Privacy Policy- Business Clients

Privacy Policy – Business Clients & Marketing Integrations

Last Updated: July 20, 2025

1. Introduction

This Privacy Policy explains how BRILU collects, processes, stores, and protects marketing data when providing services to business clients, in compliance with GDPR (Regulation (EU) 2016/679), the Digital Services Act, and the ePrivacy Directive.

This policy applies specifically to business clients who integrate BRILU’s marketing analytics platform and API services.

By using BRILU’s business services, you agree to the terms of this Privacy Policy and acknowledge your responsibilities as a Data Controller.

Company Information:

Legal Entity: SC GEMSYA SRL
Registration Code: 47654397
Address: Bucharest, 122 Mihai Bravu, Romania
Data Protection Officer: [email protected]

2. GDPR Roles & Data Processing Relationship

2.1 BRILU as Data Processor (Article 28 GDPR)

BRILU acts as a Data Processor when processing marketing data on behalf of business clients. Our role includes:

Marketing Analytics Processing:

Processing marketing KPIs from integrated platforms (Facebook, Google, LinkedIn, TikTok, email)
Generating AI-powered analytics and insights
Creating automated reports and dashboards
Providing cross-platform attribution analysis
Audience segmentation and performance optimization

Technical Processing Services:

API data retrieval and synchronization
Data transformation and normalization
Real-time analytics processing
Automated report generation
Campaign performance monitoring

2.2 Client as Data Controller (Article 24 GDPR)

Business clients act as Data Controllers and are responsible for:

Legal Basis and Consent:

Determining purposes and means of End User data processing
Obtaining necessary consents from End Users for marketing tracking
Providing transparent privacy notices to End Users
Ensuring lawful basis for marketing data collection across all platforms

End User Rights Management:

Responding to End User data subject requests (access, deletion, rectification)
Managing consent withdrawal and opt-out requests
Providing End Users with clear information about BRILU’s role as Data Processor
Maintaining records of consent and legal basis documentation

Platform Compliance:

Ensuring compliance with Facebook/Meta, Google, LinkedIn, and TikTok policies
Managing platform-specific consent requirements
Coordinating cross-platform data usage permissions

2.3 End Users (Data Subjects)

End Users are individuals who interact with Client’s websites, apps, or marketing campaigns. BRILU processes their data only on behalf of and as instructed by the Client.

Important: End Users must contact the Client (Data Controller) directly for rights requests. BRILU assists Clients in fulfilling these requests as required under our Data Processing Agreement.

3. Marketing Data We Process

3.1 Business Client Account Data (BRILU as Controller)

Account Management:

Company information and authorized contact details
Account credentials and user access permissions
Platform integration settings and API configurations
Billing and subscription information
Support communications and technical assistance records

3.2 End User Marketing Data (BRILU as Processor)

BRILU processes the following End User data solely as a Data Processor on behalf of business clients:

Facebook/Meta Business Integration:

Campaign Performance Data:

Ad campaign metrics (impressions, clicks, conversions) – aggregated only
Ad spend and cost-per-result analytics
Campaign attribution and conversion tracking data
Custom audience performance metrics (no individual identifiers)
Instagram Business account analytics

Audience Insights:

Demographic data (age, gender, location) – aggregated and anonymized
Interest-based audience segments (no personal profiles)
Lookalike audience performance metrics
Conversion funnel analysis across Facebook and Instagram

Facebook Pixel Data:

Website conversion events (aggregated)
Custom conversion tracking
Dynamic product advertising performance
Cross-device attribution (anonymized)

Google Platform Integration:

Google Ads Performance:

Search advertising campaign metrics (aggregated)
Display and video campaign performance data
Shopping campaign analytics
Keyword performance and search term reports
Conversion tracking and attribution data

Google Analytics Data:

Website traffic and user behavior analytics (anonymized)
E-commerce conversion data (product performance only)
Audience segments and demographics (aggregated)
Goal completions and enhanced e-commerce metrics
Attribution modeling data

YouTube Analytics:

Video campaign performance metrics
Audience engagement and retention data (aggregated)
Channel performance analytics
Content performance insights

LinkedIn Campaign Manager Integration:

Professional Marketing Data:

Sponsored content performance metrics (aggregated)
Lead generation form analytics (when Client authorizes)
Professional audience insights (job title, industry, company size – aggregated)
Company page analytics and engagement metrics
InMail campaign performance (no message content)
Event promotion analytics

LinkedIn Audience Network:

Professional targeting performance
Industry benchmark comparisons (anonymized)
B2B conversion tracking
Professional demographic insights (aggregated)

TikTok Ads Manager Integration:

Video Marketing Analytics:

Video campaign performance metrics (aggregated)
Creative performance and engagement data
Hashtag and trend analytics
Audience demographics (age, gender, interests – aggregated)
Conversion tracking and attribution data
TikTok Spark Ads performance

Content Performance:

Video completion rates and engagement metrics
Trending content analysis
Audience behavior insights (anonymized)
Cross-platform content performance comparison

Email Marketing Platform Integration:

Campaign Analytics:

Email campaign performance (open rates, click rates, conversions – aggregated)
Automation workflow performance metrics
A/B testing results and optimization insights
Subscriber engagement analytics (no individual email addresses stored by BRILU)
Deliverability and reputation metrics

List Management Analytics:

Segmentation performance analysis
Engagement scoring and lifecycle tracking
Churn prediction and retention metrics
Cross-channel attribution with email touchpoints

3.3 Comprehensive Funnel Analytics

Top of Funnel (TOFU) Metrics, Middle of Funnel (MOFU) Metrics; Bottom of Funnel (BOFU) Metrics; Retention & Post-Purchase Analytics:

3.4 AI-Enhanced Marketing Intelligence

Predictive Analytics:

Campaign performance forecasting across all platforms
Budget optimization recommendations
Audience expansion predictions
Seasonal trend analysis and planning
Cross-platform performance modeling

Automated Insights:

Anomaly detection in campaign performance
Competitive intelligence and market analysis
Creative performance optimization suggestions
Attribution model recommendations
ROI optimization across marketing channels

3.5 Data We Explicitly DO NOT Collect

Prohibited Data Types:

Sensitive Personal Data (health, financial, biometric, racial, political, religious)
Private messages or communications between businesses and customers
Individual browsing behavior on external platforms (only aggregated metrics)
Personal social media content, posts, or friend connections
Financial transaction details beyond aggregated revenue metrics
Precise geolocation data (only city/region level for analytics)

4. Legal Basis for Data Processing

4.1 BRILU’s Processing of Client Account Data (As Controller)

Contract Performance (GDPR Art. 6(1)(b)):

Processing necessary to deliver contracted marketing analytics services
Account management and billing operations
Technical support and customer service
Platform integrations and API access management

Legitimate Interest (GDPR Art. 6(1)(f)):

Platform security and fraud prevention
Service improvement and feature development
Business analytics for service optimization
Compliance monitoring and audit procedures

4.2 End User Data Processing (BRILU as Processor)

BRILU processes End User data solely based on Client’s lawful basis and instructions:

Client’s Responsibility to Establish Legal Basis:

Consent (GDPR Art. 6(1)(a)):

Client must obtain explicit consent for marketing tracking and analytics
Platform-specific consent for Facebook Pixel, Google Analytics, LinkedIn Insight Tag, TikTok Pixel
Cross-platform attribution and audience building consent
Email marketing and automation consent

Legitimate Interest (GDPR Art. 6(1)(f)):

Client may rely on legitimate interest for business analytics (with proper balancing test)
Website performance optimization and user experience improvement
Fraud prevention and security monitoring
Business intelligence and market research

Contract Performance (GDPR Art. 6(1)(b)):

Processing necessary to fulfill services to End Users
E-commerce transaction completion and customer service
Subscription management and account services

Important: BRILU processes End User data only as instructed by the Client and does not determine the legal basis independently. Clients must ensure they have appropriate legal basis for all requested processing activities.

5. Data Subject Rights & Responsibilities

5.1 Business Client Rights (BRILU as Controller)

As a BRILU business client, you have the following rights regarding your account data:

Access Rights (Art. 15):

Request copies of your account data and processing activities
Understand what marketing integrations are active
Review API access permissions and data flows
Access billing and subscription information

Rectification Rights (Art. 16):

Correct incorrect account information or integration settings
Update contact details and user permissions
Modify platform integration configurations
Correct billing and company information

Erasure Rights (Art. 17):

Request deletion of your account and associated data
Terminate all platform integrations and API access
Remove historical analytics and performance data
Cancel subscriptions and delete billing records

Other Rights:

Right to Object (Art. 21): Opt out of processing for direct marketing or legitimate interests
Right to Data Portability (Art. 20): Export account data and analytics in structured formats
Right to Restriction (Art. 18): Temporarily limit processing while disputes are resolved

5.2 End User Rights (Data Subjects)

Client’s Primary Responsibility: As the Data Controller, you must handle all End User rights requests directly. This includes:

Providing clear privacy information about BRILU’s role as Data Processor
Managing consent for all platform integrations and tracking
Responding to End User requests within GDPR timelines (30 days)
Maintaining records of all End User rights requests and responses

BRILU’s Support Role: We assist you in responding to End User requests within 30 days by providing:

Access Requests:

Aggregated marketing data related to the specific End User
Platform-specific analytics and performance metrics
Attribution data showing marketing touchpoints
Conversion tracking information (anonymized where possible)

Rectification Requests:

Correcting inaccurate data in our marketing analytics systems
Updating customer segmentation and audience data
Modifying attribution models and conversion tracking

Erasure Requests (“Right to be Forgotten”):

Deleting End User data from all marketing analytics systems
Removing from custom audiences across all platforms
Stopping all tracking and data collection for the individual
Purging historical analytics data related to the End User

Objection Requests:

Stopping processing of specific End User data for analytics
Removing from targeted advertising audiences
Excluding from cross-platform attribution analysis
Opting out of predictive analytics and AI insights

Portability Requests:

Exporting End User’s marketing interaction data in structured format
Providing attribution history and touchpoint analysis
Delivering audience segment and preference data

Critical Process: End Users must contact you (the Client/Data Controller) directly for rights requests. BRILU cannot process direct requests from End Users as we are acting as a Data Processor on your behalf.

6. Data Retention Policies

6.1 Client Account Data Retention

Active Service Period:

Account data maintained during entire service relationship
Integration settings and API configurations preserved
Performance analytics available for real-time reporting
User permissions and access controls maintained

Post-Termination Retention:

Account data: 12 months after service termination (for potential reactivation)
Billing records: 7 years for tax and accounting compliance (Romanian/EU law)
Support communications: 3 years for service improvement and legal compliance
Integration configurations: 6 months (for potential service resumption)

6.2 End User Marketing Data Retention (On Client’s Behalf)

Active Campaign Data:

Maintained during Client’s active service period
Real-time analytics and performance data available
Attribution models updated continuously
Audience segments refreshed according to platform policies

Historical Analytics Retention:

Aggregated performance data: Up to 36 months for trend analysis (completely anonymized)
Individual End User data: Maximum 24 months or until consent withdrawal
Platform-specific data retention:

Facebook/Meta data: 25 months (per Meta’s data retention policy)
Google Analytics: 14 months before automatic anonymization
LinkedIn data: 24 months for professional insights
TikTok data: 18 months for video marketing analytics
Email marketing data: 12 months for engagement analytics

Consent-Based Retention:

End User data deleted immediately upon consent withdrawal (as directed by Client)
Opt-out requests processed within 7 days across all platforms
Anonymization applied where deletion would compromise historical analytics

Compliance Retention:

API access logs: 12 months for security and audit purposes
Data processing records: 3 years for GDPR compliance demonstration
Consent management logs: 7 years for legal compliance (maintained by Client)

7. Data Security & Protection Measures

7.1 Marketing API Security

Platform Integration Security:

OAuth 2.0 Authentication: Secure token-based access to all marketing platforms
API Rate Limiting: Prevents unauthorized access and ensures platform compliance
Token Rotation: Automatic refresh of API access tokens every 60 days
Encrypted Token Storage: AES-256 encryption for all stored API credentials
Access Logging: Complete audit trail of all API interactions with timestamps

Multi-Platform Security:

Separate security contexts for each platform integration
Cross-platform data correlation without security compromises
Platform-specific security compliance (Facebook, Google, LinkedIn, TikTok standards)
Real-time security monitoring across all API connections

7.2 Data Storage & Transit Security

Encryption Standards:

Data at Rest: AES-256 encryption for all stored marketing data
Data in Transit: TLS 1.3 encryption for all API communications
Database Encryption: Encrypted MySQL/PostgreSQL databases with column-level encryption
Backup Encryption: All backups encrypted with separate key management
Key Management: Hardware Security Modules (HSM) for encryption key storage

Access Controls:

Role-Based Access Control (RBAC): Granular permissions for Client data access
Multi-Factor Authentication (MFA): Required for all admin and API access
IP Whitelisting: Restricted access from authorized locations and VPNs only
Session Management: Automatic timeout and secure session handling
API Access Control: Client-specific API keys with limited scope permissions

7.3 Infrastructure & Cloud Security

EU-Based Cloud Security:

Microsoft Azure EU (Netherlands, Germany): Primary data centers with GDPR compliance Google Cloud EU (Belgium, Finland): AI/ML processing with privacy controls
ISO 27001 Certified: All infrastructure providers maintain security certifications
SOC 2 Type II: Annual security audits and continuous compliance monitoring

Network & Application Security:

VPC Isolation: Dedicated virtual private clouds for each Client’s data
DDoS Protection: Advanced protection against distributed attacks and API abuse
Intrusion Detection: Real-time monitoring and automated threat response
Vulnerability Scanning: Weekly security assessments and automated patching
Application Security: OWASP Top 10 compliance and secure coding practices

7.4 Organizational & Operational Security

Staff Security & Training:

GDPR Training: Mandatory quarterly data protection training for all staff
Platform-Specific Training: Specialized training for Facebook, Google, LinkedIn, TikTok APIs
Confidentiality Agreements: Binding NDAs for all employees and contractors
Background Checks: Security clearance for staff with data access
Access Reviews: Monthly review and update of staff access permissions

Incident Response & Business Continuity:

24/7 Security Operations Center: Continuous monitoring and threat detection
Incident Response Team: Dedicated team for security incident handling
Client Notification: Immediate notification within 4 hours of discovery
Platform Notification: Automatic breach reporting to Facebook, Google, LinkedIn, TikTok
Recovery Procedures: Tested disaster recovery with 99.9% uptime SLA

8. Third-Party Data Sharing & Sub-Processors

8.1 No Data Sales Policy

Absolute Prohibition: BRILU does NOT sell, rent, lease, or commercialize any data:

Client business data and account information
End User marketing data and analytics
Platform performance metrics and insights
Cross-platform attribution and audience data

8.2 Marketing Platform Data Flow

Data Received FROM Platforms (Authorized by Client):

Campaign performance metrics and analytics (processed as Data Processor)
Aggregated audience insights (no individual identifiers)
Attribution data and conversion tracking (anonymized where possible)
Platform-specific KPIs and benchmarking data

Data Shared TO Platforms (Client-Authorized Only):

Campaign optimization settings and bid adjustments
Custom audience updates and lookalike audience creation
Conversion tracking configuration and attribution modeling
Cross-platform measurement and analytics setup

Strict Platform Access Control:

Access limited exclusively to Client-authorized data
No cross-client data sharing or benchmarking with identifiable information
Platform-specific data governance policies rigorously followed
Regular audit of platform access permissions and data usage

8.3 Authorized Sub-Processors (GDPR Article 28)

BRILU engages the following EU-based sub-processors under strict GDPR compliance:

Cloud Infrastructure Providers:

Microsoft Azure EU (Ireland, Netherlands): Primary data storage and processing
Amazon Web Services EU (Germany, Ireland): Analytics processing and AI/ML services
Google Cloud EU (Belgium, Finland): Machine learning and predictive analytics (with enhanced GDPR controls)

Security & Monitoring Services:

EU Cybersecurity Providers: 24/7 threat detection and incident response
Data Loss Prevention Services: EU-based DLP and compliance monitoring
Security Audit Firms: Annual penetration testing and security assessments

Support & Operational Services:

EU Customer Support: Business client technical assistance and troubleshooting
Legal & Compliance Consultants: EU-based legal counsel for GDPR and platform compliance
Data Processing Specialists: EU-based technical staff for complex integrations

Sub-Processor Guarantees:

All sub-processors have signed comprehensive GDPR-compliant Data Processing Agreements
Regular security and compliance audits of all sub-processor relationships
30-day advance written notice to Clients for any sub-processor changes or additions
Client right to object to new sub-processors with alternative solutions provided
Immediate termination clauses for non-compliant sub-processors

8.4 Client Responsibilities for End User Data

Consent & Transparency Obligations:

Obtain explicit, informed consent for data sharing with BRILU for analytics purposes
Clearly inform End Users about BRILU’s role as Data Processor in privacy notices
Ensure End Users understand AI-powered marketing optimization and cross-platform tracking
Maintain comprehensive consent records and honor withdrawal requests immediately
Provide End Users with easy opt-out mechanisms for all tracking and analytics

Platform-Specific Consent Requirements:

Facebook/Meta: Explicit consent for Facebook Pixel, custom audiences, and conversion tracking
Google: Consent for Google Analytics, Google Ads conversion tracking, and remarketing
LinkedIn: Professional tracking consent and B2B marketing analytics
TikTok: Video marketing analytics and creative performance tracking
Email Platforms: Marketing automation and cross-channel attribution consent

Prohibited Data Sharing:

End User personal data outside of specifically authorized analytics purposes
Cross-client benchmarking with any identifiable information
Platform data sharing beyond Client’s explicitly authorized scope
Any data usage that violates specific platform terms of service or privacy policies

9. International Data Transfers

9.1 EU Data Residency Priority

Primary EU Processing:

Marketing data stored and processed primarily in EU data centers
GDPR-compliant cloud providers with data residency guarantees
EU-based staff and operations for sensitive data handling
Local data processing wherever technically feasible

9.2 Platform-Specific Transfer Safeguards

Meta/Facebook Transfers:

EU-US Data Privacy Framework: Compliance with latest adequacy framework
Standard Contractual Clauses (SCCs): Additional contractual protections
Technical Safeguards: Encryption, pseudonymization, and access controls
Facebook’s GDPR Commitments: Leveraging Meta’s EU data protection measures

Google Platform Transfers:

Google’s Data Processing Amendment: Comprehensive GDPR protections
Google EU Data Centers: Priority processing in European facilities
Enhanced Privacy Controls: Advanced analytics configuration for EU compliance
Adequacy Decisions: Utilizing approved transfer mechanisms

LinkedIn Professional Data:

EU Data Residency Options: Utilizing LinkedIn’s European data centers where available
Professional Data Protections: Additional safeguards for B2B marketing data
Standard Contractual Clauses: Comprehensive legal protections for transfers

TikTok Commercial Data:

European TikTok Operations: Leveraging EU-based TikTok infrastructure
Data Localization Measures: Processing in approved jurisdictions
Enhanced Privacy Controls: TikTok’s evolving privacy and data protection measures

9.3 Transfer Decision Framework

Risk Assessment Process:

Evaluate necessity of each international transfer
Assess adequacy of destination country protections
Implement additional technical and organizational measures
Regular review of transfer agreements and safeguards

Alternative Processing Options:

EU-only data processing where technically feasible
Pseudonymization and anonymization before transfers
Aggregated analytics to minimize personal data transfers
Client choice in data processing jurisdictions

10. Marketing Platform Compliance

10.1 Platform-Specific Privacy Compliance

Facebook/Meta Business Compliance:

Platform Terms & Policies:

Meta Business Tools Terms: Full compliance with business data processing requirements
Facebook Marketing API Terms: Adherence to developer platform policies
Instagram Business API Terms: Commercial use compliance and privacy protections
Custom Audience Terms: Proper handling of audience data and matching

Privacy & Data Protection:

Meta’s Data Processing Terms: GDPR-compliant data handling
Facebook Pixel Privacy: Consent management and user control mechanisms
Conversion API Compliance: Server-side tracking with privacy protections
Audience Network Privacy: Cross-platform data usage restrictions

Google Platform Compliance:

Advertising & Analytics Terms:

Google Ads Data Processing Terms: Customer data protection and usage limitations
Google Analytics Terms of Service: Website analytics privacy compliance
Google Marketing Platform Terms: Cross-platform measurement restrictions
YouTube Terms of Service: Video marketing compliance and content policies

Privacy & Consent Framework:

Google’s EU User Consent Policy: Consent mechanisms for EU users
Google Analytics 4 Privacy Controls: Enhanced privacy features and data retention
Google Ads Data Usage Policies: Restrictions on personal data usage
Google Measurement Controller-Controller DPA: Shared responsibility framework

LinkedIn Professional Platform Compliance:

Developer Program Compliance:

LinkedIn Marketing Developer Platform Terms: API usage and data restrictions
LinkedIn Campaign Manager Terms: Professional advertising compliance
LinkedIn Data Processing Agreement: B2B data handling requirements
Professional Community Policies: Content and engagement standards

Member Privacy Protection:

LinkedIn Member Data Portability Policy: User rights and data access
Professional Data Usage Guidelines: Appropriate use of professional information
Audience Network Privacy Terms: Cross-platform professional data usage
InMail Privacy Compliance: Direct messaging and communication privacy

TikTok Business Platform Compliance:

Commercial Terms & Privacy:

TikTok Business Data Processing Addendum: Commercial data handling requirements
TikTok Ads Manager Terms: Video advertising compliance and restrictions
TikTok Developer Terms: API usage and integration requirements
Privacy and Data Protection Terms: User privacy and consent management

Content & Community Standards:

TikTok Community Guidelines: Content compliance for business accounts
Commercial Content Policies: Advertising and promotional content standards
Creator and Business Account Terms: Professional use restrictions and guidelines

10.2 Cross-Platform Data Coordination

Unified Privacy Management:

Consistent consent management across all integrated platforms
Harmonized data retention policies aligned with the most restrictive platform requirements
Synchronized privacy controls for cross-platform marketing campaigns
Integrated opt-out mechanisms affecting all marketing channels simultaneously

Attribution & Measurement Compliance:

Cross-platform attribution respecting each platform’s data usage restrictions
Unified measurement frameworks compliant with all platform policies
Consistent user identification across platforms while respecting privacy boundaries
Integrated conversion tracking with platform-specific privacy protections

11. AI System Transparency & GDPR Article 22 Compliance

11.1 Marketing AI Transparency (EU AI Act Compliance)

AI Disclosure Requirements:

All marketing recommendations clearly labeled as AI-generated
Campaign optimization suggestions include confidence levels and methodology explanations
Performance predictions marked with accuracy estimates and data quality indicators
Automated marketing decisions subject to human review and override capabilities

Explainable AI Implementation:

Detailed explanations available for all AI-driven marketing insights
Clear documentation of data sources used in AI model training
Transparent methodology for cross-platform attribution and audience analysis
Regular AI model performance reporting and bias detection

11.2 Human Oversight Mechanisms (GDPR Article 22)

Automated Decision-Making Safeguards:

High-impact marketing recommendations (budget changes >20%) require manual confirmation
Campaign performance alerts validated by human marketing experts before automated actions
AI-driven audience targeting decisions subject to human review and approval
Cross-platform optimization suggestions reviewed for business logic and brand safety

User Rights Under Automated Processing:

Right to Human Intervention: Clients can request human review of any AI-generated marketing decision
Right to Contest Decision: Challenge automated marketing optimizations and campaign changes
Right to Explanation: Detailed explanations of AI logic used in marketing recommendations
Right to Opt-out: Exclude specific campaigns or data from automated AI processing

11.3 AI Training & Model Development

Training Data Privacy:

AI models trained exclusively on aggregated, anonymized marketing data
No individual personal data used in machine learning model development
Cross-platform insights generated from statistical patterns, not individual profiles
Regular auditing of training data to ensure privacy compliance

Model Transparency & Bias Prevention:

Regular testing for discriminatory bias in marketing recommendations
Diverse training datasets to prevent unfair targeting or exclusion
Documentation of AI model decision-making processes for regulatory compliance
Ongoing monitoring of AI outputs for accuracy and fairness

12. Data Breach Notification & Incident Response

12.1 Marketing Data Breach Response Procedures

Immediate Response (0-24 hours):

Discovery & Assessment: Immediate evaluation of breach scope and affected data
Containment: Isolate affected systems and revoke compromised API access
Platform Notification: Immediate notification to Facebook, Google, LinkedIn, TikTok of any data compromise
Client Notification: Emergency contact within 4 hours of confirmed breach
Authority Preparation: Begin preparation of GDPR breach notification documentation

Short-term Response (24-72 hours):

GDPR Authority Notification: File with Romanian ANSPDCP within 72 hours maximum
End User Risk Assessment: Evaluate risk to End Users and prepare notification if required
Client Detailed Briefing: Comprehensive briefing on breach scope, affected data, and remediation steps
Platform Coordination: Work with platforms to implement additional security measures
Legal & Compliance Review: Assessment of regulatory obligations and potential impacts

Long-term Response (72+ hours):

End User Notification: Direct notification if high risk to End Users (coordinated with Clients)
Remediation Implementation: Permanent security improvements and vulnerability patching
Regulatory Cooperation: Full cooperation with supervisory authority investigations
Client Support: Ongoing support for Client’s own breach notification obligations
Process Improvement: Update incident response procedures based on lessons learned

12.2 Marketing-Specific Breach Scenarios

API Security Compromises:

Unauthorized access to marketing platform APIs or credentials
Compromise of cross-platform attribution data
Exposure of campaign performance metrics or client strategies
Unauthorized access to custom audience data or targeting information

Data Processing Incidents:

Accidental cross-client data exposure in analytics reports
Incorrect data sharing between integrated marketing platforms
Unauthorized processing of End User data outside approved parameters
AI model exposure of patterns that could identify individual users

Third-Party Platform Incidents:

Security incidents at Facebook, Google, LinkedIn, or TikTok affecting client data
API vulnerabilities or unauthorized access to platform-specific data
Data exposure through platform integrations or measurement tools
Cross-platform data synchronization errors or unauthorized sharing

12.3 Client Breach Support Services

Immediate Support:

Emergency technical support for immediate data protection measures
Assistance with Client’s own GDPR breach notification obligations
Coordination with platforms to implement additional security controls
Legal and compliance consultation for regulatory requirements

Ongoing Support:

End User communication templates and support for Client notifications
Regulatory authority liaison and coordinated response to inquiries
Technical forensics and detailed incident analysis reports
Implementation of enhanced security measures and monitoring

13. Marketing Platform Data Deletion & User Rights

13.1 Comprehensive Data Deletion Process

Automated Deletion Triggers:

Immediate deletion when Client revokes platform API access
Automatic deletion upon End User consent withdrawal (when notified by Client)
Scheduled deletion based on data retention policies
Emergency deletion for security or compliance reasons

Platform-Specific Deletion Procedures:

Facebook/Meta Data Deletion:

Custom audience removal from all Facebook and Instagram campaigns
Facebook Pixel data deletion and event tracking cessation
Conversion API data purging and tracking termination
Instagram Business data removal and account unlinking

Google Platform Data Deletion:

Google Analytics data anonymization and user deletion
Google Ads conversion tracking removal and audience list deletion
YouTube Analytics data purging for specified users
Google Marketing Platform data deletion across all connected properties

LinkedIn Professional Data Deletion:

LinkedIn Campaign Manager audience removal and data deletion
Professional insight data purging for specified individuals
Company page analytics data removal for deleted accounts
B2B marketing data deletion and professional profile unlinking

TikTok Commercial Data Deletion:

TikTok Ads Manager data deletion and audience removal
Video campaign analytics purging for deleted users
Creative performance data deletion and account unlinking
Commercial audience insights removal and data anonymization

13.2 End User Rights Fulfillment Process

Client-Coordinated Rights Management: As BRILU operates as a Data Processor, Clients must coordinate all End User rights requests. We provide comprehensive support:

Access Right Support (Article 15):

Generate comprehensive reports of all End User data across platforms
Provide cross-platform attribution history and touchpoint analysis
Export marketing interaction data in structured, human-readable formats
Include platform-specific analytics and performance correlations

Rectification Right Support (Article 16):

Correct inaccurate audience segmentation and demographic data
Update customer journey mapping and attribution models
Rectify cross-platform user identification and matching errors
Adjust predictive models and AI-generated insights

Portability Right Support (Article 20):

Export End User marketing data in JSON, CSV, or XML formats
Provide cross-platform attribution data and campaign interaction history
Include audience segment membership and preference data
Generate comprehensive marketing profile summaries

Objection Right Support (Article 21):

Remove End Users from all marketing analytics and performance tracking
Exclude from predictive modeling and AI-driven insights
Stop cross-platform attribution and journey mapping
Implement permanent opt-out across all integrated platforms

13.3 Platform Integration Deletion Compliance

Coordinated Platform Deletion:

Simultaneous deletion across Facebook, Google, LinkedIn, and TikTok
Cross-platform user identification to ensure complete removal
Verification of deletion completion across all integrated systems
Documentation of deletion process for regulatory compliance

Deletion Verification & Confirmation:

Technical confirmation of data removal from all platforms
Audit trail documentation for regulatory and client records
Verification that all derived insights and AI models are updated
Final confirmation certificate provided to Client and End User (upon request)

14. Contact Information & Support

14.1 Business Client Support

Data Protection Officer (Primary Contact):

Email: [email protected]
Address: SC GEMSYA SRL, Bucharest, 122 Mihai Bravu, Romania
Response Time: 72 hours for urgent requests, 5 business days for standard GDPR requests

Technical & Platform Support:

Email: [email protected]

14.2 Legal & Compliance

Supervisory Authority: Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

Website: https://www.dataprotection.ro
Email: [email protected]
Phone: +40 318 059 211
Address: B-dul Magheru nr. 28-30, Sector 1, București, Romania

14.3 Platform-Specific Support

Meta/Facebook Issues:

Facebook Business Help: https://www.facebook.com/business/help
Instagram Business Support: https://business.instagram.com/support
BRILU Integration Support: [email protected]

Google Platform Issues:

Google Ads Support: https://support.google.com/google-ads
Google Analytics Help: https://support.google.com/analytics
BRILU Integration Support: [email protected]

LinkedIn Business Issues:

LinkedIn Marketing Solutions: https://business.linkedin.com/marketing-solutions/support
BRILU Integration Support: [email protected] @brilu.ai

TikTok Business Issues:

TikTok Ads Manager Help: https://ads.tiktok.com/help
BRILU Integration Support: [email protected] @brilu.ai

15. Document Control & Updates

15.1 Version Control

Current Version: 2.0
Effective Date: July 20, 2025
Next Scheduled Review: January 30, 2026
Document Owner: Data Protection Officer ([email protected])

15.2 Update Notification Process

Client Notification (30 days advance notice):

Email notification to all registered business clients
In-platform notification for active users
Detailed summary of changes affecting data processing
Option to review and accept changes or terminate service

Regulatory Updates:

Immediate updates for legal compliance requirements
Platform policy changes affecting data processing
GDPR or other privacy law modifications
Emergency updates for security or compliance issues

15.3 Document Availability

Archive: Previous versions maintained for 7 years
Languages: Available in English and Romanian
Accessibility: WCAG 2.1 AA compliant format available upon request

This Privacy Policy demonstrates BRILU’s commitment to GDPR compliance and responsible data processing as a trusted Data Processor for business clients using integrated marketing platforms.

For questions regarding this policy or data processing practices, contact our Data Protection Officer at [email protected]