Privacy Policy
This Privacy Policy describes how LSports Data Ltd. ("Bringits", "we", "us"), a company organized under the laws of the State of Israel, processes personal data when you visit bringits.com, register for an account, or use the Bringits platform (the "Service"). It applies to processing for which Bringits is the controller.
For personal data that you submit to the Service or instruct the Service to process on your behalf (for example, content collected by the Service in response to your API requests), Bringits acts as your processor. That processing is governed by the Bringits Data Processing Addendum ("DPA"), incorporated by reference into the Terms of Service; this Privacy Policy does not describe it.
1. Personal data we collect
1.1 Account data
When you register for the Service, we collect:
- Email address — primary contact and login identifier.
- Company or team name — used as your tenant display name.
- Use-case selection — chosen from a fixed dropdown (e.g. e-commerce pricing, market research, SEO/SERP, ad verification, sports data, other) for product analytics and abuse prevention.
- Consent metadata — the version of the Terms of Service, AUP, and Privacy Policy you accepted, and the timestamp of acceptance.
- Authentication factors — password hash, optional TOTP secret, social-login identifiers (Google or GitHub) if you use single sign-on. Authentication is handled by our authentication provider (see Section 4).
1.2 Usage and operational data
While you use the Service, we automatically collect:
- Request metadata — tenant identifier, API token identifier (not the secret), timestamp, target hostname, response status code, request size, response size, geographic region.
- Dashboard activity — pages viewed, features used, errors encountered.
- Network identifiers — IP address, user agent, country derived from IP, for security and rate-limiting purposes.
- Server logs — diagnostic logs from our internal services for operational and security purposes.
We do not retain the content of API requests or responses beyond the time necessary to deliver them. Operational metadata (tenant ID, hostname, status, byte counts) is retained for billing, quota enforcement, and abuse investigation.
1.3 Billing data
Paid subscriptions are billed by Paddle.com Market Limited ("Paddle") as merchant of record. Paddle collects and processes your payment instrument, billing address, and tax-residency information directly. Bringits receives, from Paddle, limited billing identifiers (subscription ID, transaction ID, plan tier, last-four card digits, billing country) — never the full card number, CVV, or bank account number. See Paddle's privacy policy for details of their processing.
1.4 Marketing data (paid plans, post-Phase-1)
Once we enable our customer-relationship and product-analytics integrations (Phase 2), we will additionally process: lifecycle stage (Lead → Customer), email engagement (open/click on transactional and product emails you have not opted out of), in-product event data (signup, first API call, tier upgrade) for the purpose of measuring product activation and offering relevant assistance. These integrations are optional from your side: you can unsubscribe from non-transactional email at any time, and we will still deliver service-critical messages (billing, security, policy changes).
1.5 Cookies and similar technologies
On the public website (bringits.com) and the in-product dashboard, we set:
- Strictly necessary cookies — session, CSRF, and authentication tokens. These cannot be disabled without breaking the Service.
- Preference cookies — remember UI choices like theme.
- Analytics cookies (Phase 2 onwards) — first-party product analytics measured via Mixpanel, with IP-anonymisation applied.
We do not currently use third-party advertising or cross-site tracking cookies. A cookie banner is presented on first visit from EU/UK/Israel jurisdictions where legally required.
2. How and why we use personal data (purposes & legal bases)
For users in the European Economic Area, the United Kingdom, and jurisdictions with similar regimes, the following legal bases apply under Article 6 GDPR / UK GDPR. Where multiple bases could apply, we identify the primary one.
| Purpose | Categories used | Legal basis |
|---|---|---|
| Provide and operate the Service (authenticate you, route requests, enforce quotas) | Account, usage | Contract (Art. 6(1)(b)) |
| Bill you and collect payment | Account, billing | Contract (Art. 6(1)(b)) |
| Maintain security, prevent abuse, investigate suspected misuse | Account, usage, network | Legitimate interest (Art. 6(1)(f)) — protecting the Service and third parties |
| Comply with legal obligations (tax, law-enforcement requests, regulatory) | Account, billing | Legal obligation (Art. 6(1)(c)) |
| Send service-critical communications (billing, security, policy changes) | Account | Contract / legitimate interest |
| Send product updates and onboarding tips | Account, usage | Legitimate interest, with opt-out |
| Marketing emails to non-customers (Phase 2) | Contact form / waitlist data | Consent (Art. 6(1)(a)) |
| Product analytics on aggregated behaviour | Usage | Legitimate interest, IP-anonymised |
3. How we share personal data
We share personal data only with the following categories of recipients:
- Sub-processors — third-party service providers who process personal data on our instructions. The current list is in Section 4.
- Group companies — Bringits may share data internally with our parent and affiliated entities for shared administrative and security functions, under intra-group data transfer agreements.
- Professional advisers — accountants, auditors, lawyers, insurers, under appropriate confidentiality.
- Authorities — where we are legally required to respond to valid legal process from competent regulators or law-enforcement bodies. We push back on overbroad requests and, where permitted, notify the affected user.
- Successors — in connection with a merger, acquisition, financing, or sale of substantially all of our assets, on equivalent privacy terms.
We do not sell personal data within the meaning of the California Consumer Privacy Act, and we do not engage in "sharing" of personal data for cross-context behavioural advertising.
4. Sub-processors
We use the following sub-processors. Activating new sub-processors is treated as a material change to this Policy and triggers the notice procedure in Section 11.
4.1 Phase 1 (current)
| Sub-processor | Role | Hosting region |
|---|---|---|
| Frontegg Ltd. | Authentication, account management, M2M token issuance | EU (primary), US (DR) |
| Google Cloud Platform (Google LLC) | Service compute, storage, network | europe-west & israel-central |
| ClickHouse, Inc. (or self-hosted in GCP) | Operational analytics store for request metadata | europe-west / israel-central |
| Datadog, Inc. | Application logging, metrics, alerting | EU |
4.2 Phase 2 (planned)
| Sub-processor | Role | Hosting region |
|---|---|---|
| Paddle.com Market Limited | Merchant of record, billing, tax remittance | UK / EU / US (Paddle-managed) |
| HubSpot, Inc. | CRM, lifecycle marketing, customer-success workflows | EU |
| Mixpanel, Inc. | Product analytics | EU |
5. International transfers
Bringits is established in Israel, which the European Commission has recognized as providing an adequate level of data protection (Decision 2011/61/EU, reaffirmed). Transfers from the EEA to Israel therefore rely on this adequacy decision.
Where data is transferred to sub-processors located outside the EEA or the UK in jurisdictions without an adequacy decision (in particular, the United States for some Datadog and HubSpot facilities), we rely on the European Commission's Standard Contractual Clauses (2021/914) and, for UK transfers, the UK International Data Transfer Addendum, as the transfer mechanism. Where the recipient self-certifies under the EU–US Data Privacy Framework or its UK extension, that mechanism applies in addition.
Transfer-impact assessments are completed and refreshed for each sub-processor; the most recent assessment summary is available to our enterprise customers on request to privacy@bringits.com.
6. Retention
| Category | Retention |
|---|---|
| Account data | Lifetime of account, plus 90 days after deletion (for reactivation), then permanently deleted or anonymised. |
| Operational logs (request metadata) | 90 days rolling. After 90 days, only aggregated, non-identifying counts are retained. |
| Billing records | 7 years from the end of the relevant tax year, in line with Israeli and counterparty tax-record obligations. |
| Abuse-investigation records | 2 years from case closure. |
| Diagnostic application logs | 30 days rolling in Datadog. |
| Marketing engagement (Phase 2) | 3 years from last engagement, then deleted. |
7. Your rights
Depending on where you are located, you have some or all of the following rights in respect of personal data we hold about you as a controller:
- Access — confirm whether we process personal data about you and obtain a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion, subject to retention obligations in Section 6 and our legitimate basis for continued processing.
- Restriction — limit processing in defined circumstances.
- Objection — object to processing based on our legitimate interests; we will weigh your objection against those interests.
- Portability — receive a structured, machine-readable copy of data you have provided.
- Withdraw consent — for any processing based on consent, without affecting prior lawful processing.
- Complaint — lodge a complaint with your local data-protection authority. EU residents may complain to their national supervisory authority; UK residents to the ICO; Israeli residents to the Privacy Protection Authority.
To exercise any of these rights, email privacy@bringits.com from the email address associated with your account, or use the in-product data-export and delete-account controls (available in the dashboard account-settings page once that surface ships in P2). We respond within thirty (30) days; complex requests may take up to ninety (90) days, in which case we will tell you within the first thirty.
We may need to verify your identity before responding (typically by confirming control of the account email). For requests directed at personal data we process as a processor on behalf of a customer, we will refer you to that customer, who is the controller for that data.
8. Security
We maintain administrative, technical, and organizational safeguards appropriate to the sensitivity of the data we process, including: encryption in transit (TLS 1.2+) and at rest, role-based access control with audit logging, principle-of-least-privilege for production access, regular vulnerability scanning, and an incident-response process aligned with industry practice. No internet-facing system is perfectly secure, and we do not warrant that our safeguards will defeat every attack.
If you believe you have discovered a security vulnerability in the Service, please report it to security@bringits.com. We follow coordinated-disclosure practice and do not pursue legal action against good-faith researchers.
9. Children
The Service is intended for use by individuals aged eighteen (18) and above and by organizations. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected personal data from a minor, contact privacy@bringits.com and we will delete it.
10. Region-specific notices
10.1 California (CCPA / CPRA)
California residents have the rights described in Section 7 plus the right to opt out of the "sale" or "sharing" of personal information. As stated in Section 3, we do not sell or share personal information as those terms are defined in the CCPA / CPRA, and we do not use sensitive personal information for purposes other than as permitted under the statute. Categories of personal information collected and disclosed are reflected in Sections 1 and 3 of this Policy.
10.2 EU / EEA / UK
The legal bases for processing are listed in Section 2. Our EU / UK representative for the purposes of GDPR Article 27, where applicable, will be designated by notice once we determine the appointment is required for the volume and nature of EU/UK data we process; until then, you may contact us directly at the addresses in Section 12.
10.3 Israel
We comply with the Protection of Privacy Law, 5741-1981, and the Privacy Protection Regulations (Data Security), 5777-2017. The Service does not currently fall within the registration thresholds for a database under §8 of the Law that would require registration with the Privacy Protection Authority; we re-evaluate this position periodically.
11. Changes to this Policy
We may update this Privacy Policy from time to time. The current version is identified by the "Version" string at the top of this page. For material changes (new categories of personal data, new sub-processors, new purposes outside the original scope), we will notify you by email at least thirty (30) days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the change; if you do not accept, you may close your account under the Terms of Service.
12. Contact us
Bringits / LSports Data Ltd.
Privacy and data-subject requests:
privacy@bringits.com
Security reports:
security@bringits.com
Abuse reports:
abuse@bringits.com
General legal inquiries:
legal@bringits.com
Postal address and registered company details to be inserted on publication.