Privacy Policy

1. Introduction

This Privacy Policy describes how Brightbox Systems Ltd (“Brightbox”, “we”, “us”, “our”) processes Personal Data.

This policy, together with any other document referred to within it, is incorporated into and governed by the Terms and Conditions of Service (“Customer Terms”) located at: https://www.brightbox.com/legal/terms.

This Policy applies only to Personal Data of users of the Services (“Customers”) and visitors to our Website.

This Policy does not apply to:

  • Customer Personal Data which is provided by Customers in connection with their use of the Services. Please refer to the Data Processing Agreement (“DPA”) for information about how Customer Personal Data is processed.
  • Third party websites, not controlled by Brightbox, which may be linked to via our Website or via The Services.

2. Definitions

All definitions set out in the Customer Terms shall also apply in this document.

Capitalised terms, unless defined within this document, shall have the meaning given to them in the Customer Terms.

“Personal Data”, “Data Subject”, “Processing”, “Processor”, “Controller”, “Supervisory Authority” where used within this DPA have the meanings given to them in the Applicable Data Protection Legislation.

3. Personal Data we collect

We collect Personal Data in the following ways:

(3.1) Information you provide to us

Personal Data that you provide to us through your use of the Services or our Website or otherwise communicate with us may include:

  • User information such as your name, email address, password, preferences;
  • Contact information such as your physical address, email address and telephone number;
  • Business information such as your company name and VAT registration number;
  • Support information such as information you provide when reporting a problem with the Services, request support from us or otherwise correspond with us;
  • Feedback information such as information you provide in feedback correspondence, survey responses and comments on our website;
  • Billing information such as your credit card or other payment card details;
  • Marketing information such your preferences for receiving marketing communications and information about how you engage with them;

(3.2) Information we collect automatically

When you use the Services or our Website, we may automatically collect information including:

  • Browser information such as information sent from your browser whilst using our Website or the Services including your IP address, browser type, browser language, device type, operating system, unique device identifiers and referring URL;
  • Cookie information we, and our third party service providers, may use cookies, beacons, tags or other similar technologies when you use our Website or the Services to help us to analyse trends, improve performance, improve the user experience, improve our marketing and to advertise more effectively. You can control the use of cookies and other similar technologies using the settings in your browser or by using “ad blocker” tools, but blocking all cookies may negatively affect your experience of using our Website or the Services.
  • Usage information such as information about your interactions with the Services and our Website including pages visited, actions taken, features used, search queries, errors, click data and the date and time of such interactions;
  • Geographic information we may calculate your approximate geographic location such as country, city or geographic coordinates based on your IP address;

(3.3) Information we may receive from other sources

We may receive information from other sources, including:

  • Third party service providers we may receive information about you from third party partners such as payment processing services, analytics services, fraud analysis services and credit reference agencies.
  • Publicly accessible data we may receive or collect publicly accessible data about you to improve your experience; to improve the Services or our Website; or to reduce or prevent fraud;
  • Identify verification data we may receive additional information about you so that we can protect, investigate and deter against fraudulent, harmful, unauthorised, unethical or illegal activity.

4. How we use Personal Data

We may use Personal Data for the following purposes:

(4.1) To provide the Service

We may use Personal Data to:

  • Operate, maintain, administer and improve the Services;
  • Communicate with you regarding your use of the Services including by sending you Service announcements, technical notices, updates, security notices, administrative messages and responding to support and Service-related requests and feedback;
  • Verify your identity when you sign up as a customer;
  • Process payments you make in respect of your use of the Services;
  • Improve the Services and the Website by better understanding your needs and experience;

(4.2) To create anonymous data for analytics

We may create anonymous data from your Personal Data and other individuals whose Personal Data we collect. In such a case, we will make Personal Data anonymous by excluding information that makes the data personally identifiable to you, and use that anonymous data only for lawful business purposes.

(4.3) For marketing and advertising

If you request information from us, sign up for the Services or participate in our surveys or promotions, we may send you marketing communications as permitted by Applicable Data Protection Regulations. When we send you marketing communications, we will always provide you with the ability to opt-out immediately so you will not receive marketing communications in future. You may still, however, receive Service-related communications such as security or maintenance notifications and billing emails.

We may also use Personal Data to show you personalised adverts about our Services on other websites or social media platforms and to improve the effectiveness of our online advertising. You can opt-out of personalised advertising here.

(4.4) For protection, enforcement and fraud prevention

We may use your Personal Data as we believe necessary or appropriate to:

(a) enforce the Customer Terms that govern the use of the Services;
(b) protect our rights, privacy, safety or property, and/or that of you or others; and
(c) protect, investigate and deter against fraudulent, harmful, unauthorised, unethical or illegal activity.

(4.5) To comply with applicable law

We may use your Personal Data as we believe necessary or appropriate to comply with applicable law, lawful requests and legal process.

We may use your Personal Data with your consent, such as when you consent to us posting your testimonials or endorsements on the Website or when you choose to opt-in to our marketing communications.

5. Lawful bases for processing

(5.1) Purposes and lawful bases for processing

We will only use your Personal Data as permitted by Applicable Data Protection Regulations. The following table explains the purposes and lawful bases upon which we rely to process your Personal Data.

Purpose of processing Lawful basis
(4.1) To provide the Service This processing is necessary for the performance of the contract which governs our provision of, and your use of, the Services or in order to take steps at your request prior to signing up to the Services.
(4.2) To create anonymous data for analytics;
(4.3) For marketing and advertising;
(4.4) For protection, enforcement and fraud prevention;
These processing activities constitute our legitimate interests. Where we process your Personal Data in pursuit of our legitimate interests we will assess and balance any potential negative impact on your interests and rights. We will not use your Personal Data where our legitimate interests are overridden by your rights and interests. You have the right to object to our processing where we rely on our legitimate interests as the lawful basis for processing. Please see (11.5) for more information.
(4.5) To comply with applicable law Processing is necessary for compliance with our legal obligations.
(4.6) With your consent Processing is based on your consent. Where we rely on your consent as the lawful basis for processing you have the right to withdraw it anytime by unsubscribing or contacting us as appropriate.

(5.2) Use of Personal Data for new purposes

We may use your Personal Data for purposes not described in this Privacy Policy where:

  • Permitted by Applicable Data Protection Regulation; and
  • The new purpose is compatible with the purpose for which we originally collected it. If we need to use your personal information for an unrelated purpose, we will notify you and explain the applicable legal basis.

6. How we may share Personal Data

We neither rent nor sell your Personal Data to anyone. However, in accordance with Applicable Data Protection Regulation, we may share Personal Data as described below:

(6.1) Trusted third party partners

We may share information about you with trusted third party partners and service providers such as subcontractors, payment processing services, analytics services, fraud analysis services and credit reference agencies.

(6.2) Business transfers

In the event of a proposed merger, acquisition, financing, sale of assets or in the event of insolvency, bankruptcy, receivership or other change of control, your Personal Data may be disclosed to a potential acquirer, successor or assignee as part of our business assets. In such a case, you will be notified about the change of ownership or control and will be able to exercise your rights regarding your Personal Data.

(6.3) Marketing and advertising

We may use third party advertising networks to show you adverts about our Services, which we believe may be of interest to you.

Advertising networks may use cookies or other similar technologies to collect anonymous data about your activity on our Website and other websites to provide you with personalised advertising. We may share limited information in a hashed, non-human readable format for the purposes of personalising our advertising.

(6.4) For the protection of Brightbox or others

We may share Personal Data that we reasonably believe is necessary to comply with applicable law, legal process, court order or government agency request or to enforce the Customer Terms.

We may share Personal Data if we reasonably it is necessary or appropriate to:

  • Enforce or apply the Customer Terms which govern the use of the Services, including investigations of potential violations;
  • Protect, investigate and deter against fraudulent, harmful, unauthorised, unethical or illegal activity;
  • Comply with applicable law, legal process or court order;
  • Comply with a lawful request for Personal Data by public authority, government agency or law enforcement;
  • Protect the rights, property or safety of Brightbox, our employees, customers or others.

(6.5) Professional advisors

We may disclose Personal Data to professional advisors, such as lawyers, accountants, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Except as described above, we may share your information with your explicit consent.

7. Data retention

We will only retain Personal Data for as long as necessary to fulfil the purposes for which it was collected unless a longer retention period is required for legal, tax or regulatory reasons, or for any other lawful legitimate business purpose.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data and whether we can achieve those purposes through other means and applicable legal requirements.

In some circumstances we may anonymise Personal Data so that it can no longer be associated with an identifiable person, in which case we may use this information indefinitely without further notice.

8. Data security

Brightbox is committed to keeping your Personal Data secure. We employ a number of organisational, technical and physical measures to protect the Personal Data we collect.

You must also help prevent unauthorised access to your Personal Data by choosing strong passwords where appropriate and protecting your password and other access credentials from unauthorised access or use.

If you have any questions about our security practices, or advice on keeping your account secure please contact us.

9. Sensitive data

We do not knowingly collect sensitive Personal Data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and offences, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation.

We request that you do not send or disclose to us any sensitive Personal Data through the Services or otherwise. If you do send or disclose any sensitive Personal Data to us (for example, within an email to us), you are consenting to our processing and use of such sensitive Personal Data in accordance with this Privacy Policy and Applicable Data Protection Regulation.

10. Privacy of children

We do not knowingly collect or receive Personal Data from children. The Customer Terms require that customers must be at least 18 years of age to use the Services.

If we are made aware that a user of the Services is under 16 years old we will take appropriate steps to remove that individual’s information from our systems and restrict that individual from future access to the Services.

11. Your rights

If you are an EU resident, you have certain rights regarding your Personal Data:

(11.1) Access, update or correct your Personal Data

You can access, update or correct any of the Personal Data you have provided to us by logging into your account. Please contact us if you experience any problems or have any questions about our processing of your Personal Data.

(11.2) Delete Personal Data

You can request your Personal Data is deleted and we will comply without undue delay unless we are required to retain such data for legal, tax or regulatory reasons, or for any other lawful legitimate business purpose. Please contact us if you wish to request that we delete your Personal Data.

(11.3) Data portability

You can request that we provide a machine-readable copy of the Personal Data you have provided to us. You can contact us if you wish to arrange this.

Where our processing of Personal Data is based on consent, you may withdraw your consent at any time. To opt out of receiving marketing communications, please click the “unsubscribe” link at the bottom of any recent marketing email, or log into your account and change your email preferences.

You can also opt out of receiving personalised online advertising here.

You can contact us if you wish to withdraw your consent to any other use of your Personal Data which you may have previously consented to.

Withdrawing consent will not affect other data processing where we rely on other lawful bases for processing, such as those described in (5.1).

(11.5) Object to processing

You have the right to object to our processing of Personal Data where we rely on our legitimate interests as the lawful basis for processing. Please contact us if you wish to object to processing in such cases.

12. Cross-border data transfer

We will only transfer Personal Data of EU residents to trusted third parties in countries outside of the EEA, where:

  • we have ensured that appropriate safeguards for the protection of Personal Data are in place; and
  • enforceable rights and effective legal remedies for data subjects are available.

The “appropriate safeguards” referred to in the previous paragraph will be one of the following safeguards recognised by the European Commission as providing adequate protection for Personal Data:

  • The European Commission has decided that the third country ensures an adequate level of protection (an “adequacy decision”); or
  • The transfer is governed by a legal contract which includes standard data protection clauses approved by the European Commission; or
  • For transfers to the United States, ensuring participation of the third party in the E.U.-U.S. Privacy Shield Framework

13. Complaints

If you have any complaints about our use of your Personal Data please contact us as described below.

You can also contact The Information Commissioner’s Office (ICO) which is the Supervisory Authority for data protection in the UK.

Website: https://ico.org.uk
Telephone: 0303 123 1113

14. Contact us

If you have any questions, concerns or complaints about this Privacy Policy, please email us at privacy@brightbox.com

Our physical office address is:

Brightbox Systems Ltd
Tower Works
Globe Road
Leeds
LS11 5QG
United Kingdom

15. Changes to this policy

We may update this Privacy Policy from time to time, so we encourage you to periodically review it for current information regarding our privacy policies and practices.

If we make significant changes to this Privacy Policy we will notify you via email (if you are a Customer).

Any changes to this Privacy Policy will be effective upon our posting of the new policy and/or upon implementation of the new changes in the Services (or as otherwise indicated at the time of posting). In all cases, your continued use of the Services after the posting of any modified Privacy Policy indicates your acceptance of the updated Privacy Policy.


Previous versions:

Last updated: 24 May 2018 at 12:35 UTC