[ LEGAL ]
Privacy Policy
Last reviewed: 18 July 2025
1. Who we are
Spinal Technologies GmbH ("Spinal", "we", "us", "our")
Hoppendorfer Straße 18 A, 12555 Berlin, Germany
2. Scope
This Policy covers:
- the public website getspinal.com and its sub‑domains;
- our social‑media pages and marketing campaigns; and
- remote‑support interactions we provide to business customers of Spinal Enterprise Software.
3. What personal data we collect and why
| Context | Categories of data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Demo / contact form | Name, work e‑mail, company, message | Respond to enquiry | Art. 6 (1)(b) GDPR | 12 months after last contact |
| Job applications | CV, cover letter, contact details | Recruitment process | Art. 6 (1)(b) & (c) | 6 months after position filled (longer with consent) |
| Remote‑support artefacts | Log bundles, error snapshots, user IDs supplied by your organisation | Troubleshooting and quality assurance | Art. 6 (1)(b) and Art. 28 | Deleted ≤ 30 days after ticket closure |
Spinal does not intentionally collect special‑category data (Art. 9 GDPR) or carry out automated decision‑making that produces legal or similarly significant effects.
4. Recipients of personal data
We share data only with:
- Cloud‑infrastructure providers that host our website and support systems within the European Economic Area (EEA);
- Service providers who act on our documented instructions (e.g., e‑mail delivery or applicant‑tracking systems);
- authorities or courts if we are legally obliged to do so.
Enterprise customers receive a full list of authorised sub‑processors in our Data‑Processing Agreement (DPA). We will notify them in advance of any material change.
5. International transfers
Support artefacts and container images are processed exclusively in the EEA. If we exceptionally use a non‑EEA service (e.g., for marketing e‑mails), we rely on an adequacy decision or the European Commission's Standard Contractual Clauses to safeguard your data.
6. How we protect your data
Spinal implements appropriate technical and organisational measures in line with Article 32 GDPR, including industry‑standard encryption, multi‑factor access controls and regular security testing. More detailed controls for business customers are set out in our DPA, available on request.
7. Your rights
You may request access, rectification, erasure, restriction, portability or object to certain processing of your personal data. You can also withdraw consent at any time. Where Spinal acts only as a processor for your employer, please contact your employer first; we will assist them under Article 28.
You have the right to lodge a complaint with a supervisory authority. Our lead authority is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
8. How to contact us
We respond to privacy requests within one month (Article 12 (3) GDPR).
9. Changes to this Policy
If we make material changes, we will post an updated version here at least 14 days before it takes effect and update the "Last reviewed" date above.