BrightPlans Kft. ("we", "us", "the Company") is committed to protecting your personal data. This Privacy Policy (the "Policy") details how we collect, use, share, and protect your personal data when you use our services (the "Service").
Our Service is primarily provided to healthcare providers ("Clients") to enable them to create and manage treatment plans for their own patients ("Patients"). This Policy covers our data processing practices related to both our Clients and, through our Clients, the Patients.
Under data protection laws, particularly the General Data Protection Regulation (GDPR), it is important to clarify our role:
We process data falling into two main categories:
3.1. Client Data (data about you, the clinic)
3.2. Patient Data (which you, as the clinic, record)
We conduct all data processing activities for a clear purpose and with an appropriate legal basis.
Processing Activity | Data Categories Processed | Legal Basis (under GDPR) |
---|---|---|
Account creation and provision of the Service | Client identifier and contact data. | Article 6(1)(b) of the GDPR: necessary for the performance of a contract. |
Managing payments and subscriptions | Client financial and transaction data. | Article 6(1)(b) of the GDPR (performance of a contract) and Article 6(1)(c) (compliance with a legal obligation, e.g., accounting regulations). |
Storing and managing Patient data | Patient identification and health data. | Article 9(2)(a) of the GDPR: the explicit consent of the data subject (Patient), which the Client, as Data Controller, is responsible for obtaining and documenting. |
Sending newsletters and marketing communications | Client name and email address. | Article 6(1)(a) of the GDPR: the consent of the data subject (Client). |
Ensuring system security and technical operation | Technical data (e.g., IP address, log files). | Article 6(1)(f) of the GDPR: our legitimate interest to protect the security and integrity of the service. |
Important Note on Patient Data: We process the special category health data of Patients exclusively as a Data Processor, on your behalf as Data Controller. It is your responsibility to obtain appropriate, documented, and explicit consent from your Patients before their data is processed within the BrightPlans system.
We never sell your personal data. However, to provide the Service, we use trusted third-party service providers (sub-processors).
Partner | Service | Data Shared | Data Center Location |
---|---|---|---|
Linuxweb Kft. | VPS Hosting | Encrypted client and patient databases. | Hungary (EU) |
Amazon Web Services (AWS) | File Storage (S3) | Encrypted, user-generated files (e.g., treatment plans, X-rays). | Ireland (EU) / Global |
Paddle.com Market Ltd. | Payment Processing and Invoicing | Client billing and contact details. | United Kingdom / Ireland (EU) |
Brevo | Marketing Communications, Newsletter | Client name and email address. | France (EU) / Global |
As we have a global client base, it may be necessary to transfer personal data outside the European Economic Area (EEA). In such cases, we ensure that the data is protected at the level required by the GDPR through mechanisms such as European Commission adequacy decisions (e.g., the EU-U.S. Data Privacy Framework) or Standard Contractual Clauses (SCCs).
We take the security of your data extremely seriously and apply state-of-the-art technical and organizational measures to protect it:
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with our legal obligations.
Under the GDPR and other data protection laws, you (and your Patients) have the following rights:
To exercise these rights, please contact us at privacy@bright-plans.com. Patients should submit their requests in the first instance to the Data Controller (i.e., your clinic); as Data Processor, we will assist you in fulfilling these requests.
For our Clients in the United States who are "Covered Entities" under the Health Insurance Portability and Accountability Act (HIPAA), BrightPlans acts as a "Business Associate." We are committed to protecting Protected Health Information (PHI) and maintain the administrative, physical, and technical safeguards required by the HIPAA Security Rule. Our Business Associate Agreement (BAA) with Amazon Web Services covers the AWS infrastructure on which user-generated files are stored.
We reserve the right to update this Privacy Policy from time to time. We will notify you of any material changes via email or through the Service.
If you have any questions or comments about our privacy practices, please contact us at the following email address:
privacy@bright-plans.com