Home

Product

Solutions

Resources

About us

Request a demo

Back to homepage

Privacy Policy

Last updated: April 21, 2026

At Spaak, we take the protection of personal data seriously. This policy (the Privacy Policy) walks you through the personal data we handle, why we handle it, and how you can control it.

This Privacy Policy covers our treatment of personal data whenever you access or use Spaak’s products, services, features, and technologies — including Spaak’s website at spaak.ai (the Site), the Spaak application, and any plug-ins or integrations that exchange information with Spaak (together, the Services). The Site and the Services are referred to collectively as the Online Services. This Privacy Policy also applies to other interactions you have with us — for example, when you email our team, register for an event, or reply to one of our surveys.

Using the Online Services means you’ve read and accepted this Privacy Policy. Questions or requests can go to privacy@spaak.ai.

Our role, and what this policy does not cover

Spaak sells its Services to businesses and other organizations for professional use. We refer to those organizations as our Customers, and the written agreements under which they buy the Services — including any data processing addendum (DPA) — are the Customer Agreements.

This Privacy Policy applies when Spaak is the data controller responsible for processing personal data. It does not apply to any input you submit to, output generated through, or documents you upload into the Spaak application (together, Customer Content). Spaak processes Customer Content as a data processor on behalf of Customers (the data controllers), and our handling of Customer Content is governed by the relevant Customer Agreement and DPA. If your question concerns personal data included in Customer Content, please direct it to the relevant Customer; rights requests we receive in our processor capacity will be forwarded to the Customer.

Our Online Services may link to other websites, and other websites may link to ours. This Privacy Policy applies only to spaak.ai and app.spaak.ai. It does not cover third-party websites you reach through links on the Online Services or third-party sites you use to access Spaak — those have their own privacy practices.

This Privacy Policy also covers our processing of personal data about identifiable individuals who are publicly engaged in political, regulatory, and policy activity — for example, legislators, regulators, candidates, lobbyists, public officials, and other participants in the public policy process (Public Individuals). We process Public Individuals’ personal data as data controller, in connection with their public role, so that authorized users of the Spaak application can navigate and understand the EU policy landscape.

2- What personal data we process

Our guiding principle is to only collect what we need to deliver, secure, and improve the Services.

2.1 Information you give us

Account details. To use the Services you need an account. When you or your employer sets one up, we record your name, your work email, your job title or role, any language preference you set, an optional profile picture, and the credentials needed to sign you in.
Billing information. On paid plans we collect the information needed to invoice you or your employer, such as a billing contact, billing address, and tax identifier. Card data is handled directly by our payment processor.
Messages you send us. Anything you share when contacting support, sales, or our team generally — name, email, phone number, the contents of the message, attachments — is stored so we can reply, follow up, and keep a record of past interactions. We may record or transcribe calls and meetings with your prior notice, for quality, training, and documentation purposes. If you open or click links in emails we send, our email system may register that fact to help us tune what we send.
Surveys, research, testimonials, and events. If you fill out a survey, sit for a customer interview, enter a contest or raffle, submit a testimonial, or register for one of our events, we record the information you choose to provide (and, for recorded interviews, the recording itself — always with your consent). Testimonials are only published with your permission and can be withdrawn at any time.
Social-media interactions. Our accounts on platforms such as LinkedIn and X will show us any public information you share when you interact with our posts or profile, and those platforms may give us aggregated follower analytics.

2.2 Information we observe through the Online Services

When you visit, use, or interact with our Online Services, some data about the interaction is generated automatically. We refer to this collectively as Technical Information.

Network and browser signals. Our servers record the IP address of requests reaching us, the approximate location derived from it, the browser and operating system making the request, the pages or endpoints accessed, the language and time-zone the browser reports, referrers and exit pages, and the date and time of each request.
Device and environment signals. We record characteristics of the device used to access the Online Services — device type, OS name and version, browser version, screen or viewport size, and similar configuration details — so we can render the Online Services correctly and diagnose issues.
Product usage. We observe how the Online Services are used: pages and screens viewed, features and actions invoked, queries submitted, time spent, navigation paths, and errors encountered. We do not collect or store data directly related to Customer Content other than as described in the Customer Agreement and DPA.
Cookies. A cookie is a small piece of data stored by a website on your device. Some cookies are placed by Spaak; others by third parties such as our analytics providers. We use required cookies to keep the Online Services working (for example, signing you in and maintaining your session), functional cookies to remember preferences such as language and region, analytics cookies to understand how the Online Services are used so we can improve them, and marketing cookies to measure the effectiveness of our campaigns and, where permitted, support relevant advertising. You can adjust your browser settings to refuse or delete cookies; blocking cookies may limit how the Online Services work.

2.3 Information we receive from third parties

We sometimes receive information about you from sources other than you — for example, businesscontact and data-enrichment providers, security and fraud prevention partners, marketing platforms, event organizers who pass along attendee lists, and our own Customers (who may give us contact details for users they want provisioned on their Spaak account). We combine that data with what we already hold and use it as described in this Privacy Policy.

2.4 Information from public sources

Spaak also collects publicly available business contact information about Customers and prospects — including names, job titles, business email addresses, and phone numbers. You can opt out of outreach at any time by emailing privacy@spaak.ai.

The Spaak application also processes personal data about Public Individuals — including their public statements, voting records, affiliations, and posts they have made publicly available on social media or other public platforms — so that authorized users can navigate and understand the EU policy landscape. We process this information only in connection with these individuals’ public roles. Section 3 sets out the legal basis we rely on and the safeguards that apply.

2.5 Aggregated and de-identified information

We may produce aggregated or de-identified information from the personal data we hold — for example, statistics on how features are adopted or how quickly requests are answered. Once data has been aggregated or irreversibly de-identified so that it no longer identifies anyone, we may use, share, or publish it for any lawful purpose (such as benchmarking, product research, or marketing) without further notice. We do not attempt to re-identify such data

Why we use personal data, and the legal bases we rely on

In summary, we use personal data to:

run the Online Services and keep them available, reliable, and secure;
create and manage accounts, authenticate users, and support single sign-on;
charge for the Services, handle tax and accounting, and manage collections;
answer questions, resolve tickets, and keep a record of our correspondence;
send service announcements and, where permitted, marketing messages about Spaak;
measure how the Services are used and make them better over time;
detect, investigate, and respond to fraud, abuse, security incidents, and violations of our terms;
comply with laws, regulatory obligations, and lawful requests from authorities;
establish, exercise, or defend legal claims.

Under the GDPR and comparable privacy laws, we rely on the following bases:

At Spaak, we take the protection of personal data seriously. This policy (the Privacy Policy) walks you through the personal data we handle, why we handle it, and how you can control it.

Using the Online Services means you’ve read and accepted this Privacy Policy. Questions or requests can go to privacy@spaak.ai.Identity & Access

Our role, and what this policy does not cover

What personal data we process

Our guiding principle is to only collect what we need to deliver, secure, and improve the Services.

2.1 Information you give us

Account details. To use the Services you need an account. When you or your employer sets one up, we record your name, your work email, your job title or role, any language preference you set, an optional profile picture, and the credentials needed to sign you in.
Billing information. On paid plans we collect the information needed to invoice you or your employer, such as a billing contact, billing address, and tax identifier. Card data is handled directly by our payment processor.
Messages you send us. Anything you share when contacting support, sales, or our team generally — name, email, phone number, the contents of the message, attachments — is stored so we can reply, follow up, and keep a record of past interactions. We may record or transcribe calls and meetings with your prior notice, for quality, training, and documentation purposes. If you open or click links in emails we send, our email system may register that fact to help us tune what we send.
Surveys, research, testimonials, and events. If you fill out a survey, sit for a customer interview, enter a contest or raffle, submit a testimonial, or register for one of our events, we record the information you choose to provide (and, for recorded interviews, the recording itself — always with your consent). Testimonials are only published with your permission and can be withdrawn at any time.
Social-media interactions. Our accounts on platforms such as LinkedIn and X will show us any public information you share when you interact with our posts or profile, and those platforms may give us aggregated follower analytics.

2.2 Information we observe through the Online Services

When you visit, use, or interact with our Online Services, some data about the interaction is generated automatically. We refer to this collectively as Technical Information.

Network and browser signals. Our servers record the IP address of requests reaching us, the approximate location derived from it, the browser and operating system making the request, the pages or endpoints accessed, the language and time-zone the browser reports, referrers and exit pages, and the date and time of each request.
Device and environment signals. We record characteristics of the device used to access the Online Services — device type, OS name and version, browser version, screen or viewport size, and similar configuration details — so we can render the Online Services correctly and diagnose issues.
Product usage. We observe how the Online Services are used: pages and screens viewed, features and actions invoked, queries submitted, time spent, navigation paths, and errors encountered. We do not collect or store data directly related to Customer Content other than as described in the Customer Agreement and DPA.
Cookies. A cookie is a small piece of data stored by a website on your device. Some cookies are placed by Spaak; others by third parties such as our analytics providers. We use required cookies to keep the Online Services working (for example, signing you in and maintaining your session), functional cookies to remember preferences such as language and region, analytics cookies to understand how the Online Services are used so we can improve them, and marketing cookies to measure the effectiveness of our campaigns and, where permitted, support relevant advertising. You can adjust your browser settings to refuse or delete cookies; blocking cookies may limit how the Online Services work.

2.3 Information we receive from third parties

2.4 Information from public sources

2.5 Aggregated and de-identified information

Why we use personal data, and the legal bases we rely on

In summary, we use personal data to:

run the Online Services and keep them available, reliable, and secure;
create and manage accounts, authenticate users, and support single sign-on;
charge for the Services, handle tax and accounting, and manage collections;
answer questions, resolve tickets, and keep a record of our correspondence;
send service announcements and, where permitted, marketing messages about Spaak;
measure how the Services are used and make them better over time;
detect, investigate, and respond to fraud, abuse, security incidents, and violations of our terms;
comply with laws, regulatory obligations, and lawful requests from authorities;
establish, exercise, or defend legal claims.

Under the GDPR and comparable privacy laws, we rely on the following bases:

What we do
What we do
Legal basis (GDPR)
Setting up and running Customer accounts, authenticating users, processing payments, delivering the Services under a Customer Agreement
Art. 6(1)(b) – performance of a contract
Providing support, handling inquiries, running satisfaction surveys, and administering our customer relationships
Art. 6(1)(f) – legitimate interest in a responsive, wellrun service
Protecting the Services against fraud, abuse, and security threats, and enforcing our terms
Art. 6(1)(f) – legitimate interest (shared with users and Customers) in a secure service
Measuring product performance, understanding usage, and improving the Services
Art. 6(1)(f) – legitimate interest in improving the product
Charging, metering, and reconciling usage-based fees with Customers and suppliers (anonymized where practical)
Art. 6(1)(b) and Art. 6(1)(f)
Sending marketing about Spaak (newsletter, product updates, events)
Art. 6(1)(a) – consent where required; otherwise Art. 6(1)(f) legitimate interest, subject to an opt-out
Building and maintaining sales lead lists for B2B outreach to prospects
Art. 6(1)(f) – legitimate interest in identifying potential customers, subject to an opt-out (and consent where required by ePrivacy rules)
Processing personal data about Public Individuals so that authorized users of the Spaak application can navigate and understand the EU policy landscape
Art. 6(1)(f) – legitimate interest. We have weighed our interest, and that of our users and the public, in transparency around political, regulatory, and policy activity against the rights and freedoms of Public Individuals, and concluded our legitimate interest is not overridden when the data is publicly available and processed in connection with their public role. Public Individuals can object at any time at privacy@spaak.ai.
Meeting tax, accounting, sanctions, anti-moneylaundering, and other legal obligations
Art. 6(1)(c) – compliance with a legal obligation
Bringing or defending legal claims
Art. 6(1)(f) – legitimate interest

Whenever we rely on legitimate interests, we carry out a balancing test, document it, and make sure the processing is necessary for that interest and does not override the rights and freedoms of the people whose data we process. You can object to any processing that is based on legitimate interests on grounds related to your particular situation — see Section 6.

Who receives personal data

We do not sell personal data. We share it only in the situations listed below.

Information about Public Individuals. Through the Spaak application we make publicly known and publicly available information about Public Individuals — including their public statements, voting records, affiliations, and posts they have made publicly available — accessible to authorized users of the Services.
Within the Spaak group. Personal data may move between Spaak legal entities that share infrastructure or operating functions. Affiliates are bound to the same protections described here.
Processors and service providers. We rely on a set of vendors to run the Services, including cloud and hosting providers, model and AI-infrastructure providers, payment processors, identity and email providers, CRM and support tooling, analytics platforms, and event or webinar tools. These vendors process personal data only on our instructions, and only to the extent needed to perform the services they provide to Spaak.
Other users in your organization. The Services include collaboration features. Actions you take that are, by design, shared with your workspace (for example, creating or editing items visible to your team) will be seen by other authorized users in the Customer’s account.
Third-party apps you connect. If you link a Spaak account to an external service (say, a Microsoft 365 add-in, a Google Workspace integration, or a Slack app), information will be exchanged between Spaak and that service as needed for the integration to function. Once the data is in the third party’s systems, the third party’s terms and privacy policy govern it.
Corporate events. If Spaak is involved in a financing, merger, acquisition, reorganization, divestiture, or the transition of a service to another provider, personal data may be disclosed to counterparties and their advisers during diligence and transferred to a successor or affiliate. We’ll keep any such transfer consistent with this Privacy Policy, or give you notice of material changes.
Legal, safety, and public-interest reasons. We may disclose personal data where we believe in good faith that it’s necessary to (i) comply with a law, regulation, warrant, subpoena, or court order; (ii) respond to lawful government or law-enforcement requests; (iii) protect the rights, property, or safety of Spaak, our users, or the public; (iv) detect, prevent, or investigate fraud, abuse, or security issues; or (v) bring or defend a legal claim.

International data transfers

Spaak’s production infrastructure for the Services is hosted in the European Economic Area. Using the Online Services therefore normally means your personal data is processed on servers located in the EEA.

Some of our vendors, affiliates, or service providers operate outside the EEA, so personal data may be transferred to countries whose privacy laws differ from those in your home country. Whenever we send personal data outside the EEA or the United Kingdom, we put safeguards in place so the data keeps an essentially equivalent level of protection. Those safeguards may include:

Adequacy decisions from the European Commission (or, for UK data, from the UK authorities) covering the recipient country;
Standard Contractual Clauses adopted by the European Commission, together with the UK International Data Transfer Addendum where relevant, backed by any supplementary technical and organizational measures needed in the specific case;
Article 49 GDPR derogations, used only in limited situations — for example, where the transfer is necessary to perform a contract with you, to set up or defend legal claims, or where you have given explicit informed consent;
Approved cross-border transfer frameworks, such as the EU-U.S. Data Privacy Framework, where the recipient is certified.

You can ask us for a copy of the safeguards we use for a specific transfer by emailing privacy@spaak.ai.

Your rights

Subject to the conditions in applicable law, you have the following rights over your personal data.

To be informed and to get a copy. You can ask whether we process personal data about you and, if we do, receive a copy together with information about where the data came from, who we share it with, why we process it, and how long we keep it.
To have inaccurate data corrected. If something we hold about you is wrong or incomplete, tell us and we’ll fix it.
To have data deleted. In certain situations — for example, when we no longer need the data for the purpose it was collected, or when you withdraw the consent the processing was based on — you can ask us to erase personal data about you.
To restrict how we process data. You can ask us to pause processing in specific circumstances, including while we’re checking the accuracy of data you’ve challenged or evaluating an objection you’ve raised.
To object to processing. You can object at any time to processing we carry out on the basis of a legitimate interest (including any profiling that relies on that basis), on grounds relating to your specific situation. Unless we can show compelling legitimate grounds that override your interests, rights, and freedoms, we’ll stop that processing. You can also opt out of direct marketing at any time, no questions asked.
To take your data with you. Where the processing is based on your consent or a contract and is carried out by automated means, you can ask for a copy of the data you gave us in a structured, commonly used, machine-readable format, and — where technically feasible — ask us to send it straight to another controller.
To withdraw consent. Where a processing activity is based on your consent, you can withdraw it at any time. Withdrawing consent doesn’t affect anything we did lawfully before the withdrawal.
To complain to a regulator. If you think we’ve mishandled your personal data, you can lodge a complaint with your local data-protection supervisory authority — for example, the authority in the EU/EEA country where you live, where you work, or where you believe the issue arose.

Public Individuals have these same rights with respect to the personal data we process about them. In particular, a Public Individual can object at any time to our legitimate-interest-based processing described in Section 3 by emailing privacy@spaak.ai, and we will honor the objection where applicable law requires us to.

To exercise any of these rights, email privacy@spaak.ai. Many of these things can also be done directly in the Services — you can update your profile, export data, or change your marketing preferences from your account settings.

Before we act on a rights request, we may ask you to verify your identity to make sure we’re sharing or deleting personal data with the right person. If we are unable to verify your identity (and, where applicable, proof of residency) to our satisfaction, we will not provide or delete the data.

You can submit a request through an authorized agent. The agent will need to provide signed written authority to act on your behalf and must be able to verify your identity (and, where applicable, proof of residency) to our satisfaction. We may also decline or narrow a request where applicable law permits.

Security

We take protecting personal data seriously and apply appropriate technical and organizational measures to guard against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Depending on the sensitivity of the data and the nature of the processing, those measures may include encryption in transit and at rest, access controls, network monitoring, vendor due diligence, and staff training.

For more info, please see: trust.spaak.ai

How long we keep personal data

We keep personal data only for as long as necessary to fulfil the purposes for which it was collected, or longer if applicable law requires us to.

If you use Spaak under a Customer Agreement, we delete or return your data in accordance with that Customer Agreement.
Personal data we are under a legal obligation to retain — for example under tax, accounting, anti-money-laundering, or bookkeeping rules — is retained for the periods required by applicable law (typically 5 to 10 years, depending on jurisdiction).
Personal data not covered by a contractual relationship or a legal retention obligation is kept only as long as necessary for the purpose for which it was collected.

In limited cases, we may need to retain personal data for longer to protect Spaak’s legal rights — for example, while a dispute is unresolved or a claim could foreseeably be made.

A legal obligation to store personal data does not give us permission to use it for any other purpose.

When we no longer need your personal data, we delete or anonymize it in line with our internal retention schedule and applicable law. Where immediate deletion isn’t possible, for example, because the data lives in a backup set — we securely isolate it and prevent any further processing until deletion is possible

Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in the Services, in our practices, or in the law. When we do, we’ll update the “Last updated” date at the top. If the change is material, we’ll also give you a heads-up through the Services, by email, or another appropriate channel. Continued use of the Online Services after an update means you accept the revised policy, to the extent that’s allowed under applicable law.