This privacy policy explains how Broadview ("we", "us", "our") collects, uses, stores, and shares personal data when you visit broadviewltd.co.uk, contact us, or engage us as a service provider. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
If you have any questions about this policy or how your personal data is handled, contact us at privacy@broadviewltd.co.uk.
01. Our role
Broadview is the data controller in respect of personal data we collect about visitors to our website, prospective clients, our own customers, and people who contact us. We are a data processor in respect of personal data we process on behalf of clients under a written services agreement (for example, end-user data flowing through a website or platform we host, or Google Ads data we access on a client's behalf). In our processor capacity, the client is the data controller and instructs us in writing.
For data-protection enquiries or to exercise your rights under UK GDPR, contact us at privacy@broadviewltd.co.uk.
02. What personal data we collect
Website visitors
- Technical data your browser sends automatically: IP address (truncated where possible), browser type and version, operating system, device type, referrer URL, pages viewed, and timestamps.
- Cookie and analytics data, subject to your consent. See our cookie policy.
People who contact us
- Contact details you provide: name, email address, company name, telephone number where given.
- Content of your message and any attachments.
- Records of correspondence, call notes, and meeting notes once a conversation begins.
Clients and prospective clients
- Business and billing details: company name, registered address, VAT number, billing contact, bank or payment-gateway references.
- Project information you share with us, including access credentials and account information necessary for delivering the agreed services.
- Personal data of named contacts within your organisation.
End users of client systems we operate
Where we process personal data of your end users (for example, leads who fill in a form on a website we host, patients who book through a clinic system we manage, or data accessed via the Google Ads API), we do so as a data processor under a written agreement with you. You remain the data controller. Such processing is governed by the relevant Data Processing Agreement (DPA), not by this policy.
03. Why we use your data and our lawful bases
Under UK GDPR, we must have a lawful basis for processing personal data. Our purposes and lawful bases are:
- To respond to enquiries. Lawful basis: legitimate interests, or steps at your request to enter into a contract.
- To provide the services you have engaged us for. Lawful basis: performance of a contract.
- To invoice, take payment, and keep accounting records. Lawful basis: performance of contract and compliance with legal obligation (UK tax law).
- To run our website, monitor performance, and protect it from abuse. Lawful basis: legitimate interests.
- To send service-related and account communications. Lawful basis: performance of contract and legitimate interests.
- To comply with legal and regulatory obligations. Lawful basis: legal obligation.
- To establish, exercise, or defend legal claims. Lawful basis: legitimate interests.
We do not send marketing emails to people who have not specifically asked to receive them.
04. How we handle Google Ads data
This section describes how Broadview handles data when providing its Google Ads management service, including any use of the Google Ads API.
Our role
When we manage Google Ads for a client, the client is the account owner and remains in control of their Google Ads account at all times. We act on the client's behalf under a written services agreement that includes a Data Processing Agreement (DPA) where applicable. We do not own the data; we process it on instruction.
How we access client data
- Access is granted via Google's standard MCC (manager account) linking mechanism, which the client explicitly authorises within their Google Ads account.
- Where we use the Google Ads API, authentication uses OAuth 2.0 credentials issued by the client. OAuth tokens are stored encrypted at rest within our infrastructure.
- The client may revoke access at any time by removing the MCC link in Google Ads or by revoking OAuth permission.
What we use the data for
- Pulling campaign performance metrics into client-facing dashboards and reports;
- Generating monthly performance reports and ad-hoc analyses;
- Running automated optimisation routines (such as bid adjustments and search-term review) within the scope authorised by the client;
- Providing audit and account review services with the client's permission.
Limited Use commitment
In accordance with Google's API Services User Data Policy, our use of information received through the Google Ads API adheres to the Limited Use requirements:
- We use Google Ads API data only to provide or improve the user-facing features of our service that are clearly visible from the requesting client's user interface.
- We do not transfer Google Ads API data to others except as necessary to provide or improve the user-facing features of the service, in compliance with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google Ads API data to serve advertisements, including retargeting, personalised, or interest-based advertising.
- We do not allow humans to read Google Ads API data, except: (a) with the client's affirmative agreement for specific data; (b) as necessary for security purposes such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymised for internal operations.
Storage and retention
- OAuth credentials and account-linking metadata are retained only for the duration of the engagement plus the period required to complete final reporting and invoicing.
- Performance data extracted via the API is retained for the duration of the engagement and for up to 24 months afterwards for historical reporting and trend comparison, unless the client requests earlier deletion.
- On termination, OAuth credentials are revoked and any client-specific data held in our reporting systems is deleted within 30 days, on request.
05. Cookies and similar technologies
Our website uses a small number of cookies. Non-essential cookies are not loaded until you give consent. Full details are in our cookie policy.
06. Who we share your data with
We share personal data only where necessary to deliver our service, comply with the law, or pursue legitimate interests. Categories of recipient include:
- Service providers and processors we rely on to operate, including: email and productivity (e.g. Google Workspace), accounting and invoicing, payment processors (e.g. Stripe), project management, code repositories, transactional email delivery (e.g. Brevo), contact-form handlers (e.g. Formspree), hosting providers, CDN and security providers (e.g. Cloudflare), analytics providers (where you consent).
- Professional advisers such as accountants, auditors, and legal advisers, where engagement requires.
- Public authorities where required by law (e.g. HMRC, ICO, law enforcement on lawful request).
- Successor entities in the event of a sale, merger, restructuring, or incorporation of the business. Any such transfer is subject to equivalent data-protection commitments.
We do not sell personal data to anyone, under any circumstances. We do not share personal data with third parties for their own marketing purposes.
07. Sub-processors
Where we act as a data processor for a client, we may engage sub-processors (the service providers listed above and similar) to assist in delivering the service. We carry out due diligence on our sub-processors and ensure they are bound by written contractual terms equivalent to those in our agreement with the client. A list of current sub-processors is available on request. We will give clients reasonable prior notice of any intended changes concerning the addition or replacement of sub-processors, allowing the client to object.
08. International transfers
Some service providers we use are based outside the United Kingdom. Where we transfer personal data outside the UK, we rely on either:
- An adequacy regulation recognising the country as providing an adequate level of data protection (for example, the UK-US Data Bridge for participating US organisations); or
- An appropriate safeguard such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or another mechanism permitted under UK GDPR.
Details of the safeguards used for any specific transfer are available on request.
09. How long we keep data
- Enquiry correspondence not leading to engagement: up to 24 months.
- Client records (correspondence, contracts, project data): for the duration of the engagement and for 7 years afterwards (HMRC record-keeping requirements).
- Invoicing and accounting: 7 years.
- Website analytics: per the retention period configured in the relevant tool, typically not longer than 26 months.
- Google Ads API data: as set out in section 04.
- Anything held for legal-claim purposes: until the relevant limitation period expires (typically 6 years).
10. How we protect your data
- Encryption in transit (TLS) for all data sent to and from our systems.
- Encryption at rest for OAuth credentials, password vaults, and other sensitive material.
- Access controls and multi-factor authentication on all critical systems.
- Principle of least privilege: access is limited to what is needed for the task at hand.
- Vendor due diligence on service providers and sub-processors.
- A written incident-response process.
No system is perfectly secure. If a personal-data breach occurs that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours where required, and notify affected individuals without undue delay where the law requires. In our capacity as a data processor, we will notify the client (as data controller) without undue delay after becoming aware of a personal-data breach.
11. Your rights under UK GDPR
You have the following rights in respect of personal data we hold about you. To exercise any of them, contact privacy@broadviewltd.co.uk:
- Right of access: confirm whether we hold data about you and receive a copy.
- Right of rectification: correct inaccurate or incomplete data.
- Right of erasure ("right to be forgotten"), subject to certain exemptions.
- Right to restriction of processing in certain circumstances.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent at any time, where we rely on consent.
- We do not currently make decisions about you using solely automated processing that produces legal or similarly significant effects.
We will respond within one calendar month. There is no fee for a normal request; we may charge a reasonable fee, or refuse, in the case of manifestly unfounded or excessive requests, as permitted by UK GDPR.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. Contact details for the ICO:
We would appreciate the opportunity to address your concern first.
12. Marketing communications
We do not send marketing emails to people who have not specifically requested to receive them. Where you have consented to marketing communications, you can opt out at any time using the unsubscribe link in any such email, or by emailing privacy@broadviewltd.co.uk. Opting out of marketing does not affect service-related communications about an active engagement.
13. Children
Our website and services are not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have collected such data, contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, technology, or applicable law. The "last reviewed" date at the top of this page indicates when it was last updated. Material changes will be notified through the website or by email to existing clients where appropriate.
15. No legal advice
This policy describes how Broadview handles personal data. It does not constitute legal advice, and nothing in this policy should be relied on by clients as a substitute for their own data-protection compliance obligations or independent legal counsel.