Privacy Policy

Last updated: April 8, 2026

1. Data Controller

The data controller responsible for your personal data is:

Brights Sp. z o.o.
ul. Bartycka 55/1, 00-716 Warszawa, Poland
KRS: 0001197581 | NIP: 5214135237 | REGON: 542865045

2. What Data We Collect

We collect and process the following categories of personal data:

  • Account information — name, email address, profile photo (provided via Google OAuth sign-in).
  • Employment information — position, department, manager, engagement type, and other HR-related data entered by your organization.
  • Time-off and attendance data — leave requests, balances, and working-time records.
  • Usage data — timestamps of access, pages visited, and actions performed within the platform.

3. Purpose and Legal Basis

We process personal data for the following purposes:

  • Providing the service — to operate and maintain the Bureau HR management platform (contractual necessity).
  • Authentication — to verify your identity via Google OAuth (contractual necessity).
  • HR management — to manage employee records, organizational structure, time-off, and workflows on behalf of your employer (legitimate interest of your employer).
  • Security and audit — to maintain system logs and protect against unauthorized access (legitimate interest).

4. Data Sharing

We do not sell your personal data. We may share data with:

  • Your employer — the organization that manages your account in Bureau.
  • Infrastructure providers — hosting, database, and storage services necessary to operate the platform (e.g., cloud providers).
  • Google — as part of the OAuth authentication flow.
  • Legal authorities — when required by applicable law.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the service. When your account is deactivated, we retain data only as required by applicable law or legitimate business purposes.

6. Your Rights

Under applicable data protection laws (including GDPR), you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Object to or restrict processing.
  • Request data portability.
  • Lodge a complaint with a supervisory authority (in Poland: Prezes Urzędu Ochrony Danych Osobowych).

To exercise these rights, contact your organization's administrator or reach out to us directly.

7. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (HTTPS), access controls, and regular security reviews.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes through the platform.