Privacy Policy

Last updated: April 2025

Exigy Ltd. (the “Company”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal data processed through our BrightSpark HR web application. This Privacy Policy explains our role in processing data on behalf of our clients and how we safeguard such information to ensure compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws within the EU, as well as any equivalent data protection laws applicable in jurisdictions outside the EU.

For the purpose of this Privacy Policy:

“Personal Data” means any information relating to an identified or identifiable natural person as listed below.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller on that controller’s documented instructions.

“Data Subject” means any living individual whose personal data are processed by the data processor.

Roles and Responsibilities


Data Controller: Our clients determine the purposes and means of processing Personal Data using the BrightSpark product. They define how their employees’ and users’ data are managed within our product.

Data Processor: We provide a platform for our clients to manage their employees’ and users’ data and are responsible for processing Personal Data solely on behalf of our clients in the BrightSpark HR web application and strictly adhering to their instructions.

Sub-Processors: Third-party service providers who may be engaged by us to assist in fulfilling processing obligations.

What Personal Data do we Process?


The types of data processed within the BrightSpark HR web application depend on the configuration set by our clients. These may include without limitation:

  • Identity Data: First name, last name, employee ID, maiden name, also known as names.
  • Contact Data: Work email, personal email, phone numbers (work, mobile, home).
  • Employment Data: Employee code, job title, job history, performance evaluations, employment type, hire date, work location, reporting manager, teams, status.
  • Security & Login Data: Username, password, authentication logs, and access history.
  • Demographic Data: Gender, marital status, nationality, date of birth.
  • Identification Data: National ID, tax ID, passport number.
  • Social Media: LinkedIn, Facebook, Skype (if provided).
  • Document & Compliance Data: Training, disciplinary records, job positions, equipment issued, additional info, and performance reviews. Contracts and any documents the client uploads and attaches to an employee record.
  • Usage Data: Information about how users interact with the application.
  • Health-Related Data: Medical certificates, fitness-for-work declarations, and other occupational health records.
  • Criminal Records Data: Police conduct reports, background check results, or criminal offence data.

Exigy Ltd. does not collect or use this Personal Data for its own purposes. The Company processes Personal Data exclusively under the instructions of the Data Controller and does not process Personal Data beyond the scope of these instructions.

Cookies and Access Information


We use only Essential Cookies that are necessary for authentication and security. However, the BrightSpark HR web application allows authentication through third-party providers such as Google and Microsoft. These providers may collect and process additional cookies and access information in accordance with their respective privacy policies. We recommend reviewing their policies for more details on their data collection and usage practices.

Why do we Process this Information?


As a Data Processor of the BrightSpark HR web application, Exigy Ltd. processes Personal Data only as instructed by our clients for purposes including but not limited to:

  • Facilitating HR-related processes such as recruitment, leave management, employee training, employee data storing and processing, and performance reviews.
  • Enabling authentication and securing access to the application.
  • Enhancing user experience and maintaining platform functionality.
  • Supporting compliance with legal, regulatory and contractual obligations as required by the Data Controller.

What do we do with your information?


Exigy Ltd. does not sell, share, or use Personal Data for any purpose other than providing services to our clients. Personal Data is processed strictly according to the agreement with the Data Controller.

How long do we retain Personal Data?


The BrightSpark HR web application retains Personal Data for as long as is reasonably necessary to fulfil the purpose for which we have obtained it, and only for the duration specified by the Data Controller. The retention period may depend on:

  • The Data Controller’s policies and legal obligations.
  • Ongoing employee relationships.
  • Compliance with regulatory, auditing and security requirements.
  • BrightSpark offers every client the possibility to configure the number of years to retain data and when such data is anonymised or purged.

Once the contractual period ends, Exigy follows the Data Controller’s instructions regarding data deletion or transfer, ensuring compliance with applicable data protection legislation and contractual obligations.

Who will have access to your Personal Data?


Personal Data will be accessed by our employees only when necessary to fulfil their job responsibilities. Should the need arise, we may transfer your Personal Data to third parties in accordance with the purposes under this Privacy Policy. These third parties may be located in Malta or overseas. The destination countries may or may not have an equivalent level of protection for Personal Data. We take steps and measures to ensure that your Personal Data is securely transferred and that the receiving parties have in place an appropriate level of data protection standards or other derogations as allowed by law. We will request your consent where consent to cross-border transfer is legally required.

This will be done in accordance with data protection legislation, and arrangements are in place in order to guarantee the security and lawfulness of these transfers.

Security Measures


We understand the importance of safeguarding your Personal Data. As such, we are committed to protecting it by implementing appropriate security measures in line with confidentiality standards, to prevent loss, unauthorized access, destruction, use, alteration, or disclosure. Furthermore, we ensure that the collection, storage, and processing of your Personal Data, including physical security measures, adhere to the Company’s information technology security policies and guidelines.

Your rights as a Data Subject


Subject to applicable data protection legislation and exceptions thereof, you may have the following rights:

  1. Access: You may have the right to access or request a copy of the Personal Data that is being collected, used and disclosed about you.
  2. Rectification: You may have the right to have incomplete, inaccurate, misleading, or not up-to-date Personal Data that is collected, used and disclosed about you rectified.
  3. Data Portability: You may have the right to obtain and reuse Personal Data held about you for your own purposes across different services.
  4. Objection: You may have the right to object to certain collection, use and disclosure of your Personal Data.
  5. Restriction: You may have the right to restrict the use of your Personal Data in certain circumstances.
  6. Withdraw Consent: You have the right to withdraw your consent at any time in certain circumstances.
  7. Deletion: You may have the right to have your data erased, without undue delay, by the Data Controller if your Personal Data are no longer necessary in relation to the purpose for which it was collected or processed.
  8. Lodge a complaint: You may have the right to lodge a complaint to the competent authority where you believe the collection, use and disclosure of your Personal Data is unlawful or noncompliant with applicable data protection legislation.

As the Data Processor, Exigy does not have authority over data access, rectification, or deletion requests. Individuals seeking to exercise their rights under GDPR or any equivalent data protection laws should contact the respective Data Controller (their employer or organization).

Exigy will support Data Controllers in fulfilling these requests as required by applicable legislation.

Your rights to seek redress


If you believe your data protection rights have been violated, you should contact the Data Controller responsible for your data. The Data Controller may:

  • Address your concerns directly.
  • Escalate unresolved issues to the appropriate data protection authority within the relevant jurisdiction.
  • Request Exigy’s assistance in investigating and resolving the matter.

Changes to this Privacy Policy


We may update this Privacy Policy periodically to reflect changes in our services or legal requirements. Any changes will be communicated via the application or email to our clients.

Contact Details


For any inquiries about your Personal Data under this Privacy Policy, please contact us at Compliance@exigy.com