Privacy Policy

    Last updated: 16/02/2026

    Effective Date: February 16, 2026
    Entity: SecureSpells OÜ ("Company", "We", "Us", or "Our")
    This Privacy Policy describes how SecureSpells collects, uses, and discloses your information when you use our GDPR compliance auditing service (the "Service").

    By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

    1. Interpretation and Definitions

    • Account: A unique account created for You to access our Service.
    • Personal Data: Any information that relates to an identified or identifiable individual.
    • Service: The website and compliance auditing tools provided by SecureSpells.
    • You: The individual accessing or using the Service, or the company on behalf of which such individual is accessing the Service.

    2. Collecting and Using Your Personal Data

    Types of Data Collected

    A. Personal Data

    While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. This includes:

    • Email Address: Used for authentication and service notifications. We store your email in an encrypted format.
    • Name: Used for account personalization (Optional).
    • Billing Information: We do not store credit card numbers. We store your Stripe Customer ID and Billing Email for invoicing purposes.

    B. Usage Data

    Usage Data is collected automatically when using the Service. This may include:

    • Your device's Internet Protocol address (IP address) (Used for rate limiting and security, generally ephemeral and not permanently stored).
    • Browser type and version.
    • The pages of our Service that You visit, the time and date of Your visit, and the time spent on those pages.

    C. Authentication Data (OAuth)

    You may choose to create an account and log in using the following Third-party Social Media Services:

    • Google
    • LinkedIn
    • GitHub
    • Apple

    If You decide to register through these services, We collect Personal Data associated with that account, specifically your name and email address, to create your User profile.

    D. Scan Data (Website Audits)

    When you submit a URL for auditing, we process that URL and generate a compliance report.

    • Public Scans: Scan results are retained for a defined and limited period of approximately 4 hours.
    • Registered Accounts: Scan results are retained for up to 90 days, after which they are automatically deleted or anonymized.

    E. Optional Product Improvement Survey

    We may ask optional questions about your role, business type, and goals (e.g. after you add your first domain). This information is used solely to improve the product and is not used for marketing or shared with third parties. You can skip the survey at any time and request deletion of your survey responses via Settings or by contacting us.

    F. Web Analytics (Server-Side)

    We use a self-hosted instance of Umami Analytics to measure website trends and performance.

    • No Cookies: This tool does not use cookies or local storage identifiers.
    • Data Minimization: It collects anonymized metrics (e.g., pages visited, browser type, country). IP addresses are anonymized (hashed) immediately and are not stored in raw format.
    • Data Sovereignty: This analytics data is hosted entirely on our own infrastructure in Germany (EU) and is never shared with third-party analytics providers.

    Cookies and Tracking Technologies

    We use Session Cookies which are strictly necessary for the operation of the Service (e.g., to keep you logged in). We do not use third-party advertising cookies on our platform.

    • Essential Cookies: These are stored in Redis to manage your active session and prevent fraudulent use of user accounts.

    3. Lawful Basis for Processing (GDPR)

    We process Personal Data under the following lawful bases:

    • Performance of a Contract: To provide the auditing services, create your account, and process payments.
    • Legal Obligation: To comply with tax and accounting laws (retaining invoices and billing data).
    • Legitimate Interest: To maintain the security of our Service (rate limiting, fraud prevention) and improve our products (analytics).
    • Consent: Where you have explicitly opted in (e.g., marketing newsletters). You may withdraw consent at any time.

    4. Use of Your Personal Data

    The Company may use Personal Data for the following purposes:

    • To provide and maintain our Service: Including monitoring the usage of our Service.
    • To manage Your Account: To manage Your registration as a user of the Service.
    • To contact You: By email regarding updates, security alerts, or informative communications related to the functionalities (e.g., "Magic Link" logins, audit completion reports).
    • To manage Your requests: To attend and manage Your requests to Us.

    5. Disclosure of Your Personal Data

    We do not sell your Personal Data. We share data only with the following categories of Service Providers (Sub-processors) required to operate the Service:

    • Hosting & Infrastructure: Hetzner Online GmbH. Used to host the Service and database (located in Germany).
    • Email Delivery: Postmark. Used to send magic links, invoices, and reports.
    • Payment Processing: Stripe. Used to process payments and manage subscriptions. We transmit your billing email and Customer ID to Stripe.
    • Authentication: Google, Apple, LinkedIn, GitHub. Used only if you choose to sign in via these providers.

    6. Data Retention

    The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.

    • Account Data: Retained until you request deletion. If you delete your account, we maintain a 30-day "soft delete" grace period before permanent erasure, unless immediate deletion is requested.
    • Scan Results: Retained for a defined and limited period (approximately 4 hours for public scans and up to 90 days for registered accounts), after which they are automatically deleted or anonymized.
    • Legal Obligations: We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, keeping invoice records for accounting).

    7. International Transfer of Your Personal Data

    Your information, including Personal Data, is processed at the Company's operating offices (Estonia) and our hosting servers in Germany.

    Some of our Service Providers (e.g., Stripe, Postmark) may process data outside the European Economic Area (EEA). When we transfer data to countries not deemed to provide an adequate level of protection, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or reliance on the EU-U.S. Data Privacy Framework where applicable.

    8. Security of Your Personal Data

    The security of Your Personal Data is important to Us. We implement the following technical measures:

    • Encryption at Rest: Sensitive PII (Names, Emails) is encrypted in our database.
    • Encryption in Transit: All data is transmitted over HTTPS.
    • End-to-End Encrypted Exports: We offer a feature allowing you to export your data in an encrypted format using a client-side secret.

    However, no method of transmission over the Internet is 100% secure. While We strive to protect Your Personal Data, We cannot guarantee its absolute security.

    9. Your GDPR Rights

    You have the right to:

    • Access: Request a copy of the Personal Data we hold about you. You can download a full data export directly from your account settings.
    • Rectification: Correct incomplete or inaccurate data.
    • Erasure (Right to be Forgotten): Request that we delete your Personal Data. You can trigger account deletion within the application.
    • Portability: Request the transfer of your data to another controller.
    • Object/Restrict: Object to processing based on legitimate interest or restrict processing in certain scenarios.

    To exercise these rights, please contact us or use the settings available within your account.

    10. Children's Privacy

    Our Service does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us.

    11. Links to Other Websites

    Our Service performs compliance audits on third-party websites. Our reports may contain links to those websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

    12. Changes to this Privacy Policy

    We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

    13. Contact Us

    If you have any questions about this Privacy Policy, you can contact us:

    SecureSpells OÜ

    • Email: privacy@securespells.com
    • Address: Toompuiestee 21, Tallinn 10137, Estonia
    • Registry Code: 17318386
    • VAT Number (KMKR): EE102940165