GDPR

LAST UPDATED: 02-08-2024

The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This page describes the GDPR compliance status of Spotzee.

If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Spotzee) are also GDPR compliant. Spotzee is GDPR-compliant, and strictly enforces the regulation as to protect the user data we store. The list of our providers (ie. Data Processors) is available, and kept up to date, in our Data Processing Agreement (DPA).

Are you looking for a Data Processing Agreement (DPA)? Read how to sign a DPA between your company and Spotzee.

Spotzee and GDPR

The GDPR regulation can be reduced to 12 important points. For each point, we explain how Spotzee handles its compliance. If we did not answer your questions in this article, you can still contact us and drop us a chat or email.

Also, please note that all Spotzee data processor providers have been checked to be all GDPR-compliant (Cloudflare, DigitalOcean, Stripe). See the DPA we provide for a full list of our providers.

Spotzee is based in Australia and New Zealand. All Spotzee data is held on servers hosted in the European Union. Our data is stored in The Netherlands and in Germany. Servers are hosted by DigitalOcean (with a subsidiary in the EU subject to EU law).

We use relay servers outside EU to reduce latency for users connecting for terminals far from our EU servers. Those servers do not store any data except connection logs (IP address, date of connection, user-agent and source website). Those relay servers are hosted in The United States of America, United Kingdom and Singapore. We do not plan to store data outside the EU in the future.

1. Awareness

All employees responsible of software development & infrastructure maintenance of Jonah and Associates Pty Ltd, an Australian Incorporated company (the owner company of Spotzee) are fully aware of the GDPR requirements.

Also, code reviews are performed by the Data Protection Officers (as listed in this article), before any code deployment to the platform. This ensures security breaches and bad practices are not implemented by eg. a third party temporary contractor or a Spotzee employee, even if aware of GDPR requirements (this plays as a double human safety check). You can check more about how we manage Spotzee security internally.

2. Information we hold

Spotzee stores data on 2 kinds of parties:

  • Our customers (ie. the marketers using the Spotzee Dashboard and its functionality)
  • Our customers end-users (ie. the users of our customers)
Spotzee does not share, or resell, any kind of user data (whether data described in point 1 or 2 above). The data is not used for advertising (both 1 and 2) or analytics (on 2). Our business model is solely based on paid subscriptions (ie. the user is not the product).

2.1. Information held on our users

Spotzee collects account information for each user (we refer to them as customers in this article), including:

  • User first and last name, and profile picture
  • User payment details (includes invoicing information, eg. company address and country — the credit card number is stored by Stripe)
We don’t log user activity, except for system logs including IP, user agents and time of connection. They are solely used for debugging and lawful purpose and retained maximum 1 year.

2.2. Information held on our users’ end-users

Information held on our users’ end-users include:

  • End-user email address
  • End-user phone number
  • End-user marketing campaigns sent/received
  • End-user last activity date and time
  • End-user profile information (resolved from public data shared by end-user on the Internet, see notice below)
  • End-user custom-field data (uploaded by customer with claimed consent provided by the end-user)
Spotzee resolves end-user identity information (first and last name, avatar, company) from external APIs. Those external APIs source this data from public information that the end-user consented to share on a third-party service (eg. on social networks such as LinkedIn or X). This end-user identity information is stored on Spotzee services, for as long as the Spotzee customer wishes them to be stored in their Spotzee CRM database. The service used to discover such user information is owned and operated by Spotzee.

The information help on our users’ end-users is solely the responsibility of our users (ie. the individual customer accounts using Spotzee). It is the responsibility of our users to manage the data they hold in their Spotzee CRM, ie. to remove sensitive data if someone may happen to share it with them (eg. Social Security Numbers, etc.). It is our responsibility to secure access to this data (ie. only website operators can access it and have a right to rectification and deletion).

3. Communicating privacy information

Spotzee customers and users privacy terms are clearly communicated in our Privacy information. Spotzee customers end-users privacy terms are the sole responsibility of Spotzee customers. They should be announced on Spotzee customers website.

4. Individuals’ rights

Spotzee customers rights regarding to GDPR are considered and enforced, including:

  • Right to be informed: we clearly inform our users about the use that will be made of their data
  • Right of access: our users can access all their data, without restriction, from the Spotzee apps
  • Right of rectification: it’s as simple as contacting us, we’ll process all your rectification queries
  • Right of erasure: it’s as simple as contacting us, we’ll process all your erasure queries
  • Right to restrict processing: we don’t process the data of our customers (and our customers end-users)
  • Right to data portability: our users may contact us anytime if they wish to get an export of their data (this may take time, however, as the data is fragmented amongst multiple isolated data-stores)
  • Right to object: we handle all requests on this matter from our users and users’ end-users (contact us)
  • Right not to be subject to automated decision-making including profiling: we don’t do that (and never will)

5. Subject access requests

Spotzee replies to all access requests (positively or negatively) under 2 week (the legal limit from GDPR is 1 month). We offer this free of charge for our customers (paid and free).

6. Lawful basis for processing personal data

Spotzee stores user data involving a consent (ie. a conversation both parties entered by will, and exchanged eg. emails).

It is the Spotzee customers responsibility to ensure user data is lawfully collected in the event they use our software features (Eg. CRM). For instance, if the emails that get collected from the Spotzee forms gets re-used for marketing campaign purposes either on Spotzee or an external system, the Spotzee customer has to ask for user consent upon collecting this email.

Consent is provided by our users explicitly when proceeding an action or task (eg. when they provide user data). Spotzee data must have been provided by the customer user in a consented way, as it will get propagated to Spotzee in an automatic way (if the customer implemented such API in their source code).

8. Children

Spotzee does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we do not identify it as relevant to control the age of users signing up for services. Children might still be able to use the Spotzee subscription services, from the website or apps of a Spotzee customer. To this extent, the Spotzee customer is responsible for checking against their own users and activities regarding children regulations.

9. Data breaches

Our team closely monitors any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface on our systems and services. In last few years, Spotzee has had 0 major security issues, with only a few minor ones, which we fixed the same day they were reported (those would not have allowed a hack or data breach).

Security researchers and users can submit a security report to the following email address (security@spotzee.com), for which we process reports in the same day. We also distribute bounties for valid security flaws that are reported to us. We already distributed such bounties to independent security researchers who reached to us and disclosed minor security flaws in a responsible way (ie. report was GPG/PGP-encrypted and not publicly disclosed before a fix was issued).

Here are a few measures we took to reduce any attack surface:

  • Aggressive use of firewalls and network isolation in our infrastructure
  • No access to our server systems is allowed from the public Internet, trusted administrators from the Spotzee team need to connect via a trusted VPN network
  • We monitor any security flaw in any library we may use in our running backends, and patch them as soon as an update is issued
  • Use of 2-Factor-Authentication on all our sensitive accounts (eg. hosting provider, etc.)
  • Isolate data stores and sensitive backends on different servers
  • All platform backups are GPG/PGP-encrypted and stored privately, retained for a maximum of 1 week

The points listed above help reduce the probability of a major data breach occurring. You can read more on how Spotzee manages security there.

Spotzee will notify their users of any data breach, 24h maximum after knowing about it and fixing the flaw. It is then the responsibility of our users to report this data-breach to their end-users in due time.

10. Data Protection by Design and Data Protection Impact Assessments

Whenever Spotzee develops a new system, security comes as a first when designing the architecture of such a system. Our first goal is to protect the integrity of the new production system, and second goal to protect the user data that’s being stored and used by that system. Spotzee developers are well educated to software and network security, which helped us build a secure by design software over time.

11. Data Protection Officers

Spotzee designated a Data Protection Officer, as required by GDPR:

Prabath Ariyapala
Role: Head of Customer Success
Email: dpo@spotzee.com
Location: One Melbourne Quarter, Level 8/699 Collins St, Docklands VIC - 3008, Australia

Note that, even as the DPO, Prabath is not answering to GDPR questions directly. Someone from our support team will answer to all your GDPR-related questions.

12. International

Spotzee may, via its users, processes data from individuals from all over EU member states. Spotzee main establishment is in Australia but its supervisory authority is based in Ireland. Spotzee is operated by Jonah and Associates Pty Ltd, an Australian private company, identified as:

Address: Jonah and Associates Pty Ltd, Level 8/699 Collins St, Docklands VIC - 3008, Australia
Email: contact@spotzee.com
Phone: +61742777773