Broomstick Hub

Legal

Privacy Policy

Version 2026-04-24 · Last updated 24 April 2026

1. Who we are

This policy describes how Broomstick Creative Consultancy ("Broomstick", "we", "us") handles personal data you provide when you visit our website, register for the Broomstick Hub, or engage us as a client. We act as the data controller for information collected on this site and as a data processor for content, files, and deliverables you provide during a project.

For privacy questions or rights requests, contact privacy@broomstickcreative.com.

2. Scope — GDPR, PIPEDA, and applicable law

This policy is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and equivalent laws where we operate. Where regional law is stricter than this policy, the stricter rule prevails.

3. What we collect

  • Account data: name, email address, phone, password hash, role.
  • Business / creator data: company name, industry, size, website, platform, audience size, services you are interested in.
  • Project data: briefs, files, messages, milestones, approvals.
  • Authentication data: session tokens, login timestamps, approximate IP address (stored as a hash as evidence of consent), and device/browser characteristics as reported by the browser.
  • Communication: any message you send us via forms, email, or the portal.
  • Technical data: pages visited, referrers, and basic analytics. We do not set third-party tracking cookies.

We do not collect special-category data (health, race, religion, political opinions, biometric data) and ask that you do not submit such data to us.

4. Why we collect it — lawful bases

  • Performance of a contract — to deliver the creative services you engage us for.
  • Consent — for signup, optional marketing, and any cookies beyond what is strictly necessary. You may withdraw consent at any time from your profile.
  • Legitimate interests — for security monitoring, fraud prevention, and service improvement, balanced against your rights.
  • Legal obligation — for tax, accounting, and law-enforcement requests we are compelled to answer.

5. Who we share with

We share personal data only with the processors strictly needed to run the service:

  • Vercel — application hosting (USA / EU regions).
  • Supabase — database and file storage (ap-south-1 region).
  • Resend — transactional email delivery.
  • Google Workspace / Google Drive — final-deliverable storage for clients who opt in.
  • Stripe (once enabled) — payment processing for discovery fees and project invoices.
  • Cal.com (once enabled) — discovery-call scheduling.

Each of these processors is bound by a Data Processing Agreement (DPA), and any cross-border transfer to them is covered by Standard Contractual Clauses or an adequacy decision, as applicable.

6. International transfers

Your data may be processed in countries outside your own, primarily the USA, the EU, and India (the ap-south-1 Mumbai region). Where this happens we rely on Standard Contractual Clauses or equivalent safeguards. On request we will share the relevant clauses.

7. How long we keep it

  • Active accounts: for as long as the account remains active.
  • Closed accounts: a 30-day grace period for recovery, then anonymised. Financial records may be kept for up to 7 years where local tax law requires.
  • Declined applications: 90 days, then deleted.
  • Project deliverables: retained for the duration of the engagement plus 2 years, unless you request earlier deletion.

8. Your rights

Under GDPR / PIPEDA you have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectify inaccurate data.
  • Request erasure ("right to be forgotten") — subject to legal retention duties.
  • Restrict or object to processing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time, without affecting processing done before withdrawal.
  • Lodge a complaint with your local supervisory authority (e.g., ICO in the UK, Office of the Privacy Commissioner of Canada, CNIL in France).

Email privacy@broomstickcreative.com to exercise any of these rights. We respond within 30 days.

9. Security

We apply industry-standard controls: TLS in transit, at-rest encryption on database and file storage, role-based access controls, row-level security on client tables, bcrypt password hashing, rate limiting on authentication endpoints, and regular dependency scanning. Access to production data is limited to named Broomstick staff on a need-to-know basis.

See our Security Overview for technical detail.

10. Cookies

We set only cookies that are strictly necessary for authentication and session management. We do not use advertising, analytics, or third-party tracking cookies. Cookies are HttpOnly, Secure, and SameSite=Lax in production.
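The cookie attributes named above can be verified mechanically. The following is an added example, not Broomstick's own code: it builds a session `Set-Cookie` header with those attributes, then parses an arbitrary `Set-Cookie` header and reports which of them are missing. The `production` flag is an assumption (local HTTP development cannot use `Secure` cookies); the checker accepts `SameSite=Strict` as well as `Lax` and flags `None`. It also goes slightly beyond the policy text by validating the optional `__Host-` name prefix, which browsers only honour together with `Secure`, `Path=/` and no `Domain` attribute.

```javascript
// Added example (not Broomstick's code): build a production session cookie
// with the attributes the policy names, and check any Set-Cookie header
// against that baseline.

/**
 * Build a Set-Cookie header value for a session cookie.
 * Assumption: `production` decides whether Secure is required, because
 * plain-HTTP local development cannot set Secure cookies.
 */
function buildSessionCookie(name, value, { production = true, maxAgeSeconds = 60 * 60 * 8 } = {}) {
  // Cookie names must be RFC 6265 tokens; reject anything else early.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',       // not readable from document.cookie / XSS
    'SameSite=Lax',   // not sent on cross-site POSTs or subresource loads
  ];
  if (production) {
    parts.push('Secure'); // only sent over HTTPS
  }
  return parts.join('; ');
}

/**
 * Parse a Set-Cookie header value into { name, value, attrs }, where attrs
 * maps lower-cased attribute names to their value (or true for flags).
 */
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

/**
 * Check a Set-Cookie header against the production baseline:
 * HttpOnly, Secure, and SameSite=Lax (Strict also accepted).
 * Returns a list of problems; an empty list means the cookie is compliant.
 */
function checkSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (attrs.httponly !== true) problems.push('missing HttpOnly');
  if (attrs.secure !== true) problems.push('missing Secure');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) problems.push('missing SameSite');
  else if (sameSite === 'none') problems.push('SameSite=None allows cross-site sends');
  // Optional hardening: the __Host- prefix is only honoured by browsers when
  // the cookie is Secure, has Path=/ and carries no Domain attribute.
  if (name.startsWith('__Host-') && (attrs.path !== '/' || 'domain' in attrs)) {
    problems.push('__Host- prefix requires Path=/ and no Domain');
  }
  return problems;
}

// Usage: a constructed production cookie passes; a dev cookie is flagged.
console.log(checkSessionCookie(buildSessionCookie('session', 'abc 123')));
console.log(checkSessionCookie(buildSessionCookie('session', 'abc', { production: false })));
```

Running `checkSessionCookie` over the headers your application actually emits (for example in an integration test that inspects the response of the login route) turns the policy's cookie statement into a regression check rather than a promise.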

11. Children

The Broomstick Hub is not directed to children under 16. We do not knowingly collect data from minors. If you believe we have, contact us and we will delete it.

12. Changes

When we change this policy in a material way we bump the version number, update the "Last updated" date, and email registered users at least 14 days before the change takes effect. Continued use after the effective date constitutes acceptance of the updated policy.


© 2026 Broomstick Creative Consultancy. All rights reserved.
