Privacy Policy
Effective: 2026-04-28 · Last reviewed: 2026-04-28
1. Who we are
Spinal Technologies GmbH ("Spinal", "we", "us", "our")
Hoppendorfer Straße 18A, 12555 Berlin, Germany
Privacy contact: privacy@getspinal.com
We are the data controller for personal data we collect from visitors to our website and from users who sign in to the Spinal product. For personal data contained in source code, pull requests, logs, and other engineering content that customer organisations connect to Spinal, we act as a data processor on behalf of those organisations — see our Data Processing Agreement (the "DPA").
2. Scope
This Policy covers:
- the public website at getspinal.com and its sub-domains;
- the Spinal SaaS application (the "Service");
- support, sales, and recruitment communications.
It does not displace the DPA, which governs Service Data we process on a customer's behalf. For cookies and similar technologies, see our Cookie & Tracking Notice.
3. Personal data we process
3.1 Public website
| Context | Categories | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Demo / contact form | Name, work e‑mail, company, message | Respond to enquiry | Art. 6 (1)(b) GDPR | 12 months after last contact |
| Job applications | CV, cover letter, contact details | Recruitment | Art. 6 (1)(b) and (c) | 6 months after position filled (longer with consent) |
| Website server logs | IP address (truncated where feasible), user agent | Site security and operation | Art. 6 (1)(f) — legitimate interest | 30 days |
3.2 Account data (Service)
| Source | Categories | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Google / Microsoft / GitHub OAuth | Name, work email, profile image, OAuth identifiers | Authenticate, provision workspace | Art. 6 (1)(b) — contract | Duration of account + 90 days |
| Email/password sign-in | Email, salted+hashed password | Authenticate | Art. 6 (1)(b) | As above |
| Workspace metadata you provide | Company name, allowed email domains, workspace settings | Operate the Service | Art. 6 (1)(b) | As above |
Reversible secrets you store in Spinal (integration API keys, OAuth tokens, model provider API keys) are encrypted before storage.
3.3 Service Data — Spinal acts as processor
When customer organisations connect repositories, CI systems, observability sources, or incident sources to the Service, we ingest content from those systems on the customer's instructions. This typically includes:
- pull request titles, descriptions, diffs, file contents, and review comments;
- source code and commit history;
- commit author identifiers (typically email + display name) — these are personal data under GDPR;
- CI logs, error messages, traces, and metric snapshots imported from connected sources;
- incident records and runbooks where the customer has connected an incident source.
We process Service Data only to deliver the Service to that customer. The customer is the controller; Spinal is the processor under Art. 28 GDPR. Retention, deletion, and data-subject requests for this category are governed by the DPA.
3.4 Telemetry from your use of the Service
We log how the Service is used — page views, feature events, application errors — to operate, secure, and improve it. Telemetry is collected via our own first-party endpoint and stored in Spinal's own infrastructure. We do not load Google Analytics, Mixpanel, Segment, PostHog, or similar third-party analytics inside the Service.
| Categories | Purpose | Legal basis | Retention |
|---|---|---|---|
| Event type, timestamp, anonymous browser id, session id, user id, workspace id, route, referrer, release, event properties | Product analytics, debugging | Art. 6 (1)(f) | 13 months |
| Request metadata attached to telemetry, including IP address and user agent | Reliability, abuse prevention, security | Art. 6 (1)(f) | 13 months |
| Application logs and audit events, including errors, stack traces, URL, user id, IP address, user agent, and related metadata | Reliability, security | Art. 6 (1)(f) | 90 days by default in the launch configuration |
4. AI processing
The Service analyses pull requests with large language models configured by the customer. For the launch configuration, workspace administrators provide their own Anthropic / Claude API key and choose the Claude model in Settings → Model.
- Spinal stores the customer-supplied model API key encrypted in the workspace secret store and uses it only on the customer's instructions to send prompts and receive outputs.
- The customer's relationship with Anthropic, including model-training, retention, and international-transfer terms, is governed by the customer's own Anthropic agreement unless an Order Form expressly states that Spinal supplies managed model access.
- The launch deployment enables server-side redaction of common PII categories before LLM submission. Customers may add custom regex patterns at Settings → Privacy for identifiers specific to their environment.
- Spinal does not perform automated decision-making with legal or similarly significant effects on individuals.
If Spinal later supplies managed model access through its own provider account, we will update this Policy and the Sub-processors page before that change applies.
5. Recipients (sub-processors)
We share personal data only with sub-processors who act on our documented instructions, and with customer-configured providers and integrations where the customer instructs us to connect them. The current list of Spinal sub-processors — including each sub-processor's purpose, location of processing, and transfer mechanism — is at Sub-processors. For enterprise customers we provide advance notice of material changes per the DPA.
6. International transfers
The Service is hosted in the European Economic Area (AWS eu-central-1, Frankfurt). Customer-configured integrations and model providers, including Anthropic when a customer supplies a Claude API key, may process data in other locations under the customer's own provider contracts. For Spinal sub-processors outside the EEA, we rely on the transfer mechanisms listed at Sub-processors.
7. How we protect your data
- TLS in transit; production infrastructure is hosted in AWS eu-central-1. Infrastructure-level disk, snapshot, and backup encryption are controlled by the AWS deployment configuration.
- Tenant isolation enforced at the database layer by Postgres row-level security, in addition to application-level scoping.
- Multi-factor authentication is available through the OAuth providers used to access Spinal (Google, Microsoft, and GitHub) and is required for Spinal employee access to production.
- Reversible secrets you provide (integration API keys, OAuth tokens, model provider API keys) are encrypted before storage.
- Server-side PII redaction before LLM submission in the launch deployment, with a customer-configurable pattern set.
For a full description of our security controls, see the Security Overview. Enterprise customers receive the formal Art. 32 GDPR description in Annex II of the DPA.
8. Your rights
You may request access to your personal data, its rectification or erasure, restriction of its processing, or its portability; you may also object to certain processing and withdraw consent at any time.
- For your own account on Spinal: contact privacy@getspinal.com.
- For data appearing in customer Service Data (e.g., your commit-author email in code your employer uploaded): contact your employer first; we will assist them under Art. 28.
- You may complain to your supervisory authority. The competent authority for Spinal is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information).
We respond to data-subject requests within one month (Art. 12 (3) GDPR).
9. Retention summary
| Data | Retention |
|---|---|
| Account data | Duration of account + 90 days |
| Service Data (PRs, code, logs) | While account is active; 30 days after deletion (or per customer instruction in DPA) |
| Workspace settings | While account is active; 30 days after deletion |
| Product telemetry | 13 months |
| Application logs | 90 days |
| Marketing form submissions | 12 months after last contact |
| Job applications | 6 months after position filled (longer with consent) |
| Audit logs | 90 days by default in the launch configuration |
10. Children
The Service is not directed at individuals under 16. We do not knowingly collect their personal data.
11. Changes to this Policy
If we make material changes, we will post an updated version at getspinal.com/privacy-policy at least 14 days before it takes effect, update the "Last reviewed" date, and notify enterprise customers per the DPA.
12. Contact
- Privacy queries: privacy@getspinal.com
- Data-subject requests: privacy@getspinal.com
- Postal: Spinal Technologies GmbH, Hoppendorfer Straße 18A, 12555 Berlin, Germany