Spyral — Privacy Policy (EU/EEA)
Version 1.8.0 | Last Updated: February 2026
This Privacy Policy explains how Spyral (“Spyral”, “we”, “us”) collects, uses, discloses and protects personal data when providing the Spyral knowledge management platform and related services to consulting firms.
Who We Are and How to Contact Us
Company Information
- Legal Name: Spyral
- Registered Office: Rotterdam, Netherlands
- Type: AI-powered, cloud-based, multi-tenant SaaS platform for consulting firms
Privacy and Data Protection Contacts
- General: frank@spyral.nl
- Security: arber@spyral.nl
Lead Supervisory Authority in The Netherlands (Data Protection Authority)
- Name: Autoriteit Persoonsgegevens (Dutch DPA)
- Address: Postbus 93374, 2509 AJ Den Haag, Netherlands
- Website: autoriteitpersoonsgegevens.nl
- Phone: +31 (0)70 888 85 00
Scope and Role Under GDPR
This Privacy Policy applies to:
- Visitors to www.spyral.nl and related websites
- Representatives, employees, contractors and end-users of Spyral's business customers who access the platform
- Other individuals who contact Spyral by email, support channels, or whose personal data are processed in connection with our services
Spyral's Role Under GDPR
- As Data Processor: For the core Spyral platform, Spyral acts as a data processor, processing personal data on documented instructions from consulting firms (the data controllers) who are responsible for their own employee, contractor, and client data.
- As Data Controller: For website analytics, marketing communications, sales inquiries, support records, vendor management and security purposes, Spyral acts as an independent data controller.
Categories of Personal Data Processed
Depending on how you interact with Spyral, we may process the following categories of personal data:
1. Account and Identification Data (Platform Users)
- Name, business email address, business phone number
- Firm name, office location, job title, role (e.g., junior consultant, senior consultant, project manager, partner)
- Authentication data (hashed password), role-based permissions and project memberships
- User profile preferences and settings
2. Usage and Log Data
- Login times, session identifiers, IP address, device/browser information, language preferences
- Actions performed in the platform (searches, document views, content generation), with timestamps and technical metadata
- Error logs and debugging information for troubleshooting
- Performance metrics and usage patterns (aggregated)
3. Customer Content and Documents (Knowledge Base)
- Documents, presentations, spreadsheets, notes, emails and other content uploaded or integrated by the customer's firm
- Such documents may contain personal data about employees, contractors, clients and other individuals
- AI-generated metadata: summaries, classifications, citations and other derived insights linked to source documents
- Query transcripts and interaction logs (limited retention)
4. Google Drive Data (via Google API Integration)
When a customer connects their Google Drive account to Spyral via Google OAuth, Spyral accesses and processes the following Google user data through the Google Drive API:
- File content: The content of documents, spreadsheets, presentations, and other files stored in the customer's Google Drive that are selected for synchronisation with Spyral's knowledge base
- File metadata: File names, file types, creation dates, modification dates, file sizes, and folder structure
- Sharing permissions: Information about who has access to files within the customer's Google Drive, used to enforce access control within Spyral
- User profile information: Basic Google account information (name, email address) obtained during the OAuth authentication process, used solely for account linking and identity verification
Spyral accesses only the minimum Google Drive data necessary to provide its knowledge management features. Customers control which files and folders are synchronised with Spyral.
5. Support, Training and Communication Data
- Content of support requests sent to frank@spyral.nl
- Records of issues raised, resolutions provided, training attendance and feedback
- Ticketing system data and communication history
6. Website and Cookie Data
- Standard server logs and security logs for www.spyral.nl
- Basic analytics about visits, page views and referrers
- Non-essential cookies and similar tracking technologies (only with prior consent, per ePrivacy rules and GDPR)
7. Marketing and Business Development Data
- Contact information of prospective customers and partners
- Engagement data (emails opened, content downloads, webinar attendance)
- Feedback and communication preferences
Special Categories of Personal Data
Spyral does not intend to process special category data (such as health information, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation) in the normal course of business. Customers are contractually instructed not to upload or use the platform for storing such sensitive data unless expressly permitted and warranted by law. If such data are inadvertently processed, Spyral will apply enhanced safeguards to that data; the customer, as controller, remains responsible for ensuring that one of the conditions in GDPR Article 9(2) applies to the processing.
Google API Services — Data Collection, Use, and Disclosure
Google Drive Integration Overview
Spyral integrates with Google Drive to allow consulting firms to synchronise their existing Google Drive documents with Spyral's AI-powered knowledge management platform. This integration uses the Google Drive API and requires users to authenticate via Google OAuth 2.0.
Google API Scopes Requested
Spyral requests the following Google API scopes during the OAuth consent process:
- https://www.googleapis.com/auth/drive.readonly — Used to read and synchronise file content and metadata from the customer's Google Drive into Spyral's knowledge base. This scope is necessary because Spyral needs to access existing files across the customer's Drive to populate the knowledge management system, rather than only files created through Spyral.
- https://www.googleapis.com/auth/userinfo.email — Used to identify the authenticated user's email address for account linking and access control purposes.
- https://www.googleapis.com/auth/userinfo.profile — Used to retrieve the user's name for display within the Spyral platform.
Spyral requests only the minimum scopes necessary to provide its knowledge management features. Spyral does not request write access to Google Drive.
How Spyral Uses Google Drive Data
Google Drive data accessed through the Google API is used exclusively for the following Spyral platform features:
- Knowledge Retrieval: File content and metadata are indexed to enable users to search and surface relevant past projects, methodologies, and insights from their firm's knowledge base.
- Document Intelligence: File content is processed by Spyral's AI models to analyse and synthesise consulting deliverables, extract key information, and identify patterns across documents.
- Project Onboarding: File content is used to guide new consultants through project context, enabling them to get up to speed on projects quickly.
- Duplicate Prevention: File metadata and content are compared against existing knowledge base entries to identify existing work before new analysis begins.
- Content Generation: File content provides context for Spyral's AI-assisted content creation features, including generating presentations, reports, and summaries grounded in the firm's own data.
Google Drive data is not used for any purpose other than providing and improving the user-facing features described above.
Google API Services User Data Policy Compliance
Spyral's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Limited Use Requirements
In compliance with Google's Limited Use requirements, Spyral adheres to the following restrictions regarding Google user data:
- 1. Limited to user-facing features: Spyral uses Google Drive data only to provide and improve user-facing features that are prominent in Spyral's platform interface (knowledge retrieval, document intelligence, content generation, project onboarding, and duplicate prevention).
- 2. No unauthorised transfers: Spyral does not transfer Google user data to third parties except: (a) as necessary to provide or improve user-facing features with user consent; (b) for security purposes (e.g., investigating abuse); (c) to comply with applicable laws; or (d) as part of a merger, acquisition, or asset sale, with explicit prior user consent.
- 3. No human access without consent: Spyral does not allow humans to read Google user data unless: (a) the user has affirmatively agreed to view specific content; (b) it is necessary for security purposes (e.g., investigating abuse); (c) it is required to comply with applicable law; or (d) the data is aggregated and anonymised for internal operations.
- 4. Binding on all parties: All employees, agents, contractors, and successors of Spyral are bound by these Limited Use requirements.
Explicit Prohibitions Regarding Google User Data
Spyral explicitly does not:
- Sell Google user data to any third party
- Use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising
- Use Google user data to determine credit-worthiness or for lending purposes
- Provide Google user data to data brokers or information resellers
- Use Google user data to build user profiles for advertising or marketing purposes unrelated to Spyral's core knowledge management features
- Use Google user data to train general-purpose AI or machine learning models (Spyral's AI models are fine-tuned only on non-customer, de-identified datasets in a separate, air-gapped environment — see ‘AI Processing’ section below)
Google Drive Data Sharing
Google Drive data accessed through the Google API is processed exclusively within Spyral's own secure infrastructure. Specifically:
- Google Drive file content is processed by Spyral's in-house, self-hosted AI models. No Google user data is sent to third-party AI providers (e.g., OpenAI, Anthropic, Google AI).
- Google Drive data is stored in Spyral's EU-hosted databases (Frankfurt, Germany) with the same multi-tenant isolation, encryption, and access controls applied to all customer data.
- Google Drive data may be processed by Spyral's infrastructure sub-processors (cloud hosting providers) solely for the purpose of hosting and delivering the Spyral platform. These sub-processors are bound by Data Processing Agreements and are located within the EU.
- Google Drive data is not shared with any other third parties, advertising networks, data brokers, or analytics providers.
Google Drive Data Retention and Deletion
Google Drive data synchronised to Spyral is retained for as long as the customer's Google Drive integration remains active and the customer's subscription is in force.
Revoking Google Drive Access
Users and firm administrators can disconnect Spyral's Google Drive integration at any time through:
- The Spyral platform: Navigate to Settings > Integrations > Google Drive > Disconnect
- Google's security settings: Visit myaccount.google.com/permissions and remove Spyral's access
Upon revocation of Google Drive access:
- Spyral's OAuth tokens for the user's Google account are immediately invalidated and deleted
- Google Drive file content previously synchronised to Spyral is deleted from active systems within 24 hours
- Google Drive data is removed from backup systems within 30 days
- AI-generated metadata derived from Google Drive content (summaries, classifications, citations) is deleted alongside the source content
Users may also request deletion of specific Google-sourced content at any time by contacting frank@spyral.nl.
User Help Documentation
Spyral provides documentation within the platform and on www.spyral.nl explaining how users can:
- View which Google Drive files are synchronised with Spyral
- Disconnect their Google Drive integration
- Request deletion of Google-sourced data
- Revoke Spyral's access via Google's security settings (myaccount.google.com/permissions)
Purposes and Legal Bases
Spyral processes personal data only for specified, explicit and legitimate purposes and does not further process them in a manner incompatible with those purposes (GDPR Article 5(1)(b)).
1. Provision of the Spyral Platform (Processor Role)
Purpose: To provide, operate, maintain and support the AI-powered knowledge management platform, including core features such as:
- Knowledge retrieval from the firm's knowledge base
- Document intelligence and analysis
- Project onboarding automation
- Duplicate work prevention
- Methodology guidance from past projects
- AI-assisted content creation (emails, summaries, outlines)
- Synchronisation and indexing of files from connected third-party services, including Google Drive
Legal Basis: Performance of the service contract with the customer (controller) and the controller's documented legitimate interests in efficient knowledge management and operational efficiency; Spyral acts under the customer's lawful instructions as processor.
2. User Account Management and Access Control
Purpose: Creating and managing user accounts, enforcing multi-tenant isolation, applying role-based access control (firm-wide, project team, restricted, personal levels), and enabling security controls (optional MFA, session management).
Legal Basis: Legitimate interests in secure and reliable operation of the service; performance of contract with the customer.
3. Support, Incident Handling and Service Communications
Purpose: Responding to support requests, incident notifications, security alerts, platform updates, service announcements, training materials, and customer inquiries.
Legal Basis: Legitimate interests in providing high-quality customer support; performance of contract where applicable.
4. Sales, Marketing and Business Development
Purpose: Communicating with prospective customers about pilot programs, product demos, free trials, subscription plans, and service features; sending marketing communications to business contacts; understanding market needs.
Legal Basis: Legitimate interests in growing the business and acquiring customers, balanced against reasonable expectations of recipients; consent where required under law (e.g., email marketing).
Opt-Out: Individuals can opt out of non-essential marketing communications at any time using unsubscribe links in emails or by contacting frank@spyral.nl
5. Website Operation, Security and Analytics
Purpose: Operating and maintaining websites (www.spyral.nl), monitoring availability, preventing fraud and abuse, detecting and responding to security threats, improving website performance and user experience.
Legal Basis: Legitimate interests in ensuring network and information security and operational reliability, subject to privacy-protective safeguards; consent for non-essential cookies and similar tracking technologies.
6. Legal, Compliance and Risk Management
Purpose: Complying with legal obligations (tax, accounting, data protection, anti-money laundering laws), handling disputes and legal claims, conducting audits, and demonstrating GDPR accountability through documentation.
Legal Basis: Compliance with legal obligations; legitimate interests in establishing, exercising or defending legal claims; ensuring regulatory compliance.
Note: Spyral does not rely on consent as the primary legal basis for core platform processing performed as a processor on behalf of its customers.
Database Security and Data Isolation Architecture
Spyral's platform architecture is built on a foundation of strict multi-tenant isolation at the database level, ensuring that customer data is protected through multiple overlapping security boundaries.
Multi-Tenant Database Isolation
Spyral uses a multi-tenant architecture with firm-level data isolation implemented through:
- Database-Level Partitioning: Each consulting firm's data is logically separated using database partitioning or separate schemas, ensuring that one firm's data is stored separately from all other firms' data.
- Application-Level Access Control: Role-based access control (RBAC) enforces firm-scoped permissions at the application layer as a second, independent check, so that a defect in one layer (for example, a missing query filter) does not by itself expose another firm's data. This layer does not protect data read directly from the database outside the application; that risk is addressed by the encryption, key management and network controls described in the Database and Data Security Measures section.
- Cryptographic Separation: Customer content is encrypted using AES-256 at rest, with encryption keys managed separately for each tenant.
- Query Filtering: All database queries are scoped to the authenticated user's firm context, with mandatory filtering at both the ORM and SQL levels.
Design Intent: These overlapping controls are designed so that Firm A cannot reach Firm B's data through any application channel. No single control is treated as infallible, which is why each layer is independent of the others and why access is audit-logged. Spyral's database security model treats any cross-firm data access as a security incident, not a feature.
Access Control Levels Within Each Firm
Within each consulting firm, Spyral administrators configure access using the following hierarchical levels:
- Firm-Wide: Public documents accessible to all employees (e.g., methodologies, templates, training materials)
- Project Team: Project-specific documents accessible only to designated team members
- Restricted: Confidential documents accessible only to partners, leads, or designated executives
- Personal: Individual user's private documents and draft content
Each access level is enforced by role-based permissions configured by the firm's administrators and strictly enforced by Spyral's access control layer.
Need-to-Know Access for Spyral Staff
Spyral operates on a need-to-know principle: staff have no routine access to customer content and access it only where strictly necessary for the cases listed below. This is an organisational access restriction, not zero-knowledge encryption: Spyral manages the tenant encryption keys and can decrypt content when one of these cases applies.
- Critical security incident response
- Customer support (upon explicit request or audit investigation)
- Legal or regulatory compliance
Access to customer content by Spyral personnel is logged and audited, restricted to authorized personnel with explicit justification, and covered by strict confidentiality obligations.
AI Processing, Retrieval-Augmented Generation (RAG) and Use of Large Language Models
Spyral's platform uses proprietary Large Language Models (LLMs) hosted and managed entirely within Spyral's own secure, multi-tenant cloud environment located within the European Union (EU). Unlike AI implementations that rely on external API-based sub-processors, all data processing for AI-powered features occurs in-house.
How RAG Works: Data Boundaries
Spyral's RAG implementation follows this secure data flow:
- Query Submission: A user submits a search query or request within the Spyral platform
- Local Search: Spyral's system retrieves relevant document excerpts exclusively from the requesting user's firm-specific partition
- In-House Processing: These excerpts and the query are processed by Spyral's proprietary AI models on infrastructure managed by Spyral. No data is transmitted to third-party AI providers.
- Response Generation: The response is generated and delivered to the user within the Spyral interface.
- Zero External Exposure: Because the AI models are hosted internally, no customer content ever leaves Spyral's controlled environment for AI processing purposes.
Security Benefit: Because of this RAG architecture, customer data is never used to train or improve a third-party AI provider's foundation models, and customer data is never stored in an external AI provider's systems.
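The following is an illustrative example, added to this page and not taken from Spyral's platform code, of how the firm-scoped query filtering described under Multi-Tenant Database Isolation and the "Local Search" step of the RAG flow above can be enforced together. It assumes a single documents table with a firm_id column (Spyral's real schema is not described on this page), uses constructed sample rows for two firms, and shows both guards: the SQL statement must carry a bound firm_id predicate, and every returned row is re-checked against the caller's firm before it can reach the model.

```python
from __future__ import annotations

import re
import sqlite3
from dataclasses import dataclass

# Constructed sample knowledge base: two firms share one table, separated by firm_id.
# Illustrative rows only; not real customer content.
SAMPLE_DOCS = [
    (1, "firm_a", "proj-101", "Retail pricing playbook: elasticity model for grocery chains."),
    (2, "firm_a", "proj-102", "Due diligence checklist for mid-market manufacturing targets."),
    (3, "firm_b", "proj-900", "Pricing strategy for telecom bundles; elasticity assumptions."),
]


def build_store() -> sqlite3.Connection:
    """Create an in-memory table holding every firm's documents side by side."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, firm_id TEXT NOT NULL, "
        "project_id TEXT NOT NULL, content TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", SAMPLE_DOCS)
    return conn


class TenantScopeViolation(Exception):
    """Raised when a query would read outside the caller's firm partition."""


@dataclass(frozen=True)
class Excerpt:
    doc_id: int
    project_id: str
    text: str


class FirmScopedRepository:
    """All reads go through run_scoped(), which pins them to one firm_id."""

    # The predicate every statement over the documents table must carry.
    TENANT_PREDICATE = re.compile(r"\bfirm_id\s*=\s*\?", re.IGNORECASE)

    def __init__(self, conn: sqlite3.Connection, firm_id: str) -> None:
        self._conn = conn
        self.firm_id = firm_id

    def run_scoped(self, sql: str, params: tuple) -> list[tuple]:
        # Guard 1 (SQL level): a statement over documents with no bound firm_id
        # predicate fails closed, so a forgotten WHERE clause cannot leak rows.
        if "documents" in sql.lower() and not self.TENANT_PREDICATE.search(sql):
            raise TenantScopeViolation("query over documents lacks a firm_id = ? predicate")
        cur = self._conn.execute(sql, params)
        columns = [d[0] for d in cur.description]
        if "firm_id" not in columns:
            raise TenantScopeViolation("scoped queries must select firm_id so rows can be verified")
        rows = cur.fetchall()
        # Guard 2 (application level): every returned row must belong to this
        # firm; this catches a predicate that was bound to the wrong tenant.
        owner = columns.index("firm_id")
        for row in rows:
            if row[owner] != self.firm_id:
                raise TenantScopeViolation(f"row owned by {row[owner]!r} leaked into {self.firm_id!r} scope")
        return rows

    def search(self, term: str) -> list[Excerpt]:
        """Firm-local search: only this firm's partition is ever consulted."""
        sql = (
            "SELECT id, firm_id, project_id, content FROM documents "
            "WHERE firm_id = ? AND content LIKE ? ORDER BY id"
        )
        rows = self.run_scoped(sql, (self.firm_id, f"%{term}%"))
        return [Excerpt(doc_id=r[0], project_id=r[2], text=r[3]) for r in rows]


def build_rag_context(repo: FirmScopedRepository, query: str, limit: int = 3):
    """Assemble the excerpts a firm-local model would receive, each with a citation."""
    excerpts = repo.search(query)[:limit]
    context = "\n".join(
        f"[{n}] (doc {e.doc_id}, {e.project_id}) {e.text}" for n, e in enumerate(excerpts, 1)
    )
    return context, [e.doc_id for e in excerpts]


def probe(repo: FirmScopedRepository, sql: str, params: tuple) -> str:
    """Return 'rejected' if the scoped repository refuses the query, else 'ok'."""
    try:
        repo.run_scoped(sql, params)
    except TenantScopeViolation:
        return "rejected"
    return "ok"


if __name__ == "__main__":
    conn = build_store()
    firm_a = FirmScopedRepository(conn, "firm_a")
    print(build_rag_context(firm_a, "elasticity")[0])
    # A statement with no tenant predicate, and one bound to another firm, both fail closed.
    print(probe(firm_a, "SELECT id, firm_id FROM documents", ()))
    print(probe(firm_a, "SELECT id, firm_id FROM documents WHERE firm_id = ?", ("firm_b",)))
```

The regex check on the SQL text is deliberately crude and is a last-resort tripwire, not a substitute for a query builder that injects the tenant predicate itself; the post-fetch ownership check is the guard that matters when the predicate is present but bound incorrectly, which is the failure mode a static check cannot see.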
Key AI-Related Data Protection Safeguards
1. Elimination of Third-Party AI Sub-Processing
Spyral has eliminated the use of third-party AI sub-processors for core platform features. By utilizing in-house, proprietary models, Spyral ensures that no customer data, prompts, or generated outputs are ever shared with external AI providers.
2. Absolute Training Prohibition
Customer content is never used to train or improve Spyral's proprietary foundation models. The models are static in production or fine-tuned only on non-customer, de-identified datasets in a separate, air-gapped environment.
3. Data Residency and Sovereignty
All AI processing is conducted on servers located within the European Union (EU). This ensures that processing remains under the jurisdiction of EU data protection laws (GDPR) without the need for international data transfers to third-country AI providers.
4. Internal Firm-Scoped Data Isolation
Spyral uses a multi-tenant architecture designed to keep customer environments strictly segregated. Only the minimum data necessary from the requesting user's own firm partition is processed by the in-house AI models. Customer data is never transmitted across firm boundaries.
5. Citation-First Transparency and Verifiability
To ensure the integrity of AI-generated insights, Spyral's platform implements a citation-first architecture that grounds all outputs in the customer's own verified data. Every AI-generated response is programmatically linked to specific source documents. Users can click through to original sources to verify accuracy and context.
Limitations of AI-Generated Content
Users are responsible for evaluating whether AI-generated outputs are appropriate for their use case. Spyral informs users that factual assertions in AI outputs should not be relied upon without independent verification, as they may be incomplete, misleading, or based on outdated information. Users should maintain human oversight, especially for sensitive deliverables or client-facing content.
Data Sharing and Sub-Processors
Spyral does not sell, trade, or otherwise commercially exploit personal data. Personal data may be shared with the following categories of recipients, strictly limited to what is necessary for the purposes described above:
Sub-Processors and Service Providers
- Infrastructure and Hosting: Cloud service providers for platform hosting, storage, and proprietary AI model execution (all located within the EU).
- Analytics and Monitoring: Analytics platforms for aggregated usage metrics and security monitoring
- Email and Communications: Email delivery services for support tickets and notifications
- Support Tooling: Help desk and ticketing systems for customer support
- Database and Storage: Managed database and object storage services within the EU
- Note on AI Providers: As of the current version of this policy, Spyral does not engage third-party AI sub-processors (e.g., OpenAI, Anthropic) for data processing within the platform.
Professional Advisers and Consultants
- Auditors: External auditors conducting financial and compliance audits
- Legal Counsel: External legal advisers for compliance, disputes, or regulatory matters
- Security Consultants: Third-party security firms conducting penetration testing or security assessments
All professional advisers are bound by confidentiality obligations and legal professional privilege.
Authorities and Legal Disclosure
- Mandatory Disclosure: Spyral may disclose personal data to authorities (law enforcement, regulatory bodies, courts) where required by law, valid court order, or administrative order
- Careful Assessment: Spyral will assess the legality and proportionality of any such request
- Notice to Customers: Where permitted by law and not expressly prohibited by the requesting authority, Spyral will notify the affected customer of legally required disclosures
- Narrow Scope: Spyral will disclose only the minimum data necessary to comply with the legal obligation
A current list of sub-processors, including their names, locations, and roles, is maintained by Spyral and made available to customers upon request or through the customer portal.
International Data Transfers
No Default Third-Country Transfer: Spyral hosts its platform and proprietary AI models exclusively within the European Union (e.g., Frankfurt, Germany). Customer data is not transferred to the United States or other third countries for AI processing, storage, or retention.
If International Transfers Occur: Spyral's platform infrastructure sub-processors are located within the EU (see Data Sharing and Sub-Processors). Should a sub-processor that is not part of the EU-hosted platform infrastructure process personal data in a third country, Spyral relies on Standard Contractual Clauses (SCCs) supplemented by a Transfer Impact Assessment (TIA) and any additional measures needed to achieve a level of protection essentially equivalent to that guaranteed in the EU.
Database and Data Security Measures
Spyral implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage.
Encryption and Cryptographic Security
- Encryption in Transit: TLS 1.3 for all data transmitted between users, the Spyral platform, and third-party services
- Encryption at Rest: AES-256 encryption for all data stored in databases and object storage
- Key Management: Encryption keys are securely generated, stored, and managed using industry-standard key management practices; keys are never stored with encrypted data
- Database-Level Encryption: Encryption applied at the database partition level
Access Control and Authentication
- Role-Based Access Control (RBAC): Users can only access documents and features for which they have explicit authorization within their firm
- Multi-Factor Authentication (MFA): Optional MFA support using industry-standard protocols (TOTP, U2F)
- Secure Password Storage: User passwords are hashed using cryptographically secure algorithms (e.g., bcrypt, Argon2) with individual salts
- Session Management: Secure session tokens with automatic expiration and optional inactivity timeouts
- Least Privilege Principle: Default-deny access; users receive only the minimum permissions necessary for their role
OAuth Token Security
Google OAuth tokens used for the Google Drive integration are:
- Encrypted at rest using AES-256 encryption
- Stored separately from customer content in a dedicated credentials store
- Never logged, displayed, or exposed in API responses
- Automatically refreshed using OAuth 2.0 refresh token flow
- Immediately invalidated and deleted upon disconnection of the Google Drive integration
Audit Logging and Monitoring
- Comprehensive Audit Logs: All platform access, data modifications, user actions, and administrative changes are logged
- Security Monitoring: Continuous monitoring for suspicious patterns, failed authentication attempts, and potential security incidents
- Anomaly Detection: Automated alerting on anomalies such as bulk data downloads or unusual access patterns
- Log Retention and Protection: Audit logs are stored separately from customer data, encrypted, and retained in accordance with legal requirements
Network Security and Infrastructure
- Firewalls and DDoS Protection
- Intrusion Detection and Prevention
- API Rate Limiting
- Web Application Firewall (WAF)
Security Certifications and Compliance Standards
- SOC 2 Type II attestation covering the Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy.
- ISO/IEC 27001 certification for our Information Security Management System (ISMS).
Spyral provides current certificates and relevant audit reports to customers under appropriate confidentiality terms upon request.
Data Retention and Deletion Policies
Retention periods are limited to what is necessary for the purposes of processing and to comply with legal obligations.
User Accounts and Profile Data
- Retained for as long as the user account is active and the customer's subscription contract remains in force
- Upon account cancellation or deletion: permanently deleted from active systems within 24 hours and from all backup systems within 30 days
- No residual retention following the 30-day backup deletion window
Uploaded Documents and Customer Content
- Customer content remains under the control of the customer firm
- Deleted content is removed from active systems within 24 hours and from backup systems within 30 days
- Upon account cancellation: all content permanently and irreversibly deleted within 30 days
Google Drive Data
- Retained for as long as the Google Drive integration is active and the customer's subscription is in force
- Upon disconnection of Google Drive integration: file content deleted from active systems within 24 hours, from backups within 30 days
- Upon account cancellation: all Google-sourced data permanently deleted within 30 days
- OAuth tokens: immediately invalidated and deleted upon disconnection or account cancellation
Usage Logs and Query Data
- Typically retained between 30 and 90 days for security monitoring, troubleshooting, and analytics
- After the retention period: aggregated into anonymised statistics or deleted entirely
Permanent Deletion Guarantee
Effective January 2026, Spyral guarantees permanent and irreversible deletion of all customer data upon account cancellation, including documents, user profiles, access logs, AI-generated metadata, and Google-sourced content. All backup copies are securely overwritten within 30 days. Tenant-specific encryption keys are immediately destroyed, rendering any residual encrypted data permanently unrecoverable. Upon request, Spyral will provide a formal certification of data destruction.
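Illustrative example, added here and not Spyral's own code, of the per-tenant key handling that the OAuth Token Security measures and the key-destruction step of this deletion guarantee both depend on. It keeps refresh tokens in a store separate from content, encrypts each under its firm's key with the firm and user identity bound in as associated data, redacts the store's printable form so tokens cannot reach logs, and shows that destroying the firm's key makes any residual ciphertext (such as a backup copy) unrecoverable. An HMAC-SHA256-based encrypt-then-MAC construction stands in for AES-256-GCM so the example runs on the Python standard library alone; a production system would use a vetted AEAD and a managed or hardware-backed key service. All keys, tokens and identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for an AES-GCM keystream)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from the tenant key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC. Output is nonce || ciphertext || tag; aad is bound into the tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or aad fails closed."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TenantKeyRing:
    """One data-encryption key per firm; destroying it shreds that firm's ciphertext."""

    def __init__(self):
        self._keys = {}

    def ensure(self, firm_id: str) -> bytes:
        if firm_id not in self._keys:
            self._keys[firm_id] = secrets.token_bytes(32)
        return self._keys[firm_id]

    def get(self, firm_id: str) -> bytes:
        return self._keys[firm_id]  # KeyError once the key has been destroyed

    def destroy(self, firm_id: str) -> None:
        self._keys.pop(firm_id, None)


class OAuthTokenStore:
    """Refresh tokens kept apart from content, encrypted per tenant, never shown in clear."""

    def __init__(self, keyring: TenantKeyRing):
        self._keyring = keyring
        self._rows = {}  # (firm_id, user) -> sealed blob; the "dedicated credentials store"

    @staticmethod
    def _aad(firm_id: str, user: str) -> bytes:
        return f"{firm_id}:{user}".encode()

    def put(self, firm_id: str, user: str, refresh_token: str) -> None:
        key = self._keyring.ensure(firm_id)
        self._rows[(firm_id, user)] = seal(key, refresh_token.encode(), self._aad(firm_id, user))

    def get(self, firm_id: str, user: str) -> str:
        key = self._keyring.get(firm_id)
        return unseal(key, self._rows[(firm_id, user)], self._aad(firm_id, user)).decode()

    def revoke(self, firm_id: str, user: str) -> None:
        """Delete the token row itself when the Google Drive integration is disconnected."""
        self._rows.pop((firm_id, user), None)

    def __repr__(self) -> str:
        # Redacted on purpose: token values must never reach logs or API responses.
        return f"OAuthTokenStore(tokens={len(self._rows)}, values=<redacted>)"


def token_recoverable(store: OAuthTokenStore, firm_id: str, user: str) -> bool:
    """True only if the stored token can still be decrypted and authenticated."""
    try:
        store.get(firm_id, user)
    except (KeyError, ValueError):
        return False
    return True


def shred_tenant(keyring: TenantKeyRing, firm_id: str) -> None:
    """Crypto-shred: destroy the firm's key. Ciphertext left in backups is now unrecoverable."""
    keyring.destroy(firm_id)


if __name__ == "__main__":
    ring, store = TenantKeyRing(), OAuthTokenStore(ring)
    store.put("firm_a", "alice@firm-a.example", "1//constructed-refresh-token")
    print(store)                      # redacted form only
    print(token_recoverable(store, "firm_a", "alice@firm-a.example"))
    shred_tenant(ring, "firm_a")      # rows remain, key is gone
    print(token_recoverable(store, "firm_a", "alice@firm-a.example"))
```

Two details carry the security weight: the associated data ties each blob to one firm and one user, so a blob copied into another tenant's row or another user's slot fails authentication even under the right key; and shredding removes only the key while leaving the rows in place, which is exactly the backup situation the 30-day overwrite window covers.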
Data Subject Rights Under the GDPR
Under the GDPR, individuals whose personal data are processed by Spyral have the following rights:
- Right of Access (Article 15): Obtain confirmation and a copy of your personal data
- Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
- Right to Erasure (Article 17): Request deletion of personal data under certain circumstances
- Right to Restriction of Processing (Article 18): Request restriction while disputes are resolved
- Right to Data Portability (Article 20): Receive data in a portable format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Rights Related to Automated Decision-Making (Article 22): Not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent (e.g., non-essential cookies, email marketing), withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal
Exercising Your Rights
For data processed as Processor: Contact the relevant consulting firm (data controller), who can instruct Spyral to fulfil the request.
For data processed as Controller: Contact frank@spyral.nl. Spyral will respond without undue delay and in any event within one month of receipt; for complex or numerous requests this period may be extended by up to two further months, in which case Spyral will inform you of the extension and its reasons (GDPR Article 12(3)).
Right to Lodge a Complaint: With the Dutch DPA (Autoriteit Persoonsgegevens) or your local supervisory authority.
Cookies and Similar Tracking Technologies
Essential Cookies (No Consent Required)
- Session management, security (CSRF, DDoS), load balancing, preference storage
Non-Essential Cookies (Consent Required)
- Analytics, advertising (if used), tracking across sessions
Non-essential cookies are only placed after affirmative consent via a cookie consent banner. Users can withdraw consent at any time.
Children's Data
Spyral's services are designed for business use by consulting firms and are not intended for children. Spyral does not knowingly collect personal data from children.
Data Processing Agreements (DPA) and Customer Responsibilities
For all EU/EEA customers, Spyral enters into a formal Data Processing Agreement covering subject-matter, duration, types of data, processor obligations, controller rights, international transfers, and sub-processors.
Customers (as data controllers) remain responsible for: lawful data collection, privacy notifications to data subjects, data accuracy, access control configuration, content moderation, DPIAs, breach notification, vendor management, and retention schedules.
Information Security and Incident Response
Spyral maintains a documented incident-response plan. In the event of a security incident involving customer personal data, the following steps apply, in order:
- Detection and assessment: continuous monitoring with automated alerting
- Dedicated incident coordinator: assigned within 24 hours of detection
- Preliminary impact assessment: within 48 hours of confirmation
- Customer (controller) notification: without undue delay after Spyral becomes aware of a personal data breach, as required of processors by GDPR Article 33(2), and in no case later than 72 hours. The 72-hour period in Article 33(1) is the customer's own deadline for notifying the supervisory authority and runs from the moment the customer becomes aware, which is why Spyral notifies as early as possible rather than waiting for the full assessment.
- Post-incident review: within 14 days of closure
- Final incident report: within 30 days of closure
Security incidents should be reported to arber@spyral.nl.
Third-Party Links and Services
Spyral's websites may contain links to third-party services. This Privacy Policy does not apply to third-party services, and Spyral is not responsible for their privacy practices.
Changes to This Privacy Policy
Spyral may update this Privacy Policy to reflect changes in laws, practices, or services. Material changes will be communicated via email, website banner, and in-app notifications. Continued use after material updates will be deemed acceptance.
Applicable Law and Jurisdiction
This Privacy Policy is governed by the laws of the Netherlands, without regard to its conflict-of-law provisions. For EU/EEA customers, disputes may be governed by the laws of Ireland as specified in Spyral's service agreements.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Data Controller: The entity that determines the purposes and means of processing
- Data Processor: The entity that processes personal data on behalf of the controller
- Firm / Customer: A consulting firm that subscribes to Spyral's services
- Tenant: A separate logical partition within Spyral's multi-tenant architecture
- Knowledge Base: The collection of documents, projects, and content uploaded or connected by a customer firm
- LLM: Large Language Model
- RAG: Retrieval-Augmented Generation
- DPA: Data Processing Agreement / Dutch Data Protection Authority (context-dependent)
- Google User Data: Data accessed, collected, or processed through Google APIs, including file content, file metadata, and user profile information obtained via the Google Drive API and Google OAuth 2.0
Contacts and Escalation
Compliance and Data Protection: frank@spyral.nl
Security Incidents: arber@spyral.nl
This Privacy Policy was last updated in February 2026 (Version 1.8.0) and reflects Spyral's commitment to transparency, data protection, and partnership with consulting firms across the EU/EEA region.