1.1. This Privacy Notice is issued by Brighter Technology Ltd (Company No. 07736426). We are a specialist consultancy firm providing Cloud Architecture, Infrastructure Automation, and Security Auditing services.

1.2. We respect your privacy and are committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our website, purchase our fixed-term consultancy services, or engage with us for infrastructure audits.

1.3. Important Note on Corporate Structure: Brighter Technology Ltd operates independently from its sister entity, Brighter Applications Ltd (trading as Goxhill IT). This policy applies specifically to the high-level consultancy and auditing services provided by Brighter Technology Ltd. Data collected via Goxhill IT for web hosting or app development is subject to a separate policy.

2.1. Personal data means any information about an individual from which that person can be identified. We collect, use, store and transfer different kinds of personal data which we have grouped together as follows:

• Identity Data: First name, last name, username, title, and role within your organisation.
• Contact Data: Billing address, corporate email address, and telephone numbers.
• Financial Data: Bank account and payment card details. Note: Full payment card details are tokenised and processed directly by our payment provider (Stripe); we do not store raw credit card numbers on our servers.
• Transaction Data: Details about payments to and from you and other details of the Audit or Consultancy services you have purchased from us.
• Technical Data: IP address, login data, browser type and version, time zone setting, and operating system.
• Client Infrastructure Data: In the course of an Infrastructure Appraisal, we may collect non-personal but highly sensitive technical data regarding your network topology, security groups, IAM users, and resource configurations (AWS/Azure/GCP). While this is often business data rather than personal data, we treat it with the highest classification of security.

3.1. We use different methods to collect data from and about you including through:

• Direct Interactions: You may give us your Identity, Contact and Financial Data by filling in forms on our website (e.g., booking an Audit) or by corresponding with us by post, phone, email or otherwise.
• Automated Technologies: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns via cookies.
• Third Parties: We may receive personal data about you from third parties, including:
  • Stripe: Payment and transaction status.
  • Google Analytics: Anonymised usage data.
  • Companies House: Publicly available identity data for due diligence.

4.1. Our website uses cookies to distinguish you from other users. This helps us to provide you with a good experience and allows us to improve our site.

4.2. The Types of Cookies We Use

• Strictly Necessary Cookies: Required for the operation of our website. They include cookies that enable you to log into secure areas or make use of e-billing services.
  Specific Examples: Stripe Session Tokens (for secure checkout), CSRF tokens (security).
• Analytical/Performance Cookies: Allow us to recognise and count the number of visitors and to see how visitors move around our website.
  Specific Examples: Google Analytics.
• Functionality Cookies: Used to recognise you when you return to our website to remember your preferences.

4.3. Third-Party Cookies

Please note that third parties (including advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control.

4.4. Blocking Cookies

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site, and specifically, you will be unable to complete the checkout process for Fixed-Price Audits.

5.1. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Performance of Contract: Where we need to perform the consultancy contract we are about to enter into or have entered into with you (e.g., delivering the Expert Report).
• Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (e.g., Fraud prevention, Network Security).
• Legal Obligation: Where we need to comply with a legal or regulatory obligation (e.g., retaining financial records for HMRC).

6.1. As a Cyber Essentials Certified consultancy, we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.

• Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.2/1.3.
• Access Control: We limit access to your personal data and infrastructure credentials to those employees and contractors who have a strict business need to know.
• Credential Management: Any AWS/Azure/GCP credentials provided to us for the purpose of an audit are stored in ephemeral, encrypted vaults and are purged immediately upon completion of the engagement.

6.2. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7.1. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for.

• Financial & Transaction Data: Retained for 7 years in accordance with UK tax law (HMRC).
• Contractual Data: Retained for 6 years plus current year following the end of our relationship, in line with the Limitation Act 1980 for legal claims.
• Infrastructure Audit Reports: Retained for 3 years to protect against Professional Indemnity claims, unless otherwise stipulated by a Non-Disclosure Agreement (NDA).
• Technical Access Credentials: Deleted immediately upon project completion.

8.1. We may have to share your personal data with the parties set out below for the purposes set out in Section 5:

• Stripe: Our payment processor. When you pay for an audit, your data is passed directly to Stripe. We do not store card details.
• Cloud Service Providers: AWS, Google Cloud, and Microsoft Azure, who provide the infrastructure for our own internal systems.
• Professional Advisers: Including lawyers, bankers, auditors and insurers based in the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.
• HM Revenue & Customs: Regulators and other authorities acting as processors or joint controllers based in the United Kingdom.

9.1. Many of our external third parties (such as Google and AWS) are based outside the UK and European Economic Area (EEA).

9.2. Whenever we transfer your personal data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
• Where we use certain service providers, we may use specific contracts approved for use in the UK (Standard Contractual Clauses / IDTA) which give personal data the same protection it has in the UK.

10.1. Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:

• Request access to your personal data.
• Request rectification of your personal data.
• Request erasure of your personal data.
• Object to processing of your personal data.
• Request restriction of processing your personal data.
• Request transfer of your personal data.
• Right to withdraw consent.

10.2. If you wish to exercise any of the rights set out above, please contact us. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

11.1. If you have any questions about this privacy notice or our privacy practices, please contact our Data Privacy Manager.

Legal Entity: Brighter Technology Ltd
Postal Address: Arkle House, Chapel Street, Goxhill, Barrow-Upon-Humber, DN19 7JJ, UK
Telephone (Accounts/Admin): 01469 56 48 48
Telephone (Direct Architecture Line): 07734 800 778