Brilbook and GDPR

Last modified: April 22, 2024

As personal data is integral part of working with any solution in Brilbook, we ensure complete compliance and alignment to GSPR. 

Brilbook as data processor

The people you store in Brilbook as contacts are your data subjects, and you are considered the data controller for this personal data. In our Terms of Service and Privacy Policy, we refer to this data as client data.

Using the Brilbook app to manage your customers means that you have engaged Brilbook as a data processor to carry out certain processing activities on your behalf.

According to article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same article).

This is where our Data Processing Addendum (DPA), Terms of Service and Privacy Policy come in. These three documents serve as your data processing contract, setting out the instructions that you’re giving to Brilbook about processing the personal data you control and establishing the rights and responsibilities of both parties. Brilbook will only process your client data based on your instructions as the data controller.

Lastly, it is crucial to check Section 14.1 of our Terms of Service to see which Brilbook entity is your contractual partner.

All EU customers have a contractual relationship with our UK entity, based in London.

Data transfers

One topic that often comes up with customers is data transfers outside the EEA.
The GDPR establishes strict requirements for moving data outside its protection scope. This is only natural – otherwise, it would be impossible for the law to fulfil its purpose.

Who is responsible for meeting these data transfer requirements? As our EU customers have a legal relationship with our EU entity, this data transfer remains within the EEA. However, if Brilbook subsequently engages sub-processors outside the EEA, it is our job to ensure that we transfer the data lawfully.

We’ll keep an up-to-date list of sub-processors in our Sub-processors page to be fully transparent about these transfers. This list will also explain what data is involved and how we have ensured that the data is adequately protected even after it leaves the EEA.
We do this by ensuring that our third-party service providers have either certified under the EU-US Data Privacy Framework or signed the EU Commission’s standard contractual clauses for data transfers with us.

Brilbook as the data controller

Additionally, Brilbook acts as the data controller for the personal data we collect about you, the user of our web app, mobile apps and website.

First and foremost, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).

Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) – this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.
Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).

What are these “legitimate interests” we talk about?
•    Improving the app to help you reach new levels of productivity.
•    Making sure that your data and Brilbook’s systems are safe and secure.
•    Responsible marketing of our product and its features
Hopefully, this helps you to navigate the EU’s data protection requirements better. If you have any questions concerning the above, you’re welcome to reach out to us at, and we’ll do our best to explain things further.

What is Brilbook doing for the GDPR?

As a company with roots in UK, Brilbook is very much up to speed with the implications that the EU General Data Protection Regulation has for businesses.

We appreciate the privacy needs of Brilbook users as well as their customers and, as such, have implemented – and will continue to improve – technical and organizational measures in line with the GDPR to safeguard the personal data processed by Brilbook.

Internal processes, security, and data transfers

A large part of GDPR compliance is ensuring that procedures are in place and data processes are mapped and auditable. Therefore, we have added elements to our application development cycle to build features following the principles of Privacy by Design.

Any access to the client data that we process on your behalf is strictly limited. Our internal procedures and logs ensure that we meet the GDPR accountability requirements in this regard.

We have established a process for on-boarding third-party service providers and adopting tools that ensure that these third parties meet the high expectations that Brilbook and its customers have regarding privacy and security.

Readiness to comply with subject access requests

Data subjects’ ownership of their personal data is at the heart of the GDPR. We are therefore ready to respond to data subject requests to delete, modify, or transfer their data.

This means our customer support specialists and the engineers that assist them are well-prepared to help you in any matters involving your personal data, in addition to providing the fantastic customer support experience you’re accustomed to.


Our Terms of Service and Privacy Policy are constantly revised to increase transparency and ensure the documents meet GDPR requirements. As these are the basis for our relationship with you, we must comprehensively and openly explain our commitments and your rights in these documents.

Additionally, we’re constantly mapping all our data processing activities to be able to comply with the GDPR accountability requirements.


All of the above is supported by extensive training efforts within the company, ensuring the GDPR-compliant processes we’ve put in place are followed. For example, data privacy and security sessions are an integral part of our onboarding process, and each department receives training tailored to their work involving personal data.

Brilbook is firmly convinced that meeting GDPR requirements is much more than just checking off boxes in a list. For us, GDPR represents a lifestyle of respect for individuals' privacy and responsibility in handling personal data.