Privacy Policy

Effective Date: May 6, 2026 · Last Updated: May 6, 2026

Broadimage ("we", "us", "our") respects your privacy. This Privacy Policy explains what information we collect when you use broadimage.com, why we collect it, how we use it, and the rights you have over your information.

1. Who we are

Data Controller: Broadimage, headquartered in Los Angeles, California, USA, with a bureau in New York, New York, USA.

Privacy contact: privacy@broadimage.com

Postal address for privacy correspondence: Available upon written request to legal@broadimage.com.

2. What we collect

2.1 Information you provide

• Account information. When you sign up for an editorial account, we collect: full name, company name, company type, job title, email address, phone number, and password (stored hashed and salted by AWS Cognito; we never see your plaintext password).
• Contact form submissions. When you contact us via our forms, we collect the name, email, subject, and message you provide.
• Licensing inquiries. When you request licensing terms, we collect the information you provide about the intended use, media, and territory.

2.2 Information collected automatically

• Technical log data. IP address, browser user-agent, referrer URL, pages visited, timestamps. Used for security, fraud prevention, and aggregate site analytics.
• Country/region inference. On first visit, we send your IP to ipapi.co to detect your country and serve the site in the appropriate language. We do not store the returned country in association with your IP.
• Device storage. See our Cookie Policy for the specific cookies, localStorage, and sessionStorage entries.

2.3 Information from third parties

• AWS Cognito. Authentication tokens and SMS multi-factor authentication codes pass through AWS Cognito. Cognito processes phone numbers for SMS delivery.

2.4 We do not collect

• Your government-issued identification documents (unless you voluntarily provide them for licensing-payment KYC, which is handled separately).
• Biometric data.
• Children's data — see Section 14.
• Sensitive personal information (race, religion, health, sexual orientation, political views, union membership) — we do not collect or process these categories.

3. Why we collect (legal basis under GDPR Art. 6)

For users in the EU/UK, our legal bases are:

• Contract performance (Art. 6(1)(b)) — to create and operate your account, deliver licensed photos, and respond to your inquiries.
• Legitimate interests (Art. 6(1)(f)) — to secure our site against abuse, prevent fraud, monitor service quality, and serve our editorial business model. Our legitimate interests do not override your fundamental rights.
• Legal obligation (Art. 6(1)(c)) — to comply with applicable law, including responding to lawful requests from public authorities.
• Consent (Art. 6(1)(a)) — for any optional processing where consent is the appropriate basis (you may withdraw consent at any time).

4. How we use your information

• Provide, operate, and maintain broadimage.com
• Authenticate sign-in and manage editorial accounts
• Process licensing inquiries and deliver licensed media
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations and respond to lawful requests
• Send service-related communications (account changes, security alerts, license updates)
• Send opt-in marketing/news communications, only if you have consented and only with a clear opt-out in every message

5. Sharing and disclosure

We do not sell your personal information to third parties.

We share information only with:

• Service providers operating on our behalf under written contracts containing confidentiality, security, and data-protection obligations:
  • Amazon Web Services (AWS) — hosting, authentication (Cognito), storage (S3), database (DynamoDB)
  • ipapi.co — country detection (IP only, no other personal data sent)
  • Google — fonts (Poppins), reCAPTCHA (when present)
  • Email/SMS delivery infrastructure for transactional messages
• Legal authorities when required by law, valid legal process, or to defend our rights
• Successors in interest in connection with a merger, acquisition, financing, or sale of assets, where we will require continued protection of your information

6. International transfers

Personal information is transferred to and processed in the United States and other countries where our service providers operate. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK addendum where required. Where additional safeguards are needed, we apply supplementary technical and organizational measures consistent with current guidance from the European Data Protection Board.

7. Data retention

We retain personal information only as long as necessary for the purposes described in this policy or as required by law:

• Account information — for the duration of your active account, plus up to 24 months after account closure to address disputes or legal claims, then deleted or anonymized.
• Contact-form submissions — up to 24 months from receipt unless we need to retain longer to respond to active inquiries or legal matters.
• Technical log data — typically 12 months or less.
• Licensing transaction records — retained for the period required by tax, accounting, and copyright-enforcement law (typically 7 years in the U.S.).

8. Security

We implement industry-standard administrative, technical, and physical safeguards designed to protect personal information from loss, theft, misuse, and unauthorized access — including encrypted transport (HTTPS/TLS), encrypted storage at AWS, hashed-and-salted passwords (managed by AWS Cognito), multi-factor authentication, principle-of-least-privilege access controls, and audit logging. No internet transmission or storage system is 100% secure; we cannot guarantee absolute security.

9. Your rights — EU / UK (GDPR & UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights to:

• Access the personal information we hold about you
• Rectification — correct inaccurate or incomplete information
• Erasure ("right to be forgotten") — request deletion in qualifying circumstances
• Restriction of processing in qualifying circumstances
• Portability — receive your information in a structured, commonly used, machine-readable format
• Object to processing based on legitimate interests, including direct marketing
• Withdraw consent at any time where processing is based on consent
• Lodge a complaint with your local Data Protection Authority. A list of EU DPAs is available at edpb.europa.eu; the UK supervisory authority is the Information Commissioner's Office (ICO).

To exercise any right, contact privacy@broadimage.com. We will respond within 30 days (extendable to 90 days for complex requests).

10. Your rights — California (CCPA / CPRA)

If you are a California resident, you have the rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) to:

• Right to Know — request the categories and specific pieces of personal information we have collected
• Right to Delete — request deletion of your personal information (subject to exceptions)
• Right to Correct — request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing — Broadimage does not sell or share personal information for cross-context behavioral advertising; nonetheless this right is preserved
• Right to Limit Use of Sensitive Personal Information — we do not collect sensitive personal information as defined in CPRA
• Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact privacy@broadimage.com with the subject "California Privacy Rights Request". We may verify your identity before responding.

Categories of personal information collected (last 12 months): identifiers (name, email, phone), commercial information (account/license records), internet activity (logs, cookies), inferred geographic location (country only).

Categories sold or shared: none.

11. Your rights — other U.S. states

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other U.S. states with comparable comprehensive privacy laws, you have rights similar to those described in Section 10 (access, deletion, correction, opt-out of targeted advertising and sale). Contact privacy@broadimage.com to exercise these rights. We do not engage in targeted advertising or sale of personal information.

12. Your rights — Brazil (LGPD), Canada (PIPEDA), and other regions

If you reside in Brazil, Canada, Australia, Japan, South Korea, or another jurisdiction with comprehensive personal-information protection law, you may have rights to access, correct, delete, port, or restrict processing of your information. Contact privacy@broadimage.com with the relevant request and a description of your jurisdiction.

Brazilian users (LGPD): our processing of your personal data is based on contract performance, legitimate interest, and legal compliance. You may contact Brazil's data-protection authority (ANPD) at gov.br/anpd.

13. Cookies and similar technologies

See our dedicated Cookie Policy for details on what cookies and similar technologies (localStorage, sessionStorage) we use and how to control them.

14. Children's privacy

broadimage.com is not directed to children under the age of 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@broadimage.com and we will delete it.

15. Do Not Track

Broadimage does not currently respond to "Do Not Track" browser signals because no industry consensus exists on how to interpret them. We do not use cross-site tracking or behavioral advertising regardless of DNT status.

16. Changes to this policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects the most recent change. Material changes will be highlighted on the site and, where required by law, communicated by email or notice in your account.

17. Contact

For privacy questions, requests, or complaints:

• Email: privacy@broadimage.com
• Phone: +1 310 697 2999
• Postal address (for privacy correspondence): provided upon written request to legal@broadimage.com

Nothing in this Privacy Policy waives any non-waivable rights you may have under the laws of your jurisdiction.