Brightway Cloud Brightway Cloud
Back to site

Brightway Cloud Privacy Notice

Last updated: March 19, 2026

This Privacy Notice explains how Brightway Labs GmbH ("Brightway," "we," "us," or "our") handles personal data in connection with Brightway Cloud and our business operations related to Brightway Cloud. It is designed for Brightway Cloud's early access launch and is intended for business customers and their authorized users in Swiss and European markets.

This notice focuses on Brightway's own processing as controller: for example, when we manage customer accounts, administer billing, provide support, protect the service, communicate with business contacts, and comply with legal obligations.

Where Brightway processes customer content or other personal data submitted to Brightway Cloud on a customer's behalf, Brightway generally acts as a processor or similar service provider. That processing is governed by the applicable data processing agreement ("DPA") and the customer contract, not by this notice alone.

1. Who Brightway is

Brightway Labs GmbH
Dorfsteig 8
5223 Riniken
Switzerland
Email: [email protected]

Brightway provides Brightway Cloud, a hosted software platform for lifecycle assessment and related sustainability, modeling, data, workflow, and reporting use cases for business customers.

2. Scope of this notice

This notice applies to personal data processed by Brightway when Brightway acts as a controller in connection with Brightway Cloud, including in connection with:

  • enquiries, demos, sales discussions, and business communications relating to Brightway Cloud
  • customer onboarding and account creation
  • account administration and user management
  • billing, payments, renewals, and commercial administration
  • support requests and service communications
  • service security, logging, fraud prevention, and incident management
  • product telemetry, usage analytics, and service improvement for Brightway Cloud
  • compliance, legal claims, and corporate transactions

This notice does not primarily govern personal data contained in:

  • customer-uploaded files, models, assumptions, inputs, datasets, reports, or other Customer Data
  • personal data that a customer directs Brightway to host, process, analyze, or make available through Brightway Cloud for the customer's own purposes

For that type of data, the customer generally decides the purposes and means of processing and remains responsible for ensuring that its use of Brightway Cloud is lawful and appropriate.

3. Controller vs. processor: how Brightway Cloud works

Because Brightway Cloud is a B2B SaaS service, Brightway may process personal data in more than one role.

A. Where Brightway acts as controller

Brightway acts as controller for personal data it uses for its own business and operational purposes, such as:

  • handling enquiries relating to Brightway Cloud
  • evaluating and responding to sales requests
  • creating and managing customer and admin accounts
  • authenticating users and securing access
  • billing, invoicing, payment administration, and renewals
  • support operations and service communications
  • telemetry, logs, and usage data used for security, support, analytics, billing, improvement, and product development
  • legal compliance, recordkeeping, and exercise or defense of claims

B. Where Brightway acts as processor

Brightway generally acts as processor where it handles Customer Data or other personal data that a customer submits to the service and instructs Brightway to process on the customer's behalf.

Examples may include:

  • information uploaded by a customer into Brightway Cloud
  • personal data included in customer-managed projects, models, reports, or files
  • data contained in support materials provided by the customer where Brightway is assisting with the customer's use of the service

In those cases:

  • the customer is generally the controller
  • Brightway processes the data only to provide, maintain, support, secure, and improve the service, and otherwise in accordance with the customer contract and DPA
  • customer instructions, subprocessors, security measures, deletion/return, and transfer safeguards are addressed in the applicable DPA

4. Categories of personal data we process

The categories of personal data Brightway processes depend on how you interact with us.

A. Website and inquiry data

We may process, where relevant to Brightway Cloud enquiries and related business interactions:

  • name
  • business email address
  • job title
  • company name
  • message contents and enquiry details
  • event or contact preferences relating to Brightway Cloud communications
  • IP address and browser/device information

B. Account and administration data

We may process:

  • name and business contact details
  • username and login-related information
  • organization name and account identifiers
  • role, permissions, and administrator details
  • records of subscription, seat allocation, and account configuration
  • communications relating to onboarding, account changes, and renewals

C. Billing and commercial data

We may process:

  • billing contact details
  • company and invoicing information
  • subscription plan, order, and renewal information
  • transaction and payment status information
  • records needed for accounting, tax, and audit purposes

Brightway may use payment processors. Brightway does not need to store full payment card details in order to administer subscriptions.

D. Support and communications data

We may process:

  • support requests and related correspondence
  • diagnostic information needed to investigate bugs, performance issues, misuse, or security incidents
  • records of customer communications, notices, and feedback
  • materials voluntarily shared with us in connection with support or onboarding

E. Security, telemetry, and usage data

We may process:

  • technical logs
  • device, browser, and connection information
  • IP address and timestamps
  • authentication and access logs
  • product usage statistics
  • service performance and error data
  • telemetry and analytics relating to operation, support, billing, security, improvement, and product development

F. Legal and compliance data

We may process:

  • records required to comply with law
  • sanctions/export review information where relevant
  • records relating to disputes, claims, incidents, or investigations
  • internal approvals, audit trails, and governance records

5. Sources of personal data

We collect personal data from the following sources in connection with Brightway Cloud and related business operations:

Source Examples
Directly from you When you contact us, request a demo, create an account, administer a subscription, submit a support request, or communicate with us
From your organization When a customer administrator creates or manages user access, assigns seats, or provides account and billing contacts
Automatically from your use of Brightway Cloud or related support and security interactions Technical logs, usage data, device/browser details, IP address, authentication records, and service telemetry
From service providers or business partners For example, payment status, infrastructure events, support tooling, or communication delivery information
From public or professional sources Business contact details or company information used for B2B sales and account management

6. Why we process personal data and our legal bases

Brightway processes personal data only where there is an appropriate legal basis under applicable law.

Purpose Typical personal data Legal basis typically relied on
Respond to enquiries and support pre-contractual steps relating to Brightway Cloud Contact details, enquiry content, and related technical information Legitimate interests; pre-contractual steps
Create and manage customer accounts and authorized users Names, business email, account role, admin details Contract; legitimate interests
Provide service-related communications Contact details, account information, notices Contract; legitimate interests
Administer subscriptions, billing, payments, and renewals Billing contacts, order records, payment status, invoicing details Contract; legal obligations; legitimate interests
Deliver support and troubleshooting Contact details, support records, logs, diagnostic data Contract; legitimate interests
Maintain service security and prevent misuse or fraud Access logs, IP address, telemetry, security events Legitimate interests; legal obligations
Operate, analyze, and improve Brightway Cloud Usage data, technical logs, telemetry, product interaction data Legitimate interests
Send limited B2B marketing or product updates Business contact details, interaction history Legitimate interests; consent where required
Comply with legal, regulatory, tax, accounting, and recordkeeping duties Account records, transaction records, communications, audit trails Legal obligations
Establish, exercise, or defend legal claims and manage corporate transactions Relevant account, support, billing, and communication records Legitimate interests; legal obligations

Notes on legal bases

  • Contract / pre-contractual steps: where processing is necessary to provide Brightway Cloud, administer a subscription, or take requested steps before entering into a contract.
  • Legitimate interests: where processing is necessary to run and improve a secure B2B SaaS service, manage commercial relationships, support customers, protect Brightway, and prevent misuse.
  • Legal obligations: where Brightway must retain or disclose information to comply with applicable law.
  • Consent: where required for specific activities, such as certain website cookies or communications.

7. Recipients of personal data

Brightway may share personal data with the following categories of recipients where necessary for the purposes above:

  • contractors, subcontractors, and other service providers engaged to support Brightway Cloud, where relevant
  • hosting, cloud, and infrastructure providers
  • authentication, security, and monitoring providers
  • billing and payment service providers
  • support, communications, and ticketing providers
  • analytics and product operations providers
  • professional advisers, including legal, audit, accounting, and insurance advisers
  • courts, regulators, public authorities, or counterparties where disclosure is required by law or reasonably necessary to protect rights
  • transaction counterparties in connection with a merger, financing, reorganization, or sale of assets, subject to appropriate confidentiality and legal safeguards

Where Brightway uses third-party service providers to process personal data on its behalf, Brightway requires them to act under appropriate contractual restrictions and security obligations.

8. Subprocessors and service providers

For processing carried out by Brightway on behalf of customers, Brightway may use infrastructure providers, subcontractors, and other service providers to provide and support Brightway Cloud.

Brightway will maintain a subprocessor list or annex describing relevant subprocessors and, where appropriate, the nature of their services and transfer arrangements. That information should be read together with the DPA.

9. International transfers

Brightway is based in Switzerland and may process personal data in Switzerland and other jurisdictions in which Brightway or its service providers operate.

Where personal data is transferred outside the jurisdiction in which it was collected, or otherwise outside the country in which the relevant controller processing occurs, Brightway will use an appropriate transfer mechanism where required by applicable data protection law, such as:

  • an adequacy decision
  • the EU Standard Contractual Clauses or equivalent recognized contractual safeguards
  • the Swiss addendum or equivalent Swiss transfer mechanism, where applicable
  • other lawful transfer safeguards permitted under applicable data protection law

Because Brightway Cloud is a hosted service, support, hosting, storage, telemetry, and operational access may involve cross-border processing. More detailed processor-side transfer terms are addressed in the DPA and transfer annex where applicable.

10. Retention

Brightway retains personal data for as long as reasonably necessary for the purposes described in this notice, including to:

  • provide and administer Brightway Cloud
  • maintain business and contract records
  • comply with legal, tax, accounting, and audit obligations
  • investigate incidents and enforce contractual rights
  • improve and secure the service

Retention periods vary depending on the type of data and the context. In general:

Category Typical retention approach
Brightway Cloud enquiry and related business communication data Kept for as long as needed to respond, follow up, and maintain relevant business records
Account and customer administration data Kept during the subscription term and for a reasonable period afterward for renewals, audit trail, dispute handling, and legal compliance
Billing and transaction records Kept as required by accounting, tax, and legal retention obligations
Support records and operational logs Kept for as long as needed for support, security, service integrity, and incident investigation, then deleted or de-identified where appropriate
Customer Data processed on behalf of customers Kept according to the customer contract, DPA, and Brightway's standard retention/deletion practices; after termination, Brightway may make Customer Data available for export or retrieval for up to 30 days and may then delete it unless otherwise agreed or required by law

Where feasible, Brightway may anonymize or de-identify information and retain it in that form for analytics, security, and service improvement.

11. Security

Brightway implements reasonable technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, and misuse.

These measures may include, as appropriate:

  • role-based access controls
  • authentication and account security controls
  • logging and monitoring
  • encryption in transit and, where appropriate, at rest
  • vendor management and contractual controls
  • confidentiality obligations for personnel and contractors
  • incident response processes
  • secure development and operational practices appropriate to the nature of the service

No system can be guaranteed to be completely secure. Users and customers are also responsible for maintaining the confidentiality of credentials and using the service in a secure manner.

12. Data subject rights

Depending on applicable law and your location, you may have rights including:

  • the right to request access to your personal data
  • the right to request correction of inaccurate or incomplete data
  • the right to request deletion of personal data in certain circumstances
  • the right to request restriction of processing
  • the right to object to certain processing
  • the right to data portability, where applicable
  • the right to withdraw consent where processing is based on consent
  • the right not to be subject to certain automated decision-making, where applicable

Important distinction for Brightway Cloud users

If your personal data is included in Customer Data that Brightway processes on behalf of a customer, Brightway may not be the party that decides how that data is used. In that case, you should usually direct your request to the relevant customer first. Brightway will assist customers with such requests where required by applicable law and contract.

To exercise rights relating to personal data for which Brightway acts as controller, contact:

[email protected]

We may ask for information necessary to verify identity and process the request lawfully and securely.

13. Complaints

If you believe Brightway has processed your personal data unlawfully, you may contact us first at [email protected] and we will try to address your concerns.

You may also have the right to lodge a complaint with the relevant data protection authority in your place of residence, place of work, or the place of the alleged infringement, including in Switzerland or the EEA, as applicable.

14. Cookies and website technologies

Brightway websites may use cookies and similar technologies for:

  • core website functionality
  • security and fraud prevention
  • analytics and performance measurement
  • remembering settings and preferences

Where required by law, Brightway will ask for consent before using non-essential cookies or similar technologies in connection with Brightway Cloud.

This Privacy Notice is intended primarily for Brightway Cloud and related B2B operations. Website-specific cookie and privacy details are addressed separately in the applicable marketing website Privacy Policy, cookie banner, or cookie settings tool.

15. Communications

Brightway may send:

  • Service and account communications, such as onboarding, support, billing, renewal, technical, and legal notices.
  • Business communications, such as product updates, event invitations, or other B2B outreach, subject to applicable law and your preferences.

You cannot opt out of essential service or account communications where those messages are necessary to administer the relationship or provide the service.

16. Children and consumer use

Brightway Cloud is intended for business use only. It is not designed as a consumer service or for use by children. Brightway does not knowingly market Brightway Cloud to children.

17. Changes to this notice

Brightway may update this Privacy Notice from time to time to reflect changes to Brightway Cloud, legal requirements, or Brightway's data practices.

The updated version will be posted with a revised "Last updated" date. Where required, Brightway will provide additional notice of material changes through the service, by email, or by other reasonable business communication methods.

18. Contact details

For questions about this Privacy Notice or Brightway's privacy practices, please contact:

Brightway Labs GmbH
Dorfsteig 8
5223 Riniken
Switzerland
[email protected]
© Brightway Labs GmbH