Privacy Policy

Last updated: March 2026

Effective date: March 2026

1. Who we are

Spronta ("Spronta", "we", "us", "our") is operated by Spronta Ltd, a company registered in England and Wales (Company number 16278102). Our registered address is 128 City Road, London, EC1V 2NX.

If you have any questions about this Privacy Policy or how we handle your data, contact us at hello@spronta.com.

Data Controller: Spronta Ltd is the data controller for the personal data we collect through our website (spronta.com), our dashboard (app.spronta.com), our CDN (cdn.spronta.com), and related services (collectively, the "Service").

2. What data we collect

2.1 Account data

When you create a Spronta account, we collect:

Name
Email address
Password (hashed — we never store plaintext passwords)
Organisation or project name (if provided)

2.2 Billing data

When you subscribe to a paid plan, our payment processor Stripe collects and processes:

Payment card details (card number, expiry, CVC)
Billing address

We do not store your full card number or CVC. Stripe handles all payment data in accordance with PCI DSS Level 1. We receive only a truncated card number (last 4 digits), card brand, and billing address from Stripe for record-keeping.

2.3 Usage data

We collect data about how you use the Service, including:

Number of images uploaded, stored, and transformed
Bandwidth consumed
API requests made
Features used within the dashboard

2.4 Technical data

When you access the Service, we automatically collect:

IP address
Browser type and version
Operating system
Referring URL
Pages visited and time spent
Device identifiers

2.5 Image data

When you upload images to Spronta, we store and process them on your behalf. Your images are your data. We do not access, analyse, sell, or use your images for any purpose other than providing the Service (storing, transforming, optimising, and delivering them as you instruct).

2.6 Communication data

If you contact us via email or support channels, we retain the content of those communications to resolve your query and improve the Service.

3. How we use your data

We use your personal data for the following purposes:

Purpose	Legal basis (UK GDPR)
Providing and operating the Service	Performance of a contract (Art. 6(1)(b))
Processing payments and managing subscriptions	Performance of a contract (Art. 6(1)(b))
Sending transactional emails (welcome, billing, security alerts)	Performance of a contract (Art. 6(1)(b))
Monitoring usage to enforce plan limits	Legitimate interests (Art. 6(1)(f))
Analysing usage patterns to improve the Service	Legitimate interests (Art. 6(1)(f))
Detecting and preventing abuse, fraud, or security threats	Legitimate interests (Art. 6(1)(f))
Sending product updates and changelog notifications	Legitimate interests (Art. 6(1)(f)) — you can opt out at any time
Complying with legal obligations	Legal obligation (Art. 6(1)(c))

We do not use your data for:

Selling to third parties
Advertising or ad targeting
Training AI or machine learning models
Profiling for automated decision-making

4. Who we share your data with

We share your personal data only with the following categories of processors, and only to the extent necessary to provide the Service:

Processor	Purpose	Location	Data shared
Cloudflare	Image storage, delivery, and edge computing	Global (edge network)	Images, technical/request data
Stripe	Payment processing	United States	Billing and payment data
Neon	Database hosting	Europe / United States	Account data, usage data
Resend	Transactional email delivery	United States	Email address, name
PostHog	Product analytics	Europe (EU Cloud)	Usage data, technical data (anonymised where possible)

Each processor is bound by a Data Processing Agreement (DPA) and processes data only on our instructions. Where data is transferred outside the UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and adequacy decisions.

We may also disclose your data if required by law, regulation, legal process, or enforceable governmental request.

5. Where your data is stored

Your account data and usage data are primarily stored in databases hosted by Neon, with servers located in Europe and/or the United States.

Your images are stored in Cloudflare's global infrastructure and cached across their edge network (300+ locations). This means copies of your images may exist in multiple jurisdictions to enable fast delivery.

We ensure that all international transfers of personal data are protected by appropriate safeguards under UK GDPR, including Standard Contractual Clauses and adequacy decisions where applicable.

6. How long we keep your data

Data type	Retention period
Account data	Duration of your account, plus 30 days after deletion
Billing data	7 years after the last transaction (UK tax requirements)
Images	Deleted within 30 days of you removing them, or within 30 days of account deletion
Usage data	Aggregated and anonymised after 12 months
Technical/analytics data	12 months
Support communications	2 years from resolution

When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are legally required to retain it (e.g. billing records for tax purposes).

7. Your rights

Under UK GDPR, you have the following rights:

Access — Request a copy of the personal data we hold about you.
Rectification — Request correction of inaccurate data.
Erasure — Request deletion of your data (subject to legal retention requirements).
Restriction — Request that we limit how we process your data.
Portability — Request your data in a structured, machine-readable format.
Objection — Object to processing based on legitimate interests.
Withdraw consent — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at hello@spronta.com. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113

8. Cookies and tracking

8.1 Essential cookies

We use strictly necessary cookies to:

Maintain your authenticated session
Remember your preferences (e.g. dark mode)
Protect against CSRF attacks

These cookies are required for the Service to function and cannot be disabled.

8.2 Analytics

We use PostHog for product analytics. PostHog is configured to:

Use EU-based hosting
Anonymise IP addresses where possible
Respect Do Not Track (DNT) browser signals

We do not use:

Google Analytics
Facebook Pixel
Any advertising trackers
Any third-party tracking cookies

8.3 Your choices

You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

9. Security

We take the security of your data seriously. Our measures include:

All data transmitted over HTTPS/TLS encryption
Images encrypted at rest in Cloudflare's storage infrastructure
Passwords hashed using industry-standard algorithms (bcrypt or Argon2)
API keys stored as hashed values
Access controls and audit logging on all internal systems
Regular security reviews of our infrastructure

No system is 100% secure. If you discover a security vulnerability, please report it to hello@spronta.com.

10. Children

Spronta is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at hello@spronta.com and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service at least 14 days before the changes take effect.

The "Last updated" date at the top of this page indicates when this policy was last revised.

12. Contact

For any questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: hello@spronta.com

Postal address:
Spronta Ltd
128 City Road
London
EC1V 2NX
England

ICO registration number: ZC017195