Privacy Policy

Last Updated: April 2026

Roshcomm Co WLL, doing business as brightGRC ("Company," "we," "us," "our"), is established in the Kingdom of Bahrain (Company Registration #: 71118-1) and provides a cloud-based GRC management platform that helps organisations manage data subject access requests (DSARs), consent records, breach notifications, data inventories, risk registers, compliance audits, policy libraries, and related compliance activities.

This Privacy Policy explains how we collect, use, disclose, and protect information when:

  1. Organisations sign up for and use our platform (our Customers).
  2. End users interact with cookie consent banners on our Customers' websites.
  3. Website visitors visit brightgrc.com.

PART 1: FOR PLATFORM CUSTOMERS (ORGANISATIONS)

1.1 Information We Collect

| Category | Specific Data | Why We Collect |
|---|---|---|
| Account Information | Organisation name, registered address, billing address, VAT/tax number | Account creation, invoicing, legal obligations |
| Seat (User) Data | Name, work email address, job title, role within the platform, last login | Authenticate users, enforce role-based permissions |
| Technical Data | IP address, browser type, pages visited, session timestamps | Platform security, fraud prevention, error diagnosis |
| Compliance Records | DSARs, breach records, data inventory entries, risk register items, audit evidence | Provide the Service; processed strictly on Customer instructions |
| Payment Information | Processed entirely by Paddle — we NEVER store full card numbers | Subscription billing |

1.2 How We Use Your Information

  • Provide, maintain, and improve the platform and all its modules.
  • Authenticate users and enforce role-based access controls.
  • Send transactional messages: account activation, security alerts, invoices.
  • Process subscription payments and manage plan upgrades/downgrades.
  • Comply with legal obligations (e.g., tax record retention).

PART 2: FOR END USERS OF OUR CUSTOMERS' WEBSITES

This section applies when you interact with a cookie consent banner on a website that uses our consent management module.

Note: In this context, we act as a Data Processor on behalf of the website owner (our Customer), who is the Data Controller.

| Data Point | Purpose | Retention |
|---|---|---|
| Consent choice | Remember your preference on return visits | Until you clear cookies or 12 months |
| Pseudonymised IP address | Security and regional compliance verification | 30 days |
| Timestamp of action | Audit trail maintained for the website owner | 12 months |

PART 3: DATA SHARING AND SUB-PROCESSORS

We share data with the following service providers solely to operate the platform:

| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| PostgreSQL (EU host) | Primary database — all platform data | EU (EEA) | EEA — no transfer |
| Cloudflare | DDoS protection, CDN, DNS | Global | SCCs + DPF |
| Mailgun (EU region) | Transactional and notification emails | EU region | SCCs |
| Paddle.com | Merchant of Record / payment processing | Ireland / UK / US | SCCs + DPF |

PART 4: INTERNATIONAL DATA TRANSFERS

All Customer compliance data is stored on servers within the European Economic Area (EEA) or the GCC. As a company established in the Kingdom of Bahrain, we address transfers through:

  1. Standard Contractual Clauses (SCCs) governing any access from Bahrain.
  2. Compliance with the Bahrain Personal Data Protection Law (PDPL).

PART 5: SECURITY MEASURES

| Measure | Implementation |
|---|---|
| Encryption at rest | Sensitive credentials encrypted with AES-128-CBC; disk-level encryption provided by host. |
| Encryption in transit | All traffic encrypted using TLS 1.2 or higher. |
| Access controls | Role-based access control (RBAC) and multi-factor authentication (MFA). |
| Audit logging | All data access and administrative actions are logged and retained for 12 months. |

PART 6: DATA RETENTION SUMMARY

| Data Type | Retention Period |
|---|---|
| End user consent records | 12 months |
| Customer compliance records | Until deleted by Customer, or account closure + 30 days |
| Invoice / billing records | 7 years (legal requirement) |

PART 7: YOUR RIGHTS (FOR CUSTOMERS)

You have the right to access, correct, delete, or port your personal data. We respond to all valid requests within 30 days. Contact us at privacy@brightgrc.com to exercise these rights.

PART 10: CONTACT INFORMATION

Data Controller & Processor:
Roshcomm Co WLL, doing business as brightGRC
Manama, Kingdom of Bahrain
Email: privacy@brightgrc.com

PART 12: SUPERVISORY AUTHORITY

Regardless of our lead authority, you may lodge a complaint with the supervisory authority in your own EU/EEA or GCC Member State.