
GDPR Compliance Policy

Effective date: 7 October 2025

1. Introduction

This GDPR Compliance Policy outlines the principles and practices adopted by Bright on Analytics Ltd dba Trampolin.ai and Insights ("Company," "we," "us," or "our") to comply with the EU General Data Protection Regulation (GDPR) where it applies to our processing of personal data (e.g., when we offer services to, or monitor the behavior of, individuals in the EEA/UK). This Policy applies to all personal data we collect, process, or store in connection with Trampolin.ai and our product Insights.

2. Data Controller

Trampolin.ai acts as the data controller for the personal data described in this Policy.

3. Data Protection Officer

We have appointed a Data Protection Officer (DPO). You can contact the DPO at [email protected] for any inquiries or concerns related to data protection.

4. Legal Bases for Processing

We process personal data only where at least one of the following legal bases applies:

  • Consent: You have given valid consent to the processing.
  • Contract: Processing is necessary to enter into or perform a contract with you.
  • Legal Obligation: Processing is necessary to comply with a legal obligation.
  • Vital Interests: Processing is necessary to protect someone's vital interests.
  • Public Interest/Official Authority: Processing is necessary for tasks carried out in the public interest or under official authority.
  • Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, unless overridden by your interests or fundamental rights and freedoms.

5. Data Subject Rights

Subject to applicable law, you have the right to:

  • Access your personal data;
  • Rectify inaccurate or incomplete data;
  • Erase your data (right to be forgotten);
  • Restrict processing under certain conditions;
  • Object to processing, including direct marketing and, where applicable, processing based on legitimate interests;
  • Data Portability for certain data you provided to us;
  • Withdraw Consent at any time where processing is based on consent (without affecting the lawfulness of processing before withdrawal).

We will facilitate the exercise of these rights in line with GDPR. Requests can be made via [email protected]. We may need to verify your identity before responding.

6. Data Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. No system is 100% secure; however, we continually assess and improve our safeguards.

7. Personal Data Breach Notification

If a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the appropriate supervisory authority without undue delay and, where required, affected individuals in accordance with GDPR Articles 33 and 34.

8. International Data Transfers

Where personal data is transferred outside the EEA/UK, we ensure an adequate level of protection through mechanisms such as:

  • An adequacy decision for the destination country;
  • Standard Contractual Clauses (SCCs) and, where relevant, additional safeguards;
  • Other appropriate transfer tools permitted by GDPR.

We assess transfer risks and safeguards consistent with applicable guidance.

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, or reporting requirements, resolve disputes, and enforce agreements. Retention periods are determined by the nature of the data, our operational needs, and applicable regulatory/limitation periods. When a retention basis no longer applies, we will delete or irreversibly anonymize the data.

Contact & Device Identifiers

To the extent permitted by applicable law, we may retain contact identifiers (e.g., email addresses, including hashed versions) and device/browser identifiers (including IP addresses and browser fingerprints) even after account closure or an erasure request, where retention is necessary for one or more of the following legitimate purposes:

  • Security & fraud/abuse prevention (e.g., threat detection, account take-over prevention, rate-limit enforcement);
  • Suppression/opt-out management (to ensure we do not send communications to users who have opted out);
  • Compliance with legal obligations (e.g., tax/book-keeping) and establishment, exercise, or defense of legal claims;
  • Audit, incident investigation, and service integrity.

Where feasible, we will minimize and pseudonymize (e.g., hash) such identifiers and periodically review whether retention remains necessary. Typical retention windows are:

  • operational security/fraud logs: up to 24 months after the relevant event;
  • suppression/opt-out records: as long as needed to honor the opt-out;
  • legal/compliance records: for the applicable statutory period.

Nothing in this Section limits your statutory rights (e.g., access, objection, restriction, or erasure) where no overriding legal basis applies. Where we rely on the above legitimate purposes to retain limited identifiers, we will restrict processing to those purposes only.

10. Privacy by Design & by Default

We embed data protection principles into product and process design, ensuring data minimization, purpose limitation, access controls, and privacy-friendly defaults throughout the data lifecycle.

11. Training & Awareness

We provide periodic GDPR and privacy training to relevant personnel and maintain internal policies and procedures to support ongoing compliance and accountability.

12. Policy Review

We review and update this Policy regularly to reflect changes in laws, guidance, or our processing activities.

13. Contact Information

For inquiries, requests, or concerns related to GDPR compliance, please contact:

Email: [email protected]
Web: www.trampolin.ai

Address for notices:
Bright on Analytics Ltd
Unit 1603, 16th Floor, The L. Plaza, 367–375 Queen's Road Central,
Sheung Wan, Hong Kong

14. Governing Law & Jurisdiction

This GDPR Compliance Policy is governed by the laws of the Hong Kong Special Administrative Region (HKSAR), without regard to conflict-of-laws rules. The courts of Hong Kong SAR have exclusive jurisdiction over disputes arising from or related to this Policy, without limiting our commitments to comply with GDPR where it applies.

Company Details

Bright on Analytics Ltd
Incorporation Number: 3306969
Business Registration Number: 75597563
Unit 1603, 16th Floor, The L. Plaza, 367–375 Queen's Road Central,
Sheung Wan, Hong Kong

Note: This Policy explains how we meet GDPR obligations where applicable. It does not grant additional rights beyond those provided by law, nor does it create a contract.
