legal document
Privacy Policy
Last updated: 2026-05-30
This policy applies only to the Pulsar GRC landing page available at pulsar-grc.pl and pulsar-grc.com. It does not describe data processing inside the future Pulsar GRC application or the cooperating Crewshift app; those areas will be covered by separate implementation or contractual documents.
1. Data controller
The data controller is:
Brillnet - Piotr Adamski
ul. Sienkiewicza 73/6
90-057 Lodz, Poland
VAT ID/NIP: PL7321779060
REGON: 101551294
Contact for privacy matters: kontakt@brillnet-app.com.
2. Data we process
On the landing page we process only data needed for the website, contact handling, security, and analytics:
- data submitted through contact or early-access forms: full name, email address, organization name, subject, and message content,
- technical data related to form submission: IP address, request identifier, date and time, source host, page language, browser and device information,
- data needed to protect the form against abuse, including a Cloudflare Turnstile verification token when enabled,
- information about cookie preferences stored locally in the browser,
- Google Analytics 4 analytics data, only after analytics consent is granted,
- aggregated Vercel Web Analytics data, such as page views, referrers, country, operating system, browser, and device type, without Vercel Analytics cookies.
The landing page does not collect Pulsar GRC account data, payment data, your Organization's documents, audit data, risk registers, CAPA data, or data processed by the future application features.
3. Purposes and legal bases
| Purpose | Scope | Legal basis |
|---|---|---|
| Handling inquiries and early-access interest | Form data and technical submission data | Art. 6(1)(f) GDPR - legitimate interest in business correspondence; where an inquiry aims to enter into a contract: Art. 6(1)(b) GDPR |
| Protecting the website and forms against abuse | IP address, request data, Turnstile token, security logs | Art. 6(1)(f) GDPR - website security and anti-spam protection |
| Website traffic analytics | Google Analytics 4 identifiers and events | Art. 6(1)(a) GDPR - consent |
| Aggregated website traffic statistics | Anonymized or aggregated Vercel Web Analytics data without cookies | Art. 6(1)(f) GDPR - legitimate interest in measuring website performance and popularity |
| Remembering privacy choices | Cookie preference information in the browser | Art. 6(1)(f) GDPR - remembering the user's choice and demonstrating compliance |
| Establishing, pursuing, or defending claims | Correspondence and related technical data | Art. 6(1)(f) GDPR - protection of the controller's rights |
4. Recipients and processors
The list below applies only to the Pulsar GRC landing page. It is not the processor list for the future SaaS application.
| Entity | Landing-page role | Scope | Location / safeguards |
|---|---|---|---|
| Vercel Inc. | Website hosting, infrastructure, and privacy-friendly web analytics | Technical logs, HTTP request data, form function runtime, aggregated Vercel Web Analytics statistics | EU/USA; under the provider terms, including SCCs or other applicable transfer mechanisms |
| Cloudflare, Inc. | Form protection against spam and bots | Turnstile verification data, including token and request data | EU/USA; under the provider terms, including SCCs or EU-US Data Privacy Framework where applicable |
| Resend / Plus Five Five, Inc. | Contact form email delivery | Full name, email address, organization name, subject, message content, and technical delivery metadata | USA; Resend DPA, Standard Contractual Clauses, EU-US Data Privacy Framework or other applicable transfer mechanisms |
| Google LLC | Consent-based website analytics | Google Analytics 4 identifiers and events | EU/USA; EU-US Data Privacy Framework or other applicable transfer mechanisms |
Data may also be disclosed to public authorities or other entities where required by applicable law. A separate landing-page registry is available as the Processor List.
5. Transfers outside the European Economic Area
Some landing-page providers may process data outside the EEA. Where this happens, we rely on mechanisms allowed under GDPR, including adequacy decisions, the EU-US Data Privacy Framework, Standard Contractual Clauses, or other safeguards indicated by the providers.
Resend / Plus Five Five, Inc. is a US-based provider and acts as Brillnet's processor for form-message delivery and Brillnet-owned contact lists. We do not use open tracking or link-click tracking in those messages unless that feature is separately disclosed and has an appropriate legal basis.
6. Retention
| Category | Retention period |
|---|---|
| Form correspondence | Up to 24 months from the last contact, unless a longer period is needed to establish, pursue, or defend claims |
| Technical form data and security logs | For the period needed for security and diagnostics, usually no longer than 12 months |
| Cookie preferences in the browser | Until the user changes settings or the consent mechanism version changes |
| Google Analytics 4 data | According to GA4 retention settings; GA4 cookies may remain in the browser for up to 2 years unless deleted earlier |
| Aggregated Vercel Web Analytics data | According to Vercel's Web Analytics retention; the mechanism does not use cookies and identifies visitors through a short-lived request hash |
7. Your rights
You have the rights granted by GDPR, including:
- access to your data,
- rectification,
- erasure,
- restriction of processing,
- data portability where applicable,
- objection to processing based on legitimate interest,
- withdrawal of consent at any time where processing is based on consent.
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Requests can be sent to kontakt@brillnet-app.com.
You have the right to lodge a complaint with the President of the Polish Data Protection Office: uodo.gov.pl.
8. Cookies and similar technologies
Details about cookies, localStorage, and analytics are available in the Cookie Policy. You can change analytics consent through Cookie settings in the footer. Google Analytics 4 runs only after consent, while Vercel Web Analytics is used for aggregated traffic statistics without cookies.
9. Automated decision-making
The Pulsar GRC landing page does not make decisions based solely on automated processing that would produce legal effects or similarly significantly affect a user.
10. Policy changes
This policy may be updated when the landing page, contact form, technical providers, or legal requirements change. The current version is published on this page. Website use is also governed by the Terms of Service.
11. Contact
For privacy matters, contact kontakt@brillnet-app.com.