Privacy Policy

Last updated: November 26, 2025

Effective date: 2025-11-26

This Privacy Policy explains how Spy Startup (“we”, “us”, “our”) collects, uses and shares personal data when you use spystartup.com and related services (the “Service”).

We are committed to protecting your privacy and handling your personal data in a transparent and secure way.

If you have any questions, contact us at:

Controller: Spy Startup
Email: [email protected]

1. Who we are and scope

Spy Startup provides an OSINT-style research tool that, given an anonymous listing (for example from Acquire.com), generates a report with up to 3 likely startup candidates behind that listing, including scores and explanations.

This policy applies when you:

  • Visit spystartup.com
  • Create an account and use the Service
  • Communicate with us (e.g. by email)

2. What data we collect

2.1 Data you provide directly

  • Account data:

    • Email address
    • Password (hashed) or authentication data from a third-party identity provider (if you use OAuth)
    • Basic profile information you choose to provide (e.g. name)
  • Usage-related data you submit:

    • Listing URLs you paste into the Service
    • Any optional notes or labels you add to your reports
  • Support and communication data:

    • Emails you send us
    • Other information you voluntarily provide when you contact us

2.2 Data we collect automatically

When you use the Service, we may automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Referring URLs
  • Date and time of access
  • Basic usage information (e.g. which pages you visit, basic events)

We use this information to operate, secure and improve the Service.

2.3 Payment and billing data

We use a third-party payment provider (such as Polar and its underlying processors) to handle payments and subscriptions.

  • We do not store your full payment card details on our own servers.
  • The payment provider processes your payment information in accordance with its own privacy policy.
  • We may receive limited billing information, such as:
    • Billing name
    • Partial payment details (e.g. last 4 digits of a card)
    • Transaction dates and status

We process your personal data for the following purposes and legal bases:

  1. To provide and operate the Service

    • Creating and managing your account
    • Generating reports based on the listing URLs you submit
    • Processing payments and managing subscriptions
      Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
  2. To secure and maintain the Service

    • Preventing abuse and misuse
    • Monitoring performance and availability
    • Detecting and investigating errors and incidents
      Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
  3. To improve the Service

    • Analyzing how the Service is used
    • Developing new features and workflows
      Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); where required for certain cookies/analytics, your consent (Art. 6(1)(a) GDPR)
  4. To communicate with you

    • Responding to support requests
    • Sending important service-related emails (e.g. billing, security, critical changes)
      Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR)
  5. To comply with legal obligations

    • Accounting, tax and regulatory requirements
    • Responding to lawful requests from authorities
      Legal basis: Legal obligation (Art. 6(1)(c) GDPR)

4. How we use report data and listings

When you paste an anonymous listing URL into Spy Startup, we:

  • Use the listing and other data sources to generate a report with up to 3 candidate startups.
  • Store the report so you can access it again from your account.

We may also use aggregated and anonymized information from reports to:

  • Improve our matching logic and scoring
  • Understand which types of listings are commonly analyzed

We do not sell individual reports or attach your identity to reports for third parties.

5. How we share personal data

We may share personal data with:

  1. Service providers / processors

    • Hosting and infrastructure providers
    • Payment processors and subscription management services
    • Analytics and logging providers
    • Customer support tools

    These providers process data on our behalf and only as instructed by us.

  2. Legal and regulatory authorities

    • Where required to comply with applicable laws or to respond to lawful requests.
  3. Business transfers

    • In connection with a merger, acquisition or sale of all or part of our business, personal data may be transferred as part of the transaction, subject to appropriate safeguards.

We do not sell your personal data.

6. International transfers

Our service providers may be located in countries outside your jurisdiction. When personal data is transferred outside the European Economic Area (EEA), we will take appropriate measures to ensure an adequate level of protection, such as:

  • Relying on adequacy decisions, or
  • Using standard contractual clauses approved by the European Commission.

7. Data retention

We keep personal data only for as long as necessary for the purposes described in this policy, including:

  • While you have an active account
  • For a reasonable period after account closure, for:
    • Legal obligations (e.g. tax, accounting)
    • Dispute resolution
    • Security and abuse prevention

We may retain aggregated, anonymized information that does not identify you for longer periods.

8. Your rights (GDPR)

If you are in the EU/EEA or a similar jurisdiction, you may have the following rights, subject to conditions and limitations:

  • Right of access – to know whether we process your data and obtain a copy
  • Right to rectification – to correct inaccurate or incomplete data
  • Right to erasure – to request deletion of your personal data
  • Right to restrict processing – to limit how we use your data in certain cases
  • Right to data portability – to receive your data in a structured, commonly used format
  • Right to object – to object to processing based on legitimate interests
  • Right to withdraw consent – where processing is based on consent, you may withdraw it at any time (this does not affect processing that took place before withdrawal)

To exercise your rights, contact us at [email protected].

You also have the right to lodge a complaint with your local data protection authority.

9. Security

We take reasonable technical and organizational measures to protect personal data, including:

  • Using encryption in transit where appropriate (HTTPS)
  • Limiting access to personal data to personnel and providers who need it
  • Using strong password hashing for user credentials

No system is completely secure, but we work to reduce the risk of unauthorized access or disclosure.

10. Children

The Service is not intended for children under 16 years of age, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, please contact us so we can delete it.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when it was last revised.

If we make significant changes, we may notify you via the Service or by email, where appropriate.

If you continue to use the Service after changes take effect, you accept the updated policy.
