Brainstorm IT logoBrainstorm IT

Privacy Policy

Last Updated: February 2026

1. Introduction

Brainstorm IT ("we," "us," or "our") is a software development consulting company based in Manila, Philippines. We provide software development consulting services and embedded product teams to businesses worldwide.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website (bstormit.com) or interact with us through our contact form and scheduling tools. It applies to all visitors, prospective clients, and business contacts.

Brainstorm IT is the data controller responsible for your personal information as described in this policy. If you have questions or concerns about how we handle your data, please contact us using the details provided in the "Contact Us" section below.

2. Information We Collect

We collect only the personal information necessary to respond to your inquiries and evaluate potential project engagements. The categories of information we collect are:

Contact Form Submissions

When you submit our contact form, we collect the following information:

  • Your name
  • Your email address
  • Budget range (selected from a dropdown)
  • Project description (free-text field)
  • File attachments (optional; up to 3 files, maximum 5 MB total; accepted formats include PDF, PNG, JPEG, GIF, WEBP, DOC, and DOCX)

Calendar Scheduling Data

When you schedule a consultation call through our embedded Google Calendar, we collect:

  • Your name
  • Your email address
  • Your selected meeting time

Server Logs

Our hosting provider automatically collects standard server log information, which may include:

  • IP address
  • Browser type and version
  • Timestamps of page requests

What We Do Not Collect

We do not use cookies, analytics tools, or tracking pixels on our website. We do not engage in behavioral tracking or profiling of visitors.

3. How We Use Your Information

We use the personal information we collect to:

  • Respond to your inquiries submitted through our contact form
  • Evaluate potential projects and determine whether our services are a good fit for your needs
  • Schedule and conduct consultation calls
  • Communicate with you about our services, including follow-up correspondence related to your inquiry
  • Comply with applicable legal obligations, including tax, accounting, and regulatory requirements

4. Lawful Basis for Processing (GDPR)

For individuals located in the European Economic Area (EEA) and the United Kingdom, we process personal information on the following legal bases under the General Data Protection Regulation (GDPR):

  • Legitimate Interest (Article 6(1)(f)): We have a legitimate business interest in processing inquiries from prospective clients in a business-to-business context. This includes reviewing contact form submissions, evaluating project requirements, and responding to inquiries. We have assessed that this processing does not override your rights and freedoms given its limited scope and business nature.
  • Pre-Contractual Steps (Article 6(1)(b)): When your inquiry relates to a potential engagement, we process your information as necessary to take steps at your request prior to entering into a contract. This includes evaluating project scope, scheduling discussions, and preparing proposals.
  • Legal Obligation (Article 6(1)(c)): We may process your information where required to comply with applicable legal obligations, such as tax or accounting requirements.

5. Third-Party Service Providers

We use a limited number of third-party service providers to operate our website and communicate with you. These providers act as data processors on our behalf and process your information only as necessary to provide their services.

  • Resend (email delivery): We use Resend, a US-based email delivery service, to send emails generated by our contact form. Resend is SOC 2 Type II compliant and maintains a Data Processing Agreement (available at resend.com/legal/dpa).
  • Google Calendar (scheduling): We use an embedded Google Calendar widget to allow you to schedule consultation calls. Google processes the scheduling data in accordance with Google's Privacy Policy and the Google Workspace Data Processing Agreement.
  • Hosting Provider: Our hosting provider processes server logs as part of standard website hosting operations.

We do not sell, rent, or trade your personal information to any third party for marketing purposes or any other reason.

6. International Data Transfers

Brainstorm IT is based in the Philippines. The Philippines does not currently hold an adequacy decision from the European Commission under the GDPR. When we transfer personal data from the EEA or UK to the Philippines, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the appropriate safeguard for such transfers.

For data processed by Resend in the United States, transfers are covered under the EU-US Data Privacy Framework, to which Resend adheres. For data processed by Google, transfers are governed by Google's standard data processing terms, which incorporate SCCs and other approved transfer mechanisms.

We ensure that all international transfers of personal data are accompanied by appropriate safeguards to protect your rights and freedoms in accordance with applicable data protection laws.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this policy. Our retention periods are as follows:

  • Contact form submissions (no engagement): If your inquiry does not lead to a business engagement, we retain your information for 12 months from the date of submission, after which it is deleted.
  • Contact form submissions (leading to engagement): If your inquiry leads to a client relationship, we retain your information for the duration of the business relationship plus 6 years to comply with contractual and legal obligations.
  • Calendar scheduling data: We retain scheduling data for 90 days after the scheduled consultation call, after which it is deleted.
  • Server logs: Retention is determined by our hosting provider's standard policies.

We conduct an annual review of our retention periods to ensure they remain appropriate and that data is deleted when no longer needed.

8. Your Rights

Depending on your location, you may have specific rights regarding your personal information under applicable data protection laws.

European Economic Area and United Kingdom (GDPR)

If you are located in the EEA or UK, you have the right to:

  • Access the personal data we hold about you and receive a copy
  • Rectification of inaccurate or incomplete personal data
  • Erasure of your personal data ("right to be forgotten")
  • Restrict processing of your personal data in certain circumstances
  • Data portability to receive your data in a structured, commonly used, machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with a supervisory authority. For Germany, this is the Bundesbeauftragte fur den Datenschutz und die Informationsfreiheit (BfDI). For the UK, this is the Information Commissioner's Office (ICO).

Philippines (Data Privacy Act of 2012, RA 10173)

If you are located in the Philippines, you have the right to:

  • Access your personal information and be informed of how it is processed
  • Rectification of inaccurate or incomplete personal information
  • Erasure or blocking of personal information that is incomplete, outdated, false, or unlawfully obtained
  • Object to the processing of your personal information
  • Data portability to obtain your data in an electronic or structured format
  • Lodge a complaint with the National Privacy Commission (NPC) at privacy.gov.ph

California (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose about you
  • Delete personal information we have collected from you, subject to certain exceptions
  • Opt out of the sale of your personal information. We do not sell your personal information, so this right is already satisfied by default.
  • Non-discrimination for exercising your CCPA rights

To exercise any of these rights, please contact us at hello@bstormit.com. We will respond to your request within the timeframes required by applicable law (generally 30 days for GDPR requests and 45 days for CCPA requests). We may need to verify your identity before processing your request.

9. Children's Privacy

Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take prompt steps to delete that information. If you believe we have collected information from a child, please contact us at hello@bstormit.com.

10. Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using HTTPS/TLS across our entire website
  • Access controls to limit who within our organization can access personal data
  • Use of third-party service providers that maintain recognized security certifications (such as SOC 2 Type II compliance)

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your data, but we are committed to maintaining and improving our security practices.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws. When we make changes, we will update the "Last Updated" date at the top of this page and post the revised policy on our website.

For material changes that significantly affect how we process your personal information, we will make reasonable efforts to notify affected individuals where feasible, such as by posting a prominent notice on our website or sending an email to the address you provided.

We encourage you to review this policy periodically to stay informed about how we protect your information.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

To exercise your data subject rights (such as access, rectification, erasure, or portability), please send your request to the email address above. Include your full name and the email address associated with your inquiry so we can locate your data and verify your identity. We will acknowledge your request within 5 business days and provide a substantive response within the timeframes required by applicable law.

Book Your Free Strategy Call
Book Your Free Strategy Call

30 min • No commitment • Free