Legal
Privacy Policy
This policy explains what we collect, why, who else sees it, and how to make us delete it. It names every third party we send data to, because a privacy policy that will not tell you that is not telling you anything.
- Effective
- Last updated
This policy applies to the Spottlo website and application, operated by TechSpark Development LLC, a New York limited liability company, doing business as CordTextSMS. For the purposes of the UK and EU GDPR, TechSpark Development LLC is the data controller for the personal data described here. (If you are wondering why a different name appears on your card statement, see the Terms — charges show as CORDTEXTSMS.)
The short version
- We collect the data we need to run your scans and bill you. Not more.
- We do not sell your personal information, and we never have.
- We do not use your data to train AI models, and we do not permit it to be used that way.
- Your prompts, brand names and competitor names are sent to third-party AI engines — that is literally the product. Your name, email and card details are not.
- You can delete your account and everything in it, yourself, at any time.
- The full list of companies that touch your data is in section 6.
1. What we collect
1.1 Account data
| Data | Why |
|---|---|
| Name and email address | To create and identify your account, and to email you about your account and scans. |
| Password (hashed) | To let you sign in. We store a bcrypt hash and never the password itself. If you sign in with Google, there is no password at all. |
| Google account ID, name, email and avatar URL | Only if you choose “Sign in with Google”. We never receive your Google password. |
| Slack webhook URL | Only if you set one up, so we can post movement alerts to your Slack. |
1.2 Billing data
Payments are processed by Stripe. Your full card number never reaches our servers — you enter it on a Stripe-hosted page. We store:
- your Stripe customer ID;
- your card brand (for example “visa”) and the last four digits, so we can show you which card is on file;
- your subscription status, plan, quantity and renewal dates.
1.3 Service data (the things you track)
- Brands you add: name, domain and any aliases.
- Prompts: the buyer questions you choose to track. These are free text — please do not put personal or confidential information in them.
- Competitors: the names, domains and aliases of other companies you want to be measured against.
- Scan results: for every prompt and every engine, we store the full verbatim answer the AI engine returned, plus whether your brand was mentioned or cited and at what position.
- Recommendations: AI-generated suggestions about how to improve your visibility.
1.4 Technical data
- IP address and browser user-agent, stored against your login session.
- Server and error logs, which may contain your IP address and the URL you requested.
- Aggregate, cookieless page-view counts on our public pages — no cookie, no identifier, no cross-site tracking (see Cookies).
- An anonymous landing-page A/B test record: which of two homepage variants was shown, and whether a report was requested. This contains no IP, no user ID and no domain.
1.5 The free report
You can run a free report without an account. When you do:
- We do not ask for or collect any personal information — no email, no name, no signup.
- The domain you enter is sent to the AI engines and to our AI Overviews provider so we can run the scan.
- The report is cached for about 24 hours and then expires. The domain is not saved to our database.
- The report is public while it is cached. It lives at a URL based on the domain, and anyone visiting that URL can see it. We do not verify that you own the domain you scan. Please do not enter a domain you would not want a report to exist for.
2. Why we process it, and our legal basis
Under the UK/EU GDPR we rely on the following legal bases:
| Purpose | Data | Legal basis |
|---|---|---|
| Creating your account and providing the Service | Account data, Service data | Contract — we cannot run your scans without it. |
| Taking payment and preventing failed billing | Billing data | Contract, and legal obligation for tax and accounting records. |
| Sending service emails (scan results, alerts, billing notices) | Email address | Contract. |
| Keeping the Service secure, preventing abuse and rate-limiting | IP address, session data, logs | Legitimate interests — running a service that is not being abused. |
| Cookieless analytics and landing-page A/B testing | Aggregate page-view counts, A/B variant cookie | Legitimate interests — knowing which pages people read, without tracking who they are. Our analytics sets no cookies and no identifier, so there is nothing here to consent to. |
| Complying with law and defending legal claims | As needed | Legal obligation / legitimate interests. |
3. What gets sent to the AI engines
This is the heart of the product, so it deserves its own section rather than a footnote.
To produce your report, we send to OpenAI (ChatGPT), Perplexity, Google (Gemini) and our Google AI Overviews data provider:
- the text of your tracked prompts;
- your brand name and domain;
- the names of the competitors you have added (when generating recommendations).
We do not send them your name, your email address, your password, your card details, your Stripe ID, your IP address, or your Slack webhook.
Because your prompts are free text, anything you type into a prompt will be sent to those third parties. Do not put personal data, customer names, or confidential information into a tracked prompt. Once we have sent it, it is governed by that provider's own privacy policy, linked in section 6.
We do not use your data to train models, and we do not sell it. We use these providers' standard APIs. Note that we cannot control a provider's own retention of API requests for abuse-monitoring purposes; their policies are linked below.
4. Who else we share with
We share personal data only with the service providers in section 6, and:
- If required by law — a valid subpoena, warrant or court order. Where we are legally permitted to tell you, we will.
- To protect rights and safety — to investigate fraud, abuse or a security incident.
- In a business transfer — if the company is acquired or merges, your data may transfer. We will tell you before it becomes subject to a different privacy policy.
We do not sell personal information, and we do not share it for cross-context behavioural advertising.
5. How long we keep it
| Data | Retention |
|---|---|
| Account, brands, prompts, competitors, scan results | For as long as your account is open. Deleted permanently when you delete your account or the brand. |
| Free report | About 24 hours (cache expiry). Not stored in the database. |
| Login sessions (IP, user-agent) | Sessions expire after 2 hours of inactivity and are cleared. |
| Billing and invoice records | Retained by Stripe and by us as required by tax and accounting law, typically 7 years, even after you delete your account. We cannot delete these on request — we are legally required to keep them. |
| Server and error logs | Rotated regularly; not used to build a profile of you. |
| Anonymous A/B events | Kept indefinitely. They contain no personal data. |
6. Subprocessors — everyone who touches your data
These are the companies we rely on to run Spottlo. The “personal data?” column answers the question you actually care about: does my name, email, IP or card go there.
| Provider | What it does | What we send | Personal data? |
|---|---|---|---|
|
Stripe, Inc.
United States |
Payment processing, subscription billing and invoicing | Your name, email address and payment card details. Card numbers are entered on Stripe-hosted pages and never touch our servers; we store only your Stripe customer ID, your card brand and the last four digits. | Yes |
|
OpenAI, L.L.C.
United States |
Running your tracked prompts through ChatGPT, and generating the AI visibility recommendations | The text of your tracked prompts, your brand name and domain, and the names of competitors you have added. No names, emails or payment data. | No |
|
Perplexity AI, Inc.
United States |
Running your tracked prompts through Perplexity | The text of your tracked prompts. No names, emails or payment data. | No |
|
Google LLC (Gemini API)
United States |
Running your tracked prompts through Gemini | The text of your tracked prompts. No names, emails or payment data. | No |
|
SerpApi, LLC
United States |
Retrieving Google AI Overviews results for your tracked prompts |
The search query derived from your tracked prompt. No names, emails or payment data.
We may switch the AI Overviews data provider (for example to SearchApi.io). This page is updated when we do. |
No |
|
Google LLC (Sign-in with Google)
United States |
Optional social login | If you choose to sign in with Google, we receive your Google account ID, name, email address and avatar URL. We never receive your Google password. | Yes |
|
Cloudflare Web Analytics
United States / global edge network |
Privacy-first website analytics on our public pages | Page views, referrer and general device type. It is cookieless: it sets no cookies, assigns you no identifier, and cannot follow you across other sites. We chose it over Google Analytics for exactly that reason. | No |
|
Slack Technologies, LLC
United States |
Delivering visibility-movement alerts, only if you configure a Slack webhook | Your brand name, its share-of-voice figures and a link back to the brand page. No names, emails, payment data or competitor names. | No |
|
Cloudflare, Inc.
United States / global edge network |
CDN, DNS and denial-of-service protection in front of the site | Request metadata including your IP address, as part of serving and protecting the site. | Yes |
|
DigitalOcean, LLC
United States |
Hosting the application and its database | All Service data, at rest on our server. | Yes |
We will update this list before adding a new subprocessor that handles personal data. If you want to be notified when it changes, email us and we will add you to that list.
7. Cookies
| Cookie | Purpose | Lifetime |
|---|---|---|
spottlo-session | Strictly necessary. Keeps you signed in. | 2 hours of inactivity |
XSRF-TOKEN | Strictly necessary. Protects against cross-site request forgery. | Session |
remember_web_* | Keeps you signed in between visits, if you asked us to. | Until you sign out |
lp_variant | Remembers which of two homepage designs you were shown, so the page does not change under you between visits. Contains only the letter a or b. First-party, no personal data, not used to track you anywhere else. | 30 days |
That is the whole list, and there is no cookie banner because there is nothing to ask you about. We do not set advertising cookies, tracking cookies, or any third-party cookie. We do not use Google Analytics.
We used to. GA4 sets _ga cookies that follow you across sites, which under EU and UK
rules means we owed you a consent banner before the script even loaded. Instead of adding a banner
and carrying on tracking you, we removed the tracking. Analytics is now
Cloudflare Web Analytics, which is cookieless: it counts page views without
setting a cookie, without giving you an identifier, and without the ability to follow you
anywhere else.
8. Your rights
8.1 Everyone
You can do most of this yourself, immediately, without emailing anyone:
- Access and correct your name and email on your profile page.
- Delete a brand, which permanently deletes its prompts, competitors and every scan result.
- Delete your entire account from the profile page. This immediately cancels any active subscription so you are not billed again, and permanently deletes your account, brands, prompts, competitors and scan history. It is not reversible.
- Turn off Slack alerts and remove your webhook at any time.
8.2 If you are in the EU or UK (GDPR)
You have the right to:
- Access a copy of the personal data we hold about you;
- Rectify data that is wrong;
- Erase your data (“right to be forgotten”), subject to records we must keep by law, such as invoices;
- Restrict or object to processing based on legitimate interests;
- Data portability — get your data in a structured, machine-readable format. We do not have a self-serve export button yet; email us and we will send you your data within 30 days;
- Withdraw consent at any time, where we relied on consent;
- Complain to your local supervisory authority. We would rather you told us first, but it is your right either way.
We will not charge you for exercising these rights, and we will not treat you differently for it.
8.3 If you are in California (CCPA/CPRA)
You have the right to:
- Know what personal information we collect, use and disclose — this policy is that disclosure;
- Delete your personal information, subject to legal retention;
- Correct inaccurate personal information;
- Opt out of sale or sharing — not applicable: we do not sell or share your personal information, and we have not in the preceding 12 months;
- Non-discrimination for exercising your rights.
Categories collected in the last 12 months: identifiers (name, email, IP), commercial information (subscription and payment records), internet activity (analytics), and your Service data. We do not collect sensitive personal information as defined by the CPRA.
8.4 How to exercise any of this
Email us using the address in section 12. We will verify your identity by confirming you control the account's email address, and we will respond within 30 days.
9. International transfers
We are a US company and our servers and providers are primarily in the United States. If you are in the EU, UK or elsewhere, your data is transferred to the United States. Where required, these transfers rely on the European Commission's Standard Contractual Clauses or an equivalent safeguard, which our providers incorporate into their terms.
10. Security
We take reasonable measures to protect your data:
- All traffic is encrypted in transit (HTTPS/TLS).
- Passwords are stored as bcrypt hashes, never in plain text.
- We never store full card numbers — card data is handled by Stripe, which is PCI-DSS Level 1 certified.
- Access to production data is limited to the people who need it to run the service.
No system is perfectly secure, and we will not pretend otherwise. If we discover a breach that affects your personal data, we will notify you and the relevant regulator without undue delay, and within 72 hours where GDPR requires it.
11. Children
Spottlo is a business tool and is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has given us data, email us and we will delete it.
12. Contact and complaints
The data controller is
TechSpark Development LLC, a New York limited liability company, d/b/a CordTextSMS
Registered business address available on request — email us and we will provide it. We are a small company and do not publish a postal address on the site.
Privacy questions, data requests, or to exercise any right above:
A real person reads that inbox. If you are unhappy with how we handle a request, you can complain to your data protection authority — in the UK, the Information Commissioner's Office; in the EU, your national supervisory authority.
13. Changes to this policy
If we change this policy in a way that materially affects you — a new subprocessor handling personal data, a new purpose, a change to retention — we will email you and update the “last updated” date at the top. We will not quietly broaden what we do with your data and hope you do not notice.
See also: Terms of Service, Privacy Policy.