Legal

Privacy Policy

Last updated: July 4, 2026. This policy explains what personal data we process when you use SpotPeaks, why, and the rights you have under the GDPR.

1. Who is responsible

The data controller is SpotPeaks, a sole proprietorship registered in Denmark. Contact: hello@spotpeaks.com. For anything in this policy, including exercising your rights, that address is the way to reach us.

2. What we collect and why

Account data. When you create an account we process your email address, a hashed password, and the name you optionally provide. Legal basis: performance of our contract with you. Without this we cannot provide the service.

Product data you create. Your launches, saved products, settings, and store connection details (for example a Shopify token you add) are processed to provide the features you use. Legal basis: contract. Store credentials are used only to perform the actions you trigger, such as pushing a product you created.

Billing data. Payments are processed by Stripe. We receive your subscription status and invoice-level information, but we never see or store your full card number. Legal basis: contract and our legal obligations (bookkeeping and tax rules require us to keep transaction records). Stripe acts as its own controller for parts of payment processing; see Stripe’s privacy policy.

Usage analytics. We use first-party, cookieless page analytics (an anonymous events table we run ourselves) and Vercel Web Analytics, which is also cookieless and does not track you across sites. We use this to understand which pages are used and to improve the product. Legal basis: legitimate interest in understanding and improving our own service.

Newsletter. If you subscribe to the weekly email, we process your email address to send it. Legal basis: consent, which you can withdraw at any time with the unsubscribe link in every email or by writing to us.

Feedback and support. If you send feedback through the in-app widget or email us, we process what you write, the page it was sent from, and your email if you include it, in order to respond and improve the product. Legal basis: legitimate interest.

AI features. When you use AI features (for example the validation verdict or launch kit), the inputs needed for that feature are sent to our AI provider, Anthropic, to generate the result. We do not send more than the feature needs. Legal basis: contract.

3. Local storage on your device

SpotPeaks stores functional data in your browser’s local storage: your theme choice, recently viewed products, and drafts of your launches. This stays on your device, is not used for advertising, and is not shared with third parties. We do not use advertising cookies or cross-site tracking.

4. Who processes data for us

We use a small set of processors to run SpotPeaks: Supabase (database and authentication), Vercel (hosting and cookieless analytics), Stripe (payments), Anthropic (AI features), Cloudflare (DNS and media storage), and Zoho (email). Some of these providers are based in or process data in the United States; where that happens, transfers are covered by the EU-US Data Privacy Framework or EU standard contractual clauses. We do not sell personal data, and we do not share it with anyone for advertising.

5. How long we keep data

Account data is kept while your account exists and deleted or anonymized when you delete your account, except where the law requires longer retention (Danish bookkeeping rules require keeping transaction records for 5 years). Newsletter addresses are kept until you unsubscribe. Anonymous analytics events carry no identity to delete. Feedback is kept as long as it is useful for improving the product.

6. Your rights

Under the GDPR you can ask us for access to your data, correction, deletion, restriction of processing, a portable copy, and you can object to processing based on legitimate interest. Where processing is based on consent, you can withdraw it at any time without affecting past processing. Write to hello@spotpeaks.com and we will respond within a month. You also have the right to complain to a supervisory authority; in Denmark that is Datatilsynet (datatilsynet.dk), or the authority in your own EU country.

7. Children

SpotPeaks is a business tool and is not directed at children. You must be at least 18 to create an account, and we do not knowingly process children’s data.

8. Changes to this policy

If we change this policy in a material way, we will give notice in the app or by email before the change takes effect. The date at the top always shows the current version.

9. Contact

Privacy questions and rights requests: hello@spotpeaks.com. See also our Terms of Service.