Privacy Policy

Last updated: March 21, 2026

1. Who We Are

PartsBroadcast is a B2B email broadcast platform for the IT Asset Disposition (ITAD) industry, operated by PartsBroadcast, 25422 Trabuco Rd STE 184, Lake Forest, CA 92630, United States. For privacy inquiries, contact admin@partsbroadcast.com.

2. Information We Collect

2.1 Registered Users (Senders, Buyers, and Receivers)

When you create an account, we collect:

  • Account information: email address, company name, password (hashed), and role (sender, buyer, or receiver).
  • Preferences: commodity category selections, brand selections, delivery mode (real-time, daily digest, or weekly digest), and email notification preferences.
  • Billing information (senders and buyers only): payment details are collected and processed directly by Stripe, Inc. We store only your Stripe customer ID and subscription status — never your card number or banking details.
  • Two-factor authentication: if enabled, a TOTP secret key is stored to generate verification codes.

2.2 Blast and Message Content

  • Blast content: when senders or buyers submit blasts (WTS or WTB), we store the email subject, body (text and HTML), assigned commodity categories, and delivery metadata.
  • Reply proxy data: when a recipient replies to a blast, the reply is forwarded through our anonymous relay. We process the message headers and content in transit to rewrite sender information and deliver the reply. We do not store the content of forwarded replies.

2.3 Open Tracking

Blast emails contain a small transparent tracking pixel. When you open a blast email, we record:

  • Which blast was opened
  • Your IP address
  • Your email client's user agent string
  • The date and time of the open

This data is used to provide senders and buyers with aggregate open-rate statistics. Open tracking data is recorded once per unique blast-recipient combination.

2.4 Prospect Data (Pre-Registration Outreach)

We maintain a list of business email addresses of professionals in the ITAD industry for the purpose of B2B outreach. These addresses are collected from publicly available industry sources. As an ITAD industry professional, our outreach emails are directly relevant to your business interests and are sent under the lawful basis of legitimate interest (see Section 3). We collect and store:

  • Email address
  • Outreach status (pending, sent, or unsubscribed)
  • Date the outreach email was sent

We send a maximum of one welcome email and one follow-up reminder per prospect. Every outreach email includes a one-click unsubscribe link. If you unsubscribe, we retain only your email address and unsubscribed status to ensure we never contact you again. All other prospect data is deleted 90 days after the outreach email was sent, unless you create an account.

2.5 Cookies and Analytics

  • Essential cookies: we use session cookies required for authentication and site functionality. These are strictly necessary and do not require consent.
  • Analytics (optional): with your explicit consent, we load privacy-focused analytics via Umami (self-hosted at analytics.ai-signed.com). Umami does not use cookies, does not collect personal information, and does not track users across sites. Analytics data is used solely to understand aggregate site usage. You can opt in or out at any time via the cookie consent banner.

3. Lawful Basis for Processing (GDPR Article 6)

We process personal data under the following lawful bases:

  • Consent (Article 6(1)(a)): receiver registration (explicit GDPR consent at signup), analytics cookies (opt-in via cookie banner).
  • Contract (Article 6(1)(b)): processing necessary to deliver the service to registered senders, buyers, and receivers — including blast delivery, preference filtering, billing, and account management.
  • Legitimate interest (Article 6(1)(f)): B2B outreach to ITAD industry professionals whose business interests are directly served by our platform. Our outreach is limited in scope (one email plus one follow-up), relevant to the recipient's professional activity, and includes an immediate opt-out mechanism. We have assessed that the minimal impact on recipients does not override their interests or rights.

4. How We Use Your Information

  • Service delivery: routing blasts to receivers based on commodity and brand preferences, processing WTB requests, managing digest delivery schedules.
  • Anonymous reply proxy: forwarding replies between parties without exposing personal email addresses. Sender and buyer identities are hidden behind a tokenized reply address until they choose to reveal themselves by responding.
  • Billing: managing sender and buyer subscriptions through Stripe.
  • Open tracking: providing senders and buyers with aggregate delivery analytics (open counts and open rates).
  • Outreach: contacting ITAD industry professionals about the platform.
  • Service communications: account confirmations, system notifications, and service updates.
  • Moderation: reviewing blast content before delivery to maintain quality and prevent abuse.

5. Data Sharing

We do not sell, rent, or trade your personal information.

  • Blast delivery: blast content (subject, body, categories) is delivered to receivers who have opted in to matching categories. Sender and buyer email addresses are not included in blasts — all replies are routed through our anonymous reply proxy.
  • Public inventory archive: approved blast summaries (subject, body preview, categories, and date) are displayed on our public inventory page. No sender, buyer, or receiver identifying information is included.
  • Stripe, Inc.: payment processing for sender and buyer subscriptions. Stripe's privacy policy is available at stripe.com/privacy.

We do not share data with any other third parties, advertising networks, or data brokers.

6. Data Retention

We retain data for the minimum period necessary for each purpose:

  • Active accounts: data is retained for the lifetime of the account. You can delete your account at any time (see Section 7).
  • Blast content and delivery records: retained for 2 years after sending, then permanently deleted.
  • Open tracking data: retained for 1 year after the open event, then permanently deleted.
  • Prospect data (non-subscribers): deleted 90 days after the outreach email was sent, unless you create an account. Unsubscribe records are retained indefinitely to prevent re-contact.
  • Deleted accounts: upon account deletion, all personal data, preferences, and association with blast records is permanently removed within 30 days. Anonymized aggregate statistics (delivery counts, open counts) may be retained.
  • Billing records: retained for 3 years as required by tax law.
  • Cookie consent records: retained for 2 years as evidence of consent.
  • Unsubscribe audit logs: retained for 3 years as evidence of CAN-SPAM and GDPR compliance.

7. Your Rights

Under GDPR, CCPA, and applicable data protection laws, you have the following rights:

  • Right to access: view all your data in your dashboard, or request a full export by emailing admin@partsbroadcast.com.
  • Right to rectification: update your preferences, company name, and profile at any time through your dashboard.
  • Right to erasure ("right to be forgotten"): delete your account and all associated personal data from your dashboard at any time. Deletion is processed within 30 days. Certain records may be retained where required by law (see Section 6).
  • Right to data portability: request a machine-readable export of your data by contacting admin@partsbroadcast.com.
  • Right to object: you can unsubscribe from blast delivery at any time while maintaining your account. You can object to prospect outreach by clicking the unsubscribe link in any outreach email. You can object to processing based on legitimate interest by contacting us.
  • Right to restrict processing: contact us to request that we limit how we process your data while a complaint or objection is resolved.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time. For analytics, use the cookie consent banner. For blast delivery, use your dashboard preferences or the unsubscribe link in any email.

To exercise any right, email admin@partsbroadcast.com. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data in transit is encrypted via TLS (HTTPS, SMTPS, IMAPS).
  • Passwords are salted and hashed — we never store plaintext passwords.
  • Two-factor authentication (TOTP) is available for all accounts.
  • Infrastructure is self-hosted on dedicated servers with firewall rules, fail2ban intrusion prevention, and regular security updates.
  • Email authentication (SPF, DKIM, DMARC) is enforced on all outgoing mail.
  • HTML content in blasts is sanitized on ingest and rendered in sandboxed iframes.

9. International Data Transfers

Our servers are located in the United States and Germany (mail relay). If you are located outside of these countries, your data will be transferred to and processed in these jurisdictions. By using PartsBroadcast, you consent to this transfer. We ensure appropriate safeguards are in place for all data transfers.

10. Children's Privacy

PartsBroadcast is a B2B platform for industry professionals. We do not knowingly collect data from individuals under 18. If we learn that we have collected data from a minor, we will delete it immediately.

11. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used (see Sections 2 and 4).
  • Request deletion of your personal information.
  • Opt out of the sale of personal information — we do not sell your data.
  • Non-discrimination for exercising your rights.

12. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of PartsBroadcast after changes constitutes acceptance.

13. Data Processors

The following third parties process data on our behalf:

  • Stripe, Inc. (San Francisco, CA) — payment processing for sender and buyer subscriptions.
  • Contabo GmbH (Munich, Germany) — mail relay server hosting. Emails in transit pass through our dedicated Contabo VPS. No data is shared with Contabo beyond what is necessary for server hosting.

We do not use any other third-party data processors, advertising platforms, or tracking services. Analytics are self-hosted.

14. Contact

For privacy inquiries, data requests, or complaints:
Email: admin@partsbroadcast.com
Mail: PartsBroadcast, 25422 Trabuco Rd STE 184, Lake Forest, CA 92630
If you are unsatisfied with our response, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.