GDPR & Data Processing

Last updated: March 15, 2026

This page serves two audiences: individual users exercising their GDPR rights, and B2B customers evaluating Broodnet’s data handling practices.


Your rights under GDPR

  • Right of access (Art. 15) — request a copy of your personal data by emailing humans@broodnet.com
  • Right to rectification (Art. 16) — update your account info via settings, or contact us
  • Right to erasure (Art. 17) — delete your account from settings — see “Account deletion” below
  • Right to data portability (Art. 20) — request an export of your data in a machine-readable format
  • Right to restriction of processing (Art. 18) — request that we stop processing your data while a complaint is resolved
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent (e.g., marketing emails), withdraw it at any time without affecting the lawfulness of processing before withdrawal
  • Right related to automated decision-making (Art. 22) — you have the right not to be subject to decisions based solely on automated processing. Broodnet does not engage in automated individual decision-making or profiling as described in GDPR Art. 22

We respond without undue delay and normally within one month. If your request is particularly complex or you make multiple requests, the GDPR allows us to extend that period by up to two additional months, in which case we will inform you of the delay and the reason for it. Contact: humans@broodnet.com

For disputes arising from online contracts, EU consumers may also use the European Commission’s consumer redress platform at https://consumer-redress.ec.europa.eu/.

Account deletion procedure

When you delete your account (via account settings or by request to humans@broodnet.com):

  1. All mailboxes are deprovisioned from the mail server — emails are permanently deleted
  2. Sole-member organisations and their related resources are deleted; if you are the owner of an organisation with other members, you must transfer ownership or remove those members before using self-service account deletion
  3. Sessions, linked OAuth accounts, organisation memberships, API keys tied to deleted organisations, and mailbox records are removed as part of the deletion flow
  4. Your user record is retained only in anonymised form for audit and legal purposes
  5. Polar customer data is deleted or anonymised through Polar where supported; billing and tax records are retained for a minimum of 10 years from the end of the fiscal year as required by Portuguese tax law
  6. Deleted data may persist in encrypted daily backups for up to 7 days before being rotated out. Backup data is used exclusively for disaster recovery.
  7. Once the eligibility checks pass, the self-service deletion flow completes immediately in the Service, while any legal retention exceptions and the backup rotation window continue to apply

You can request deletion from the Account Settings page in the Broodnet app at any time, subject to the ownership constraint above.

Data residency

  • All user data, mailbox data, and email content are stored on Hetzner servers in the EU (Germany)
  • No data is transferred outside the European Economic Area for primary operations
  • Google (OAuth), GitHub (OAuth) and Polar (billing) operate under Standard Contractual Clauses (SCCs) for any data they process

Sub-processors

Processor             | Purpose                  | Safeguards
----------------------|--------------------------|-----------------------------------------------------------------------------
Hetzner Online GmbH   | Infrastructure hosting   | Germany, DPA in place
Polar                 | Payment processing       | Their DPA applies
Google                | OAuth authentication     | Standard Contractual Clauses (Module 2, C-to-P)
GitHub                | OAuth authentication     | Standard Contractual Clauses (Module 2, C-to-P)
Automattic (Gravatar) | Optional avatar lookup   | Browser-initiated request; SHA-256 hash only; Automattic privacy policy applies

Note on Gravatar: The Gravatar lookup is initiated by the user’s browser, not by our servers. Only a one-way SHA-256 hash of your email address is transmitted. We include Automattic here for transparency, even though no server-side data transfer occurs.

Breach notification

In the event of a personal data breach, we will:

  1. Notify the relevant supervisory authority (CNPD) without undue delay and where feasible within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
  2. Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34
  3. Document the breach, its effects, and the remedial actions taken

For B2B customers with a DPA in place, we will additionally notify you within the timeframe specified in your DPA.

Data Processing Agreement

For B2B customers who need a formal DPA, contact humans@broodnet.com. We can provide a signed DPA and, where relevant, EU Standard Contractual Clauses for international transfers.

Data Protection Officer

Although we are not required to appoint a Data Protection Officer under GDPR Art. 37, we have voluntarily appointed one to strengthen our compliance posture and provide a clear point of contact for data protection matters.

In accordance with GDPR Art. 37(4), our DPO can be reached at:

Jonathan Tavares
jonathan@wearesingular.com

The DPO monitors compliance with data protection obligations (Art. 39), advises on DPIAs, and acts as a contact point for the supervisory authority (CNPD).

Data Protection Impact Assessments

We assess new processing activities for risk as required by GDPR Art. 35. If we introduce high-risk processing beyond normal service operation (e.g., content scanning beyond spam filtering), we will conduct a Data Protection Impact Assessment before proceeding.