Privacy Policy.
Last updated: June 2026
What we collect
Spot Cloud B.V. ("Spot Cloud", "we") processes personal data when you visit spot-suite.com, request a demo, create an account, or use Spot Suite applications. Depending on your interaction, we may collect: name, work email address, company name, billing details, IP address, device and browser metadata, support correspondence, and usage events needed to operate and secure the Service. When you connect Microsoft Entra ID or another identity provider, we receive identifiers and group claims required for authentication and authorisation. Customer content uploaded to a Customer Environment is processed on behalf of the Customer as described in our Data Processing Addendum.
How we use it
We use personal data to provide and maintain the Service, authenticate users, process subscriptions and invoices, respond to support requests, send service-related notices, detect abuse, and improve reliability. We may send product updates or event invitations where permitted by law and subject to your marketing preferences. We do not sell personal data. Aggregated or de-identified statistics may be used for capacity planning and reporting without identifying individuals.
Legal basis
Under the General Data Protection Regulation (GDPR), we rely on: (a) contract — processing necessary to deliver the Service you or your organisation requested; (b) legitimate interests — security monitoring, fraud prevention, and limited product analytics, balanced against your rights; (c) legal obligation — tax, accounting, and regulatory record-keeping; and (d) consent — where required for optional marketing communications or non-essential cookies. Customers act as controllers for personal data they upload to their Environment; Spot Cloud acts as processor for that data under the DPA.
Sub-processors
We use carefully selected sub-processors to host infrastructure, deliver email, process payments, and provide customer support tooling. Primary infrastructure runs on Cloudflare within the European Union. Payment processing may involve Stripe or comparable providers bound by appropriate transfer safeguards. A current list of sub-processors is available on request and in the DPA annex. We require sub-processors to implement technical and organisational measures consistent with this policy and notify Customers of material changes where contractually required.
Data residency
Customer Environments and associated audit logs are hosted in EU data centres unless a written agreement specifies otherwise. Marketing site analytics and account metadata may be processed in the EU and, where necessary for support, in jurisdictions covered by Standard Contractual Clauses or an adequacy decision. We do not move Customer content outside the agreed region without prior instruction or a documented legal requirement.
Retention
Account and billing records are retained for the subscription term and thereafter for the period required by Dutch commercial and tax law, typically seven (7) years for financial records. Security and access logs are kept for a rolling window sufficient for incident investigation, generally ninety (90) to three hundred sixty-five (365) days depending on the log type. Customer Data in an Environment is deleted or returned according to the DPA upon termination, subject to legal holds communicated in writing.
Your rights
If you are in the European Economic Area, United Kingdom, or another jurisdiction with comparable rights, you may request access, correction, deletion, restriction, or portability of your personal data, and object to certain processing. You may withdraw consent for optional processing without affecting lawfulness prior to withdrawal. To exercise rights, contact privacy@spot-cloud.com. We respond within one month unless an extension is permitted. You may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
Security
We apply access controls, encryption in transit and at rest where supported, tenant isolation for Customer Environments, vulnerability management, and logging of administrative actions. Personnel with access to production systems undergo background checks where appropriate and receive security training. No method of transmission or storage is completely free of risk; we notify Customers without undue delay when a personal data breach is likely to affect their Environment, consistent with Articles 33 and 34 GDPR.
Contact
Spot Cloud B.V. is the data controller for personal data described in this policy. Privacy enquiries: privacy@spot-cloud.com. Postal correspondence and registered office details are available on request to authenticated account holders.