BROCO

Privacy Policy

This policy describes how BROCO collects, uses, shares, and protects the personal data of users of its platform. It is drafted in accordance with the Swiss Federal Data Protection Act (nFADP/revDSG, in force since 1 September 2023) and the EU General Data Protection Regulation (GDPR, EU 2016/679) for users established in the European Union.

1. Identity of the data controller

The controller of personal data collected via the Platform is BROCO.

No data protection officer (DPO) has been formally appointed. Any request relating to personal data or to this policy may be addressed to: jeremie@broco-app.com.

2. Data we collect

We collect different categories of data, exclusively for the purposes described in section 3.

2.1 Account and authentication data

Email address, password (stored as a scrypt hash and never in clear text), account creation date, account status (Registered User / Producer), locale (preferred language).

When the user signs up or signs in via Google OAuth, we receive the strictly necessary data provided by Google (Google identifier, email address, name, profile picture where applicable).

2.2 Profile data

Name or pseudonym, avatar (image hosted on Cloudinary), short bio or description, preferred language.

2.3 Data specific to Producers

Producer description, postal address, geographic coordinates (latitude / longitude), phone number, website, sectors of activity, photographs of premises or productions.

2.4 Consents

At registration, we collect three separate consents whose state is retained: `geoConsent` (use of geolocation), `marketingConsent` (receiving marketing communications), and `notificationConsent` (sending push notifications). Each consent may be withdrawn at any time from the Account settings.

2.5 Content posted by the user

Posts, messages exchanged with other users, comments, photos, reviews and ratings, expressions of interest in Activities, follow / unfollow relationships.

2.6 Data related to the Pro Subscription

Stripe customer ID, Stripe subscription ID, subscription status, period dates, billing history. BROCO does not store or have access to card data, which is handled exclusively by Stripe.

2.7 Technical data

IP address, browser type, operating system, session identifier, OneSignal identifier (player ID) for push notifications, technical logs (timestamps, URLs called, response codes).

2.8 Cookies and trackers

Essential cookies (session, authentication, language preference, consents); analytics cookies (PostHog EU). See section 9 for details.

3. Purposes and legal bases

Each processing operation is based on a specific purpose and an identified legal basis within the meaning of the GDPR and the nFADP/revDSG. The list below summarises the main processing activities:

  • Account creation and management → performance of the contract (art. 6.1.b GDPR; art. 31 para. 2 let. a nFADP).
  • Putting Registered Users in touch with Producers → performance of the contract.
  • Hosting and publishing Content → performance of the contract.
  • Management of the Pro Subscription and billing → performance of the contract.
  • Sending push notifications → consent (art. 6.1.a GDPR).
  • Geolocation for nearby Activity suggestions → consent.
  • Marketing communications (newsletter, BROCO promotions) → consent.
  • Audience measurement and product analytics (PostHog EU) → legitimate interest, service improvement (see section 9).
  • Security, fraud prevention, and dispute resolution → legitimate interest.
  • Compliance with legal obligations (accounting, requests from authorities) → legal obligation.

4. Recipients and processors

BROCO uses technical service providers (processors within the meaning of the GDPR / agents within the meaning of the nFADP) to operate the Platform. Each is bound by a data processing agreement ensuring an adequate level of protection for personal data.

  • Vercel Inc. — hosting of the web application (Next.js) — Frankfurt region, European Union.
  • Railway Corporation — hosting of the API server and the PostgreSQL database — European Union region.
  • Stripe Payments Europe Ltd. — processing of Pro Subscription payments — Dublin, Ireland (EU).
  • Cloudinary — CDN for images, photos, and avatars — United States (transfer outside the EU, see section 5).
  • OneSignal — delivery of push notifications — United States (transfer outside the EU, see section 5).
  • PostHog EU — audience measurement and product analytics — Frankfurt, European Union.
  • Brevo — synchronisation of marketing consents and sending of marketing emails — France, European Union.
  • Google LLC — OAuth authentication and Google Places services (address autocomplete) — United States (transfer outside the EU, see section 5).

5. Transfers outside the EU / Switzerland

Some of our processors are established outside the European Economic Area and outside Switzerland, in particular Cloudinary, OneSignal, and Google LLC (United States).

These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission under article 46 GDPR, supplemented where appropriate by additional technical and organisational measures. For transfers from Switzerland, these clauses are recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC) as offering an adequate level of protection, in accordance with the requirements of the nFADP (art. 16 nFADP).

You may obtain a copy of the safeguards in place by writing to jeremie@broco-app.com.

6. Retention periods

The retention periods applied by BROCO are as follows:

  • Account data: throughout the active life of the Account. Upon Account deletion, identifying data is deleted or anonymised within thirty (30) days, with the exception of information required to comply with legal obligations (in particular accounting) which is kept for up to three (3) years after deletion.
  • Billing and subscription data: ten (10) years from issuance, in accordance with Swiss accounting obligations (art. 958f Swiss Code of Obligations).
  • Technical logs: twelve (12) months from generation.
  • Messages exchanged between Users: twenty-four (24) months from the last activity on the message thread.
  • Consents: until withdrawn; the withdrawal history is kept as evidence for three (3) years.
  • Audience measurement data (PostHog): thirteen (13) months maximum.

7. Your rights

In accordance with the nFADP and the GDPR, you have the following rights over your personal data:

  • Right of access: to obtain confirmation that data concerning you is being processed and to obtain a copy (art. 25 nFADP, art. 15 GDPR).
  • Right of rectification: to obtain correction of inaccurate data (art. 32 para. 1 nFADP, art. 16 GDPR).
  • Right to erasure ("right to be forgotten"): to obtain deletion of your data, subject to applicable legal obligations (art. 32 para. 2 nFADP, art. 17 GDPR).
  • Right to restriction of processing (art. 18 GDPR).
  • Right to data portability in a structured, commonly used, and machine-readable format (art. 28 nFADP, art. 20 GDPR).
  • Right to object to processing, in particular profiling and direct marketing (art. 30 nFADP, art. 21 GDPR).
  • Right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal (art. 7 GDPR).
  • Right to lodge a complaint with a supervisory authority: the Swiss Federal Data Protection and Information Commissioner (FDPIC, www.edoeb.admin.ch) for Switzerland, or the competent supervisory authority of your place of residence for the EU (CNIL in France, etc.).

Exercising your rights

To exercise these rights, send your request to jeremie@broco-app.com specifying the identifier of the Account concerned. BROCO undertakes to respond within thirty (30) days from receipt of the request, extendable by a further sixty (60) days in the case of a complex request (art. 12.3 GDPR).

BROCO may ask you for proof of identity in the event of reasonable doubt as to the identity of the requester, in order to avoid any improper disclosure of personal data to a third party.

8. Security

BROCO implements reasonable technical and organisational measures to protect personal data, in particular:

  • TLS (HTTPS) encryption for all communications between the Platform and users;
  • Cryptographic hashing of passwords using the scrypt algorithm (passwords are never stored in clear text);
  • Role-based access control on the server side (differentiated permissions for Registered User / Producer / administration);
  • Regular encrypted backups of the database;
  • Regular updates of software dependencies and security patches.

9. Cookies and trackers

The Platform uses a limited number of cookies and technical identifiers in order to function and improve the user experience.

  • Essential cookies (session, authentication, language preference): indispensable to the operation of the Platform; they do not require consent.
  • Analytics cookies and identifiers (PostHog EU): used to understand and improve use of the Platform. This data is hosted in Frankfurt (EU).

Technical transparency

PostHog instrumentation is enabled for every user of the Platform, upon acceptance of the Terms of Service and the present Policy. The collected data (usage events, session recordings) is used exclusively to understand use of the service, improve its quality, and fix defects. It is never used for marketing purposes nor shared with third parties for commercial purposes.

You may object to audience measurement by disabling third-party cookies in your browser or by contacting us at jeremie@broco-app.com.

10. Minors

The Platform is accessible to persons aged at least sixteen (16). BROCO does not knowingly collect personal data concerning children under the age of 16. If we become aware that an Account has been created by a minor under 16, we will delete it as soon as possible.

11. Automated decisions

BROCO does not carry out any automated decision-making, within the meaning of article 22 GDPR and article 21 nFADP, producing legal effects on users or similarly significantly affecting them.

12. Changes to this policy

BROCO reserves the right to amend this privacy policy at any time, in particular to reflect legislative, case-law, or technical developments.

Any material change will be notified to users by any appropriate means (in-Platform notification, email) before it takes effect.

13. Contact

For any question relating to the processing of your personal data or to this policy, you may write to us at: jeremie@broco-app.com.

Last updated: May 15, 2026
