Legal

Privacy Policy

Last updated: March 15, 2026

We Are Singular, Lda, incorporated in Portugal (NIPC: PT513858512), is the data controller for personal data collected through Broodnet. Contact: humans@broodnet.com

Data we collect

  • Account and Organisation Information: Such as your email address, display name, organisation name, chosen subdomains, and records of terms acceptance or optional marketing consent.
  • Service and Mailbox Data: Details of the mailboxes and related resources you provision, including their addresses, display names, token hashes, and associated configuration.
  • Email Content and Metadata: The headers, body (text/HTML), and routing metadata of the emails received by your mailboxes. This content is stored on our EU infrastructure and protected at rest.
  • Authentication and Technical Data: Session identifiers, authentication provider identifiers, and technical data needed to authenticate users, secure the service, and troubleshoot issues.
  • Profile Image Lookup Data: When you register or update your profile, your browser may query Gravatar using a one-way SHA-256 hash of your email address to check whether a profile image exists.
  • Usage Data: We use self-hosted, cookie-less analytics (Umami) to understand traffic and improve the service in aggregate. We also use self-hosted infrastructure monitoring (Beszel) to track server health metrics such as CPU, memory, and disk usage. Neither tool sets cookies, neither shares data with third parties, and all data remains within our private Hetzner infrastructure in the EU.
  • Billing Data: We store your current subscription plan and status. Actual payment processing and payment credential storage are handled securely by our provider (Polar) under their own privacy policy.

Our role: controller and processor

Broodnet acts as the data controller (GDPR Art. 4(7)) for your personal account data — your email address, display name, authentication details, and organisation information. We determine the purposes and means of processing this data to provide and secure the service.

When handling email content that flows through your mailboxes, Broodnet acts as a data processor (GDPR Art. 4(8)) on your behalf. You (or your organisation) are the controller of that content, and we process it solely according to our service terms and your instructions. For B2B customers requiring a formal Data Processing Agreement, contact humans@broodnet.com.

Lawful basis for processing

  • Consent (GDPR Art. 6(1)(a)) — optional marketing emails where you explicitly opt in. Promotional emails are only sent with your explicit consent, which is separate from your acceptance of these service terms. You may withdraw consent at any time (see “Your rights” below), after which we will stop sending marketing communications without affecting the lawfulness of processing before withdrawal
  • Contract (GDPR Art. 6(1)(b)) — account data, organisation data, mailbox data — necessary to provide the service
  • Legitimate interest (GDPR Art. 6(1)(f)) — security, abuse prevention, service reliability, and privacy-friendly self-hosted analytics
  • Legal obligation (GDPR Art. 6(1)(c)) — billing record retention (10 years from the end of the fiscal year, Portuguese tax law)

How we treat email content

We treat stored message content and related metadata as confidential. We make the following binding commitments under GDPR Art. 5(1)(b) (purpose limitation):

  • No secondary use. We will never use your email content to train machine-learning models, algorithms, or artificial intelligence systems — whether ours or anyone else’s.
  • No sale or monetisation. We will never sell, license, or otherwise monetise your email content or metadata. This is not something we plan to avoid — it is something we will never do.
  • No third-party access. Email content is processed exclusively on our own infrastructure (Hetzner, EU). It is never transmitted to, shared with, or made accessible to any third party for any purpose other than delivering the service.
  • Automated processing only. The only processing that occurs on email content is performed by automated systems as part of normal service operation — spam filtering, antivirus scanning, message routing, storage, and delivery. No human at Broodnet has access to the content of your emails. Our systems are designed so that operational staff can see metadata (sender, recipient, timestamps, delivery status) but not message bodies or attachments.
  • Purpose-limited. We process email content solely for the purpose of providing, securing, and maintaining the Broodnet service. Any processing beyond this narrow scope would require your explicit, informed consent.

These commitments apply regardless of the lawful basis under which processing occurs.

Security

We implement technical and organisational measures to protect your data:

  • Encryption in transit: All connections to our mail server use strict TLS. IMAP access requires TLS — plaintext connections are rejected. SMTP transport between mail servers uses opportunistic TLS with strict enforcement where supported.
  • Encryption at rest: Email content and attachments are stored on encrypted volumes on our Hetzner infrastructure in the EU. See data residency for geographic guarantees and our Hetzner DPA.
  • Access controls: Administrative access to mail infrastructure is restricted to authorised personnel via key-based SSH authentication. No Broodnet staff has access to the content of your emails — only automated systems process message bodies and attachments. See How we treat email content for the full commitment.
  • Infrastructure monitoring: We use self-hosted monitoring (Beszel) to track server health and detect anomalies. All monitoring data remains within our private infrastructure. See our breach notification policy for how we respond to incidents.

Service providers and third parties

  • Hetzner Online GmbH — infrastructure hosting (Germany, DPA in place)
  • Polar — payment and billing processing (their privacy policy and DPA apply)
  • Google — OAuth authentication (Standard Contractual Clauses)
  • GitHub — OAuth authentication (Standard Contractual Clauses)
  • Gravatar — optional avatar lookup operated by Automattic (USA), performed from your browser using a one-way SHA-256 hash of your email address

We also run self-hosted tools (Umami for analytics, Beszel for infrastructure monitoring) entirely within our Hetzner infrastructure. These are not sub-processors — we operate them ourselves, no data leaves our private network, and no third party has access.

For the complete list with applicable safeguards and data transfer mechanisms, see our sub-processors table.

Data retention

  • Account and organisation data: retained until account deletion, after which data is deleted or anonymised as appropriate
  • Mailbox and related service data: retained until the mailbox or organisation is deleted
  • Email content: retained until the mailbox or organisation is deleted, unless earlier removal is requested or required. Upon mailbox deletion, all email content is permanently erased from live systems. We do not retain email content beyond deletion without a specific legal requirement (GDPR Art. 5(1)(e))
  • Backups: We maintain encrypted daily backups of our infrastructure with a rolling 7-day retention window. When you delete data from the live service, that data may persist in backups for up to 7 days before being rotated out. Backup data is used exclusively for disaster recovery
  • Session and authentication data: retained according to the session lifecycle and removed on expiry, sign-out, or account deletion
  • Usage analytics and technical logs: retained only for as long as reasonably necessary to operate, secure, and improve the service
  • Billing and tax records: retained for as long as required by applicable law, with a minimum 10-year retention from the end of the fiscal year as mandated by Portuguese tax law

Your rights

Because we are based in the EU, the GDPR governs our data processing. We extend these rights to all our users, regardless of your country of residence.

You have the right to access, rectify, erase, and port your personal data; to restrict or object to processing; to withdraw consent for marketing at any time; and to lodge a complaint with a supervisory authority. For the full list with applicable GDPR articles and exercise procedures, see GDPR & Data Processing.

Submit requests to humans@broodnet.com. We respond within one month (GDPR Art. 12(3)).

Law enforcement requests

We may disclose data we hold if required by applicable Portuguese, EU, or other binding law, regulation, court order, or lawful request from a competent authority. Any such disclosure is limited to what is legally required and technically possible within our systems.

We will proactively report to relevant authorities — without waiting for a formal request — any evidence of child sexual abuse material (CSAM) or other content that constitutes a serious criminal offence under applicable law. Account data and all available metadata will be provided in full in such cases. This is not discretionary.

Broodnet is not an anonymity service. Accounts are associated with the identity information provided at registration — such as an email address or OAuth provider account — and we maintain the link between an account, its organisation, and its mailboxes. We do not verify identity beyond what authentication providers supply, but we are required by applicable law to respond to lawful requests with the data we hold.

Supervisory authority

Because we are incorporated in Portugal, our Lead Supervisory Authority is the CNPD (Comissão Nacional de Proteção de Dados). However, you have the right to lodge a complaint regarding the processing of your personal data with the CNPD or the relevant national data protection authority in your country of residence within the EU.

International transfers

All primary data is stored on Hetzner servers in the EU (Germany) — see data residency for details. No data is transferred outside the European Economic Area for primary operations.

Some supporting services we use, such as Google and GitHub for OAuth, Polar for billing, and Gravatar (operated by Automattic, USA) for optional avatar lookups, may involve processing outside the European Economic Area under their own terms, safeguards, and privacy policies. The Gravatar lookup is initiated by your browser and sends only a one-way SHA-256 hash of your email address — no other personal data is transmitted.

Cookies

We set strictly necessary authentication cookies. See our Cookie Policy for details.

Children

Broodnet is not directed at individuals under 16. We do not knowingly collect personal data from children.

Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect.