Broadpin Group Privacy Policy

Broadpin B.V. is the primary data controller for this corporate website and for global corporate operations. Broadpin B.V. determines the purposes and means of processing Personal Data in connection with the website, global communications, marketing activities, and group-level services.

Subsidiaries within the Broadpin Group may act as independent data controllers for local activities, or as joint controllers with Broadpin B.V. where activities are coordinated at group level. Additional details on roles and responsibilities can be provided upon request.

This Privacy Policy applies to the Personal Data we process when you visit our website, interact with us online or offline, or engage with Broadpin Group services. Region‑specific rights apply depending on your location, including GDPR/UK GDPR for users in the EU/EEA/UK and applicable state privacy laws for residents of the United States.

This Privacy Policy is provided in accordance with Articles 13 and 14 GDPR.

We may collect and process the following categories of Personal Data:

Identity & Contact Details

• First and last name

• Business address

• Email address

• Telephone number

• Job title

• Company name

Account, Transaction & Commercial Information

• Purchase history

• Billing details

• Payment information

• Contract records

Technical & Usage Data

• IP address

• Browser type and version

• Device information

• Website navigation behavior

• Cookies and tracking technologies

Marketing & Communication Preferences

• Subscription settings

• Lead generation data

• Engagement analytics

Personal Data Received from Other Parties

We may receive Personal Data from the following external sources:

• Storyblok – a content management platform acting as a processor, providing hosting, content delivery and limited analytics or interaction data related to content engagement.

• ZoomInfo – a business intelligence and B2B contact data provider acting as independent data source, supplying publicly available or commercially acquired business contact information.

• Eloqua (Oracle Eloqua) – a marketing automation platform acting as a processor, used to manage campaigns, lead scoring, and interaction analytics.

• Cookiebot – a consent management platform acting as a processor, recording user cookie consent choices and offering compliance ‑related data under ePrivacy/GDPR.

• Netlify – a web hosting and deployment platform acting as a processor, supplying technical logs, access records, and performance analytics for sites hosted on its infrastructure.

• LinkedIn, Facebook, Twitter/X, YouTube – social networking platforms acting as an independent controller providing limited engagement, interaction, or profile data according to users’ privacy settings.

• Dun & Bradstreet – a commercial data and business intelligence provider acting as an independent data source for business contact information and company-level insights.

• Leadinfo – a B2B visitor identification services acting as an independent data source, temporarily processing IP addresses (without storing them) to identify visiting companies.

• Joint marketing partners and event organizers – acting as independent controllers or joint controllers, depending on the context, providing business contact details and interaction data gathered through jointly organized events or initiatives.

When Personal Data is obtained from third‑party sources, Broadpin provides the information required under GDPR Article 14 within one month or at the time of first communication.

We may receive the following categories of data:

• First and last name

• Business address

• Email address

• Telephone number

• Job title

• Company affiliation

• Interaction and engagement data (depending on the service)

We process Personal Data for:

Service Delivery & Contract Fulfillment

• Managing customer accounts

• Providing services, support, and maintenance

• Processing orders and payments

• Managing project engagements

Business Operations

• Internal administration

• Financial recordkeeping

• Security and fraud prevention

• IT system management

Sales, Marketing & Communications

• Sending product updates, newsletters, and offers

• Conducting customer satisfaction surveys

• Personalizing digital experiences

• Improving website functionality and relevance

• In the EU/EEA, analytics cookies and tracking technologies are used only after obtaining consent where required under the ePrivacy Directive.

Regulatory & Legal Compliance

• Complying with tax, audit, and legal obligations

• Responding to lawful requests from authorities

• Complying with data protection and privacy laws, including GDPR/UK GDPR for users in the EU/EEA/UK and applicable state privacy laws in the United States.

• Handling data subject requests, including access, correction, deletion, objection, and opt‑out rights as required by applicable law.

• Managing security incidents and fulfilling breach notification obligations in accordance with applicable laws.

• Maintaining records of processing activities and retention schedules as required under applicable regulations.

AI, Analytics & Profiling

We may use Personal Data for the following purposes, in accordance with applicable data protection laws:

• Business analytics and forecasting (performed on aggregated or pseudonymized data where possible).

• Improving services and customer experience (based on interaction data, support history, or product usage metrics).

• Automated decision-making with safeguards (no decisions with legal or similarly significant effects are taken without human involvement, in line with GDPR Article 22).

• High-level profiling for marketing segmentation (limited segmentation such as categorizing users by industry, region, or interests; individuals may object to this processing at any time).

No decisions are made solely by automated means that produce legal or similarly significant effects without human oversight. Any automated tools used by Broadpin include human review and safeguards to ensure fairness, accuracy, and non-discrimination.

Individuals in the EU/EEA/UK have the right to object to profiling or automated processing based on legitimate interest and the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (GDPR Article 22).

Residents of the United States may have the right to opt out of profiling or automated decision-making under the CCPA/CPRA and other applicable state privacy laws.

We process Personal Data under:

A. Consent

We rely on consent for certain types of processing, including optional marketing communications, optional product updates, and the placement of non‑essential cookies.

In the EU/EEA, analytics and marketing cookies are processed only on the basis of user consent, in accordance with the ePrivacy Directive.

Consent may be withdrawn at any time, without affecting the lawfulness of processing prior to withdrawal.

B. Contractual Necessity

We process Personal Data where necessary to enter into or perform a contract with an individual or organization. Processing is carried out only to the extent necessary to provide the services or information requested by the individual.

C. Legal Obligations

We process Personal Data where necessary to comply with applicable laws and regulatory requirements. This includes obligations arising under data protection laws (such as GDPR/UK GDPR), financial regulations, corporate recordkeeping requirements, and applicable U.S. state privacy laws.

D. Legitimate Interests

We rely on legitimate interest for certain processing activities, including improving our operations, ensuring network and information security, conducting B2B marketing, and processing business contact data.

Individuals have the right to object to processing based on legitimate interest at any time, including objection to profiling for direct marketing purposes.

For existing customers, certain marketing communications may be sent based on legitimate interest (soft opt‑in), where permitted by applicable law.

E. Processing Based on Publicly Available or Commercially Obtained Data

We may process publicly available business contact information or commercially obtained data (e.g., from ZoomInfo, Dun & Bradstreet, or Leadinfo) based on our legitimate interest in conducting B2B sales and marketing activities. Individuals may object to this processing at any time.Where we rely on legitimate interest, we conduct a balancing test to ensure that our interests do not override the rights and freedoms of individuals. More information on these assessments can be provided upon request.

A. Broadpin Group Companies

We may share Personal Data among Broadpin Group entities for internal administration, service delivery, internal reporting, and group-level coordination.

Such sharing occurs to ensure consistent operations across Broadpin entities. When subsidiaries act as independent or joint controllers, data is shared only to the extent permitted by applicable law.

B. Service Providers (Processors)

We share data with trusted service providers that perform services on our behalf, including cloud hosting providers, CRM and marketing automation platforms, analytics services, IT support, and professional advisers.

All service providers act under strict contractual Data Processing Agreements (“DPAs”) that require confidentiality, implement appropriate security measures, and prohibit any use of Personal Data beyond providing services to Broadpin.

Where service providers are located outside the EU/EEA/UK/Switzerland, we implement appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs).

C. Legal and Governmental Authorities

We disclose Personal Data to authorities only when required by applicable law or valid legal process, and only to the extent strictly necessary.

D. Business Transfers

If Broadpin undergoes a merger, acquisition, or restructuring, Personal Data may be transferred as part of that transaction.

Where required by law, individuals will be informed of such transfers, and Broadpin will ensure that any successor continues to protect Personal Data in line with this Privacy Policy.

E. Joint Marketing Partners and Social Platforms

We may share limited business contact information or engagement data with joint marketing partners, event organizers, or social media platforms when coordinating co-branded events, webinars, or marketing activities.

These parties typically act as independent controllers. Any such sharing is limited, purpose-specific, and carried out in accordance with applicable law. Individuals may object to such sharing at any time.

F. No Sale or Sharing of Personal Data (United States)

We do not sell or share Personal Data as defined under the CCPA/CPRA or other applicable U.S. state privacy laws. If our practices change, we will provide clear notice and an opportunity to opt out.

As a global organization, Broadpin may transfer Personal Data to countries outside the EU/EEA, the United Kingdom, or Switzerland. These transfers occur when Broadpin Group entities or third‑party service providers are located in jurisdictions with different data protection frameworks.

International transfers may occur in connection with:

• Cloud hosting and infrastructure services (e.g., Netlify)

• Marketing automation tools (e.g., Oracle Eloqua)

• Commercial data sources (e.g., ZoomInfo, Dun & Bradstreet, Leadinfo)

• Content hosting and delivery (e.g., Storyblok)

• Group‑level operations between Broadpin entities

Where required, we rely on:

• EU Standard Contractual Clauses (“SCCs”) for transfers from the EU/EEA

Broadpin conducts assessments of international transfers and implements additional technical and organizational measures when necessary to ensure a consistent level of protection.

Some of our service providers are located in the United States, and we work with them under contractual and technical safeguards designed to meet European data protection requirements.

For U.S. residents, Personal Data may be stored or processed in any country where Broadpin or its service providers operate, in line with applicable state privacy laws.

Broadpin retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory requirements, to resolve disputes, and to enforce agreements.

Retention periods vary based on the nature of the data, the context in which it is processed, and applicable legal requirements. Where exact retention periods cannot be specified, Broadpin applies criteria such as contractual necessity, statutory retention obligations, and the relevance of the data to ongoing operations.

Examples include:

• Financial and tax records: retained in accordance with statutory requirements

• Contractual documentation: retained for the duration of the contract and an appropriate limitation period thereafter

• Marketing data: typically retained for up to 24 months of inactivity

• Cookie consent logs: retained for 12–36 months, depending on jurisdiction

Broadpin periodically reviews the Personal Data it holds and securely deletes or anonymizes information that is no longer required.

For residents of the United States, retention practices are aligned with applicable state privacy laws, which may require that Personal Data be retained only for as long as reasonably necessary for the disclosed purposes.

Broadpin implements appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure, in line with applicable data protection laws and industry standards.

These measures include:

• Encryption of data in transit and at rest, where appropriate

• Identity and access management controls, including role‑based access and multi‑factor authentication

• Continuous monitoring of networks and systems to detect and respond to potential threats

• Secure development and change‑management practices in line with industry standards

• Vendor risk assessments and contractual safeguards for third‑party service providers

• Incident detection and response procedures designed to contain and remediate security events

Access to Personal Data is limited to personnel and service providers who require it to perform their roles and are subject to confidentiality obligations.

Broadpin periodically reviews its security controls through internal assessments, audits, and testing to ensure their continued effectiveness.

In the unlikely event of a security incident involving Personal Data, Broadpin follows applicable legal requirements regarding investigation, mitigation, and notification.

Individuals have different privacy rights depending on their location. Broadpin will respond to all requests in accordance with the data protection laws that apply to each individual.

A. EU / EEA / DACH / Switzerland / UK (GDPR & UK GDPR)

Individuals located in the EU/EEA or the United Kingdom have the following rights:

• Right of Access – to obtain confirmation of whether we process Personal Data and to receive a copy.

• Right to Rectification – to correct inaccurate or incomplete Personal Data.

• Right to Erasure – to request deletion of Personal Data in certain circumstances.

• Right to Restriction – to request limited processing during specific periods or conditions.

• Right to Data Portability – to receive Personal Data in a structured, commonly used format.

• Right to Object – to object to processing based on legitimate interest, including profiling for direct marketing purposes.

• Right to Withdraw Consent – to withdraw consent at any time, without affecting prior processing.

• Rights Related to Automated Decision-Making – to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (GDPR Article 22).

• Right to Lodge a Complaint – with a supervisory authority, such as the Dutch AP, the UK ICO, or a local authority in the EEA.

B. U.S Residents (CCPA/CPRA and other state privacy laws)

Residents of California and other U.S. states with privacy laws may have the following rights:

• Right to Know / Access – to request information about the categories and specific pieces of Personal Data collected.

• Right to Correction – to request correction of inaccurate Personal Data.

• Right to Deletion – to request deletion of Personal Data, subject to legal exceptions.

• Right to Opt Out of Sale or Sharing – Broadpin does not sell or share Personal Data as defined under U.S. state privacy laws.

• Right to Opt Out of Targeted Advertising – to prevent use of Personal Data for cross‑context behavioral advertising.

• Right to Opt Out of Profiling or Automated Decision-Making – where applicable under state law.

• Right to Non‑Discrimination – for exercising privacy rights.

• Recognition of Global Privacy Control (GPC) – opt‑out signals sent by browsers or devices are honored where required by law.

Broadpin may need to verify an individual’s identity before responding to certain requests. We respond to all valid requests within the timeframes required by applicable law.

C. Canada (PIPEDA and Provincial Laws)

Residents of Canada may have the following rights under PIPEDA and applicable provincial privacy laws:

• Access – to request access to the Personal Data held about them.

• Correction – to request corrections to inaccurate or incomplete Personal Data.

• Withdrawal of Consent – to withdraw consent to processing, subject to legal or contractual restrictions.

• Explanations of Automated Decisions – to request information about automated decision‑making that has a significant impact, as required under Quebec Law 25.

Broadpin will respond to requests from Canadian residents in accordance with applicable federal and provincial privacy laws.

Individuals may exercise their privacy rights by contacting Broadpin through the channels listed below. We will handle all requests in accordance with applicable data protection laws.

To submit a request, individuals may contact us at:

Email: privacypolicy@broadpin.com

Postal: Broadpin B.V., Steenbergsestraat 49, 4611TD Bergen op Zoom

We may need to verify an individual’s identity before responding to certain requests, to ensure that Personal Data is not disclosed to an unauthorized party.

We aim to respond to all valid requests within one month, or within the timeframe required by applicable law. If a request is complex or we receive multiple requests from the same individual, we may extend the response period as permitted by law and will inform the individual accordingly.

Individuals in the EU/EEA/UK may also lodge a complaint with their local supervisory authority if they believe their rights have been violated.

U.S. residents may authorize an agent to submit certain requests on their behalf, subject to applicable verification requirements.

If you have questions about how to exercise your privacy rights, please contact us using the details above.

Broadpin uses cookies and similar tracking technologies to operate and improve the website, understand usage patterns, personalize content, and support analytics and marketing activities.

In the EU/EEA and the United Kingdom, non‑essential cookies (including analytics and marketing cookies) are used only after obtaining consent through our Consent Management Platform (CMP), in accordance with the ePrivacy Directive and GDPR. Users may withdraw or change their cookie preferences at any time via the CMP.

For U.S. residents in states with applicable privacy laws, individuals may opt out of certain types of tracking or targeted advertising. Broadpin also honors Global Privacy Control (GPC) signals where required.

Broadpin uses the following categories of cookies:

• Strictly necessary cookies – required for basic site functionality

• Functional cookies – enhance usability and remember preferences

• Analytics cookies – measure website usage and performance

• Marketing cookies – support advertising and campaign measurement

More detailed information about the cookies we use, including their purposes, duration, and providers, is available in our Cookie Policy and within our CMP.

Some cookies and tracking technologies are set by third‑party providers. These providers may process Personal Data in accordance with their own privacy policies, which can be viewed through the CMP.

Broadpin’s website and services are intended for use by business professionals and are not directed to children. We do not knowingly collect Personal Data from individuals under the age required by the laws of their jurisdiction (for example, under 13 in the United States and up to 16 in certain EU/EEA countries).

If we become aware that Personal Data has been collected from a child contrary to these requirements, we will take steps to delete the information promptly and, where appropriate, notify the parent or guardian.

Parents or guardians who believe that a child has provided Personal Data to Broadpin may contact us using the details provided in the “Exercising Your Rights” section.

Broadpin may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational needs.

If we make material changes that affect how we handle Personal Data, we will provide clear notice in advance of the changes taking effect. Notice may be provided through our website, by email, or through other appropriate channels, depending on the significance of the changes and applicable legal requirements.

We encourage individuals to review this Privacy Policy periodically to stay informed about how we protect Personal Data.