Privacy Policy
Last updated: [date]
This Privacy Policy explains how [Spondeo, Inc.] ("Spondeo," "we," "us," or "our") handles personal data in connection with the Spondeo website, the consumer affiliation-proof-link service, and the Spondeo developer API and related services (together, the "Service").
Spondeo is built as a privacy-by-design product. The short version is below; the rest of this policy gives the detail.
The short version — what we process, and what we do NOT
What we deliberately do NOT store:
- ❌ Raw email addresses. When you verify, your email is used transiently only to send a one-time
code and is held in keyed-hashed (HMAC'd) form for matching — never stored in plaintext.
- ❌ The institution. We do not store the school name or employer name behind your domain.
- ❌ Your name, date of birth, or any government identifier. We never ask for, receive, or store
these.
- ❌ Raw IP address or User-Agent. When a proof link is viewed, we derive only a coarse region and
device class locally, then discard the raw IP and User-Agent immediately.
- ❌ Identity documents / KYC. We do not perform document or biometric identity verification and
never custody such data.
What we DO process:
- ✅ A tier/status enum (e.g. "student," "accredited US university") — never the underlying
institution, email, or name.
- ✅ A keyed hash of your email (HMAC), used only to prevent abuse and link a credential to a
verification, and a transient one-time code during verification.
- ✅ A daily-salted viewer hash for proof-link analytics (so the same viewer can be counted once
per day without ever storing who they are), plus coarse region/device/referrer.
- ✅ Account data for registered users and developers: your account email, sessions, API keys
(stored hash-only), webhook configuration, and usage/metering counts.
- ✅ Announce-list email and consent record, if you opt in.
We do not sell personal information and do not use it for cross-site tracking or advertising.
1. Who we are
The data controller is [Spondeo, Inc.], [address]. For privacy questions or to exercise your rights, contact our privacy / data protection contact at [contact@…].
2. What we collect and why
2.1 Verification (consumer flow)
When a person verifies an affiliation:
- Email (transient + hashed): used only to send a 6-digit code and confirm control of the address.
The plaintext email is not persisted; a keyed HMAC is stored for matching and abuse prevention.
- Domain → tier classification: your email domain is classified against vendored, openly licensed
reference data into a tier/status enum. We store the enum, not the domain, school, or employer.
- Credential: the resulting SD-JWT credential is held in your browser (your private key never
leaves your device and is non-extractable). Our server cannot present on your behalf.
2.2 Proof links and analytics
When you mint a proof link and someone opens it, we log, per view: a timestamp, whether the view succeeded, a daily-salted viewer hash (sha256 of IP+User-Agent salted with a salt that rotates every day, so the value is not reversible and not stable across days), a coarse region, a device class, and a referrer domain. Raw IP and raw User-Agent are discarded and never stored in any column or log line.
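As an added illustration of the two hashing techniques described in 2.1 (keyed email hash) and 2.2 (daily-salted viewer hash), the Python below is example code written for this page, not Spondeo's own implementation. It assumes that the HMAC key and the viewer-salt key are secret server-side values (here constructed constants), that the daily salt is itself derived from that secret key and the calendar date, and that region lookup is a small constructed prefix table standing in for a local GeoIP database; the User-Agent device tokens are likewise an assumption. With those assumptions, the viewer hash is stable within a day and changes across days, and the per-view record never contains the raw IP or User-Agent.

```python
import hashlib
import hmac
from datetime import date
from urllib.parse import urlsplit

# Constructed secrets for this example; a real deployment would load them from
# the environment or a KMS and never write them to logs.
EMAIL_HMAC_KEY = b"example-email-hmac-key"
VIEWER_SALT_KEY = b"example-viewer-salt-key"

# Constructed prefix -> region table standing in for a local GeoIP lookup.
# The addresses are from the RFC 5737 documentation ranges.
REGION_PREFIXES = {"192.0.2.": "EU", "198.51.100.": "NA", "203.0.113.": "APAC"}


def email_hmac(email: str) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised email address.
    Only this value is kept for matching; the plaintext is used transiently."""
    normalised = email.strip().lower()
    return hmac.new(EMAIL_HMAC_KEY, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def daily_salt(day: date) -> bytes:
    """Derive the salt for one calendar day from the secret server key.
    It cannot be recomputed without the key, and it changes every day, so a
    viewer hash is not stable across days."""
    return hmac.new(VIEWER_SALT_KEY, day.isoformat().encode("ascii"), hashlib.sha256).digest()


def viewer_hash(ip: str, user_agent: str, day: date) -> str:
    """sha256(daily_salt || ip || 0x00 || user_agent): one value per viewer per day.
    The 0x00 separator keeps the ip/user_agent boundary unambiguous."""
    material = daily_salt(day) + ip.encode("utf-8") + b"\x00" + user_agent.encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def coarse_region(ip: str) -> str:
    """Coarse region only; the IP itself is not returned or stored."""
    for prefix, region in REGION_PREFIXES.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


def device_class(user_agent: str) -> str:
    """Collapse the User-Agent to a coarse class (assumed token list)."""
    ua = user_agent.lower()
    if any(token in ua for token in ("bot", "crawler", "spider")):
        return "bot"
    if any(token in ua for token in ("mobile", "android", "iphone")):
        return "mobile"
    return "desktop"


def referrer_domain(referrer):
    """Keep only the host of the Referer header, never its path or query string."""
    if not referrer:
        return None
    return urlsplit(referrer).hostname


def record_view(ip, user_agent, referrer, succeeded, day: date) -> dict:
    """Build the per-view log record. The raw IP and User-Agent are consumed
    here and do not appear anywhere in the returned record."""
    return {
        "day": day.isoformat(),
        "ok": succeeded,
        "viewer": viewer_hash(ip, user_agent, day),
        "region": coarse_region(ip),
        "device": device_class(user_agent),
        "referrer": referrer_domain(referrer),
    }


def unique_viewers_per_day(records) -> dict:
    """Count distinct viewer hashes per day for a link dashboard."""
    seen = {}
    for record in records:
        seen.setdefault(record["day"], set()).add(record["viewer"])
    return {day: len(hashes) for day, hashes in seen.items()}


if __name__ == "__main__":
    # Constructed sample views: the same viewer three times on day one, once on day two.
    ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
    day1, day2 = date(2024, 1, 1), date(2024, 1, 2)
    views = [
        record_view("192.0.2.10", ua, "https://example.edu/page?x=1", True, day1),
        record_view("192.0.2.10", ua, None, True, day1),
        record_view("192.0.2.10", ua, None, True, day1),
        record_view("192.0.2.10", ua, None, False, day2),
    ]
    print(views[0])
    print(unique_viewers_per_day(views))
```

The non-reversibility claim holds only while the salt key stays secret: IP plus User-Agent is a small enough space that anyone holding the key for a given day could test candidate values, so the key belongs with the other server secrets and not in the view log. Deriving the salt from the date rather than storing a fresh random salt per day means there is nothing to retain or rotate by hand, and the same design extends to any identifier that should be countable within a window but unlinkable across windows.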
2.3 Developer API
When you use the API, we process your account email, API keys (stored as hashes only — we cannot recover the secret), webhook endpoints and secrets, and usage/metering counts per account. Verification requests carry a presentation (vp_token) and a nonce; we process them to return { valid, claims, pid } and do not retain the underlying personal data they would otherwise reveal.
2.4 Account, billing, and support
- Account: email, authentication (magic-link) tokens, and sessions.
- Billing (paid plans): handled by our payment processor; we receive limited billing metadata
(e.g. plan, status, last-4) but do not store full card numbers.
- Support and announce list: the email you contact us from or opt in with, plus your message or
consent record.
3. Lawful bases (GDPR, where applicable)
- Consent (Art. 6(1)(a)): for verification you initiate and for the announce list (double opt-in).
- Contract (Art. 6(1)(b)): to provide the Service to account holders and process billing.
- Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse and fraud, meter usage,
and produce coarse, privacy-preserving analytics — balanced against your rights by our minimization design (no raw PII).
We do not knowingly process special-category data. We do not perform solely-automated decisions that produce legal or similarly significant effects on a person within the meaning of Art. 22; the Service returns a tier/status enum that you decide how to use.
4. California privacy (CCPA/CPRA)
If you are a California resident: we do not sell, and have not sold, your personal information, and we do not "share" it for cross-context behavioral advertising. You have the right to know, delete, and correct your personal information, and to be free from discrimination for exercising these rights. To exercise them, use the self-serve deletion flow or contact [contact@…].
5. Retention
- Email plaintext: not retained (used transiently for the code only). The keyed email hash and
one-time codes are short-lived and used only for matching/abuse prevention.
- Credentials: held in your browser; the server-side credential record carries no claim values and
is subject to the credential TTL (default 90-day expiry) and revocation.
- Proof-view log: retained to power your link dashboard; contains only the daily-salted viewer hash
and coarse fields, never raw IP/UA.
- Account, API keys, usage, webhook config: retained while your account is active and for a limited
period afterward as needed for billing, security, and legal compliance, then deleted.
- Announce list: retained until you unsubscribe.
When you delete your account (Section 7), associated data is purged.
6. Your rights
Subject to applicable law (including GDPR Arts. 15–22 and the CCPA/CPRA), you may:
- Access the personal data we hold about you and obtain a copy;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing;
- Port your data where applicable;
- Withdraw consent at any time (without affecting prior processing);
- Opt out of any sale/share (not applicable — we do not sell or share);
- Lodge a complaint with your supervisory authority.
You can delete your account and its data yourself, at any time, via /account/delete. For other requests, contact [contact@…]; we will respond within the time required by law (generally within one month under GDPR; 45 days under the CCPA). Because we store little personal data and no raw PII, some requests (e.g. "tell me my stored email/school") have no underlying data to return — that is by design.
7. Account deletion
You may delete your account at any time through the self-serve /account/delete flow, which purges your account and its associated data (links, credentials, API keys, webhooks, usage records). You can also email [contact@…]; we will verify ownership and complete the deletion.
8. International transfers and sub-processors
We are based in [jurisdiction] and may process data in countries other than yours. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers.
We use a small set of sub-processors to operate the Service:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| [SMTP / email provider] | Sending verification codes, magic-link logins, announce-list and support email | Recipient email address (transient), message content |
| [Hosting / infrastructure provider] | Running the Service | Request data in transit; no raw PII at rest by design |
| [Stripe] (paid plans only) | Payment processing and subscription/metered billing | Billing email and payment metadata (handled by Stripe; we do not store card numbers) |
We also use vendored, openly licensed reference data (e.g. university-domain lists and free/disposable-email lists under MIT/ISC/CC0/US-public-domain licenses) to classify organization domains locally. This reference data is static and contains no personal data about you.
We will keep this list current as our sub-processors change.
9. Cookies and tracking
- For logged-in accounts, we set a single first-party session cookie that is strictly necessary
to keep you signed in. That's it.
- For proof-link viewers, we set no cookies and perform no cross-site tracking. We do not
use advertising or analytics trackers, fingerprinting, or third-party pixels.
Because we use only a strictly necessary session cookie and no tracking technologies, no cookie consent banner is required in most jurisdictions. This minimal use is itself a privacy feature.
10. Children
The Service is not directed to children under 13, and we do not knowingly collect personal data from them. The consumer verification flow is intended for users aged 13 and over. If you believe a child has provided us personal data, contact [contact@…] and we will delete it.
11. Security and breach notification
We protect data with measures appropriate to its sensitivity, including HTTPS in transit, hash-only storage of API keys, keyed-hashing of emails, and our no-raw-PII server design. No system is perfectly secure. If a breach affecting personal data occurs, we will notify the relevant supervisory authority within 72 hours of becoming aware where required by GDPR, and affected individuals without undue delay, in line with applicable law.
12. Changes to this policy
We may update this policy. For material changes we will provide reasonable notice (e.g. by email to account holders and/or a notice on the site) before they take effect.
13. Contact
Privacy questions or data-rights requests: [contact@…], [Spondeo, Inc.], [address].