Privacy Policy
Last updated: May 31, 2026
This Privacy Policy explains what personal data Spiglo collects, why we collect it, how we use it, and the rights you have. It applies to spiglo.com and the Spiglo service.
Who is responsible (data controller)
The data controller responsible for your personal data is:
What data we collect
Depending on how you use Spiglo, we may process:
- Account information you provide: your email address, your name, and a securely hashed password.
- Poll content you create: titles, descriptions, options, dates, locations and settings.
- Voting data: responses, optional participant name and email address, and comments submitted to polls.
- Technical data: your IP address and browser information, used to prevent duplicate votes, apply rate limits and protect against abuse.
- Security data: if you enable two-factor authentication, a TOTP secret and hashed backup codes; and audit logs of important account and organization actions.
- Cookies and local storage: see the Cookies section below.
Why we process your data (legal bases)
We rely on the following legal bases under the GDPR:
- Performance of a contract (Art. 6(1)(b)) — to create and operate your account and provide the service.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent fraud and abuse, de-duplicate votes and maintain audit logs.
- Consent (Art. 6(1)(a)) — for analytics cookies, which are only set if you accept them; you can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — where we must retain certain information to comply with the law.
Cookies
We use a small number of strictly necessary cookies to keep you signed in (spiglo_auth) and to protect forms against cross-site request forgery (spiglo_csrf), plus local storage to remember your language and cookie choices. Analytics cookies (Google Analytics 4) are only set if you accept them. You can review or change your choice at any time.
Who we share data with
We do not sell your personal data. We use a small number of trusted service providers (processors) who act on our behalf:
- Hetzner Online GmbH (Germany) — hosting and data storage.
- Resend — delivery of transactional emails such as verification, password reset and poll notifications.
- Cloudflare, Inc. (Turnstile) — bot and abuse protection on forms; processes your IP address.
- Google (Google Analytics 4) — website analytics, only when you consent.
International data transfers
Most processing takes place within the EU/EEA (our hosting is in Germany). Some processors (for example Google and Resend) may process data outside the EEA. Where that happens, the transfer is protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses.
How long we keep your data
We keep account data for as long as your account exists. Polls, votes and comments are kept until you or the poll creator delete them. Encrypted database backups are retained for up to 30 days. Audit logs are kept for a limited period for security purposes. When you delete your account, we delete or anonymize your personal data, except where we must keep it to comply with a legal obligation.
Your rights
Under the GDPR you have the right to:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your personal data (the 'right to be forgotten').
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — withdraw analytics consent at any time, without affecting prior processing.
To exercise any of these rights, contact us at info@spiglo.com.
You also have the right to lodge a complaint with a data protection supervisory authority — in Slovakia, the Úrad na ochranu osobných údajov Slovenskej republiky (dataprotection.gov.sk), or the authority in your own EU/EEA country.
Children
Spiglo is not directed at children. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the new version on this page and update the 'Last updated' date above. Significant changes will be communicated where appropriate.