Privacy Notice
BrightCarbon is committed to protecting your privacy. This Privacy Notice is designed to help you understand what information we gather, how we use it, what we do to protect it, and to assist you in making informed decisions when using our products and services.
BrightCarbon Ltd (registered in England and Wales) is the data controller responsible for deciding how and why your personal data is processed.
In some cases, contracts may be entered into with BrightCarbon Inc (a US‑based group company). However, BrightCarbon Ltd remains responsible for determining the purposes and means of processing personal data in all cases.
BrightCarbon Inc may process personal data on behalf of BrightCarbon Ltd for operational, sales, support, and service‑delivery purposes, including where staff are based outside the UK.
For further information, please contact the Data Protection Officer on dpo@brightcarbon.com
What information we collect, use and why
To provide and improve products and services for clients
- Names and contact details
- Occupation
- Purchase/account history
- Payment details
- Account information
- Records of meetings and decisions including call recordings
- Information relating to compliments or complaints
For the operation of client accounts
- Names and contact details
- Payment details
- Purchase history
- Account information
For information updates or marketing purposes
- Names and contact details
- Profile information
- Marketing preferences
- Records of consent, where appropriate
For recruitment purposes
- Contact details (including name, address, telephone number and/or personal email address)
- Education and employment history
- Other personal details provided via CV.
When you apply for a role with us, the information you choose to include in your CV or application may reveal special category personal data (for example, information about religious beliefs, trade union membership, health, or sexual orientation).
We do not ask for, require, or encourage the inclusion of this type of information as part of our recruitment process. Where such information is included voluntarily, we do not use it in our decision‑making and access is restricted to those involved in the recruitment process.
Where special category data is incidentally received, we process it only to the extent necessary for recruitment administration and in line with our obligations under employment and equality law, applying appropriate safeguards to protect your rights and freedoms.
Further information may be collected at a later point in the recruitment process – you will be informed about your data protection rights at this point.
For dealing with queries or complaints
- Names and contact details
- Payment details
- Account information
- Purchase history
- Records of meetings and decisions, including call recordings
- Client accounts and records
- Correspondence
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are set out in brief below.
- Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
- Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
- Your right to erasure – You have the right to ask us to delete your personal information.
- Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information.
- Your right to object to processing – You have the right to object to the processing of your personal data.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
- Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.
If you make a request, we will respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us at dpo@brightcarbon.com
Our lawful bases for the collection and use of your data
To provide and improve products and services for clients
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
For the operation of client or customer accounts
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
For information updates or marketing purposes
- Legitimate interests – we’re collecting or using your information to provide useful resources and information about relevant products and services. Only names, job titles, organisation names and email addresses are collected, limiting the risk for subscribers. All of your data protection rights may apply, except the right to portability.
For more information on our use of legitimate interests as a lawful basis you can contact us at dpo@brightcarbon.com
For recruitment purposes
- Legitimate interests – We process applications and manage our recruitment process in a fair and proportional way.
For dealing with queries or complaints
- Legitimate interests – We collect necessary information from customers so that we can address your concerns. Collection is limited to only what is required to address that specific concern. All of your data protection rights may apply, except the right to portability.
For more information on our use of legitimate interests as a lawful basis you can contact us at dpo@brightcarbon.com
Where we get personal information from
- Directly from you
How long we keep information
BrightCarbon Ltd. will not retain data longer than is necessary to fulfil the purposes for which it was collected or as required by applicable laws or regulations. In practice, this means we retain client and financial records for as long as required by tax and accounting law, recruitment data for a limited period after a role is filled, and marketing data until you opt out or withdraw consent.
Who we share information with
Data subprocessors
| Name | Service provided | Data categories processed | Processing purposes | Processing location |
| --- | --- | --- | --- | --- |
| Microsoft Corporation | Business operations | Contact info (name, email). | Account lifecycle communications, project management. | Western Europe & UK West |
| SendGrid (Twilio) | Email delivery | Contact info (name, email). | Account lifecycle communications via email. | United States |
| Freshworks (Freshdesk) | Customer support ticketing | Contact info (name, email). | Customer communications. | EU |
| ActiveCampaign | Customer success and engagement platform | Contact info (name, email). | Service disruption communication, external change management, customer success, marketing. | EU |
| DigitalOcean | Website hosting | Contact info (name, email). | Customer success, service disruption communication. | United States |
| Google Workspace | Business operations and customer engagement | Contact info (name, email). | Account lifecycle communications, project management, marketing. | EU |
Others we may share personal information with
- Professional or legal advisors
- External auditors
- Organisations we’re legally obliged to share personal information with
- Debt collection agencies
Sharing information outside the UK
Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.
For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.
DigitalOcean
Category of recipient: Website hosting
Country the personal information is sent to: United States of America
How the transfer complies with UK/EU/Swiss data protection law: DigitalOcean is certified under the UK Extension to the EU-U.S. Data Privacy Framework and is therefore recognised as providing an adequate level of protection for such transfers under that framework.
Twilio
Category of recipient: Email delivery
Country the personal information is sent to: United States of America
How the transfer complies with UK/EU/Swiss data protection law: Twilio is certified under the UK Extension to the EU-U.S. Data Privacy Framework and is therefore recognised as providing an adequate level of protection for such transfers under that framework.
Freshworks
Category of recipient: Customer support ticketing
Country the personal information is sent to: EU
How the transfer complies with UK data protection law: The EU is recognised by the UK government as providing an adequate level of protection for personal data, and such transfers are therefore permitted under Article 45 of the UK GDPR without the need for additional safeguards.
ActiveCampaign
Category of recipient: Customer success and engagement platform
Country the personal information is sent to: EU
How the transfer complies with UK data protection law: The EU is recognised by the UK government as providing an adequate level of protection for personal data, and such transfers are therefore permitted under Article 45 of the UK GDPR without the need for additional safeguards.
Google Workspace
Category of recipient: Business operations
Country the personal information is sent to: EU
How the transfer complies with UK data protection law: The EU is recognised by the UK government as providing an adequate level of protection for personal data, and such transfers are therefore permitted under Article 45 of the UK GDPR without the need for additional safeguards.
Links to notices for specific products
- Christmas Cards Add-In Privacy Policy
- BrightSlide Privacy & Security
- BrandIn Data Privacy Policy
- BrandIn InfoSec
- BrandIn SaaS Agreement
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us at dpo@brightcarbon.com
If you remain unhappy with how we’ve used your data after raising a complaint with us you can also complain to the ICO (Information Commissioner’s Office).
Last updated 20th March 2026.