Spectacl
Privacy Policy
Last updated: April 14, 2026
1. Interpretation and Definitions
The words of which the initial letter is capitalized have meanings defined below. These definitions apply regardless of whether they appear in singular or plural.
- Account: A unique account created for you to access the Service.
- Company: Sinus Digital B.V., registered in the Netherlands (KVK: 99865416).
- Personal Data: Any information that relates to an identified or identifiable individual (Art. 4(1) GDPR).
- Service: The website at spectacl.org and app.spectacl.org, and all related analytical tools.
- Service Provider: Any natural or legal person who processes data on behalf of the Company (Art. 4(8) GDPR).
2. Collecting and Using Your Personal Data
2.1 Types of Data Collected
While using the Service, we may collect the following personal data:
- Account data: Email address, name, profile image
- Billing data: Company name, address, country, VAT ID (stored for invoicing and tax compliance)
- Usage data: IP address, browser type, device identifiers, pages visited, time on pages
- Session data: IP address and user agent string (stored for security and active session management)
- Activity data: Last-seen timestamp updated periodically while the app is open (used for admin online status indicators)
2.2 Internal Access to Content
To provide, maintain, and troubleshoot the Service, authorized personnel may have access to prompts, configurations, and analytical results associated with your account. We use this access strictly for operational purposes such as resolving technical issues, preventing abuse, and improving system performance. We do not use your specific content for marketing purposes without your explicit consent.
2.3 Aggregated and Anonymized Benchmarks
To provide platform-wide insights and comparative benchmarks, Spectacl may aggregate and anonymize data derived from usage across all users. This includes aggregated statistics on domain citation frequencies, model response patterns, and visibility trends.
Aggregated data is stripped of all user-identifying information and cannot be used to identify individual users, their organisations, or the specific prompts or entities they research.
By using the Services, you agree that Spectacl may include anonymized, aggregated derivatives of your usage data in platform-wide analyses and benchmarks.
3. GDPR Privacy (European Union)
Legal Basis for Processing
We process Personal Data under the following lawful bases (Art. 6(1) GDPR):
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Services you subscribed to.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, admin activity tracking.
- Legal obligation (Art. 6(1)(c)): Tax compliance, invoice retention, law enforcement requests.
- Consent (Art. 6(1)(a)): Optional marketing communications (opt-in only).
Your Rights under the GDPR
- Access (Art. 15): Request a copy of your personal data. You can download your data export from User Settings > Privacy & Data.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your personal data. You can delete your account from User Settings > Danger Zone.
- Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Portability (Art. 20): Receive your data in a machine-readable format (JSON export).
- Objection (Art. 21): Object to processing based on legitimate interests.
- Complaint (Art. 77): Lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), The Hague, Netherlands — autoriteitpersoonsgegevens.nl.
Data Protection Officer
Given the nature and scale of our processing activities, we are not required to appoint a Data Protection Officer under Art. 37 GDPR. For privacy-related enquiries, contact us at info@sinusdigital.nl.
4. CCPA/CPRA Privacy Notice (California Residents)
This section applies solely to visitors and users who reside in the State of California.
Categories of Personal Information Collected
We collect identifiers (name, email), commercial information (subscription records), and internet activity (usage data).
Your Rights
- Right to Know: Disclosure of what data we collect and how we use it.
- Right to Delete: Deletion of personal information collected.
- Right to Opt-Out: We do not sell your personal data.
- Non-Discrimination: We will not discriminate against you for exercising your rights.
5. Cookies and Tracking Technologies
We use only strictly necessary cookies for the operation of the Service:
- Authentication: Session cookie to identify you when logged in (better-auth session token, SameSite, Secure in production).
- Workspace: Cookie to remember your selected workspace (Space ID).
We do not use marketing, advertising, or third-party tracking cookies. You can instruct your browser to refuse cookies, but some parts of the Service may not function correctly without them.
6. Third-Party Service Providers
We share personal data with the following categories of service providers to operate the Services:
- Hosting: Hetzner Online GmbH (Germany) — all infrastructure hosted in the EU.
- Payment processing: Mollie B.V. (Netherlands) — billing data for subscription payments.
- Email delivery: Resend Inc. (United States) — email addresses for transactional emails (magic links, invitations, invoices).
- Error tracking: Sentry (Functional Software Inc., United States, EU data region) — error traces and masked session replays for debugging. All text and inputs are masked; no readable user content is captured.
- LLM providers: OpenAI (US), Anthropic (US), Google (US), Mistral (France) — prompt text is sent to these providers to generate analysis results. No personal data beyond the prompt text is transmitted.
- Authentication: Google (US) — for optional Google SSO login. Email, name, and profile image are received.
- Favicons: Google (US) — domain names are sent to Google's favicon service to display website logos. No personal data is transmitted.
We do not sell personal data to any third party.
7. International Data Transfers
Our primary infrastructure is hosted in the European Union (Hetzner, Germany). However, some service providers are based in the United States (Resend, Sentry, OpenAI, Anthropic, Google). Data transferred to US-based processors is protected by:
- Standard Contractual Clauses (SCCs) where available;
- The EU-U.S. Data Privacy Framework, where the processor is certified;
- Contractual data protection obligations with each processor.
8. Error Tracking and Session Replay
We use Sentry for error tracking to diagnose and fix technical issues. Sentry's Session Replay feature may record anonymized DOM snapshots of user sessions when errors occur. All text content, form inputs, and media are masked — no readable user data is captured in recordings.
Sentry data is stored in the EU data region (Frankfurt, Germany). Session Replay runs on a small percentage of sessions (5%) and 100% of sessions where an error occurs. The legal basis for this processing is legitimate interest in maintaining service quality and security (Art. 6(1)(f) GDPR).
9. Data Retention
We retain personal data only as long as necessary for the purposes stated in this policy:
- Account data: Retained until you delete your account.
- Analysis results: Retained according to your plan's data retention period (90 days to 1 year).
- Invoices and billing records: Retained for 7 years as required by Dutch tax law.
- Session data: Deleted when sessions expire or you sign out.
- Audit logs: Retained indefinitely for security purposes. Personal identifiers are removed when a user account is deleted.
- Canceled workspaces: Data retained during a grace period, then permanently deleted.
10. Disclosure of Your Personal Data
Business Transactions
If the Company is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
Legal Requirements
We may disclose your personal data if required to do so by law, in response to valid requests by public authorities (e.g. a court or government agency), or to protect the rights, property, or safety of Spectacl, our users, or the public.
11. Security
The security of your personal data is important to us. We implement appropriate technical and organisational measures including encryption in transit (TLS), access controls, rate limiting on authentication endpoints, CSRF protection, and audit logging. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
12. Children's Privacy
Our Service does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from children. If we become aware that we have collected personal data from anyone under 16 without verification of parental consent, we take steps to remove that information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice via email or in-app notification. Your continued use of the Services after the effective date constitutes acceptance of the revised policy.
14. Contact Us
For any questions about this Privacy Policy, to exercise your data protection rights, or to report a concern:
- Email: info@sinusdigital.nl
- Company: Sinus Digital B.V. (KVK: 99865416)
- Supervisory Authority: Autoriteit Persoonsgegevens, The Hague, Netherlands — autoriteitpersoonsgegevens.nl