Version 1.0 – 21 July 2025

Privacy policy

BrightHeart Privacy Policy
  1. BrightHeart
  2. Purpose
  3. Definitions
  4. Roles and Responsibilities of BrightHeart
  5. BrightHeart as data controller
    1. Purposes of processing
    2. Legal basis for data processing
    3. Categories of data subjects
    4. Personal data processed
  6. Terms and conditions for the retention of personal data
    1. Hosting of collected personal data
    2. Retention period for processed personal data
  7. Sharing and communication of personal data
  8. For EU Users: Data Transfers Outside EU
  9. Cookies
  10. Technical and organizational security measures
  11. Your rights regarding your personal data
  12. Privacy contact

1. BrightHeart

BrightHeart is a simplified joint stock company, registered with the Paris Trade and Companies Register under number 918 652 264, with its registered office at 7-11 BOULEVARD HAUSSMANN, 75009 PARIS.
BrightHeart’s B-Right AI Platform (BrightHeart’s Solution) empowers clinicians and sonographers, facilitating comprehensive and standardized fetal heart assessments during routine anatomy scans.

2. Purpose

The purpose of this Privacy Policy is to inform you of the means we have put in place to guarantee the security of your personal data when you use the BrightHeart Website (https://www.brightheart.ai/) and BrightHeart’s Solution provided by BrightHeart on the https://app.brightheart.ai/ website.
This Policy covers all personal data processing relating to your use of the Solution as a User, and does not cover the processing of patients' personal health data.
This Policy is an integral part of the General Terms of Use of the Solution.
It may be revised when new features of the Solution or new activities are added, when personal data processing methods are modified, or when laws and regulations evolve affecting BrightHeart's activity, Services and Solution.
In the event of a revision to this Policy, we undertake to publish the changes on the Solution and to update the publication date of the Policy in order to keep you up to date with the changes made.

Any revised Policy will apply both to personal data already being processed at the time of the changes, and to any other personal data collected and processed after the revised Policy comes into force.

For your convenience, a version number of this Policy has been defined, including the month and year of its last revision. BrightHeart encourages Users to review this Policy regularly to check for any changes.

3. Definitions

"Privacy Regulations": shall mean (i) the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016), and all additional laws, regulations and rules in force in the relevant Member State(s) of the European Union applicable to the Processing and (ii) other applicable privacy and data protection laws and regulations of other countries, including the Health Insurance Portability & Accountability Act of 1996 (HIPAA) and the California Consumer Privacy Act of 2018 (CCPA) in the United States, and any other applicable data protection laws in any jurisdiction, as amended, updated or superseded from time to time and as applicable to the Processing of Personal Data under this Privacy Policy.

"Solution": refers to BrightHeart’s B-Right AI Platform. The Solution empowers clinicians and sonographers, facilitating comprehensive and standardized fetal heart assessments during routine anatomy scans. This platform is designed to import, analyze, store, distribute, display and manage information related to ultrasound devices.

"Controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing of personal data; where the purposes and means of such processing are determined by Union law or by the law of a Member State, the controller or the specific criteria applicable to its designation may be provided for by Union law or by the law of a Member State.

"Processor" means the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller.

"Customer" means the organization that signed a contract with BrightHeart to provide the Solution to its staff, and its healthcare professionals.

"User" or "Data Subject" means any visitor to the Solution whose personal data is processed after connection to the Solution. This includes professional users.

"Personal data" means any information relating to an identified or identifiable natural person; an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Processing" means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. Roles and Responsibilities of BrightHeart

As part of its activities, BrightHeart processes personal data relating to the data subject in accordance with the applicable Privacy Regulations, in particular with regard to lawfulness, transparency, and fairness.
The personal data collected is used in connection with the services provided by BrightHeart. The company undertakes to collect and process only personal data that is strictly necessary for the purposes of the processing and for the purposes determined, in accordance with the principle of data minimization.

5. BrightHeart as data controller

a. Purposes of processing

There are 2 main purposes for the data processing:
BrightHeart acts as Data Controller regarding your navigation on the website (before any authentication).
BrightHeart acts as Data Controller regarding the management of the User's account, specifically for the following objectives:

  • Creation and management of user accounts that are part of BrightHeart’s Customers’ staff;
  • Management of the Solution’s security, and then the accounts’ security;
  • Management of users’ support requests.

BrightHeart also acts as Data Controller regarding the production of usage statistics to improve the Solution.

b. Legal basis for data processing

Regarding the navigation on the Website (without any authentication), BrightHeart processes your personal data only through the “Request Demo” Form by collecting your name, email address and position, based on your consent to share them with us.

Regarding the use of the Solution, BrightHeart processes personal data in order to provide the Solution to Customers and their healthcare professionals.
The legal basis for the processing of personal data for the management of the User’s account is the contract signed between the Customer and BrightHeart, which implies that the users (staff members of the Customer) will accept the Terms and Conditions of Use and the Policy at the first connection.
The legal basis for the processing of personal data in order to produce usage statistics of the Solution is the legitimate interests of BrightHeart to improve the quality and the security of the Solution.

c. Categories of data subjects

Healthcare professional users that are members of the Customer’s staff.

d. Personal data processed

  • Email address;
  • Organization (Customer) associated with his/her account;
  • IP address;
  • Browser and OS;
  • Password;
  • Connection and action logs;
  • Information provided by the user within the support request.

6. Terms and conditions for the retention of personal data

a. Hosting of collected personal data

All personal data collected on our website is hosted by Amazon Web Services.
For European Customers and users: The data servers are located in Europe in Frankfurt (Germany).
For US Customers and users: The data servers are located in North Virginia (United States).

b. Retention period for processed personal data

The data is retained for the duration of the user account.
Regarding user support, data is retained for 12 months after the support request is closed.
Logs are kept for 12 months from the date of collection.

7. Sharing and communication of personal data

Within the limits of their respective responsibilities and for the purposes outlined above, the main people likely to have access to personal data collected on BrightHeart's Solution are primarily its own employees and authorized data processors.
The personal data of the data subjects will not be shared for commercial or advertising purposes.
BrightHeart may choose to share or transfer its Users' personal information as described below:

  • BrightHeart may disclose the personal data of the data subjects (a) to comply with a legal obligation, legal proceedings, a court order or a legal process served on BrightHeart, (b) in connection with a legal investigation, (c) to protect or defend the rights or property of BrightHeart or Users of the Solution, and/or (d) to investigate or help prevent any potential violation of the law, this Policy, or our Terms of Use;
  • BrightHeart may share all or part of the personal data of the data subject in case of any merger, financing, acquisition or dissolution, or any other proceedings involving the sale, transfer, assignment or disclosure of all or part of our business or assets. In the event of insolvency, bankruptcy or receivership, personal information may also be transferred as a business asset. If another entity acquires BrightHeart or its assets, that entity will own the personal information collected by BrightHeart and will assume the rights and obligations regarding your personal information as described in this Policy;
  • BrightHeart may share all or part of the personal data of the data subject with entities belonging to or associated with our structure in accordance with the law and regulations. This personal data may only be processed for the purposes described in this Policy;
  • BrightHeart may share the personal data of the data subject with third-party service providers and subcontractors to provide the services offered, perform quality assurance tests, provide technical support, and/or provide other services (emailing, audience analysis) to BrightHeart. BrightHeart undertakes to require its subcontractors to provide a sufficient level of security for the processing of personal data that they carry out on its behalf. If these third-party service providers transfer personal data outside the European Union, BrightHeart enters into specific contracts with them, including binding contractual clauses established by the European Commission, to regulate and secure the transfer of such personal data to these service providers, if these transfers are not covered by any other adequacy mechanism.

8. For EU Users: Data Transfers Outside EU

We use data processors located outside the European Union. BrightHeart therefore ensures that the necessary safeguards are in place to ensure an adequate and appropriate level of data protection:

Data Processor       | Purpose        | Safeguard
Amazon Web Services  | Hosting        | EU-U.S. Data Privacy Framework
Sinch (Mailjet)      | Emailing       | SCC
Datadog              | Monitoring     | EU-U.S. Data Privacy Framework
Sentry               | Error tracking | EU-U.S. Data Privacy Framework
Atlassian (Jira)     | Support        | EU-U.S. Data Privacy Framework

9. Cookies

We do not use any cookies.

10. Technical and organizational security measures

BrightHeart is committed to protecting users' personal data by implementing technical and organizational security measures designed to prevent unauthorized disclosure, alteration, use, or destruction of the personal data processed.
BrightHeart implements all measures at its disposal to create an environment that preserves the quality, security, confidentiality, and integrity of the personal data processed.
BrightHeart also uses reasonable technologies to secure the processing of personal data processed for the purposes described in this policy, including:

  • Logical access control;
  • Authentication processes with secure access, confidential username and password policy, connection traceability and logging, encryption of personal data;
  • Physical protection of business premises (access control);
  • Regular evaluation and improvement of its information technology systems, facilities, and practices for collecting, storing, and processing personal data.

However, BrightHeart cannot insure or guarantee against all risks relating to the security of this personal data. BrightHeart does not guarantee that this data cannot be accessed, disclosed, modified or destroyed in the event of a personal data breach of one of our guarantees, in the event of failure or negligence on the part of users of the website, or in the event of failure of our data hosting provider or one of our data processors.

11. Your rights regarding your personal data

BrightHeart undertakes to guarantee respect for Users' rights with regard to the protection of personal data.
Except in cases of limitation, your rights regarding the processing of your personal data are as follows:

  • Right of access: the right to be informed and to request access to personal data processed by BrightHeart;
  • Right of rectification: the right to request that personal data be modified or updated when it is inaccurate or incomplete;
  • Right to erasure (right to be forgotten): the right to request the permanent deletion of personal data processed for the purposes described in this policy;
  • Right to restriction of processing: the right to request the temporary or permanent cessation of the processing of all or part of your personal data;
  • Right to object: the right to refuse the processing of your personal data at any time;
  • Right to data portability: the right to request a copy of personal data in electronic format and the right to transmit this personal data for use by a third-party service;
  • Right not to be subject to automated decision-making: the right not to be subject to a decision based solely on automated decision-making, including profiling, where the decision would have a legal effect on you or produce a similar significant effect.

The user may also inform BrightHeart of their wishes regarding the fate of their personal data after their death. In such cases, BrightHeart undertakes to comply with the terms and conditions for processing such personal data within the limits of the applicable legal obligations. In the absence of specific instructions from the data subject, BrightHeart undertakes to destroy the personal data concerned, unless its retention is necessary for evidentiary purposes or to comply with a legal obligation.

12. Privacy contact

If you have any questions or complaints about this Policy or our personal data collection or processing practices, if you wish to exercise your rights, or if you wish to report any security breach, please contact our Data Protection Officer (DPO) using the following contact details:
By email: dpo@brightheart.fr
Or at the following address: BrightHeart, Data protection officer, 7-11, BOULEVARD HAUSSMANN, 75009 PARIS.

For US Users:
Users based in California (USA): In the event of a complaint, you may choose to refer to the California Attorney General and the California Privacy Protection Agency (CPPA);
For all other users based in the USA: you may refer to the State Attorney General of your state.

For European Users: In the event of a complaint, you may choose to refer to the competent Supervisory Authority, which is the National Commission for Computing and Liberties (CNIL):
At the following address: CNIL, 3 Place du Fontenoy TSA 80715, 75334 Paris, Cedex 07
Or online: https://www.cnil.fr/fr/plaintes