Privacy Policy

Last updated: September 2025

1. Controller

The controller responsible for processing your personal data on this website is:

Brightroom UG (haftungsbeschränkt)
Hagelberger Str. 52, 10965 Berlin
Email: irina@thebrightroom.de

2. Data We Collect

We process the following categories of personal data when you use our website, book services, or subscribe to our newsletter:

  • Identification data: name, company name, email address.

  • Contract and billing data: address, payment information, VAT details (when applicable).

  • Communication data: booking preferences, messages submitted via forms.

  • Usage data: IP address, browser type, usage patterns (via cookies/analytics).

We do not process special categories of personal data (e.g., health data).

3. Purposes and Legal Bases

We process your data for the following purposes, each on the stated legal basis under Art. 6 GDPR:

  • To provide services, process bookings, and manage contracts (Art. 6(1)(b)).

  • To issue invoices and comply with tax obligations (Art. 6(1)(c)).

  • To send newsletters and marketing communications, if you consent (Art. 6(1)(a)).

  • To improve our website and services through analytics (Art. 6(1)(f), legitimate interest).

  • To respond to inquiries and maintain business relationships (Art. 6(1)(f)).

4. Service Providers (Processors)

We use the following service providers who process personal data on our behalf:

  • Squarespace (website hosting, content management). Provider: Squarespace Inc., New York, USA. Data may be transferred to the USA under Standard Contractual Clauses (SCCs).

  • Supabase (backend database hosting).

  • Stripe Payments Europe Ltd. (payment processing).

  • Mailchimp (email marketing). Provider: Intuit Inc., USA. Transfers secured via SCCs.

  • SendGrid (Twilio Inc.) (transactional emails). Transfers secured via SCCs.

  • Google Analytics (website analytics, anonymized IP). Provider: Google Ireland Ltd., with transfers to the USA under SCCs.

  • Calendly (meeting scheduling). Provider: Calendly LLC, USA. Transfers secured via SCCs.

  • Fillout (form submissions).

All providers are bound by data processing agreements and GDPR-compliant safeguards.

5. International Data Transfers

Some providers (Squarespace, Mailchimp, SendGrid, Google, Calendly) are based in the USA. For these cases, data is transferred under the EU Standard Contractual Clauses (SCCs) approved by the European Commission.

6. Retention Periods

  • Contract and billing data: 10 years (statutory tax retention).

  • General inquiries and unused leads: deleted after 12 months.

  • Newsletter data: deleted upon withdrawal of consent.

  • Analytics data: anonymized or deleted within 26 months.

7. Cookies & Tracking

We use cookies and similar technologies for analytics and marketing. You can manage preferences via your browser or consent banner.

8. Your Rights

You have the following rights under the GDPR:

  • Access to your data (Art. 15).

  • Rectification (Art. 16).

  • Erasure ("right to be forgotten," Art. 17).

  • Restriction of processing (Art. 18).

  • Data portability (Art. 20).

  • Objection to processing (Art. 21).

  • Withdrawal of consent (Art. 7(3)).

To exercise these rights, contact us at [Your Email].

9. Complaints

You have the right to lodge a complaint with the competent supervisory authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219
10969 Berlin
https://www.datenschutz-berlin.de/