
Personal Data

Effective date: January 1, 2025

This page explains what personal data Spakto holds about you, the legal basis for holding it, how long we keep it, and how you can exercise your rights under the General Data Protection Regulation (GDPR) and applicable data protection law.

1. What Personal Data We Hold

  • Identity data — first name, last name, username or similar identifier.
  • Contact data — email address, telephone number, postal address.
  • Account data — login credentials (stored as hashed passwords), account preferences, subscription tier.
  • Technical data — IP address, browser type and version, device type, operating system, referring URLs, pages visited, time and date of access.
  • Usage data — information about how you use our platform, features accessed, and interactions with our services.
  • Communications data — messages you send us via contact forms, support tickets, or email.
  • Job applicant data — CV/resume, cover letter, employment history, qualifications, and interview notes (if you apply for a role at Spakto).
  • Payment data — billing address, last four digits of card. Full card numbers are processed by our payment provider (Stripe) and are never stored by Spakto.

2. Why We Hold Your Data (Legal Basis)

  • Contract performance — to provide, manage, and support the services you have contracted with us.
  • Legal obligation — to comply with applicable laws including tax, accounting, and anti-money-laundering requirements.
  • Legitimate interests — to improve our platform, prevent fraud, and maintain security of our systems.
  • Consent — to send you marketing communications and use non-essential cookies. You may withdraw consent at any time.

3. How Long We Keep Your Data

  • Account data — retained for the duration of your account plus 2 years after closure for legal and audit purposes.
  • Transaction records — 7 years to comply with financial record-keeping requirements.
  • Support and communications — 3 years from the date of last contact.
  • Job applicant data — 6 months after the recruitment process concludes (unless you consent to longer retention for future roles).
  • Technical / log data — 90 days for security monitoring purposes.
  • Marketing data — until you withdraw consent or unsubscribe.

4. Who We Share Your Data With

  • Service providers — cloud hosting (AWS), payment processing (Stripe), email delivery (SendGrid), analytics (Google Analytics). All bound by data processing agreements.
  • Professional advisors — lawyers, auditors, insurers who require access under confidentiality obligations.
  • Regulators and law enforcement — when required by applicable law or a court order.
  • Business transfers — in connection with a merger, acquisition, or sale of assets, subject to standard confidentiality protections.
  • We never sell your personal data to third parties.

5. International Transfers

Some of our service providers are located outside the European Economic Area (EEA). When we transfer personal data internationally, we rely on the European Commission's Standard Contractual Clauses or adequacy decisions to ensure an equivalent level of protection.

6. Your Rights Under GDPR

  • Right of access — request a copy of the personal data we hold about you (Subject Access Request).
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure ('right to be forgotten') — request deletion of your data where there is no compelling reason for us to continue holding it.
  • Right to restrict processing — ask us to pause processing of your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format and transfer it to another controller.
  • Right to object — object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making — we do not make solely automated decisions with significant effects on individuals.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

7. How to Exercise Your Rights

Submit a request by emailing privacy@spakto.com with the subject line 'Data Subject Request'. Please include your name, the email address registered with Spakto, and the specific right you wish to exercise. We will respond within 30 days. We may request proof of identity before processing your request.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, or destruction. These include AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls, multi-factor authentication for staff, and regular penetration testing.

9. Complaints

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with your local data protection supervisory authority. In India, this is the Data Protection Board of India. In the EU/UK, contact your national supervisory authority (e.g. ICO in the UK, CNIL in France). We would appreciate the opportunity to address your concerns directly first — please contact privacy@spakto.com.

10. Contact Our Data Protection Officer

For any questions about your personal data, contact our Data Protection Officer: privacy@spakto.com | Spakto Technologies, Legal & Compliance Team, Bengaluru, Karnataka, India.
