Privacy Policy
Last updated: February 23, 2026
TL;DR - not the legal terms, just the gist
- We collect the minimum data needed to run the service - email, display name, and the content you create.
- We do not sell your data. We do not show ads.
- We do not use your data for AI training.
- Core application hosting and storage are in the EU (Hetzner, Helsinki). If you sign in via Google or Microsoft, those providers process authentication data under their own policies.
- Our analytics tool (Plausible, self-hosted) uses no cookies and collects no personal identifiers.
- You can export, correct, or delete your data anytime.
- We are Unique Prime GmbH, Vienna, Austria - your data controller under GDPR.
1. Who We Are
BrighterWorks is operated by Unique Prime GmbH, a company registered in Vienna, Austria.
Unique Prime GmbH
Vienna, Austria
Email: hello@brighterworks.ai
We are not required to appoint a Data Protection Officer under GDPR (Article 37) because our core activity does not involve large-scale regular and systematic monitoring of individuals, nor large-scale processing of special categories of data. Our privacy contact for all data protection inquiries is hello@brighterworks.ai.
2. Controller vs Processor
We are the controller for data we process for our own operational purposes: account data (email, authentication), security logs, analytics, and any future billing data. We decide how and why this data is processed.
We are the processor for Workspace content (posts, comments, votes) that you and your team create. We process this data on your organization's (the Customer's) behalf, according to the Customer's instructions. The Customer determines the legal basis for this processing. When account data such as email or display name appears within Workspace content (for example, as the author of a post), we process it in our capacity as processor on behalf of the Customer.
If you have questions about content within your Workspace, contact your Workspace Admin first. They control what happens with your team's content. For account-level requests (your email, authentication, or account deletion), contact us directly.
A Data Processing Agreement (DPA) in accordance with Article 28 GDPR is available on request. Email hello@brighterworks.ai.
3. What We Collect
- Account data - Email address, display name, bio (if you choose to add one). This data is required to create and maintain your account. Without it, we cannot provide the Service.
- Authentication data - If you sign in via Google or Microsoft, we receive a limited profile (email, name) from the provider. We do not receive or store your password from these providers.
- Content data - Posts, comments, votes, and other materials you create within your Workspace.
- Technical data - IP addresses in server logs, browser type, and operating system.
- Session data - Authentication cookies required to keep you logged in.
- Consent records - When you interact with our cookie notice, we record your response (accepted/declined, timestamp, user ID or anonymous identifier) for compliance purposes.
- Analytics data - Page views and referral sources collected by Plausible (self-hosted). Plausible operates without cookies and uses a daily-rotating hash of IP and User-Agent to count unique visitors. This hash is never stored and cannot be used to identify individuals. No personal identifiers are retained.
- Error reports - When errors occur, GlitchTip (self-hosted) captures technical details such as browser info, URL, and error stack traces to help us diagnose issues.
4. Why We Process and Legal Basis
The following table covers data we process as controller. For Workspace content where we act as processor, the Customer (your organization) determines the legal basis.
| Purpose | Legal basis |
|---|---|
| Account management and authentication | Contract - Art. 6(1)(b) GDPR |
| Transactional emails (magic links, invitations) | Contract - Art. 6(1)(b) GDPR |
| Security and abuse prevention | Legitimate interest - Art. 6(1)(f) GDPR |
| Error monitoring (GlitchTip, self-hosted) | Legitimate interest - Art. 6(1)(f) GDPR |
| Analytics (Plausible, self-hosted, cookieless, aggregated) | Legitimate interest - Art. 6(1)(f) GDPR |
| Consent record-keeping | Legal obligation - Art. 6(1)(c) GDPR |
| Legal compliance | Legal obligation - Art. 6(1)(c) GDPR |
5. Cookies
We use essential cookies only. No tracking cookies. No third-party advertising cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| `sb-*-auth-token` | Authentication session (Supabase). May be split into multiple numbered chunks (`sb-*-auth-token.0`, `sb-*-auth-token.1`, etc.) | Session / up to 7 days |
| `bw_consent` | Records whether you have acknowledged the cookie notice | 1 year |
Plausible, our analytics tool, does not use cookies. It counts unique visitors using a daily-rotating hash of IP and User-Agent that is never stored or shared.
6. Who We Share Data With
We use a small number of subprocessors and recipients to operate the Service.
Infrastructure subprocessors
| Provider | Purpose | Location | Data |
|---|---|---|---|
| Hetzner Online GmbH | Dedicated server hosting | Helsinki, Finland (EU) | All data (all services run on this server) |
| Supabase, Inc. | Authentication and database (self-hosted on Hetzner) | Helsinki, Finland (EU) - self-hosted instance | Account data, content data, auth tokens |
Self-hosted software (runs on our Hetzner infrastructure, no external data sharing)
| Software | Purpose | Data |
|---|---|---|
| Plausible CE | Privacy-focused web analytics | Aggregated page views (no personal data retained) |
| GlitchTip | Error tracking and monitoring | Error reports, browser info, request URLs |
Third-party authentication providers (if you choose to use them)
| Provider | Purpose | Data | Transfer safeguards |
|---|---|---|---|
| Google Ireland Ltd / Google LLC | OAuth sign-in | Email, name (received from Google) | EU-US Data Privacy Framework |
| Microsoft Ireland Operations Ltd / Microsoft Corp. | OAuth sign-in | Email, name (received from Microsoft) | EU-US Data Privacy Framework |
OAuth sign-in is optional. If you use email magic links instead, no data is shared with Google or Microsoft.
7. International Transfers
Core application hosting, database storage, analytics, and error tracking are all located within the European Union (Hetzner, Helsinki, Finland). We do not transfer this data outside the EEA.
If you choose to sign in via Google or Microsoft, those providers may process authentication data in the United States or other countries. These transfers are covered by the EU-US Data Privacy Framework. If the adequacy framework is invalidated, we will evaluate alternative safeguards such as Standard Contractual Clauses (SCCs).
8. Data Retention
- Active account - Data is retained while your account exists and you use the Service.
- Deleted account - All personal data identifiable to you is purged or irrevocably anonymized within 30 days. Backups may retain encrypted copies for up to 90 days, after which they are permanently removed.
- Server logs - Retained for up to 90 days, then deleted.
- Error reports - Retained for up to 90 days, then deleted.
- Consent records - Retained for the duration of the consent (up to 1 year for the cookie; database records are retained for up to 3 years for compliance audit purposes).
- Analytics - Plausible retains only aggregated, non-personal data. No personal data is stored.
- Authentication provider metadata - OAuth tokens from Google/Microsoft are used transiently during sign-in and are not stored long-term by us. Supabase stores a session reference.
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access (Art. 15) - Request a copy of the personal data we hold about you.
- Rectification (Art. 16) - Correct inaccurate personal data.
- Erasure (Art. 17) - Request deletion of your personal data.
- Restriction (Art. 18) - Request that we restrict processing of your data.
- Portability (Art. 20) - Receive your data in a structured, machine-readable format.
- Object (Art. 21) - Object to processing based on legitimate interest.
For account-level data (where we are the controller), exercise these rights by emailing hello@brighterworks.ai. We will respond without undue delay and in any event within one month. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests (Art. 12(3) GDPR).
For Workspace content (where we are the processor), please direct your request to your Workspace Admin first, as they are the controller for that data. If you contact us directly, we will forward your request to the relevant controller or assist as required by law.
You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Austrian Data Protection Authority (dsb.gv.at).
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
11. Children
BrighterWorks is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.
12. Security
We take reasonable technical and organizational measures to protect your data, including encryption in transit and at rest, logical data isolation, and restricted access to production systems.
For full details on our security practices, see our Security page.
13. Changes
We may update this policy from time to time. For material changes, we will notify registered users via email before the changes take effect.
14. Contact
Unique Prime GmbH
Vienna, Austria
Email: hello@brighterworks.ai