Spock

Privacy Policy

Entity: Bookt Holdings Inc., a Delaware corporation, trading as "Spock" ("Spock", "we", "us", "our")

1. Purpose of this Privacy Policy

This Privacy Policy explains how we collect, use, disclose, transfer, and store personal information when you use Spock, visit our websites, or interact with us. It is written to work together with:

  • Our Terms and Conditions (the "Terms"), and
  • Our Data Processing Agreement (the "DPA").

The Terms tell you what the service is. The DPA tells you what happens when we process personal information on your behalf. This Privacy Policy tells you how we process personal information as a controller, and what rights data subjects have under POPIA (South Africa) and GDPR (EU/EEA).

If anything in this Privacy Policy conflicts with the DPA about processor activities, the DPA wins.

2. Who we are

  • Responsible party / controller: Bookt Holdings Inc., a Delaware corporation, trading as "Spock".
  • Product name: "Spock" (AI workspace / assistant platform).
  • We provide AI features to business customers.

3. Where we process your data (our architecture)

This is the part we must keep consistent with your Terms:

  1. Storage in the EU (Germany): we host our application servers, databases, and core user data in Germany using DigitalOcean and Hetzner.
  2. AI inference in the US: every prompt or file that must be processed by a model is sent to US-based AI sub-processors:
    • OpenAI
    • Google / Gemini
    • Anthropic / Claude
    • Groq
  3. Transactional services: we use Resend (US) to send system emails, Stripe to process payments and Crisp to provide in-app support.

Data is stored in the EU, but AI processing is done in the US. This is why we must explain international transfers clearly (see section 11).

4. What we collect

We collect the following categories of information:

  1. Account and profile data – name, email, company, role, password hash, authentication tokens.
  2. Workspace / organisation data – tenant name, members, roles, integration settings.
  3. Customer Content – anything you or your users type or upload into Spock: prompts, chats, files, documents, instructions, and AI-generated outputs. This may contain personal information about your staff or customers.
    • When it does, you are usually the controller/responsible party, and we are the processor/operator → the DPA applies.
  4. Usage and telemetry data – logs, device info, IP address, timestamps, feature usage, model used, error logs (we keep these to secure the service).
  5. Payment and billing data – billing contact, company name, VAT number if supplied; Stripe processes card data directly.
  6. Support and communication data – emails to support, feedback, incident reports.

We do not intentionally collect information from children and we do not market to children.

5. Why we process your data (purposes)

We process personal information for these purposes:

  1. To provide the Service – create accounts, authenticate, route AI requests, return outputs.
  2. To process Customer Content on your instruction – send your prompt/file to an LLM to generate an answer.
  3. To secure and monitor the Service – logging, fraud/spam/abuse prevention, incident investigation.
  4. To bill you – via Stripe.
  5. To communicate with you – service emails via Resend, product updates.
  6. To comply with law – especially POPIA, GDPR, and requests from competent authorities.
  7. To improve the Spock product – we may analyse our own usage/telemetry in aggregated or de-identified form to understand performance and adoption. We do not use your Customer Content to train LLMs for our own purposes.

6. Legal bases (GDPR) and justification (POPIA)

Because many of your customers and data subjects are South African, we must address both.

Under GDPR, we rely on:

  • Art. 6(1)(b) – contract: to provide the Service to you.
  • Art. 6(1)(f) – legitimate interests: to secure, monitor, prevent abuse, improve, and to send AI requests to our US LLM providers in order to fulfil what the Service does.
  • Art. 6(1)(c) – legal obligation: to keep certain records.
  • Art. 6(1)(a) – consent: only where we explicitly ask for it (e.g. certain marketing).

Under POPIA, we rely on:

  • Section 11(1)(b) – processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
  • Section 11(1)(f) – processing is necessary for pursuing our legitimate interests or those of a third party to whom the information is supplied, balanced against the data subject's rights.
  • Section 72 – for cross-border transfers to Sub-processors that are bound by a binding agreement (such as the SCCs) affording adequate protection under s72(1)(b), and where the transfer is necessary for contract performance.

Important: when you (our customer) upload personal information of your employees/clients, you must have your own lawful basis under POPIA/GDPR. Our DPA assumes that you do.

7. Special / sensitive personal information

Spock is a general AI workspace. We do not want you to upload special personal information (POPIA s26–33) or special categories of data (GDPR Art. 9) such as health, religious, union, biometric, or children's data.

If you choose to upload it anyway:

  1. You confirm you have a lawful basis (explicit consent, or a statutory ground), and
  2. You warrant that you have obtained any necessary Prior Authorisation from the Information Regulator of South Africa (POPIA s.57) for the cross-border transfer of such data, and you acknowledge it will be transferred to the United States to the AI providers for inference, because there is no EU-only mode.

8. Sharing and recipients

We share personal information only with:

  1. AI inference sub-processors (US): OpenAI, Google/Gemini, Anthropic/Claude, Groq – for generating outputs. Each of these, per their current enterprise/API documentation, says they do not use customer/API data to train their models for their own purposes. We monitor these statements.
  2. Hosting providers (EU/Germany): DigitalOcean, Hetzner – for storage and compute.
  3. Email provider (US): Resend – to send account and system emails.
  4. Payments (global/US): Stripe – to process payments.
  5. Support: Crisp – to provide an in-app communication platform to support each user.
  6. Professional/technical service providers – only where needed, under confidentiality.
  7. Authorities – if we are legally required to disclose.

9. Security and retention

Security

We implement appropriate technical and organisational measures, including:

  • EU-only hosting for core data,
  • Encryption in transit,
  • Access controls and logging,
  • Secure development practices,
  • Vendor DPAs/SCCs for all sub-processors.

This matches what is stated in the Terms and will be further detailed in the DPA.

Retention

  1. Application/account/workspace data – kept for as long as you have an account and for a reasonable period thereafter (typically 12 months) for audit, support, and to let you restore data.
  2. Inference / model-call data sent to US LLMs – kept only as long as needed for abuse detection, troubleshooting, and service integrity, typically 7–30 days (some providers allow 0 days; a few may retain slightly longer – see Trust Center).
  3. Logs and security events – kept for a limited period (commonly 90–180 days) to investigate incidents.
  4. Billing and tax records – kept as long as tax law requires.
  5. Backups – deleted on a rolling basis.

Where our Privacy Policy and DPA differ, the DPA will specify the processor-level retention, and this Policy will specify controller-level retention.

10. Your rights

Under GDPR (EU/EEA/UK):

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction
  • Right to data portability
  • Right to object (especially to processing based on legitimate interests)
  • Right not to be subject to a decision based solely on automated processing, where applicable.

Under POPIA (South Africa):

  • Right to be informed that personal information is being collected
  • Right of access to personal information
  • Right to request correction or deletion
  • Right to object to processing
  • Right to complain to the Information Regulator
  • Right to institute civil proceedings.

For South African juristic persons (companies, CCs, trusts), we apply the same POPIA transfer safeguards described in our DPA.

How to exercise: contact us at the email address in section 15. If you are an end-user of one of our business customers, we may have to forward your request to that customer, because they are the controller and must decide.

11. International transfers (GDPR Art. 44–49; POPIA s72)

  1. We store your account/workspace data in the EU (Germany).
  2. We always transfer your prompts/uploads to our US AI sub-processors (OpenAI, Google/Gemini, Anthropic/Claude, Groq) to generate outputs.
  3. We also transfer limited personal information to Resend (US), Stripe (US/EU) and Crisp (EU).
  4. Our public TIA summary covers the US-based AI sub-processors. Other onward transfers (Resend, Stripe, Crisp, hosting in the EU) are governed by our DPA and sub-processor agreements.

To make this lawful:

  • Under GDPR: we use the European Commission's Standard Contractual Clauses (2021/914), usually Module 3 (processor → sub-processor), as made available by our US vendors. All of them already bundle SCCs and pick Irish law/DPA. We also apply supplementary measures as per EDPB Recommendations 01/2020 (logging, access controls, data minimisation).
  • Under POPIA: we rely on section 72(1)(b) (binding agreement affording adequate protection, namely the SCCs/DPAs provided by the vendors), and the necessity of the transfer for contract performance.

We will update this section if we add an EU-based LLM option in the future.

12. Cookies and tracking

If you use Spock through the web or mobile, we use only strictly necessary cookies for the site to function. We do not use analytics, advertising, or third-party tracking cookies.

13. Children

The Service is for business use. We do not knowingly collect personal information from children under the minimum age in their jurisdiction. If we learn that we have, we will delete it.

14. Changes

We may update this Privacy Policy from time to time to reflect changes to our Service, vendors, or legal requirements. If we make material changes, we will notify you via the Service or email.

15. Contact and complaints

Contact Spock (controller):

  • Bookt Holdings Inc. (trading as Spock)
  • Support@spock.chat

South Africa – Information Regulator:

  • JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
  • Complaints (general): complaints.IR@justice.gov.za
  • Enquiries: inforeg@justice.gov.za

South Africa – Information Officer (POPIA s.55):

Louis-Neil Korsten, CEO of Spock, Email: Louis@spock.chat

EU representative (GDPR Art. 27):

Louis-Neil Korsten, CEO of Spock, Email: Louis@spock.chat

Last updated: August 2025