Plain-English summary
What your DPO actually needs to know.
- You are the controller, we are the processor for the data you put into SpotRivals on behalf of your business: account roster, competitor URLs, and the AI analyses generated from them. We only act on your instructions.
- Five sub-processors: Stripe, Anthropic, Resend, Sentry, and our hosting provider. Listed below with what each one touches. 30 days notice before any change.
- EU-first residency. Application, database, and backups in the EU. Transfers to the US are covered by Standard Contractual Clauses with each US-based sub-processor.
- Breach notification within 72 hours of becoming aware, with a follow-up incident report within 14 days.
- Click-through is enough. By using SpotRivals you accept this DPA. If you need a counter-signed PDF for procurement, email legal@spotrivals.com and we will turn one around within 5 business days.
This Data Processing Agreement (DPA) forms part of the agreement between you (Controller) and SpotRivals (Processor) for the SpotRivals service. It governs how SpotRivals processes personal data on your behalf in connection with that service. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails on data protection matters.
Parties
Processor: the besloten vennootschap (BV) trading as SpotRivals, KvK 77807049, registered in the Netherlands. Full entity identification is on the Legal information page.
Controller: the natural or legal person identified as the account owner in the SpotRivals dashboard, on whose behalf personal data is processed under this DPA.
Scope and roles
For personal data that you submit to SpotRivals or that SpotRivals processes on your behalf as part of providing the service, you are the Controller and SpotRivals is the Processor within the meaning of Articles 4(7) and 4(8) of the GDPR.
For personal data that SpotRivals collects directly from you and your end users about how you use the service (e.g. account creation, billing, login telemetry), SpotRivals is the Controller; that processing is governed by the Privacy policy, not this DPA.
Subject matter and duration
Subject matter: Provision of the SpotRivals competitor-monitoring service to the Controller.
Nature and purpose: Hosting the Controller’s account, monitoring the URLs the Controller adds, generating AI analyses of changes detected, and delivering the weekly digest and dashboard.
Duration: For as long as the Controller has an active SpotRivals account, plus the deletion windows in the return-and-deletion section.
Categories of data and data subjects
Data subjects whose personal data is processed under this DPA are limited to the Controller’s account owner, billing contact, and (on Pro plans) invited team members.
SpotRivals does not knowingly process personal data of the Controller’s competitors’ end users.
Categories of personal data:
- Identification and contact data: name, work email, display name, company name.
- Authentication data: hashed password, login session tokens.
- Billing data: limited Stripe metadata (last 4 digits of card, brand, country, billing address).
- Usage data: IP address, user-agent, action timestamps.
Special categories of data: None. SpotRivals is not designed to process special-category data and the Controller agrees not to submit any.
Processor obligations
SpotRivals will:
- Process personal data only on documented instructions from the Controller.
- Ensure that personnel authorised to process personal data have committed to confidentiality.
- Implement the technical and organisational measures described in the Security overview.
- Engage sub-processors only on the terms below.
- Assist the Controller in fulfilling data-subject rights under Articles 12-23 GDPR.
- Notify the Controller of personal-data breaches within 72 hours.
- Make available all information necessary to demonstrate compliance and allow audits.
Sub-processors
The Controller provides general authorisation for SpotRivals to engage the sub-processors listed below. SpotRivals will give at least 30 days prior notice of any addition or replacement, allowing the Controller to object on reasonable data-protection grounds.
| Sub-processor | What it does | Data touched | Region |
|---|---|---|---|
| Stripe (Stripe Payments Europe, Ltd.) | Subscription billing, card processing, invoicing, VAT IDs. | Email, name, billing address, card details (SpotRivals never sees the full card number). | EU, US |
| Anthropic (Anthropic PBC) | Claude AI analysis of detected page changes (zero-retention contract). | Public competitor page diff text. No account identifiers. Not retained for training. | US |
| Resend (Resend, Inc.) | Sending the weekly Monday digest, instant alerts, and transactional emails (login, receipts). | Email, display name, message body. | US |
| Sentry (Functional Software, Inc.) | Error monitoring: captures stack traces and request context when something breaks server-side. | IP address, user-agent, the URL where the error happened, optionally the user ID. No request bodies. | EU |
| Hetzner (Hetzner Online GmbH) | Application hosting, database, file storage, scheduled scrapers. Single VPS in the EU. | Everything in the Privacy policy categories: account, product, operational. | EU |
SpotRivals remains liable to the Controller for the acts and omissions of its sub-processors as if they were SpotRivals’ own.
International transfers
Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, SpotRivals relies on:
- EU Standard Contractual Clauses incorporated by reference between SpotRivals and each US-based sub-processor.
- EU-US Data Privacy Framework certifications held by Stripe, Resend, and Anthropic.
- UK Addendum to the EU SCCs, where the Controller is established in the United Kingdom.
The relevant SCC packs are available on request from legal@spotrivals.com.
Security measures
SpotRivals implements the technical and organisational measures described in the Security overview, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, daily backups with 35-day retention, monitoring via Sentry, and a documented incident-response plan.
Breach notification
In the event of a personal-data breach, SpotRivals will:
- Notify the Controller without undue delay and, in any event, within 72 hours of becoming aware.
- Provide an initial summary including the nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken.
- Provide a follow-up incident report within 14 days, including root cause and remediation.
- Reasonably cooperate with the Controller’s notifications to data subjects and supervisory authorities.
Audit rights
SpotRivals will make available to the Controller, on request, the information necessary to demonstrate compliance with this DPA. Where the Controller reasonably considers that this information is insufficient, the Controller may audit SpotRivals’ processing activities once per year on at least 30 days written notice, during normal business hours, at the Controller’s expense.
Return and deletion
On termination of the service, the Controller can export all personal data via Settings → Data → Export (JSON or CSV). At the Controller’s option, SpotRivals will return or delete the personal data, except where law requires further storage. On request, SpotRivals will provide written confirmation of deletion within 30 days of completion.
Need a counter-signed PDF?
Email legal@spotrivals.com with your entity name and signatory. Turnaround under 5 business days.