privacy policy
what personal data Spirby collects, why, who we share it with, how long we keep it, and the rights you have over it.
last updated May 13, 2026
this policy explains how HEXELITY LABS S.R.L. ("Hexelity Labs", "we", "us"), the operator of Spirby, handles personal data. it covers two distinct situations:
- you as a Spirby customer or visitor. when you visit spirby.com, sign up for an account, or pay for a plan, we are the data controller for the personal data we collect from you. this whole policy applies.
- your end-users on boards you operate with Spirby. when someone visits a feedback board you run with Spirby and submits a post, comment, or vote, that personal data belongs to you contractually. you are the data controller; we are the data processor. our data processing agreement at spirby.com/dpa governs that processing. this policy does not replace that agreement, and you (the customer) are responsible for telling your end-users how their data is used on your boards.
if you have questions about anything below, email [email protected].
1. who we are
HEXELITY LABS S.R.L. is a company organized under the laws of Romania. our registered details are available on request.
2. what we collect
we collect different categories of personal data depending on how you interact with us.
account data. when you create a Spirby account: your name, email address, password (stored as a hash, never the plaintext), organization name, and the role you select. if you sign in with a third-party identity provider in the future, we collect the basic profile information that provider returns.
billing data. when you start a paid subscription, billing is handled by Polar (Polar Software, Inc.) acting as our Merchant of Record. Polar collects your billing address, country, tax identifier where required, and payment method information directly. we never see or store full card numbers, bank account details, or your full billing address. what we keep is the metadata we need to operate your subscription: a Polar customer identifier, the plan you're on, the subscription status (active, canceled, past due), the renewal date, and the country code of the purchase.
content you create. anything you post inside the product: organization settings, board configuration, custom branding, posts, comments, attachments, and replies to your end-users. we store this so we can serve it back to you and your end-users.
communications with us. if you email us at [email protected] or fill in a form, we keep the message, your email address, and any information you include, so we can reply and follow up.
technical data. when you use the service we automatically collect: IP address, browser user-agent, device type, operating system, language, referrer, the pages you load, the actions you take, request timestamps, and the response status. we use this data for security (rate limiting, abuse detection, fraud prevention), debugging, and aggregate product analytics.
logs and error reports. if the application throws an error in your session we collect a stack trace, the route involved, and a hash of your user identifier (we hash it so the report doesn't directly identify you in our error tool). these go to our self-hosted GlitchTip instance.
analytics. we use a self-hosted Plausible Community Edition instance. plausible records page views and basic device information without using cookies and without building a long-term profile of any individual visitor; it does not assign you a persistent identifier across visits.
marketing. if you sign up for our blog or changelog by email, we collect your email address and the subscription state (subscribed, unsubscribed, bounced).
3. what we don't collect
we don't collect special categories of personal data (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health, or sexual orientation). don't put any of that in posts, support emails, or any other field where we would end up storing it.
we don't collect children's data knowingly. Spirby is not intended for use by children under 16. if you believe a child has given us their personal data, email [email protected] and we will delete it.
4. why we use it (and the legal basis)
we process the personal data above for the following purposes. for each, we identify the legal basis under the GDPR.
| purpose | legal basis |
|---|---|
| creating and operating your account, providing the service | performance of the contract with you (Art. 6(1)(b) GDPR) |
| matching your Polar subscription to your Spirby account, gating access by plan, suspending on non-payment | performance of the contract (Art. 6(1)(b)) |
| security, fraud prevention, abuse mitigation, rate limiting | legitimate interest in protecting the service, our customers, and ourselves from harm (Art. 6(1)(f)) |
| diagnosing errors, monitoring uptime, capacity planning | legitimate interest in keeping the service reliable (Art. 6(1)(f)) |
| product analytics in aggregate (which pages are popular, where signups come from) | legitimate interest in improving the product (Art. 6(1)(f)) |
| sending you product updates, transactional emails, security notices | performance of the contract |
| sending marketing emails (blog, changelog) | your consent (Art. 6(1)(a)), which you can withdraw at any time |
| creating a contact profile when an end-user submits a post, comment, or vote on a public board and explicitly ticks the "notify me of updates" opt-in | the end-user's consent (Art. 6(1)(a)). the row is stored with consent_basis = public_interaction_opt_in. unchecking the box means no profile is created. you can withdraw consent by deleting the contact in the admin UI, or as an end-user by contacting the workspace owner (we relay the request). |
storing historical anon-board contact rows imported before the opt-in checkbox shipped (consent_basis = legacy_inferred) | legitimate interest in operating the feedback service (Art. 6(1)(f)). these rows are treated as suppressed for marketing and are first-priority for DSAR processing. |
| responding to legal requests, complying with court orders | legal obligation (Art. 6(1)(c)) |
we do not engage in advertising profiling. we do not sell personal data. we do not use personal data for automated decision-making that produces legal or similarly significant effects.
5. how long we keep it
| category | retention |
|---|---|
| account data | for the life of your account, then deleted within 30 days after you delete the account |
| your content (posts, comments, boards) | until you delete it, or 30 days after you delete the account |
| Polar customer identifier and subscription metadata | for the life of the subscription, then deleted within 90 days after the subscription ends. Polar keeps the underlying invoices and payment records on its own retention schedule as the Merchant of Record. |
| support emails | up to 3 years from the last reply, then archived or deleted |
| technical logs | 30 days for application logs; 90 days for security and audit logs |
| error reports | 30 days |
| analytics page-view records | aggregated and trimmed beyond 24 months |
| marketing email lists | until you unsubscribe; suppression list kept indefinitely so we don't accidentally re-add you |
anon board interaction request rows (anon_post_request, anon_vote_request, anon_comment_request) that were never confirmed via the magic link | 30 days from creation, then purged. confirmed rows are consumed and the request row is retained only for idempotency. |
| backups | encrypted backups overwritten on a 35-day rolling cycle. data deleted from the live database persists in backups until that cycle completes. |
if you ask us to delete your data, we delete it from production within 30 days; backup expiry happens automatically as the backup cycle rolls forward. some data we are legally required to keep (fraud-prevention records, security logs) we keep for the periods stated above. data held by Polar in its capacity as Merchant of Record (invoices, payment records, tax records) is governed by Polar's own retention policy and the laws applicable to a merchant of record in your jurisdiction.
6. who we share it with
we share personal data only with the following categories of recipients, and only to the minimum extent needed.
sub-processors. vendors that process data on our behalf to operate the service. our current sub-processors are listed in Annex III of our data processing agreement at spirby.com/dpa. each is bound by a written contract requiring it to handle the data only on our instructions and with appropriate security. the same list applies to your end-users' data.
Merchant of Record. Polar (Polar Software, Inc.) acts as our Merchant of Record for paid subscriptions. Polar is the seller on the invoice and an independent data controller for the personal data it collects to process the payment, prevent fraud, and meet its tax and regulatory obligations. Polar is not our sub-processor. Polar's privacy policy is at https://polar.sh/legal/privacy.
professional advisors. lawyers, accountants, and auditors when needed to run the business or defend a claim. they are bound by confidentiality.
authorities. if we are legally required to disclose data to a public authority (court order, regulator, tax authority), we will do so to the extent the law requires. we will challenge requests we believe are overbroad and, where lawful, tell you about a request that affects you.
business transfer. if we sell, merge, or reorganize the business, your data may transfer to the acquirer. we will give you advance notice and a chance to delete your account if you don't want your data to move.
we do not share your personal data with anyone for advertising purposes. we never sell personal data.
7. international transfers
we and most of our sub-processors are based in the European Economic Area. some sub-processors are based in third countries (for example the United States). where personal data leaves the EEA, we rely on:
- adequacy decisions issued by the European Commission, where one applies (for example the EU-US Data Privacy Framework where the recipient is certified); or
- the European Commission's standard contractual clauses (2021/914) together with supplementary technical measures (encryption in transit and at rest) where adequacy doesn't apply.
a copy of the relevant safeguards for any specific transfer is available on request.
8. cookies
see our cookies policy for the cookies we set, why, and how to control them. the short version: we use a small number of essential cookies for sign-in and security. our analytics is cookieless. we don't use advertising cookies.
9. security
we apply commercially reasonable administrative, technical, and physical safeguards to protect personal data. our current measures are described in Annex II of the data processing agreement and include, among others:
- TLS 1.2+ for all data in transit;
- encryption at rest for the production database and for backups;
- session cookies marked HttpOnly, Secure, and SameSite=Lax;
- strict role-based access to production systems with mandatory multi-factor authentication;
- vulnerability scanning, dependency monitoring, and prompt patching;
- a defined incident response process and breach-notification procedure.
no system is perfectly secure. if we discover a personal data breach affecting you, we will notify you in line with the timelines required by the GDPR and applicable national law.
10. your rights
if your personal data is processed by us, you have the following rights under the GDPR:
- access. ask us for a copy of the personal data we hold about you.
- rectification. ask us to correct data that's inaccurate or incomplete.
- erasure. ask us to delete data, subject to the exceptions in the GDPR (we may need to keep some records for legal reasons).
- restriction. ask us to limit how we use data while a dispute about its accuracy or our legal basis is resolved.
- portability. ask us for a structured, commonly used, machine-readable copy of data you provided to us under the legal basis of consent or contract performance.
- objection. object to processing we carry out on the basis of legitimate interest, including for direct marketing.
- withdraw consent. where we process data based on your consent (for example marketing emails), you can withdraw that consent at any time. withdrawal does not affect processing that already happened.
to exercise any of these rights, email [email protected] from the email address on your account. we will respond within 30 days. if your request is complex we may extend that period by up to 60 days, with notice and reasons.
you also have the right to complain to a data protection supervisory authority. for Romania this is the National Supervisory Authority for Personal Data Processing (ANSPDCP) at https://www.dataprotection.ro. you can also complain to the supervisory authority of your EU member state of residence.
11. children
Spirby is not directed at children under 16. we do not knowingly collect personal data from anyone under 16. if you believe we have, contact [email protected] and we will delete it.
12. changes to this policy
we may update this policy from time to time. when we do, we update the "last updated" date at the top and, for material changes, give you notice by email or in-app notice at least 30 days before the change takes effect. prior versions are available on request.
13. how to reach us
email: [email protected]
postal mail and the registration details of HEXELITY LABS S.R.L. are available on request.
we don't currently have a designated Data Protection Officer. you can address all data protection matters, including requests under section 10 above, to [email protected].