Brief & Bright.

1. Introduction

HB Advocates LLP ("HB Advocates", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect when you visit the Brief & Bright legal intelligence platform (the "Service"), how we use it, and your rights with respect to that information.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

a) Information You Provide Voluntarily

• Display name: When you post a comment on the Bright Question, Perspectives Debate, or Legal Tracker discussion threads, you may optionally provide a name. If you leave the field blank, your comment is attributed to "Anonymous".
• Email address: If you subscribe to our newsletter, your email address is submitted to our notification worker (Cloudflare Worker) and used solely to send you Brief & Bright updates. We do not share it with third parties for marketing purposes.

b) Automatically Collected Information

• User-generated content: Comments, poll responses, perspective-debate votes, brief endorsements, article likes, "deeper dive" requests, and tracker discussion posts are stored in our Firebase Realtime Database (Google LLC) along with a timestamp. Comments are publicly visible to all readers.
• IP addresses & request metadata: Firebase and Cloudflare may log IP addresses and request metadata for security and abuse-prevention purposes. We do not actively query or export these logs.

c) Push Notification Tokens

If you enable push notifications, your browser generates a unique FCM device token (via Firebase Cloud Messaging). This token is transmitted to and stored by our Cloudflare Worker so that we can deliver legal-update notifications to your device. The token identifies your browser or device but does not by itself reveal your identity. You may revoke this at any time by disabling notifications in the Service settings or in your browser.

d) Local Browser Storage

To remember your preferences without requiring a login, we store the following data locally in your browser using localStorage:

• Poll and debate vote choices (to prevent duplicate voting)
• Bookmarked articles and brief endorsements
• Read-receipt and UI-state flags (e.g., last-seen content timestamp)
• A random anonymous session ID used to track your single vote in debates

This data never leaves your device unless you explicitly submit an action (e.g., posting a comment), at which point only the submitted content is sent to our servers.

3. How We Use Your Information

• Display & interaction: Comments and poll results are displayed publicly as you intend when you submit them.
• Newsletters: Your email address is used to send you Brief & Bright issues and legal-update notifications. Each email includes an unsubscribe mechanism.
• Push notifications: Your FCM token is used exclusively to send you push notifications when new content is published, provided you have opted in.
• Analytics & improvement: We use Firebase Analytics to understand aggregate reader engagement (e.g., which sections are most visited). Analytics data is not linked to individual identities.
• Deeper analysis requests: If you request a full analysis of a brief, your request is counted anonymously. If our team follows up, they will do so via publicly available contact channels.

4. Cookies and Similar Technologies

We do not use tracking cookies for advertising or profiling. Firebase SDKs may use localStorage and IndexedDB for SDK-internal state (e.g., authentication tokens and offline caching). These are functional in nature and are not used to serve targeted advertisements.

If you use the Service through a browser that restricts these storage mechanisms, some interactive features (such as real-time poll updates) may not function correctly.

5. Data Sharing and Third-Party Services

We do not sell, rent, or trade your personal data. Data is shared only with the following service providers, strictly for the purposes described above:

• Google LLC (Firebase): Realtime Database, Cloud Messaging, and Analytics. Governed by Google's Privacy Policy and the Firebase Data Processing Terms. Data may be processed in the United States or other regions where Google operates servers.
• Cloudflare, Inc.: Our Cloudflare Worker handles email subscription registrations and FCM token storage. Cloudflare may process data through its global network. Governed by Cloudflare's Privacy Policy.
• Email delivery: Newsletter emails may be routed through a transactional email provider. Recipient email addresses are shared only to the extent necessary to deliver the message.

We require all third-party providers to handle data securely and in accordance with applicable law.

6. Your Rights Under Kenyan Data Protection Law

Under the Data Protection Act, 2019 (Kenya) and the Data Protection (General) Regulations, 2021, you have the following rights with respect to your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data where we have no lawful basis to retain it.
• Right to object: Object to processing of your data for certain purposes (e.g., direct marketing).
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to withdraw consent: Where processing is based on consent (e.g., push notifications, newsletter), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at info@hbadvocatesllp.com. We will respond within the timescales required by applicable law (generally 21 days).

7. Data Retention

• Comments, votes, and likes: Retained indefinitely as part of the public engagement record of each edition, unless you request deletion.
• Email addresses: Retained until you unsubscribe or request deletion. Unsubscribing removes your address from future sends; to request permanent deletion of your record, contact us at the address below.
• Push notification tokens: Retained until you disable push notifications via the Service (which triggers deletion from our Cloudflare Worker), the token is invalidated by your browser, or you request manual deletion.
• Local storage data: Retained in your browser until you clear your browser data or uninstall the application. We have no server-side copy of this data.

8. Data Security

We implement industry-standard technical measures to protect your data, including TLS encryption in transit, Firebase Security Rules to restrict database access to intended operations, and Cloudflare's security infrastructure. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

9. Children's Privacy

The Service is intended for legal professionals, business leaders, and adults with an interest in legal affairs. It is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has submitted personal data to us, please contact us immediately so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we do, we will update the "Effective date" at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes are posted constitutes acceptance of the revised policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact our Data Protection contact at:

• Email: info@hbadvocatesllp.com
• Postal address: HB Advocates LLP, P.O. Box 23912-00100 Nairobi, Kenya

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (Kenya) if you believe your rights have been infringed.