Privacypolicy.
BurnBright (“BurnBright”, “we”, “us” or “our”), a digital growth studio based in Tel Aviv, Israel, operates the website and platform at burnbright.click. This Privacy Policy explains what personal data we collect, how and why we use it, who we share it with, and the rights you have over it. We act as the data controller for the personal data described here, and where we process data on behalf of a client we act as their processor under our engagement agreement.
We comply with the EU General Data Protection Regulation (“GDPR”) where it applies and with Israel’s Protection of Privacy Law, 5741-1981 and its regulations.
1. Scope
This policy covers personal data we collect through our website, our platform and client portal, our marketing and communications, and our delivery of Services. It does not cover third-party websites or services that we link to, which have their own policies.
2. Information we collect
Information you give us
- Contact & identity data — name, email, phone, company and role when you contact us, request a proposal or sign up.
- Account data — credentials and profile details if you are given access to the platform or client portal.
- Engagement data — the content, materials, brand assets and instructions you share with us for a project.
- Billing data — the details needed to invoice and take payment (payment card data is handled by our payment processor, not stored by us).
- Communications — messages, support requests and feedback you send us.
Information we collect automatically
- Usage & device data — IP address, browser and device type, pages viewed, referring URLs and interactions, collected via cookies and similar technologies.
- Analytics — aggregated statistics about how the website and platform are used.
Information from third parties
We may receive data from analytics and advertising providers, and from platforms you connect to your account (for example, advertising or social networks), strictly to provide the Services you have requested.
3. How we use your data & legal bases
Under the GDPR we rely on the following legal bases:
- To provide the Services and perform our contract with you — performance of a contract.
- To respond to enquiries and manage our relationship — legitimate interests or steps prior to a contract.
- To send service updates and, where permitted, marketing — consent or legitimate interests; you can opt out at any time.
- To improve, secure and analyse the website and platform — legitimate interests.
- To take payment and keep records — contract and legal obligation.
- To comply with law and protect our rights — legal obligation and legitimate interests.
Where we rely on consent, you may withdraw it at any time without affecting processing already carried out.
4. Cookies & tracking
We use cookies and similar technologies that are strictly necessary to run the site and, with your consent where required, for analytics and marketing measurement. You can control cookies through your browser settings; disabling some cookies may affect how the site works. Where required by law, we ask for your consent before setting non-essential cookies.
5. How we share your data
We do not sell your personal data. We share it only with:
- Service providers (sub-processors) who help us run the Services, under contracts that require them to protect your data — see Section 6.
- Professional advisers such as accountants and lawyers, where necessary.
- Authorities or third parties where required by law, to enforce our terms, or to protect rights, safety and property.
- A successor entity in connection with a merger, acquisition or sale of assets, subject to this policy.
6. Our sub-processors
We use trusted providers to deliver the Services. Our principal sub-processors are:
- Supabase — database, authentication and storage (EU region).
- Vercel — website and application hosting.
- Resend — transactional and marketing email delivery.
- PayPal — payment processing.
- Vapi — voice/telephony for opted-in calling features.
Each provider processes data only on our instructions and under appropriate data- protection terms. This list may change as our stack evolves; the current set always reflects providers actually in use.
7. International transfers
We aim to store and process personal data within the EU/EEA where practical (our primary database region is the EU). Where data is transferred outside the EEA or Israel, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses or an adequacy decision, so your data remains protected.
8. Data retention
We keep personal data only for as long as necessary for the purposes described in this policy — for the life of our relationship and engagements, and afterwards as needed to meet legal, accounting, tax or dispute-resolution obligations. When data is no longer needed, we delete or anonymise it.
9. Security
We use appropriate technical and organisational measures to protect personal data, including access controls, role-based permissions, encryption in transit and storage with reputable providers. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident, including notifying you and the relevant authority where the law requires.
10. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data in certain circumstances.
- Restrict or object to certain processing, including direct marketing.
- Portability — receive your data in a portable format.
- Withdraw consent where processing is based on consent.
To exercise any right, email privacy@burnbright.click. We will respond within the timeframes required by law. You may also lodge a complaint with your local data-protection authority (in Israel, the Privacy Protection Authority).
11. Marketing communications
We send marketing only where permitted by law. Every marketing email includes an unsubscribe link, and you can opt out at any time by using it or by contacting us. We honour applicable anti-spam rules, including Israel’s Communications (Amendment No. 40) provisions.
12. Children
The Services are intended for businesses and adults. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. We will revise the effective date above and, where changes are material, take reasonable steps to notify you. Please review it periodically.
14. Contact us
For any privacy question or request, contact us at privacy@burnbright.click.