Privacy Policy

Last updated: [DATE — replace with real date when content is finalized]

⚠️ This is a STUB. The content below is a structural skeleton, not a finished legal document. Replace every section with actual policy content before public launch. Consider using an EU SaaS template, iubenda, Termly, or a Dutch legal professional.

1. Who we are

SPALT is a service provided by [Restruct BV / freelance name — fill in], registered in the Netherlands under KvK number [NUMBER]. Our registered address is [ADDRESS]. For privacy questions, contact us at privacy@spalt.app or write to the address above.

2. What data we collect

When you use SPALT, we collect:

• Account information: your name, email address, and password (stored as a one-way hash)
• Organization content: the projects, items, documents, comments, and files you create or upload
• Usage data: [describe — e.g. page views, feature interactions, if analytics are enabled]
• Billing data: subscription state, plan, and invoice metadata (payment details themselves are handled by Mollie — we never see your card)
• Communication: emails you send us for support, bug reports, or feedback

3. Why we process your data

• To provide the service you signed up for (contractual necessity, GDPR Article 6(1)(b))
• To process payments and issue invoices (legal obligation + contractual necessity)
• To send transactional emails — account verification, trial reminders, billing confirmations, notifications you've enabled (contractual necessity)
• To improve the service based on usage patterns (legitimate interest)
• To comply with Dutch tax law (legal obligation — 7-year retention of invoice records)

4. Who we share your data with

We use these third-party processors:

• Mollie — payment processing (your card details go to Mollie, never to us)
• Moneybird — invoicing and accounting (retains billing contact information per Dutch tax law)
• Resend — transactional email delivery
• Anthropic (Claude API) — AI assistant features, if you use them. Only the content you explicitly send to the AI is shared. See section 9.
• OpenAI (Whisper API) — voice transcription, if you use the voice recording features. Audio is sent for transcription and not retained by OpenAI beyond processing.
• [Hosting provider] — infrastructure. The server that runs SPALT is hosted by [provider] in [region].

We do not sell your data, share it with advertising networks, or use it for profiling.

5. Where your data is stored

SPALT's servers are located in [region — fill in]. Backups are stored in [region]. Some sub-processors (Anthropic, OpenAI) operate in the United States — when you use those features, the relevant content is transferred internationally under the Standard Contractual Clauses.

6. How long we keep it

• Active account data: as long as your organization is active
• Deleted organization: the content is permanently deleted after a 30-day grace period. A compressed backup is retained for 90 days after deletion, then also deleted.
• Invoice records: retained for 7 years in Moneybird per Dutch tax law (Art. 52 AWR)
• Support emails: retained for [duration] then deleted

7. Your rights under GDPR

You have the right to:

• Access your data (download a full export from Settings → Data)
• Rectify inaccurate data (edit directly in the app, or email us)
• Erasure — delete your organization from Settings → Billing → Danger Zone (30-day grace, then permanent)
• Portability — the data export includes a lossless JSON file, Trello-compatible JSON, and markdown files you can import anywhere
• Restriction and objection — email us at privacy@spalt.app to restrict processing
• Complain — you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl

8. Cookies

SPALT uses a small number of essential cookies to keep you signed in and to remember your preferences. We do not use analytics cookies, tracking pixels, or advertising cookies. [Update this section if that ever changes.]

9. AI features

When you use the AI assistant features:

• The content you send to the AI (items, comments, prompts, attached files) is transmitted to Anthropic's Claude API for processing
• Anthropic's data handling policy applies — see anthropic.com/legal/privacy
• Voice recordings are transcribed via OpenAI's Whisper API and the audio is not retained beyond the transcription operation
• AI conversations are per-user and private — your teammates cannot see your AI chat history, and clients never see AI interactions at all

10. Changes to this policy

We'll update this policy as needed. If we make material changes, we'll notify you in the app and via email before they take effect. The Last updated date at the top reflects the most recent revision.

11. Contact

• Privacy questions: privacy@spalt.app
• General support: support@spalt.app
• Postal mail: [ADDRESS]

---

[End of stub. Replace every bracketed section with real content before public launch. Consider professional legal review for the Dutch/EU context.]