Privacy & Cookie Policy
What we do with your data — in plain language.
The short version
Brighten Digital s.r.o. operates the website fieldloop.ai and the Fieldloop Market Insight module. This page explains, in plain language, what personal data we handle, why, and what control you have over it.
- The website collects only what you give us in a contact form: name, company, role, email, and optionally phone. We use it to answer your inquiry — nothing else.
- Fieldloop Market Insight is operated as a managed service for our customers. When we operate it for a customer, we act as a data processor under their instructions; the customer remains the data controller of their own users' and contacts' data.
- We do not sell your data. We do not use it for advertising. We do not track you across the web.
- Your rights under GDPR apply in full: access, rectification, erasure, restriction, portability, objection. We answer requests within 30 days.
- One contact for everything related to privacy: privacy@brighten.digital.
If you came here looking for the cookie policy, jump to Cookies.
01 Who we are
The data controller for personal data processed through the Fieldloop website and corporate communications is:
Rybná 716/24, Staré Město, 110 00 Praha 1, Czech Republic
Company ID (IČO): 02785421 · VAT ID (DIČ): CZ02785421
Registered with the Municipal Court in Prague, Section C, Entry 223726
Contact for data protection matters: privacy@brighten.digital
We are not legally required to appoint a Data Protection Officer (DPO), but a single named team member at Brighten Digital is responsible for handling privacy inquiries and can call on a qualified external advisor whenever needed.
02 What this policy covers
This policy covers two distinct things:
- The Fieldloop website (fieldloop.ai and any subdomains). When you visit this site, fill in a form, or correspond with us by email — Brighten Digital is the data controller. We decide what we collect and what we do with it.
- The Fieldloop Market Insight module. When a customer organisation engages us to operate Fieldloop Market Insight on their behalf (as a managed service, including pilots), Brighten Digital acts as a data processor for that customer. The customer is the data controller of their own users' and contacts' data. The module section below describes how we handle data on the customer's behalf; the binding instructions are in the Data Processing Agreement (DPA) between Brighten Digital and that customer.
If you are using a Fieldloop Market Insight instance operated for your employer or a third party, please consult that organisation's privacy notice first. The information here describes the technical and organisational measures we apply when we operate the module on their behalf.
03 The website
What we collect
We collect personal data only when you choose to give it to us through one of the contact forms on this site, or when you contact us directly by email or other channel. The fields we collect:
- Name and surname. To address you correctly.
- Company name. To understand the context of your inquiry.
- Role / job title. To route your inquiry to the right person on our side.
- Business email address. To respond to you.
- Phone number (optional). Only if you choose to provide it.
- The content of your message. What you wrote in the inquiry, including any context you chose to share about your organisation or markets.
We do not request, and we ask you not to provide, special categories of personal data (health, religion, political opinions, trade union membership, biometric data, etc.). If you accidentally include such data, we will delete it. We do not collect identifiers automatically beyond what is technically necessary to deliver the page (see Cookies).
Why we collect it (legal basis)
The legal basis for processing data submitted through our contact forms is our legitimate interest (GDPR Article 6(1)(f)) in answering business inquiries about our services. You can object to this processing at any time by writing to privacy@brighten.digital; we will then stop processing unless we have a compelling legitimate reason that overrides your objection (which, in practice, will almost never apply to a simple inquiry).
If you join a mailing list, sign up to be notified about a product launch, or otherwise consent to receive communications from us, the legal basis is your consent (GDPR Article 6(1)(a)). You can withdraw consent at any time using the unsubscribe link in any message or by writing to us.
How long we keep it
- Active inquiries: for as long as the conversation is open, plus a reasonable follow-up period (typically up to 6 months after the last exchange).
- Inquiries that turned into a commercial relationship: retained for the duration of the relationship plus the period required by Czech accounting and tax law (typically 10 years for accounting records).
- Mailing list / launch waitlist: until you unsubscribe or we close the list.
- Inquiries we did not respond to or that did not lead anywhere: deleted within 12 months.
Concretely: if you write to us about a pilot and we exchange three emails over a week, your data is in our inbox + our CRM for the duration of the conversation, then for up to 6 months in case you come back. After that, it is deleted unless we have a contractual relationship.
Who has access
Only Brighten Digital employees who need to see your inquiry to respond to it. We use industry-standard business tools (email, CRM, document storage) — those vendors are listed in Section 7: Sub-processors. We do not share your contact details with third parties for marketing purposes. We do not sell data.
04 The Fieldloop Market Insight module
Fieldloop Market Insight is the module of the Fieldloop platform that produces weekly editorial intelligence from a customer's CRM data. We operate it as a managed service for customers under a Data Processing Agreement (DPA). The following describes how we handle personal data on customers' behalf. Other Fieldloop modules, when introduced, will be covered by an updated version of this policy.
Our role
When a customer organisation engages Brighten Digital to operate Fieldloop Market Insight, the customer is the data controller of all personal data processed in their tenant — that includes the personal data of their own employees (sales representatives, leadership readers) and any third parties referenced in CRM mention notes (account contacts, physicians, decision-makers, etc.). Brighten Digital is the data processor. We process personal data only on the documented instructions of the customer, under a Data Processing Agreement (DPA) signed before any data flows.
What personal data the module processes
On behalf of customers, Fieldloop Market Insight processes the following categories of personal data:
- Authorised users of the module (the customer's own employees): name, business contact details, role, employee identifier provided by the customer, authentication credentials.
- Field reports ingested from the customer's CRM, authored by their representatives: text content, timestamps, account context, and where the customer's deployment includes voice-to-text capture, the resulting transcription.
- Third parties referenced in field reports: names and roles of contacts at customer accounts (physicians, pharmacists, procurement leads, etc.), as recorded by the customer's representatives.
- Operational data about user activity (last-active timestamps, edition delivery confirmations), used to deliver the service.
Privacy-by-design measures
Several controls are baked into the application architecture, not added later:
- Pseudonymisation before analytical processing. Before personal data is embedded, clustered, or sent to any external language model, names of persons, organisations, and locations are replaced with stable hashed tokens. Cluster labels, topic descriptions, and generated editorial content are produced from pseudonymised text. Re-identification — the mapping of a token back to a real name — happens only at the final publication step, inside the customer's tenant.
- Data residency. Default infrastructure for Fieldloop Market Insight is hosted on Microsoft Azure, West Europe region. Customer-specific deployment in a single national jurisdiction (e.g. Germany, Switzerland) is supported where compliance requires it.
- Tenant isolation. Each customer's data is held in a logically isolated storage and processing environment. Data from one customer never appears in another customer's analytical run.
- External AI providers. When Fieldloop Market Insight relies on third-party large language models (currently Anthropic and OpenAI) for content generation, those providers receive only pseudonymised text under enterprise agreements that contractually restrict retention and prohibit use of the data for model training.
- Audit trail. Every analytical step is logged at the tenant level: which mentions entered a run, which entities were detected, which were used in generated output. Customers can inspect these logs.
The full technical detail is described in the published research paper From Campus to Company — Collaborative Innovation in the Age of AI (Pitner et al., IDIMT 2026) and in the privacy section of the science page.
Sub-processors used by Fieldloop Market Insight
To deliver Fieldloop Market Insight, we engage a small number of carefully selected sub-processors (see Section 7). The current list is maintained at fieldloop.ai/subprocessors and notified to customers under the DPA. Sub-processor changes are notified to customers in advance with the right to object.
Customer requests under GDPR
If you are a user of a Fieldloop Market Insight instance and you wish to exercise your data subject rights (access, rectification, erasure, etc.) for data held in that instance, please contact the organisation for which we operate it — they are the controller. We will support that organisation in responding to your request as required by our DPA.
05 International data transfers
Our default infrastructure and storage are inside the European Economic Area. When data is processed by third-party services located outside the EEA (for example, certain language model providers based in the United States), the transfer is covered by either:
- Adequacy decisions by the European Commission for the destination country, or
- Standard Contractual Clauses (Commission Decision (EU) 2021/914) supplemented by technical measures, including the pseudonymisation described above.
We do not transfer personal data to any jurisdiction without an appropriate transfer mechanism in place.
06 Security
We apply technical and organisational security measures appropriate to the nature of the data and the state of the art, including:
- Encryption in transit (TLS 1.2 or higher) for all network communication.
- Encryption at rest for stored data.
- Role-based access controls; access on a strict need-to-know basis.
- Logging and monitoring of access to systems holding personal data.
- Regular security review of code and infrastructure changes.
- Incident response procedures, including the obligation under GDPR Article 33 to notify a personal data breach to the supervisory authority within 72 hours where required.
No system is perfectly secure. If you believe you have observed a security issue, please contact us at security@brighten.digital (responses within 2 business days).
07 Sub-processors
For the operation of the website, Fieldloop Market Insight, and the day-to-day business of Brighten Digital, we use the following categories of sub-processors:
- Hosting for the website and for Fieldloop Market Insight (Microsoft Azure, West Europe region — within the European Union).
- Email and document collaboration for internal handling of inquiries (currently Google Workspace, under Standard Contractual Clauses).
- Customer relationship management for inbound inquiries.
- External language model providers for Fieldloop Market Insight (currently Anthropic and OpenAI; see Section 4).
The current list of sub-processors is maintained at fieldloop.ai/subprocessors. You can also request the current list at privacy@brighten.digital.
08 Your rights
Under GDPR, you have the following rights with respect to personal data we process about you:
- Access. A copy of the personal data we hold about you.
- Rectification. Correction of inaccurate or incomplete data.
- Erasure (right to be forgotten). Deletion of your data where the legal basis no longer applies.
- Restriction. Limit our processing while a dispute or correction is pending.
- Portability. Receive your data in a structured, commonly used machine-readable format and transmit it to another controller.
- Objection. Object at any time to processing based on our legitimate interest.
- Consent withdrawal. Where processing is based on your consent, you can withdraw it at any time without affecting lawfulness of processing before withdrawal.
To exercise any of these rights, write to privacy@brighten.digital. We answer within 30 days. We may extend the period by a further two months for complex requests, in which case we will inform you of the extension within the first 30 days.
You also have the right to lodge a complaint with the supervisory authority. In the Czech Republic, this is:
Pplk. Sochora 27, 170 00 Praha 7
www.uoou.cz
If you reside in another EU member state, you may contact the supervisory authority of your country of residence.
09 Children
Our website and our application are intended for use by adult business users. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact us and we will delete it.
10 Changes to this policy
We will update this policy when we materially change how we handle personal data. The current version and last-updated date are always at the top of the page. For material changes, we will additionally notify active customers via email at least 30 days before the change takes effect.
11 Contact
For anything related to this policy or your personal data:
Brighten Digital s.r.o., Rybná 716/24, 110 00 Praha 1, Czech Republic
For security disclosures: security@brighten.digital. For all other inquiries: see the Contact & Meet page.
Part two
Cookie Policy
The short version
We do not use tracking cookies. We do not run analytics on this website. We do not place advertising cookies. We do not share data with third-party trackers. The site uses only the minimum technical storage required to display pages and (where applicable) to remember your form input within a single session.
What cookies are
A cookie is a small text file stored on your device by a website. Some cookies are strictly necessary for a website to work; others are used for analytics, personalisation, or advertising. The Fieldloop website currently uses only cookies in the strictly necessary category, as described below.
What we use today
| Cookie / storage | Purpose | Legal basis | Lifetime |
|---|---|---|---|
| Session storage (browser-side) | Remember form input on the contact pages within one browsing session, so a refresh does not erase your message. | Strictly necessary; no consent required under EU ePrivacy rules. | Cleared when you close the tab. |
| CSRF protection token | Protect form submissions from cross-site request forgery. | Strictly necessary. | Cleared when you submit the form or close the tab. |
That is the full list. We do not have a cookie banner because we do not place any cookie or storage item that would require consent under EU ePrivacy rules.
What we do not use
- No analytics cookies. No Google Analytics, no Plausible, no Matomo, no internal page-view tracking.
- No advertising cookies. No Meta Pixel, no LinkedIn Insight Tag, no remarketing.
- No third-party cookies. No embedded social-media widgets that load tracking cookies, no chat widgets that fingerprint visitors.
- No fingerprinting. No device fingerprinting, no behavioural profiling.
If this changes
If we add analytics or any other non-essential cookie or storage item in the future, we will: (1) update this policy and bump the version number; (2) add a consent banner that meets the EU ePrivacy / GDPR consent standard (opt-in, granular, easily revoked); (3) notify customers and waitlist subscribers where appropriate.
How to control cookies
Even though we do not place tracking cookies, you can control cookies and storage in your browser through its settings. All major browsers let you block or delete cookies:
- Chrome: Settings → Privacy and security → Cookies
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy
- Edge: Settings → Cookies and site permissions
Blocking strictly necessary cookies may prevent forms on this site from working correctly.
Contact
For questions about this policy: privacy@brighten.digital.