Privacy Policy

1. Introduction

Brigaly (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our platform, and sets out your rights under the General Data Protection Regulation (EU GDPR / UK GDPR) and any other applicable data protection laws.

Please read this policy carefully. By using Brigaly, you acknowledge that you have read and understood this policy. For questions, see Section 14.

2. Data Controller

Brigaly is the data controller responsible for your personal data. You can contact us at:

3. Personal Data We Collect

Data you provide directly

• Account information: name, email address, username, and password (hashed)
• Profile information: bio, interests, education details, profile picture
• User Content: posts, comments, articles, and other content you create
• Communications: enquiries to institutions, support requests, and feedback
• Verification data: where required for institute accounts

Data collected automatically

• Technical data: IP address, browser type and version, device type, operating system
• Usage data: pages visited, features used, clicks, session duration, and referral source
• Analytics data: aggregate usage patterns collected via Google Analytics 4 (subject to your cookie consent)
• Log data: server logs including request timestamps and error reports

Data from third parties

• OAuth sign-in providers (e.g. Google) may share your name, email, and profile picture when you choose to sign in with them

4. Legal Bases for Processing (GDPR Art. 6)

We process your personal data only where we have a valid legal basis to do so:

5. How We Use Your Data

• Create, manage, and authenticate your account
• Provide the core platform features (feed, enquiries, profiles, notifications)
• Send transactional communications (account verification, password reset, enquiry receipts)
• Send service updates and, where consented, promotional communications
• Analyse usage patterns to improve performance, fix bugs, and develop new features
• Detect, investigate, and prevent fraudulent or harmful activity
• Comply with applicable legal and regulatory obligations

6. Sharing Your Data

We do not sell your personal data. We may share data only in the following circumstances:

• Educational Institutions: When you submit an enquiry or interact with an institute profile, the relevant institution receives your contact details and enquiry content
• Other Users: Information you choose to make public on your profile is visible to other registered users
• Service Providers: Trusted third-party processors (e.g. cloud hosting, email delivery, analytics — always under data processing agreements)
• Legal Requirements: Where required by law, court order, or to protect the rights, property, or safety of Brigaly or others
• Business Transfers: In connection with a merger, acquisition, or sale of assets, where the acquirer will be bound by this policy

7. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA) or UK. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions. You may request a copy of the relevant safeguards by contacting us.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Key retention periods:

• Account data: Retained while your account is active. Deleted within 30 days of account deletion, except where retention is required by law
• Enquiry data: Retained for 2 years from submission to support dispute resolution
• Server logs: Retained for up to 90 days for security and debugging purposes
• Analytics data: Google Analytics data retained per your GA4 data retention settings (default 14 months)
• Legal compliance data: Retained as required by applicable law (typically up to 7 years)

9. Cookies and Tracking Technologies

We use essential cookies required for the platform to function, and optional analytics and functional cookies that require your consent. For full details of the cookies we use, how to manage them, and how to withdraw consent, please see our Cookie Policy.

10. Your Rights Under GDPR

If you are in the EEA or UK, you have the following rights under the GDPR (Arts. 15–22):

• Right of access (Art. 15): Request a copy of the personal data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your data in certain circumstances (“right to be forgotten”)
• Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing
• Rights related to automated decision-making (Art. 22): We do not make solely automated decisions that significantly affect you
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@brigaly.com. We will respond within one month. We may need to verify your identity before processing your request.

11. Children's Privacy

Brigaly is not directed to children under 13. We do not knowingly collect personal data from children under 13 without verifiable parental consent. Users aged 13–17 require parental or guardian consent to register. If you believe we have inadvertently collected data about a child under 13, please contact us immediately and we will delete it.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), hashed passwords, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by a prominent notice on the Service, and update the “Last updated” date at the top of this page. We encourage you to review this page periodically.

14. Contact Us and Right to Complain

If you have questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact us:

You also have the right to lodge a complaint with a data protection supervisory authority. In the UK this is the Information Commissioner's Office (ICO). In the EU, contact your local supervisory authority.