Privacy policy

Brightway respecte votre vie privée et ne collecte que les données strictement nécessaires à la gestion de vos demandes.

This website is operated under French law. The following legal notices apply to all users accessing this site.

Preamble

This privacy policy describes how Brightway collects, uses and protects the personal data of visitors to its website, in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the amended French Data Protection Act (loi Informatique et Libertés).

Data controller

The data controller for personal data collected on this website is:

  • Brightway, 16 rue Troyon, 92310 Sèvres, France
  • General contact: contact@brightway.fr
  • Data Protection Officer (DPO): Brightway has designated a DPO, reachable at dpo@brightway.fr for any question relating to the protection of your personal data.

Data collected

Brightway collects the following categories of data:

  • Identification data: surname, first name, role, organisation — provided through our contact forms or during a commercial exchange.
  • Contact data: business email, phone.
  • Message content: free-text submitted through the contact form.
  • Browsing data: connection logs (IP address, browser type, pages visited, timestamp) for security and anonymised audience measurement purposes.
  • Cookie-related data: see our cookie policy.

Purposes and legal bases for processing

Data is processed for the following purposes:

  • Responding to contact requests — Legal basis: pre-contractual measures (Article 6.1.b GDPR) or the firm’s legitimate interest (Article 6.1.f) in handling incoming enquiries.
  • Managing the commercial relationship — Legal basis: performance of the contract for ongoing engagements, or legitimate interest for proportionate B2B prospecting.
  • Site and infrastructure security — Legal basis: legitimate interest in protecting our systems against abuse, intrusions and fraud attempts.
  • Anonymised audience measurement — Legal basis: explicit consent (Article 6.1.a) only if analytics cookies are enabled.

Data recipients

The data collected is intended for:

  • Brightway authorised employees (sales, consulting, technical teams) within the scope of their respective duties;
  • our technical sub-processors strictly required for the website’s operation: [To complete: hosting provider, email provider, CRM if any, backup provider]. Each sub-processor is bound by a sub-processing contract compliant with Article 28 GDPR.

No personal data is sold, rented or transferred to third parties for commercial purposes.

Retention periods

Brightway applies the following retention periods:

  • Contact form data: [To complete: duration, CNIL recommendation 3 years from the last contact].
  • Active client data: duration of the commercial relationship plus the applicable legal limitation periods.
  • Security logs: [To complete: duration, CNIL recommendation 12 months].
  • B2B prospecting data: [To complete: duration, CNIL recommendation 3 years after last contact without response].

At the end of these periods, data is deleted or irreversibly anonymised.

Transfers outside the European Union

[To complete: default statement “No personal data is transferred outside the European Economic Area.” If transfers occur, describe the safeguards in place: European Commission Standard Contractual Clauses, applicable adequacy decisions, relevant supplementary measures.]

Your rights

Under GDPR, you have the following rights over your personal data:

  • Right of access — obtain confirmation that your data is being processed and receive a copy;
  • Right to rectification — have inaccurate or incomplete data corrected;
  • Right to erasure — request the deletion of your data under the conditions provided by GDPR;
  • Right to restriction of processing — restrict processing in certain specific situations;
  • Right to object — object to processing on legitimate grounds, in particular for commercial prospecting;
  • Right to portability — receive your data in a structured, machine-readable format;
  • Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

Exercising your rights

To exercise any of these rights, contact us:

A response will be provided within one month of receipt of your request, in accordance with Article 12 GDPR. Proof of identity may be requested in case of reasonable doubt as to your identity.

Complaint with the CNIL

If, after contacting us, you consider that your rights are not respected, you can lodge a complaint with the French data protection authority (CNIL — Commission nationale de l’informatique et des libertés):

Security

Brightway implements appropriate technical and organisational measures to ensure the security and confidentiality of the data processed: encryption in transit (TLS 1.2 minimum), strengthened access control to systems, logging of personal data access, encrypted off-site backups, ongoing data protection awareness training for staff.

Amendments to this policy

This policy may be amended at any time to reflect a regulatory, technical or organisational change. The version in force is the one published on this page.

Last updated: [To complete: date].