Privacy Policy - General

Last Updated: 20.07.2025

1. Introduction

This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website and use our AI assistant. We comply with strict European privacy legislation, including the General Data Protection Regulation (GDPR), Digital Services Act (DSA), and ePrivacy Directive.

BRILU is operated by SC GEMSYA SRL, a company based in Romania, and we take your privacy seriously. This policy applies specifically to individual users who visit our brilu.ai website and interact with our AI services.

By using our website and services, you agree to how we handle your personal information as described in this policy.

2. Who we are

SC GEMSYA SRL is the legal entity responsible for your personal data, making us the “Data Controller” under European law. This means we decide how and why your personal data is processed when you use our website and AI assistant.

Company details:

  • Name: SC GEMSYA SRL
  • Headquarters: Romania
  • Registration Code: 47654397
  • Address: Bucharest, 122 Mihai Bravu

Data Protection Officer (DPO):

3. What personal information we collect

We collect different types of information depending on how you interact with us:

a. Information you provide:

  • Contact forms: name, email, company, position, phone (optional), message content
  • Newsletter: email address, content preferences, subscription date (with consent)
  • AI Chat: name, email, company, questions asked and AI responses (stored temporarily), voluntary feedback (with consent)
  • User account: if you create an account – name, email, encrypted password, registration date

b. Technical information collected automatically:

  • Browsing data: IP address, browser type and version, operating system, device used
  • Behavioral data: pages visited, time spent on each page, traffic source (search engine, direct link), clicks, scrolls, interactions
  • Cookies and similar technologies: essential, analytical, marketing (with consent)
  • Session data: session ID, timestamps, authentication status

c. Information from third parties:

  • Facebook/Meta: through Facebook Pixel and API integration, we collect data about your interactions with our ads, conversions, and social media behavior
  • Google Analytics: traffic metrics, traffic sources, site behavior
  • Marketing partners: campaign data, conversions, attributions

d. What we DO NOT collect:

  • Sensitive data (health, financial, biometric, political, religious)
  • Detailed profiles without consent
  • Information from children under 13
  • Precise location data (GPS)

4. How we use your personal data

We use data for clear and justified purposes:

Service operations:

  • AI Chat: to answer questions, maintain conversation context, and improve AI algorithms
  • Technical information: website functionality, security, session management, abuse prevention, technical diagnostics
  • Contact forms: to respond to you and maintain interaction records for future support

Marketing and communication:

  • Newsletter: sending educational content, AI news, new features, events
  • Facebook/Meta integration: we use Facebook Pixel and API for:
      • Tracking conversions and measuring ad effectiveness
      • Retargeting and creating similar audiences
      • Retrieving campaign KPIs (impressions, clicks, conversions)
      • Optimizing advertising campaigns on Facebook and Instagram
  • Behavioral analysis: improving website and content, A/B testing, user experience optimization

Funnel tracking and marketing KPIs:

We process data about visitor actions and behaviors within our marketing funnel to analyze performance at each stage:

  • Conversion rates at each funnel step
  • Cost per acquisition and ROI by channel
  • Average time to conversion
  • Content engagement
  • Identifying bottlenecks and optimizing user journey

Legal compliance: meeting legal requirements in Romania and the EU (fraud prevention, intellectual property protection, accounting and tax obligations)

5. Legal basis for data processing

For each processing activity we have a legal basis:

Your consent (Art. 6(1)(a) GDPR):

  • Newsletter subscription
  • Analytical and marketing cookies (including Facebook Pixel)
  • Optional surveys and feedback
  • Contest or event participation

Legitimate interest (Art. 6(1)(f) GDPR):

  • AI assistant operation and service improvement
  • Security and fraud prevention
  • Customer support and technical assistance
  • Anonymous analysis for improvements
  • Marketing KPI retrieval for service optimization

Legal obligation (Art. 6(1)(c) GDPR):

  • Compliance with tax and accounting legislation
  • Security regulation compliance
  • Responding to competent authority requests

Contract performance (Art. 6(1)(b) GDPR):

  • Providing requested AI services
  • User account management

Right to withdraw: You can withdraw consent or object to legitimate interest processing at any time by contacting: [email protected]

6. Data sharing with third parties

Partners and service providers:

  • Facebook/Meta: for Facebook Pixel operation, KPI retrieval through API, and advertising campaign management
  • Google (Analytics, Ads): for web analytics and search campaigns
  • Cloud providers: AWS, Microsoft Azure, Google Cloud (all with EU servers)
  • Email marketing providers: for newsletter delivery (with adequate protection measures)
  • Payment processors: if we offer paid services (with end-to-end encryption)

We do not sell personal data

We do not sell, rent, or commercialize your personal data to third parties for profit. All sharing is exclusively for service provision or with your explicit consent.

Transfers for legal compliance:

  • Law enforcement authorities (upon legal request)
  • Legal advisors and auditors
  • In case of merger or acquisition (with data protection maintained)

7. International data transfers

EU processing:

Most data is processed on servers within the European Union (Germany, Ireland, Netherlands).

Transfers to third countries:

For certain services (Google Analytics, Facebook), data may be transferred to the USA with the following protections:

  • Facebook/Meta: Standard Contractual Clauses (SCCs) and additional technical measures
  • Google: Data Processing Amendment and enhanced privacy configurations
  • Other providers: only with adequacy certifications or SCCs

Additional protection measures:

  • Data encryption in transit and at rest
  • Data pseudonymization and minimization
  • Strict contractual agreements with processors

8. How long we keep data

We keep data only as long as necessary for declared purposes:

Retention periods:

  • AI conversations: anonymous patterns kept for a maximum of 2 years for service improvement
  • Contact forms: maximum 2 years from last interaction
  • Active clients: data kept up to 1 year after relationship ends
  • Newsletter: until unsubscription or 3 years of inactivity
  • Facebook/KPI data: 25 months (according to Meta policy)
  • Google Analytics: data anonymized after 14 months
  • Aggregated statistics: kept indefinitely (completely anonymous)
  • Cookies: between 1 and 24 months (depending on cookie type)
  • Security logs: 1 year for investigations
  • Legal compliance: 5-10 years (tax and accounting obligations)

Automatic deletion:

We have automated systems that delete or anonymize data upon expiration of terms.

Read here the “Data Deletion Instructions for Brilu.ai Users”.

9. Your rights under GDPR

You have the following rights regarding personal data:

Right to information and access (Art. 13-15):

  • Know what data we have about you
  • Request a copy of personal data
  • Learn how data is processed

Right to rectification (Art. 16):

  • Correct incorrect or incomplete data
  • Update outdated information

Right to erasure – “right to be forgotten” (Art. 17):

  • Request data deletion when no longer necessary
  • Withdraw consent for consent-based processing
  • Object to legitimate interest-based processing

Right to restrict processing (Art. 18):

  • In cases of dispute regarding data accuracy
  • When processing is unlawful but you don’t want deletion
  • For exercising legal rights

Right to data portability (Art. 20):

  • Receive data in structured, easily readable format
  • Transfer data to another service provider

Right to object (Art. 21):

  • To legitimate interest-based processing
  • To direct marketing (including profiling)
  • To processing for scientific research

Right not to be subject to automated decision-making (Art. 22):

We do not use automated decision-making systems that have legal effects or significantly affect you.

To exercise rights contact: [email protected] with proof of identity.

10. Data security

We implement advanced security measures:

Technical measures:

  • Encryption: TLS 1.3 for connections, AES-256 for storage
  • Controlled access: multi-factor authentication and role-based systems
  • Monitoring: 24/7 incident detection and response systems
  • Backups: encrypted and regularly tested
  • Updates: security patches applied promptly

Organizational measures:

  • Training: staff trained in data protection
  • Internal policies: clear data handling procedures
  • Regular audits: security measure assessments
  • Incident procedures: security breach response plan

Breach notification:

  • Authorities: ANSPDCP notification within maximum 72 hours
  • Users: informed without undue delay if high risk exists
  • Documentation: all incidents recorded and analyzed

11. Cookies and online tracking

Types of cookies used:

Essential cookies (no consent required):

  • Session and authentication: maintaining login status
  • Security: CSRF protection, rate limiting
  • Functionality: language preferences, interface settings

Analytical cookies (consent required):

  • Google Analytics 4: traffic measurement, sources, behavior (anonymized)
  • Internal analytics: site performance metrics

Marketing cookies (consent required):

  • Facebook Pixel: conversion tracking, retargeting, ad optimization
  • Google Ads: search campaign performance measurement
  • Newsletter tracking: opens, clicks in emails

Cookie control:

  • Consent banner: on first visit, with granular options
  • Browser settings: blocking or deleting cookies
  • Opt-out tools: Google Analytics Opt-out, Facebook Ad Preferences
  • Settings page: modify preferences anytime

Opt-out instructions:

  • Facebook: Facebook.com → Settings → Ads → Ad Preferences
  • Google: myaccount.google.com → Data & privacy → Ad personalization
  • Browser: privacy and cookie settings

12. Facebook/Meta integration and KPI retrieval

What data we share with Facebook:

Through Facebook Pixel and API, the following information is transmitted to Meta:

  • Browsing data: pages visited, site actions (with encrypted hashes)
  • Conversion data: form completions, newsletter subscriptions
  • Identifiers: email address in hash format for matching
  • Technical data: IP, browser, device (for fraud prevention)

What KPIs we retrieve from Facebook:

  • Campaign metrics: impressions, reach, clicks, CTR
  • Conversion data: number and value of conversions
  • Audience demographics: age, gender, location (aggregated level)
  • Creative performance: which ads perform best
  • Attribution data: Facebook’s contribution to conversions

Purpose of integration:

  • Measuring advertising effectiveness on Facebook and Instagram
  • Optimizing campaigns for better results
  • Retargeting users who visited the website
  • Creating similar audiences based on existing users

Your Facebook-related rights:

  • Opt-out of tracking: through Facebook Ad Preferences settings
  • View data: what information Facebook has about interactions with us
  • Deletion: request removal of data from Facebook about you related to brilu.ai

Important: Your activity on Facebook/Instagram itself is governed by Facebook’s Privacy Policy, not this policy.

13. Children’s privacy

Age restrictions:

  • Under 13: we do not knowingly collect data from children under 13
  • 13-16 years: requires parental consent for processing (per GDPR)
  • Over 16: can independently consent to data processing

Enhanced protection:

  • Additional checks to identify minor users
  • Special procedures for handling deletion requests
  • Restrictions on profiling and marketing to minors

If we discover children’s data:

  • Immediately delete the information
  • Notify parents if possible
  • Implement measures to prevent future collection

14. Policy updates

When we update:

  • Service changes affecting data processing
  • Changes in applicable legislation
  • Security measure improvements
  • User or authority feedback

How we inform you:

  • Email: notification to all registered users 30 days in advance
  • Website: banner on brilu.ai with new version
  • Effective date: clearly mentioned at top of policy

Version history:

We maintain a record of all previous versions for transparency and compliance.

15. Contact and complaints

Primary contact:

Data Protection Officer (DPO):

  • Email: [email protected]
  • Address: SC GEMSYA SRL, Bucharest, 122 Mihai Bravu
  • Response time: 5 business days for GDPR requests

Authority complaints:

If you believe we don’t respect your data protection rights, you can file a complaint with:

Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

  • Website: https://www.dataprotection.ro
  • Email: [email protected]
  • Phone: +40 318 059 211
  • Address: B-dul Magheru nr. 28-30, Sector 1, București, Romania

Alternative contact:

16. Explanatory terms

For clarity, here are explanations of technical terms:

  • Personal data: any information that can identify you directly or indirectly
  • Data processing: any operation on data (collection, storage, use, deletion)
  • Data controller: SC GEMSYA SRL – entity that decides purpose and means of processing
  • Data subject: you, the user whose data is processed
  • Consent: free, specific, informed, and unambiguous agreement to processing
  • Legitimate interest: justified business reason that doesn’t override your rights
  • Pseudonymization: replacing identifying data with artificial identifiers
  • Anonymization: irreversible removal of any identification possibility

17. Useful resources for data protection

GDPR information:

  • Official GDPR text: https://gdpr-info.eu/
  • European Commission guide: https://ec.europa.eu/info/law/law-topic/data-protection_en

Protection authorities:

  • Romania – ANSPDCP: https://www.dataprotection.ro/
  • European Data Protection Board: https://edpb.europa.eu/

User tools:

  • Google My Activity: myactivity.google.com
  • Facebook Ad Preferences: facebook.com/adpreferences
  • Cookie management: browser settings for cookie control

18. For the Privacy Policy for Business Clients, click here.

This policy is effective from July 20, 2025 and applies to all brilu.ai users. For questions or clarifications, don’t hesitate to contact us at [email protected].