Brunelly — Privacy Policy

This Privacy Policy explains how Brunelly Limited (company number 17100826), a company registered in England and Wales whose registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ ("Brunelly", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you visit our website and use our Service.

Brunelly is the data controller responsible for your personal data for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are committed to protecting your privacy and processing your personal data in accordance with applicable data protection legislation.

1. Definitions

In this Privacy Policy, the following terms have the following meanings:

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in the UK GDPR.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, or erasure.

"Service" means the AI-native software development platform operated by Brunelly, including the website at brunelly.com and all associated tools, features, and services.

"Sub-processor" means a third-party service provider that processes Personal Data on our behalf.

"You" or "your" refers to the individual accessing or using the Service.

2. Personal Data We Collect

We collect the following categories of Personal Data:

2.1. Information You Provide Directly.

(a) Account information: your name, email address, and any other information you provide when creating an Account or updating your profile.
(b) Communications: any information you provide when contacting us via email at hello@brunelly.com or through any contact forms on the Service.
(c) Content: code, text, data, and other materials you upload, create, or generate through the Service. While Content may contain Personal Data, we process it solely for the purpose of providing the Service.

2.2. Information Collected Automatically.

(a) Usage data: information about how you interact with the Service, including pages visited, features used, actions taken, time spent on the Service, and referring URLs.
(b) Device information: your IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
(c) Log data: server logs recording access times, pages viewed, error reports, and other diagnostic data.
(d) Cookie data: information collected through cookies and similar tracking technologies. Please refer to our Cookie Policy for details on how we use cookies.

2.3. Payment Data.

Payment transactions are processed by our third-party payment processor, Stripe. When you make a payment through the Service, Stripe collects your payment card details and billing information directly. Brunelly does not directly collect or store your payment card data. We receive from Stripe only limited transaction information, such as confirmation of payment, transaction amount, and the last four digits of your card number. Please refer to Stripe's privacy policy at https://stripe.com/privacy for information about how Stripe processes your payment data.

3. Lawful Bases for Processing

We process your Personal Data on the following lawful bases under the UK GDPR:

3.1. Contract Performance (Article 6(1)(b)). We process Personal Data as necessary for the performance of our contract with you, including:

(a) creating and managing your Account;
(b) providing and maintaining the Service;
(c) processing payments and managing your subscription;
(d) communicating with you about your Account and the Service.

3.2. Legitimate Interests (Article 6(1)(f)). We process Personal Data where it is necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests. Our legitimate interests include:

(a) improving and developing the Service;
(b) ensuring the security and integrity of the Service;
(c) analysing usage patterns to enhance user experience;
(d) preventing fraud and enforcing our Terms of Service.

3.3. Consent (Article 6(1)(a)). We process certain Personal Data based on your consent, including:

(a) sending marketing communications about our products and services;
(b) placing analytics and marketing cookies on your device (as described in our Cookie Policy);
(c) any other purpose for which we specifically request and obtain your consent.

You may withdraw your consent at any time by contacting us at hello@brunelly.com or by using the unsubscribe mechanism provided in marketing communications. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

3.4. Legal Obligation (Article 6(1)(c)). We may process Personal Data where it is necessary to comply with a legal obligation to which we are subject, such as tax, accounting, or regulatory reporting requirements.

4. Purposes of Processing

We use your Personal Data for the following purposes:

(a) Account management: to create, maintain, and administer your Account and provide customer support;
(b) Service delivery: to operate, maintain, and improve the Service, including developing new features and functionality;
(c) Payment processing: to process payments and manage billing through Stripe;
(d) Communications: to send you service-related notices, updates, security alerts, and support messages;
(e) Analytics: to analyse usage patterns, monitor Service performance, and generate aggregated statistical data to improve the Service;
(f) Marketing: to send you promotional communications about our products and services, where you have provided consent or where we have a legitimate interest in doing so (with an opt-out mechanism);
(g) Security: to detect, prevent, and address fraud, unauthorised access, and other illegal or harmful activities;
(h) Legal compliance: to comply with applicable laws, regulations, legal processes, or governmental requests.

5. Data Sharing and Third-Party Processors

5.1. We do not sell your Personal Data to third parties.

5.2. We share your Personal Data with the following categories of Sub-processors:

(a) Stripe (payment processing). Stripe processes payment transactions on our behalf. Stripe is located in the United States and is certified under the UK Extension to the EU-US Data Privacy Framework. Stripe's privacy policy is available at https://stripe.com/privacy.
(b) Google Analytics (analytics). Google Analytics processes usage and analytics data on our behalf. Google may transfer data to the United States. Google's privacy policy is available at https://policies.google.com/privacy. We have configured Google Analytics to anonymise IP addresses before storage.
(c) Microsoft Azure (cloud hosting and infrastructure). The Service is hosted on Microsoft Azure. Our primary Azure deployment uses UK and EU data centre regions. Microsoft's data protection terms are available at https://www.microsoft.com/licensing/terms.

5.3. We may also share your Personal Data:

(a) with professional advisers (such as lawyers and accountants) who are bound by professional duties of confidentiality;
(b) with law enforcement, regulators, or other authorities where required by applicable law or regulation;
(c) in connection with a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, in which case Personal Data may be transferred to the acquiring entity;
(d) with your consent or at your direction.

6. AI Processing and Third-Party Model Providers

6.1. The Service uses third-party artificial intelligence model providers to generate outputs in response to your inputs. To deliver this functionality, your Content (including prompts, code, and other materials you submit) may be transmitted to these third-party providers solely for the purpose of generating outputs requested by you.

6.2. We do not use your Content to train our own AI models. We select third-party model providers and configure their services in a manner intended to prevent the use of your Content for the training of their models.

6.3. Brunelly implements technical, organisational, and contractual security measures designed to protect Personal Data and Content processed through the Service, including in the course of interactions with third-party model providers. Further details of the safeguards in place are available on request at dhilushi@brunelly.com.

7. Data Processing Addendum

7.1. For business users who process personal data through the Service and require a Data Processing Addendum (DPA) for the purposes of the UK GDPR, a DPA is available on request at dhilushi@brunelly.com.

8. International Data Transfers

8.1. Your Personal Data is primarily processed and stored within the United Kingdom and the European Economic Area (EEA) using Microsoft Azure's UK and EU data centre regions.

8.2. Where your Personal Data is transferred outside the UK or EEA (for example, to Sub-processors located in the United States), we ensure that appropriate safeguards are in place in accordance with the UK GDPR, including:

(a) transfers to countries that the UK Secretary of State has determined provide an adequate level of data protection;
(b) the use of standard contractual clauses approved by the Information Commissioner's Office (ICO);
(c) the UK Extension to the EU-US Data Privacy Framework, where the recipient is certified under it;
(d) any other transfer mechanism permitted under the UK GDPR.

8.3. You may request further information about the safeguards we have in place for international transfers by contacting us at hello@brunelly.com.

9. Data Retention

We retain your Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

9.1. Account data. We retain your Account information (name, email address, profile data) for the duration of your relationship with us. Following Account closure or deletion, we retain this data for a period of seven (7) years to comply with legal, tax, and accounting obligations.

9.2. Usage and analytics data. We retain analytics data collected through Google Analytics for a period of twenty-six (26) months from the date of collection. After this period, the data is automatically deleted.

9.3. Marketing data. We retain your marketing preferences and contact details for marketing purposes until you withdraw your consent or unsubscribe. Following withdrawal of consent, we retain a record of your opt-out preference to ensure we do not contact you again for marketing purposes.

9.4. Payment data. Transaction records are retained for seven (7) years following the transaction date to comply with tax and accounting requirements. Brunelly does not retain payment card details, which are held by Stripe in accordance with its own retention policies.

9.5. Legal and compliance data. Where Personal Data is required for the establishment, exercise, or defence of legal claims, we may retain it for the applicable limitation period (typically six (6) years under the Limitation Act 1980) plus a reasonable buffer period.

9.6. When Personal Data is no longer required, we shall securely delete or anonymise it in accordance with our data retention procedures.

10. Your Rights Under UK GDPR

Under the UK GDPR, you have the following rights in relation to your Personal Data:

10.1. Right of access (Article 15). You have the right to request confirmation of whether we process your Personal Data and, if so, to request a copy of your Personal Data together with information about how and why we process it.

10.2. Right to rectification (Article 16). You have the right to request the correction of inaccurate Personal Data or the completion of incomplete Personal Data.

10.3. Right to erasure (Article 17). You have the right to request the deletion of your Personal Data where there is no compelling reason for its continued processing, subject to certain exceptions provided by law.

10.4. Right to restriction of processing (Article 18). You have the right to request that we restrict the processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data or object to its processing.

10.5. Right to data portability (Article 20). You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to request that we transmit it to another controller where technically feasible.

10.6. Right to object (Article 21). You have the right to object to the processing of your Personal Data where we rely on legitimate interests as the lawful basis, including processing for direct marketing purposes.

10.7. Right to withdraw consent. Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

10.8. Right in relation to automated decision-making (Article 22). You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for the performance of our contract with you, is authorised by law, or is based on your explicit consent.

10.9. To exercise any of these rights, please contact us at hello@brunelly.com. We shall respond to your request within one (1) month of receipt. In complex cases or where we receive a large number of requests, this period may be extended by a further two (2) months, in which case we shall inform you of the extension and the reasons for it within the initial one-month period.

10.10. We do not charge a fee for processing data subject requests unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

11. Data Security

11.1. We implement appropriate technical and organisational measures to protect your Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

(a) encryption of data in transit using TLS/SSL protocols;
(b) encryption of data at rest using industry-standard encryption;
(c) access controls to limit access to Personal Data to authorised personnel on a need-to-know basis;
(d) regular security assessments and monitoring of our systems;
(e) staff training on data protection and information security.

11.2. While we take all reasonable steps to protect your Personal Data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your Personal Data.

12. Complaints

12.1. If you are unhappy with how we have handled your Personal Data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.

12.2. The ICO can be contacted at:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk

12.3. We would appreciate the opportunity to address your concerns before you contact the ICO. Please contact us first at hello@brunelly.com so that we can try to resolve the matter.

13. Changes to This Privacy Policy

13.1. We may update this Privacy Policy from time to time to reflect changes in our processing practices, legal requirements, or for other operational reasons.

13.2. The updated Privacy Policy shall be posted on our website and the "Last updated" date at the top of this policy shall be revised.

13.3. If we make material changes to this Privacy Policy, we shall use reasonable efforts to notify you by email or through a prominent notice on the Service prior to the changes taking effect.

13.4. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your Personal Data.

14. Contact Us

If you have any questions about this Privacy Policy or our data processing practices, please contact us at:

Brunelly Limited
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: hello@brunelly.com

For data protection matters, please contact dhilushi@brunelly.com.