Privacy Policy
Last Updated: May 10, 2025
1. Controller Information
Company: brokenREF Oy
Business ID (Y-tunnus): 3522266-6
Address: Porarinkatu 2 G 17, 02650 Espoo, Finland
Email:
2. Introduction
brokenREF Oy ("We", "Us", "Our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how personal information is collected, processed, and safeguarded in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
3. Personal Data Collected
We process the following categories of personal data:
3.1 General Categories
- Contact Information: Email addresses collected automatically from your Google Workspace account when an Add-on is activated (including free or trial use) and addresses supplied via forms or direct communication.
- Subscription Data: Payment details processed by Stripe (card type, last four digits, expiry), subscription type, plan metadata, and associated email addresses.
- Technical Data: Internal account identifier, feature usage metrics, subscription status, quota consumption, timestamps, and user-defined settings required for technical operation.
3.2 Google API Data
We handle all Google user data in accordance with the Google API Services User Data Policy, including its Limited Use requirements.
3.2.1 VAT Checker Add-on
| OAuth scope | Purpose | Stored? |
|---|---|---|
| https://www.googleapis.com/auth/spreadsheets.currentonly | Read/write cells in the current spreadsheet only | No |
| https://www.googleapis.com/auth/script.external_request | Query EU VIES API for validation | No |
| https://www.googleapis.com/auth/script.container.ui | Show dialogs in Google Sheets | No |
| https://www.googleapis.com/auth/userinfo.email | Email used as defined in sections 3.1 and 4 | Yes |
4. Purpose and Legal Basis for Processing
We process the collected personal data for the following processing purposes and under the following legal basis:
Performance of contract: Delivering and managing services, processing payments, and performing financial or administrative tasks;
Compliance with a legal obligation: Meeting statutory requirements (e.g., accounting and tax); and
Legitimate Interests: Providing support, communicating updates, improving products and services, and carrying out direct marketing or customer-reactivation activities.
5. Data Processed on Behalf of Users
Please note that when an Add-on accesses content in your Google Workspace, We act as a data processor (as defined in the GDPR) instead of a data controller. In such case we process personal data on your behalf and under your instructions whereas you remain the data controller. When we act as your data processor, the DPA included in our Terms of Service applies instead of this Privacy Policy.
6. To whom do We disclose personal data?
We may disclose personal data to data recipients who are processing data on our behalf. As an example these include cloud-hosting providers, payment processors, analytics, CRM and marketing platforms that store and handle the data on their protected servers.
7. Data Storage and Security
Personal data is hosted exclusively with reputable cloud service providers that apply industry-standard security controls, including encryption in transit and at rest. Access to that data is restricted to authorised personnel on a least-privilege basis.
8. Data Transfers Outside the EU/EEA
We may transfer personal data outside the EU/EEA to our data processors. When transferring personal data, We ensure that transfers are safeguarded through GDPR-compliant mechanisms (E.g. EU Commission's Standard Contractual Clauses).
9. Data Retention
Personal data is retained only as long as necessary for the purposes stated or to meet legal obligations. Subscription and payment records are kept in accordance with applicable financial and accounting laws.
10. Your Rights
Subject to the GDPR you may request to:
- Access your personal data;
- Correct inaccurate data;
- Delete your personal data;
- Restrict or object to processing;
- Receive your data in portable format; and
- Withdraw consent where processing is consent-based.
All data subject requests must be sent via email to .
You may also lodge a complaint with the Finnish Data-Protection Ombudsman (tietosuoja.fi).
11. Cookies and Tracking
Our website may use cookies and analytics tools (e.g., Google Analytics) to enhance user experience and analyse usage. Cookie preferences can be managed via your browser. Details are provided in our Cookie Policy.
Note about third-party services: Detailed information on how Google processes data can be found in their Privacy Policy and partner site information. Website analytics use anonymized data where possible.
12. Changes to This Privacy Policy
This Privacy Policy may be updated from time to time. Any significant changes will be announced on our website or by email where appropriate.
13. Contact Information
For any questions or requests regarding this Privacy Policy or your personal data, please contact:
brokenREF Oy
Address: Porarinkatu 2 G 17, 02650 Espoo, Finland
Email: