forms part of and should be read in conjunction with the Company’s Terms of Service, applicable enterprise agreements, and any executed Data Processing Agreement, which collectively govern the use of the Products.

Deployment Architecture Principle. Brightcone’s architecture is designed to enable client data to be processed within the client’s designated infrastructure environment, including on-premise environments or client-controlled cloud infrastructure (such as Amazon Web Services, Microsoft Azure or equivalent providers). Brightcone does not host or retain client business data on Company-owned infrastructure. To the extent that incidental, transient, or technically unavoidable processing occurs outside the client’s designated environment, including for purposes of secure transmission, system integrity, monitoring, compliance obligations, or contractual service delivery, such processing shall be limited in scope and duration and subject to appropriate technical and organisational safeguards consistent with this Policy and applicable law.

This Policy is effective as of February 26, 2026 and supersedes all prior versions. The Company reserves the right to amend or update this Policy at its discretion. Where required by applicable law or contract, material amendments will be communicated to registered users and enterprise clients in accordance with Section 15 of this Policy.

"Anonymised Data" means data that has been irreversibly altered in such a manner that a Data Subject can no longer be identified, directly or indirectly, and which therefore does not constitute Personal Data under Applicable Law. Anonymised Data is not subject to the protections afforded to Personal Data under this Policy.

"Authorised Users" means individuals permitted by a client organisation to access and use the Products under the terms of the applicable service agreement, including employees, contractors, and other personnel acting on behalf of the client.

"Client Data" means all data, documents, content, configurations, and information provided by or on behalf of a client, or generated through a client’s authorised use of the Products or Services, including without limitation business data, employee information, customer records, operational data, and AI-generated outputs produced within the client’s Deployment Environment.

"Confidential Information" means any non-public information disclosed by either party to the other in connection with the Products or Services, whether disclosed orally, in writing, electronically, or by any other means, and whether or not marked as confidential at the time of disclosure. Confidential Information does not include information that:

is or becomes publicly available through no act or omission of the receiving party;

was already lawfully known to the receiving party at the time of disclosure, as evidenced by contemporaneous written records;

is independently developed by the receiving party without reference to or use of the disclosing party’s Confidential Information; or

is required to be disclosed by Applicable Law, court order, or regulatory authority, provided that the receiving party gives prior written notice where legally permissible and reasonably cooperates with any effort to seek a protective order.

is lawfully obtained from a third party without restriction.

"Cookies" means small text files or similar tracking technologies placed on a user’s device by a website or application for purposes including authentication, session management, analytics, and system functionality, as further described in Section 11 of this Policy.

"Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data transmitted, stored, or otherwise processed by the Company or its Sub-Processors.

"Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined under Applicable Law.

"Data Processing Agreement" or "DPA" means a legally binding agreement between the Company and a client governing the terms under which the Company processes Personal Data on behalf of the client in its capacity as a Data Processor.

"Data Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller pursuant to documented instructions and in accordance with Applicable Law.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Deployment Environment" means the technical infrastructure within which the Products are installed, operated, and maintained, which is owned or controlled by the client, including on-premise servers, the client’s cloud environment, Virtual Private Cloud (VPC), or equivalent private infrastructure.

"Personal Data" or "Personally Identifiable Information (PII)" means any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual, as further defined under Applicable Law.

"Processing" means any operation or set of operations performed on data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.

"Products" means the Brightcone Platform and the Brightcone Product Suite, including all associated software, applications, interfaces, APIs, AI components, dashboards, documentation, configurations, tools, and related services made available by the Company, as may be updated, modified, enhanced, or extended from time to time.

"Protected Health Information" or "PHI" means individually identifiable health information as defined by Applicable Law governing health data privacy, including where relevant the Health Insurance Portability and Accountability Act (HIPAA), applicable where the Products are deployed in healthcare or health-adjacent environments and the client qualifies as a Covered Entity or Business Associate.

"Services" means any implementation, integration, support, maintenance, advisory, configuration, hosting facilitation, or other professional or technical services provided by the Company in connection with the Products.

"Sub-Processor" means any third party engaged by the Company to process Personal Data on behalf of a client in accordance with documented instructions and applicable data protection obligations.

"Terms of Service" means the Company’s standard terms and conditions governing access to and use of the Products, as published on the Company’s website and as amended from time to time.

"Applicable Law" means all laws, regulations, regulatory requirements, and legally binding guidance applicable to the Processing of Personal Data, the protection of Confidential Information, and the performance of the Company’s obligations under this Policy.

references to a “Section” are to a section of this Policy;

the singular includes the plural and vice versa;

headings are for convenience only and shall not affect interpretation;

the words “include”, “includes”, and “including” shall be construed as if followed by “without limitation”;

references to Applicable Law include amendments, re-enactments, successor legislation, and subordinate regulations; and

in the event of any inconsistency between this Policy and a duly executed enterprise agreement or Data Processing Agreement, the terms of such agreement shall prevail to the extent of the inconsistency.

This Policy applies to the Processing of Personal Data and the handling of Confidential Information in connection with the Products and Services.

This Policy governs:

Client Data processed within the Deployment Environment;

Personal Data processed by the Company in its capacity as a Data Processor;

Personal Data processed by the Company in its capacity as a Data Controller;

Information collected through the Company’s website and marketing activities.

In enterprise deployments, the client organisation determines the purposes and means of Processing of Client Data and remains responsible for ensuring that such Processing complies with Applicable Law and the applicable Data Processing Agreement (as defined in Section 2.9).

Where the Company acts as a Data Processor, it processes Personal Data solely in accordance with documented instructions from the Data Controller and the applicable Data Processing Agreement.

This Policy does not apply to:

Third-party services not controlled by the Company;

Client-managed infrastructure or data processed independently by a client outside the scope of the Products;

Third-party applications or integrations configured independently by the client, unless expressly agreed in writing;

Data processed by Sub-Processors under their own privacy policies and contractual terms, except to the extent that the Company has entered into data protection obligations with such Sub-Processors under this Policy or an applicable Data Processing Agreement.

Organisation name, registered address, and primary contact details;

Billing contact information and payment details where applicable. Payment transactions are processed through authorised third-party payment processors (e.g., Stripe). Brightcone does not store full payment card details and relies on such providers to maintain compliance with PCI-DSS and other applicable standards;

Technical contact details for deployment, configuration, and support;

Project specifications, configuration settings, integration details, and implementation documentation necessary for the provision of Products and Services.

Name, business email address, and organisational role;

Authentication identifiers associated with the user’s account. User passwords and primary authentication credentials are managed within the client’s identity management system or chosen identity provider. Brightcone does not collect, store, or have access to user passwords or raw authentication tokens;

Access timestamps, session identifiers, usage metadata, and interaction logs generated in connection with Product usage.

Log files, access records, and error reports;

API call metadata and system diagnostic information;

Device and connection information required for secure transmission;

System-generated identifiers necessary to maintain session integrity.

Business documents, reports, structured and unstructured knowledge content;

Employee and customer records, depending on the client’s implementation;

AI prompts, contextual inputs, and generated outputs;

Clinical or health-related documentation in healthcare deployments (e.g., Bright Summarization);

IT service management records, tickets, and operational data (e.g., Bright Desk).

Certain deployments of the Products, including healthcare-related deployments, may involve the Processing of special categories of Personal Data or Protected Health Information as defined in Section 2.16.

Where such data is involved, Processing shall be subject to additional safeguards, contractual protections, and legal requirements under Applicable Law, including where relevant the execution of a Business Associate Agreement under HIPAA.

The Company does not seek to collect special categories of Personal Data through its website or general marketing activities.

IP address, browser type, device characteristics, and operating system;

Website usage analytics, including pages viewed, duration of visit, and referral sources;

Information voluntarily submitted through contact forms, demo requests, event registrations, or newsletter subscriptions;

Cookies and similar tracking technologies, as described in Section 11 of this Policy;

Website and marketing information is collected on the basis of the Company’s legitimate interests in operating and improving its digital presence and marketing activities, or on the basis of consent where required under Applicable Law.

Operating, maintaining, and improving the Products and Services;

Ensuring network and information security;

Preventing fraud, misuse, or unauthorised access;

Managing internal administration and business operations;

Conducting limited analytics using Anonymised Data (as defined in Section 2.2).

Deploy, configure, and maintain the Products within the client’s Deployment Environment;

Provide technical support, troubleshooting, and incident resolution;

Deliver software updates, security patches, and system enhancements;

Manage billing, invoicing, and payment processing through authorised third-party providers.

The Company may use aggregated and Anonymised Data (as defined in Section 2.2) to improve Product performance, reliability, and functionality.

Such Anonymised Data may be used to develop new features, conduct internal research, and evaluate system performance.

The Company does not use Client Data or Personal Data for training third-party AI models or for developing generalised AI models without the client’s explicit written consent and an appropriate contractual agreement.

Send service-related notices, updates, and security alerts;

Respond to inquiries, support requests, and operational communications;

Provide product updates, marketing information, or event invitations, subject to Applicable Law. Recipients of marketing communications may opt out at any time by following the unsubscribe instructions included in such communications or by contacting the Company as described in Section 17\.

Comply with Applicable Law, regulatory obligations, and lawful legal processes;

Protect the rights, property, and safety of the Company, its clients, and others;

Enforce the Terms of Service, Data Processing Agreements, and other contractual rights.

The Company uses automatically collected technical data and operational metadata to monitor system integrity, detect and prevent unauthorized access, investigate security incidents, and protect the Products, clients, and Data Subjects from fraud and misuse.

Such Processing is carried out on the basis of the Company’s legitimate interests as described in Section 5.3 and, where applicable, legal obligations under Section 5.4.

Brightcone's architecture is designed to enable Client Data to be processed primarily within the client's designated Deployment Environment.

Subject to the limited exceptions described in Section 1.6, Client Data is not transmitted to, hosted on, or persistently stored within Company-owned infrastructure.

AI models deployed for enterprise clients operate within the client's Deployment Environment or within infrastructure expressly designated and controlled by the client.

Data at rest and in transit is designed to remain within client-controlled systems, subject to the deployment configuration selected by the client and the limited exceptions described in Section 1.6.

Access by Brightcone personnel to client systems occurs only where expressly authorised for support, maintenance, or contractual service delivery purposes and is subject to confidentiality and access control safeguards. Such access shall be limited to the minimum scope necessary for the authorised purpose and shall not exceed the access permissions granted by the client under the applicable service agreement.

Each client deployment is logically and, where applicable, network-segregated from other client environments.

The Company does not commingle Client Data across deployments.

Model instances, configurations, and operational environments are provisioned on a per-client basis.

Encryption keys and access credentials are managed within the client's infrastructure in accordance with the client's security policies. The Company recommends that clients adopt encryption key management practices consistent with applicable industry standards and the sensitivity of the data processed.

Network-level isolation mechanisms, including Virtual Private Cloud (VPC) segmentation or equivalent on-premises controls, are implemented in accordance with the deployment model selected by the client.

The Company's internal corporate systems do not store Client Data, except where limited and incidental data may be processed in accordance with Section 1.6.

The Company's internal systems may store:

.1 Client account and contractual information;

.2 Billing and payment records processed via authorised third-party providers;

.3 Support ticket metadata and operational service records;

.4 Product licensing information and configuration references necessary for contract administration;

.5 Aggregated and Anonymised Data, where permitted by contract and Applicable Law.

The Company does not sell, rent, trade, or otherwise monetise Personal Data or Client Data to third parties for marketing or advertising purposes.

Service Providers and Sub-Processors: To trusted service providers and Sub-Processors (as defined in Section 2.18) who assist in providing the Products or operating the Company's corporate systems, including payment processors and professional advisors, subject to contractual confidentiality and data protection obligations consistent with this Policy and any applicable Data Processing Agreement. The Company maintains a list of current Sub-Processors, which is available upon written request or as otherwise made available through client documentation portals.

Legal and Regulatory Requirements: Where required by Applicable Law, regulation, subpoena, court order, or lawful request from a governmental authority. Where legally permissible, the Company shall provide the affected client or Data Subject with prior written notice of such disclosure and shall reasonably cooperate with any effort to seek a protective order or equivalent relief.

Protection of Rights: To protect the rights, property, or safety of the Company, its clients, Data Subjects, or others, including in connection with fraud prevention, security investigations, or enforcement of contractual rights.

Business Transactions: In connection with a merger, acquisition, restructuring, financing, or sale of assets, provided that affected clients are notified in accordance with Applicable Law and contractual obligations. Any successor entity shall be required to honour the obligations of this Policy with respect to Personal Data and Client Data, or affected Data Subjects and clients shall be notified in accordance with Applicable Law and provided with any rights required under such law.

With Explicit Consent: Where disclosure is made with the explicit prior written consent of the relevant client or Data Subject, as applicable.

To the extent Applicable Law includes the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA), California residents may have additional rights with respect to their Personal Data, including the right to know, right to delete, right to correct, and the right to opt out of the sale or sharing of Personal Data.

The Company does not sell or share Personal Data as those terms are defined under the CCPA and CPRA.

The Company will not discriminate against individuals for exercising their rights under applicable California privacy laws.

California residents may exercise their rights by contacting the Company as described in Section 17 of this Policy.

Encryption of data in transit using industry-standard transport layer security protocols;

Encryption of data at rest using strong cryptographic standards appropriate to the deployment configuration;

Access control mechanisms, including role-based access controls and least-privilege principles;

Support for multi-factor authentication for administrative access;

Audit logging and monitoring of system activities;

Automated detection or redaction mechanisms for sensitive data categories where such features are enabled as part of the Product configuration.

Confidentiality obligations for employees and contractors;

Security awareness training provided on a periodic basis;

Documented incident response procedures;

Periodic security assessments appropriate to the Company’s operational profile;

Background verification processes for personnel with access to sensitive systems, where permitted under Applicable Law.

Controlled access to office environments;

Encryption of Company-issued devices where applicable;

Device management controls, including remote access restriction or wipe capabilities where supported.

In the event of a confirmed Data Breach affecting Client Data for which the Company is responsible under Applicable Law or contract, the Company shall notify the affected client without undue delay and, where required under Applicable Law, within the time period prescribed by such law.

Such notification shall include, to the extent known at the time:

.1 The nature of the incident;

.2 The categories and approximate volume of data affected;

.3 The likely consequences of the incident;

.4 Measures taken or proposed to contain and remediate the incident.

The Company shall take reasonable steps to investigate, mitigate, and remediate the incident and shall cooperate with the client in fulfilling any regulatory or notification obligations required under Applicable Law.

Client Data and business information;

Product architecture, source code, and technical documentation;

Pricing, contractual terms, and commercial arrangements;

Business strategies, plans, and financial information;

Personal Data and employee or customer information.

Protect Confidential Information using at least the same degree of care it uses to protect its own confidential information of a similar nature, and in no event less than reasonable and appropriate technical and organisational measures having regard to the nature and sensitivity of the information;

Restrict access to Confidential Information to personnel with a legitimate business need to know;

Require personnel with access to be bound by confidentiality obligations;

Use Confidential Information solely for purposes authorised under the applicable agreement;

Not disclose confidential information to third parties except as permitted under Section 8 of this Policy or under an applicable agreement.

Is or becomes publicly available without breach of this Policy;

Was lawfully in the receiving party’s possession prior to disclosure;

Is independently developed without reference to the Confidential Information;

Is lawfully obtained from a third party without restriction;

Is required to be disclosed under Applicable Law, subject to prior notice where legally permissible.

This Section applies to all artificial intelligence components, machine learning models, natural language processing systems, and automated decision-support tools forming part of the Products.

The Company is committed to the responsible development and deployment of AI systems that respect privacy, operate with appropriate transparency, and are designed to minimise the risk of harmful or discriminatory outputs.

AI components deployed for enterprise clients operate within the client’s Deployment Environment in accordance with Section 7 of this Policy.

Model instances are provisioned on a per-client basis and are not shared across client environments.

Client Data processed by AI components does not leave the client’s designated infrastructure except as described in Section 1.6.

The Company does not use Client Data or Personal Data to train, fine-tune, or develop generalised AI models without the explicit written consent of the relevant client and an appropriate contractual agreement governing such use.

Where Anonymised Data (as defined in Section 2.2) is used for internal evaluation, testing, benchmarking, or product improvement, such data shall not reasonably permit identification of any individual or client.

The Company maintains internal documentation regarding AI model development and data sources to the extent required under Applicable Law.

AI-generated outputs are produced based on patterns in training data and client-provided inputs and may contain inaccuracies or limitations.

AI-generated outputs do not constitute professional advice, including legal, medical, financial, or clinical advice, and should not be relied upon without appropriate human review.

Clients and Authorised Users are responsible for reviewing and validating AI-generated outputs before acting upon them, particularly in regulated or high-impact contexts.

The Company does not guarantee the factual accuracy, completeness, or fitness for the purpose of AI-generated outputs.

The Products are not designed to make fully automated decisions that produce legal or similarly significant effects without human oversight.

The Company’s AI systems are designed to support human decision-making rather than replace it.

Clients deploying AI features in contexts involving significant decisions affecting individuals are responsible for implementing appropriate human oversight consistent with Applicable Law.

Upon reasonable request, the Company may provide high-level information regarding the general functioning of AI systems, including types of inputs, output categories, and known limitations.

Where required under Applicable Law, the Company shall reasonably cooperate with clients in providing meaningful information concerning automated processing that produces legal or similarly significant effects.

The Company monitors developments in AI-related regulatory frameworks and shall take reasonable steps to align its AI governance practices with Applicable Law.

Clients remain responsible for ensuring their use of AI-powered features complies with sector-specific regulatory obligations applicable to their organisation.

Where the Company acts as a Data Processor, Data Subject requests relating to Client Data must be directed to the relevant enterprise client acting as Data Controller.

The Company shall provide reasonable assistance to clients in responding to Data Subject requests within the timeframes required under Applicable Law.

Where the Company acts as a Data Controller, individuals may exercise their rights directly with the Company.

Right of Access

Right to Rectification

Right to Erasure

Right to Restriction of Processing

Right to Data Portability

Right to Object

Rights relating to Automated Decision-Making

Right to Withdraw Consent

Request account-level data summaries;

Request correction of organisational data;

Request deletion of account data subject to legal retention requirements;

Export Client Data from their Deployment Environment;

Conduct audits in accordance with the applicable service agreement.

California residents may exercise rights under the CCPA and CPRA.

The Company does not sell or share Personal Data as defined under the CCPA or CPRA.

The Company will not discriminate against individuals for exercising rights under California privacy law.

Standard Contractual Clauses;

Adequacy decisions;

Binding Corporate Rules;

Other recognised transfer mechanisms.

Client Data retention is primarily governed by the client.

Upon termination, residual copies within Company systems shall be deleted or rendered inaccessible within thirty (30) days unless retention is required by law or agreed in writing.

Written confirmation of deletion will be provided upon request.

The Company shall cooperate with reasonable transition or preservation requests during agreed transition periods.

Essential Cookies — Strictly necessary for the operation of the website and core Product functionality, including navigation, session management, authentication, and form submission.

Analytics Cookies — Used to collect aggregated information about how visitors interact with the website for performance and improvement purposes.

Marketing and Preference Cookies — Used to deliver relevant content and measure marketing effectiveness. These are deployed only with prior consent where required under Applicable Law.