There are three types of people who legitimately access those services—and the web pages and information related to those services.
The second type of person accesses Sites as a means to view, evaluate, or use some of the technological offerings, tools, systems, accounts, automated documents or automated workflows (the “Services”) that Brightleaf from time to time provides to its customers and prospective customers (or in some cases, to the general public). This policy refers to that second group as “Users,” regardless of whether those users are Brightleaf customers, prospective customers, or other persons who receive access to the Services. Users may be subject to additional terms and conditions and may be required to indicate individually their acknowledgement of and agreement to those additional terms and conditions.
Many of our Users are lawyers. When a User with appropriate Service permissions grants to a third party (for example, when a law firm grants to a client or prospective client) access to any Site, Information, or Service, this policy refers to such third party as a “Client User”.
What Information Do We Collect?
Personal Information: The Website allows customers who are interested in Brightleaf products, services, and information to contact Brightleaf and to read, or receive downloads or transmissions of, our information. If you contact Brightleaf through the site or if you request any such information, we may collect your name and email address, any additional contact information (such as your employer, address or telephone number) that you choose to disclose to us, and the names and types of materials that you download or otherwise request from our site (together, “Personal Information”).
Aggregate Information: We may use generally-used web tracking technologies, such as cookies that collect anonymous traffic data, in order to collect information such as IP host address, pages viewed, and the manner in which you navigated through the Website, and may aggregate such information in a manner which does not identify any individual (“Aggregate Information”).
Contributed Information: We may from time to time allow Website users to post to the Site, or submit to us through the Site, their comments, suggestions, ideas, writings and views. Any rights to any information (“Contributed Information”) contained within such post, suggestion, idea, writing or view shall become the sole property of Brightleaf Solutions, Inc. upon submission. We shall have no obligation at law or equity to compensate the submitting user, nor shall we be required to post, keep posted, or remove all or any portion of this information.
How Do We Use the Information We Collect?
Personal Information: If you provide Personal Information to us, we may enter such information into our contact management database, and may use such database to send you our marketing materials and to contact you regarding your interest in Brightleaf products and services. In such event, we will offer you the option to opt out of similar contacts from us in the future. We do not re-sell your Personal Information nor do we re-use it for any purpose other than that described in this paragraph.
Aggregated Data: Brightleaf uses Aggregate Information only in an aggregate form that does not identify the individual user, and only for us to understand the performance of the Website. For example, we may develop Aggregate Information on Website and content usage, such as by keeping count of return visitors to the Website and assessing which pages of the Website are most popular. This allows us to determine which features visitors like best to help us improve our content and site, personalize your user experience, and measure overall site effectiveness. Brightleaf allows Google to use Aggregate Information pursuant to the Website’s use of Google Analytics, described above.
Legal Exception: Notwithstanding the above, Brightleaf may use Personal Information to the extent required by law or if in Brightleaf’s reasonable discretion use is necessary to investigate fraud or any threat to the safety of any individual, to protect Brightleaf’s legal rights or to protect the rights of third parties.
Privacy Terms for Services
There are five common information types that we collect from service users.
- Account-specific user information, such as user name, password, contact information, employer, user permission levels, and office location. We collect and store this information as a necessary component of providing services to users and maintaining security for them. We do not re-sell any such information, nor do we use it for any purpose other than (a) providing services to that user, and (b) contacting that user about services.
- Anonymized usage pattern information or anonymized statistical comparison of documents. We may from time to time collect gross statistical information about the usage patterns within our services. We use such information in product refinement efforts. This information cannot be used to identify any person or entity nor can it interrelate any person or entity with any particular data. Our use of such information does not violate any user copyrights.
- User Audit Trail information that maintains a record of which users access which services, as well as when and how they use those services. We maintain this audit trail information for the purpose of fulfilling contractual obligations between us and our customers and to provide those Customers with usage information from the third parties with whom they share Services.
- Customer proprietary information. We consider the forms, templates, modules, and guides that our customers create within Brightleaf to be confidential and proprietary to those customers. We do not re-use, re-sell, transmit to third parties, copy, prepare derivative works from, or permit unauthorized access to them. Our personnel access them only when we need to in order to perform our obligations and provide the services contracted for in our customer agreements with those law firms.
- Most if not all of our Customers are attorneys or legal professionals who work for attorneys. We consider the client-specific and matter-specific information (which may include personal information) that those Customers, and the third-party users that those Customers share Services with, placed into our system to be highly confidential and proprietary to the firm and the firm’s client. We do not re-use, re-sell, or transmit them to third parties, nor do we condone unauthorized access to them. We do not permit use of this information for any purpose other than the conduct of business between the firm and its client. In accordance with our security policies, we restrict access to the sections of our systems where this information resides, so that only a small, select, pre-screened group of senior technical personnel, bound by confidentiality agreements, have the ability to access it, and may only access it (a) where necessary for the provision of services for the purpose of providing services to the Customer under our agreement with that Customer, (c) in compliance with applicable laws, and (d) in a manner that we can track and log.
How Do We Protect the Security of Your Information?
The security, integrity, and confidentiality of your information are extremely important to us. We have implemented technical, administrative, and physical security measures that are designed to protect guest information from unauthorized access, disclosure, use, and modification. From time to time, we review our security procedures to consider appropriate new technology and methods. If you are a user of Brightleaf Services and require additional information about our security measures, please contact our Privacy Officer, Samir Bhatia at email@example.com.
Data Breach and Security Incident Handling Procedure
Working in conjunction with other functions, the IS Coordinator is responsible for coordinating the generation, operation, and maintenance of documented incident response procedures setting out the actions to be taken when reported information security events are found to relate to security incidents, including for example the proper investigation and collection of forensic evidence and escalation to specialists and management as appropriate.
Any privacy data breach or security event should be reported to firstname.lastname@example.org as soon as practicable after it occurs. To this end, employees, vendors, and users will be made aware of the correct procedure for noting and reporting security events as part of the standard information security induction training and security awareness processes.
Depending on the severity of the security event notified, the Functional Owners/IS Coordinator will initiate suitable incident response processes and engage, call out or inform relevant parties (Steering Committee/Core Team).
Where customers, suppliers, partners, regulators, or other third parties are impacted by, or otherwise need to be informed about, breach/security incidents, the decision to notify them will be ratified by the most appropriate manager (e.g. the Steering Committee Coordinator) or management committee (Security Committee). Relevant internal functions listed above will normally be consulted beforehand, along with those responsible for external communications such as Public Relations.
Following serious security incidents, asset owners in conjunction with the IS Coordinator and others are responsible for reviewing their risk management requirements to identify whether further control improvements are justified. Asset owners are also responsible for reporting serious incidents promptly and accurately to the Steering Committee, detailing the severity of any losses, identifying the root cause/s, and describing the remedial actions taken or necessary to prevent recurrence.
What Information Do We Disclose to Third Parties?
Brightleaf’s Disclosure of Personal Information: Brightleaf reserves the right to share your Personal Information with our third-party business partners who may provide goods or services that are related to our business or that form a component of our Services. Notwithstanding the foregoing, Brightleaf reserves the right to disclose any information Brightleaf collects in connection with the Website, without further notice to you (a) to any successor to Brightleaf’s business as a result of any merger, acquisition or similar transaction; and (b) to any law enforcement or regulatory authority to the extent required by law or if, in Brightleaf’s reasonable discretion, such disclosure is necessary to investigate fraud or any threat to the safety of any individual, to protect Brightleaf’s legal rights or to protect the rights of third parties.
Anonymous, Aggregated Information: We may disclose Aggregate Information to third parties such as business partners to describe our business and operations, and otherwise to operate and develop Brightleaf’s business. Google has access to certain Aggregate Information pursuant to the Website’s use of Google Analytics, described above.
Privacy terms for services that our customers provide to you
Some of our customers (for example, law firms) use our Services to create pages that they distribute to their clients and prospective clients. In such instance, that customer may post on such page or in the space below additional privacy terms regarding how they will use any Personal Information, Aggregated Information, or Contributed Information.
How Can You Opt-Out of Use and Disclosure of Your Information?
If you would like your Personal Information removed from our mailing list or database, please contact our Privacy Officer, Samir Bhatia at [email@example.com]. In the event of any such removal, Brightleaf may retain copies of the information for its archives.
Access and Updating of Information
You can update your information by using the profile editing tools on the Website. Brightleaf will respond to any reasonable request by a user to review or amend his or her Personal Information held in our mailing list or database. Brightleaf reserves the right to verify your identity in order to provide such access. Please contact us by sending an email to our Privacy Officer, Samir Bhatia at [firstname.lastname@example.org].
Effective Date of this policy: OCTOBER 1, 2014
Last Updated: May 11, 2021
Revision history: Added section for “Data Breach and Security Incident Handling Procedure”