BrightRule UK GDPR · DPA 2018 · ICO guidance

Privacy notice

Last updated: 12 June 2026

Who we are

BrightRule (brightrule.co.uk) generates AI governance documents for UK small businesses. For anything in this notice, contact hello@brightrule.co.uk.

What we process, and why

When you complete the assessment, your answers — company name, sector, employee band, the AI tools you use, the categories of data they touch, and three yes/no questions about your practices — are sent to our server to score your risk profile and generate your documents. That is the only purpose. The lawful basis is legitimate interests: providing the service you have asked for.

What we don't do

  • We don't store your answers or your documents. They are processed in memory and returned to your browser; when the response is sent, they are gone.
  • We don't require an account, and we don't set cookies.
  • We don't sell or share your information with anyone for marketing.

Sub-processors

  • Anthropic — your assessment answers are sent to Anthropic's Claude API to draft your documents, under Anthropic's commercial terms and data processing addendum. API inputs are not used to train models.
  • Vercel — hosts this site and processes standard request data (such as IP addresses) to serve it, including privacy-friendly, cookie-less aggregate analytics.

Your rights

Because we keep no record of your assessment, there is normally nothing for us to access, correct or erase. You retain all rights under UK GDPR, and you can complain to the Information Commissioner's Office (ico.org.uk) if you believe we have handled your data improperly — though we'd appreciate the chance to put it right first.

Changes

If we add features that change what we process (for example, accounts or document storage), this notice will be updated before they launch.

← Back to BrightRule