The General Data Protection Regulation (GDPR — EU Regulation 2016/679) establishes the rights of data subjects and the obligations of organisations that process personal data. This page explains how Broccolli.xyz complies with the GDPR and how you can exercise your rights.
1. Who we are
Broccolli.xyz is a process automation consultancy for SMEs, based in Porto, Portugal. We act as data controller for the personal data provided to us in the course of our business activity.
2. Principles we follow
- Lawfulness, fairness and transparency: we only process data on a legal basis and always inform data subjects.
- Purpose limitation: data is collected for specific purposes and not used in ways incompatible with those purposes.
- Data minimisation: we collect only the data strictly necessary.
- Accuracy: we keep data up to date and correct errors when notified.
- Storage limitation: data is deleted when no longer necessary.
- Integrity and confidentiality: we apply appropriate technical and organisational measures to protect data.
3. Legal basis for processing
- Contract or pre-contract: when you engage with us or request information about our services.
- Consent (Art. 6(1)(a) GDPR): for website analytics via Google Analytics 4 — the user explicitly accepts via the cookie banner. Consent may be withdrawn at any time.
- Legal obligation: where processing is required by law (e.g. tax and accounting obligations).
4. Consent and cookies
- We use Google Analytics 4 for traffic analysis, based on your explicit consent.
- On your first visit, a consent banner is displayed. Google Analytics is only activated after acceptance.
- Consent is managed via Google Consent Mode v2, ensuring no analytics data is collected before acceptance.
- You may withdraw consent at any time by clearing browser data or contacting us.
- We do not use advertising, remarketing, or social media cookies.
5. Your rights as a data subject
- Right of access (Art. 15 GDPR): to know what data we hold about you and obtain a copy.
- Right to rectification (Art. 16 GDPR): to correct inaccurate data or complete incomplete data.
- Right to erasure / 'right to be forgotten' (Art. 17 GDPR): to request deletion of your data when no longer necessary or when you withdraw consent.
- Right to restriction of processing (Art. 18 GDPR): to suspend processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): to object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent (Art. 7(3) GDPR): to withdraw analytics consent at any time, without affecting the lawfulness of prior processing.
6. How to exercise your rights
You can exercise any of the above rights by sending an email to sales@broccolli.xyz with the subject 'GDPR Rights Request', clearly identifying the right you wish to exercise. We will respond within a maximum of 30 days. We may request identity verification before processing the request.
7. Sub-processors and data transfers
- We use a limited number of sub-processors with whom we have entered into appropriate data processing agreements.
- Google LLC acts as a sub-processor for analytics purposes (Google Analytics 4). Data transfers to the US are carried out under Standard Contractual Clauses approved by the European Commission and the EU-US Data Privacy Framework.
- Our email service (Resend) is hosted in the EU and complies with GDPR.
8. Security measures
- Encrypted communications via HTTPS/TLS across the entire website.
- Restricted access to personal data — only staff with operational need have access.
- Periodic review of access controls and security practices.
- In the event of a data breach that may affect your rights, we will notify the CNPD within 72 hours and, where required, notify affected data subjects.
9. Data Protection Officer (DPO)
Given the volume and nature of data processed, the appointment of a DPO is not mandatory for Broccolli.xyz. For privacy and data protection matters, please contact us directly at sales@broccolli.xyz.
10. Supervisory authority
The competent supervisory authority in Portugal is the Comissão Nacional de Protecção de Dados (CNPD), at Rua de São Bento, 148-3.º, 1200-821 Lisbon. Website: www.cnpd.pt. You have the right to lodge a complaint with the CNPD or with the supervisory authority in your country of residence.
11. Updates to this policy
This policy may be updated to reflect changes in law, our practices, or the services we provide. The most recent version is always available on this page, with the date of last update.
For any questions related to this policy, contact us at sales@broccolli.xyz