Privacy Policy
Last updated: april 13 2026
⚠️ This is a STUB. The content below is a structural skeleton, not a finished legal document. Replace every section with actual policy content before public launch. Consider using an EU SaaS template, iubenda, Termly, or a Dutch legal professional.
1. Who we are
SPALT is a service provided by Restruct web & apps, registered in the Netherlands under KvK number 24452058. Our registered address is Oude Singel 14 Leiden NL. For privacy questions, contact us at privacy@spalt.app or write to the address above.
2. What data we collect
When you use SPALT, we collect:
- Account information: your name, email address, and password (stored as a one-way hash)
- Organization content: the projects, items, documents, comments, and files you create or upload
- Usage data: we do not use analytics, tracking pixels, or any third-party monitoring tools. We do collect standard server logs (IP address, request timestamps, browser user agent) as part of normal web server operation, and an in-app activity log that records which user created, updated, or completed items and when (this is a product feature visible to you, not hidden tracking). Error logs are collected for debugging purposes.
- Billing data: subscription state, plan, and invoice metadata (payment details themselves are handled by Mollie — we never see your card)
- Communication: emails you send us for support, bug reports, or feedback
3. Why we process your data
- To provide the service you signed up for (contractual necessity, GDPR Article 6(1)(b))
- To process payments and issue invoices (legal obligation + contractual necessity)
- To send transactional emails — account verification, trial reminders, billing confirmations, notifications you've enabled (contractual necessity)
- To improve the service based on usage patterns (legitimate interest)
- To comply with Dutch tax law (legal obligation — 7-year retention of invoice records)
4. Who we share your data with
We use these third-party processors:
- Mollie — payment processing (your card details go to Mollie, never to us)
- Moneybird — invoicing and accounting (retains billing contact information per Dutch tax law)
- Resend — transactional email delivery
- Anthropic (Claude API) — AI assistant features, if you use them. Only the content you explicitly send to the AI is shared. See section 9.
- OpenAI (Whisper API) — voice transcription, if you use the voice recording features. Audio is sent for transcription and not retained by OpenAI beyond processing.
- Hetzner — infrastructure. The servers that run SPALT are hosted by Hetzner Online in Germany.
We do not sell your data, share it with advertising networks, or use it for profiling.
5. Where your data is stored
SPALT's servers are located in Germany. Backups are stored in Germany. Some sub-processors (Anthropic, OpenAI) operate in the United States — when you use those features, the relevant content is transferred internationally under the Standard Contractual Clauses.
6. How long we keep it
- Active account data: as long as your organization is active
- Deleted organization: the content is permanently deleted after a 30-day grace period. A compressed backup is retained for 90 days after deletion, then also deleted.
- Invoice records: retained for 7 years in Moneybird per Dutch tax law (Art. 52 AWR)
- Support emails: retained for 1 year then deleted
7. Your rights under GDPR
You have the right to:
- Access your data (download a full export from Settings → Data)
- Rectify inaccurate data (edit directly in the app, or email us)
- Erasure — delete your organization from Settings → Billing → Danger Zone (30-day grace, then permanent)
- Portability — the data export includes a lossless JSON file, Trello-compatible JSON, and markdown files you can import anywhere
- Restriction and objection — email us at privacy@spalt.app to restrict processing
- Complain — you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl
8. Cookies
SPALT uses a small number of essential cookies to keep you signed in and to remember your preferences. We do not currently use analytics cookies, tracking pixels, or advertising cookies.
9. AI features
When you use the AI assistant features:
- The content you send to the AI (items, comments, prompts, attached files) is transmitted to Anthropic's Claude API for processing
- Anthropic's data handling policy applies — see anthropic.com/legal/privacy
- Voice recordings are transcribed via OpenAI's Whisper API and the audio is not retained beyond the transcription operation
- AI conversations are per-user and private — your teammates cannot see your AI chat history, and clients never see AI interactions at all
10. Changes to this policy
We'll update this policy as needed. If we make material changes, we'll notify you in the app and via email before they take effect. The Last updated date at the top reflects the most recent revision.
11. Contact
- Privacy questions: privacy@spalt.app
- General support: support@spalt.app
- Postal mail: SPALT by Restruct, Oude Singel 14, 2312RA Leiden NL