GDPR Compliance — broadable™
Legal

Your GDPR rights, clearly explained.

If you are based in the European Economic Area, United Kingdom, or Switzerland, the GDPR gives you specific rights over your personal data. This page explains how Broadable meets those obligations and exactly how to exercise your rights.

Last updated: 1 June 2025 · Applies to: EEA, UK, and Swiss residents using any Broadable product · GDPR queries: [email protected]
🇪🇺
GDPR compliant
We process EEA, UK, and Swiss personal data in accordance with the General Data Protection Regulation and applicable national laws.
⚖️
Lawful basis for everything
Every category of data we process has a documented lawful basis under Article 6 GDPR. Nothing is processed without a legal ground.
✉️
Rights exercised in 30 days
We respond to all data subject requests within 30 days as required. Email [email protected] with the subject "GDPR Request."
Plain-language summary

If you are in the EEA, UK, or Switzerland, the GDPR gives you eight specific rights over your personal data including the right to access it, correct it, delete it, and take it elsewhere. Broadable honours all eight. We only process your data when we have a lawful reason to do so. We use standard contractual clauses when transferring your data outside the EEA. You can contact us at [email protected] to exercise any right. You can also complain to your national data protection authority if you are not satisfied with our response.

Scope and applicability

This GDPR Compliance Statement applies to the processing of personal data of individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland who use any Broadable product or service, visit broadable.com, or whose data is processed by Broadable on behalf of a Broadable customer.

It supplements our Privacy Policy, which applies to all users globally. If you are not based in the EEA, UK, or Switzerland, the Privacy Policy governs your data rights. If you are based in those regions, both documents apply and this GDPR statement takes precedence on any point of conflict.

ℹ️
References in this document: "GDPR" refers to the EU General Data Protection Regulation (2016/679). "UK GDPR" refers to the retained version of the GDPR as it applies in the United Kingdom following Brexit. Both impose substantially the same obligations on us and substantially the same rights on you.

Data controller identity

For personal data collected directly from users of the Broadable platform (your account information, usage data, billing records, and communications), the data controller is:

Data controller details

Company name: CodEye Technologies Pvt Ltd

Trading as: Broadable™

Country of incorporation: India

Contact for data matters: [email protected]

Subject line for GDPR requests: GDPR Request

Broadable does not currently have a formally designated Data Protection Officer (DPO) as we fall below the thresholds that require mandatory DPO appointment under Article 37 GDPR. All data protection queries are handled directly by our privacy team at the contact above.

Where you use Broadable tools to collect personal data from your own customers, subscribers, or leads, you are the data controller for that customer data, and Broadable acts as a data processor on your instructions. This distinction is explained further in Section 7.

Lawful basis for processing

Under Article 6 GDPR, every processing activity requires a lawful basis. The following table documents the lawful basis we rely on for each category of processing:

| Processing activity | Lawful basis | GDPR article |
|---|---|---|
| Creating and managing your account | Contract — necessary to provide the Services you signed up for | Art. 6(1)(b) |
| Processing subscription payments and issuing receipts | Contract and Legal obligation — tax and financial record-keeping | Art. 6(1)(b) and 6(1)(c) |
| Sending transactional emails (receipts, renewal reminders, account alerts) | Contract — necessary to fulfil the service agreement | Art. 6(1)(b) |
| Sending marketing and promotional emails | Consent — you opted in at sign-up. Withdraw via the unsubscribe link in any email. | Art. 6(1)(a) |
| Platform analytics and usage improvement | Legitimate interests — improving our products in a way that does not override your privacy rights | Art. 6(1)(f) |
| Fraud detection, security, and abuse prevention | Legitimate interests — protecting the platform, other users, and our infrastructure | Art. 6(1)(f) |
| Responding to legal requests and court orders | Legal obligation — compliance with applicable Indian law and international cooperation obligations | Art. 6(1)(c) |
| Retaining financial records after account closure | Legal obligation — Indian tax regulations require 7-year retention of financial records | Art. 6(1)(c) |
ℹ️
Legitimate interests assessment: where we rely on legitimate interests, we have conducted a balancing test confirming that our interests do not override your fundamental privacy rights and freedoms. You have the right to object to processing based on legitimate interests at any time — see Section 4.

Your eight GDPR rights

The GDPR grants you eight specific rights over your personal data. Broadable honours all of them. Here is exactly what each right means and what applies in your situation:

👁️
Article 15
Right of Access
You can request a copy of all personal data we hold about you, including what it is, where it came from, how we use it, who we share it with, and how long we keep it. We provide this within 30 days at no cost.
✏️
Article 16
Right to Rectification
If any personal data we hold is inaccurate or incomplete, you can correct it directly in your account settings or ask us to update it. We action corrections within 30 days.
🗑️
Article 17
Right to Erasure
You can request the deletion of your personal data. We will comply unless we are required to retain it by law (such as financial records). Account closure triggers automatic deletion after 30 days.
⏸️
Article 18
Right to Restriction
You can ask us to restrict how we process your data while a dispute or accuracy concern is being resolved, rather than having it deleted immediately. During restriction, we store but do not actively use your data.
📦
Article 20
Right to Data Portability
You can request your personal data in a structured, machine-readable format (JSON or CSV) and transfer it to another service. You can also export directly from your dashboard at any time without contacting us.
🚫
Article 21
Right to Object
You can object to processing based on legitimate interests or for direct marketing at any time. For direct marketing, we will stop immediately. For other legitimate interests processing, we will stop unless we can demonstrate compelling grounds that override your rights.
🤖
Article 22
Rights on Automated Decisions
Broadable does not make solely automated decisions that produce significant legal or similarly significant effects on individuals. Our AI features assist you in creating content but do not make binding decisions about you without human review.
↩️
Article 7(3)
Right to Withdraw Consent
Where processing is based on your consent (such as marketing emails or analytics cookies), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew consent.

How to exercise your rights

To exercise any of the rights described in Section 4, email us at [email protected] with the subject line "GDPR Request". Include the following in your email:

  • Your full name and the email address associated with your Broadable account.
  • The specific right you are exercising (e.g. "I would like to exercise my right to access my personal data" or "I am requesting erasure of my account data").
  • Any additional context that helps us locate the correct data.

How we handle your request

  • Verification: we may ask you to verify your identity before we action your request to prevent unauthorised access to another person's data. This typically means confirming details that only the account holder would know.
  • Response time: we respond to all requests within 30 days of receipt. For complex requests we may extend this by a further 60 days, in which case we will inform you within the first 30 days and explain the reason.
  • No fee: there is no charge for exercising your rights. If a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to act, in which case we will explain our reasoning.
⚠️
Limitations on erasure: we are legally required to retain certain financial records for 7 years under Indian tax regulations. If you request erasure, we will delete all data we are not legally required to keep and will inform you of anything we are retaining and the reason why.

International data transfers

Broadable is operated from India. When we process the personal data of EEA, UK, or Swiss residents, this constitutes a transfer of personal data to a third country (India) under Chapter V of the GDPR.

India is not currently the subject of an EU adequacy decision. We therefore rely on the following transfer mechanisms to legitimise transfers of EEA personal data to India and to other countries where our sub-processors are located:

  • Standard Contractual Clauses (SCCs): we use the EU Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision 2021/914) as the primary transfer mechanism for transfers from the EEA to India and other non-adequate countries. These contractual safeguards bind us to GDPR-equivalent data protection standards.
  • UK International Data Transfer Agreement (IDTA): for transfers from the UK, we rely on the UK IDTA as approved by the UK Information Commissioner's Office, which provides equivalent protections for UK residents' data.
  • Supplementary measures: in addition to contractual safeguards, we implement technical measures including encryption in transit and at rest, access controls, and data minimisation to further protect transferred data.

You may request a copy of the applicable Standard Contractual Clauses by emailing [email protected] with the subject line "SCC Request."

ℹ️
Sub-processor locations: our key sub-processors include Stripe (US), Razorpay (India), Paddle (UK/US), Amazon Web Services (multiple regions), and Cloudflare (US). Each sub-processor is either in an adequate country, covered by SCCs, or covered by their own approved transfer mechanism. See Section 9 for the full sub-processor list.

Broadable as a data processor

When you use Broadable tools to collect, store, or process the personal data of your own customers, leads, or subscribers (for example, through contact forms, funnel opt-in pages, email lists, or testimonial collection forms), you are the data controller for that customer data. Broadable processes that data solely on your instructions and acts as your data processor under Article 28 GDPR.

As data controller, you are responsible for:

  • Having a lawful basis for collecting and processing your customers' personal data.
  • Providing your customers with a compliant privacy notice that covers data processed through Broadable tools.
  • Responding to data subject requests from your own customers relating to data you have collected through Broadable.
  • Ensuring that any personal data you import into or store within Broadable was collected lawfully and with appropriate consent where required.
  • Maintaining your own records of processing activities as required under Article 30 GDPR.

Broadable's obligations as your data processor are set out in our Data Processing Agreement (DPA), described in Section 8 below.

⚠️
If your customers make GDPR requests to you relating to data processed through Broadable (such as a request to delete their email address from your list), you can fulfil those requests directly within your Broadable account. If you need our assistance, contact [email protected] and we will help within 5 business days.

Data Processing Agreement

If you are subject to GDPR as a data controller and use Broadable as a data processor for your customers' personal data, Article 28 GDPR requires that a Data Processing Agreement (DPA) is in place between us.

DPA availability

Broadable's Data Processing Agreement is available to all customers who require it for GDPR compliance purposes. The DPA covers:

  • The subject matter, duration, nature, and purpose of the processing.
  • The type of personal data and categories of data subjects.
  • Our obligations as processor including technical and organisational security measures, sub-processor management, assistance with data subject requests, and breach notification.
  • Your rights as controller to audit and instruct us.

To request a copy of our DPA or to have one executed for your account, email [email protected] with the subject line "DPA Request" and your company name. We will respond within 3 business days.

For business customers in the EEA or UK who require a DPA but have not yet requested one, our standard Terms of Service and this GDPR statement together set out the processor obligations we commit to. A formal executed DPA is available on request at no charge.

Authorised sub-processors

As a data processor, we are permitted to use sub-processors only with your prior general or specific authorisation under Article 28(2) GDPR. By accepting our Terms of Service, you provide general authorisation for us to engage the sub-processors listed below.

We impose GDPR-equivalent contractual obligations on all sub-processors and remain fully liable to you for their performance. We will notify you of any material changes to our sub-processor list with at least 30 days' advance notice so you can object if needed.

| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, and database infrastructure for the Broadable platform | India, Singapore, US | SCCs / AWS DPA |
| Cloudflare Inc. | CDN, DDoS protection, bot mitigation, and DNS for all Broadable properties | US (global network) | SCCs / Cloudflare DPA |
| Stripe, Inc. | Payment processing for international transactions | US / Ireland (EEA) | SCCs / Stripe DPA |
| Razorpay Software Pvt Ltd | Payment processing for Indian transactions | India | Contractual safeguards |
| Paddle.com Market Ltd | Merchant of Record for select Broadable products | UK | UK IDTA / SCCs |
| Email delivery provider | Transactional and marketing email delivery | US | SCCs / provider DPA |

You may request an up-to-date sub-processor list at any time by emailing [email protected].

Data breach protocol

We take data security seriously. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we follow a structured response process in compliance with Articles 33 and 34 GDPR.

Our breach response obligations

  • Internal detection: we maintain security monitoring to detect breaches as quickly as possible. Our incident response process is initiated immediately upon suspected breach detection.
  • Supervisory authority notification: where we act as data controller and a breach meets the threshold under Article 33, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.
  • Individual notification: where a breach is likely to result in a high risk to affected individuals' rights and freedoms, we will notify those individuals directly without undue delay, as required by Article 34.
  • Processor notification to controller: where Broadable acts as your data processor and a breach involves your customers' data, we will notify you without undue delay and in any case within 48 hours of becoming aware, providing all information necessary for you to meet your own notification obligations.
🚨
If you suspect a breach involving your Broadable account, contact us immediately at [email protected] with the subject line "Security Incident." We treat all security reports as urgent and will respond within 4 hours during business hours.

Complaints and supervisory authorities

If you are not satisfied with how we have handled your personal data or a data subject request, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence under Article 77 GDPR. You do not need to contact us first, but we encourage you to do so and give us the opportunity to resolve your concern directly.

Key supervisory authorities

  • European Union: contact the data protection authority in the EU member state where you live or work. A full list of EU DPAs is available at edpb.europa.eu.
  • United Kingdom: the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.
  • Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
ℹ️
We prefer to resolve issues directly. Before filing a complaint with a supervisory authority, please contact us at [email protected] with the subject line "GDPR Complaint." We will acknowledge your complaint within 2 business days and provide a substantive response within 30 days. Most concerns can be resolved quickly and informally.

Contact us about GDPR

For all GDPR-related queries including data subject requests, DPA requests, sub-processor information, SCC copies, or complaints, contact us directly. We treat all GDPR correspondence as a priority.

📬
CodEye Technologies Pvt Ltd, trading as Broadable™
GDPR and data protection queries: [email protected]
Subject line: GDPR Request, DPA Request, SCC Request, or GDPR Complaint
Response time: 2 business days for acknowledgement, 30 days for substantive response.

This GDPR Compliance Statement forms part of the Broadable legal framework alongside our Privacy Policy, Terms of Service, and Cookie Policy. We review this statement at least annually and update it when our processing activities, transfer mechanisms, or sub-processors change materially.
