Privacy Policy - SPS

SPS App Ltd respects your privacy. This policy describes how we collect, use, and protect your personal data in connection with our website and services, in compliance with GDPR, the Israeli Privacy Protection Law 5741-1981, and applicable amendments.

Data Controller

SPS App Ltd (company number 515890556), 7 HaPelech St., Tel Aviv, Israel ('SPS', 'we', 'us') is the data controller for personal data collected through the SPS website (sps-app.com) and related services. Contact: office@sps-app.com

Data We Collect

We collect the following categories of personal data: (1) Account data — name, email address, company name, phone number, and billing information when you register or use our dashboard; (2) Visitor arrival data (ERTM) — name, email address, and/or phone number voluntarily submitted by visitors when using arrival or queue features on a business's navigation page; all ERTM fields are optional and may be skipped; (3) Usage and analytics data — IP address, browser type, device information, and page interaction events when you visit our website or navigation pages; (4) Contact and enquiry data — name, email address, and message content when you submit a contact or demo request form.

Legal Basis for Processing

We process your data on the following legal grounds (GDPR Article 6): (a) Contractual necessity — account registration data, billing, and service delivery (Art. 6(1)(b)); (b) Legitimate interests — website analytics, navigation page visit tracking (you can opt out via cookie settings), and responding to contact enquiries (Art. 6(1)(f)); (c) Consent — ERTM visitor arrival data submitted voluntarily; submission constitutes consent and you may skip any field (Art. 6(1)(a)); (d) Legal obligation — where required by applicable law (Art. 6(1)(c)).

Visitor Arrival Data (ERTM)

Our platform includes an optional arrival and queue feature (ERTM) on business navigation pages. Visitors may voluntarily provide their name, email address, or phone number to notify a business of their arrival or join a queue. All fields are optional — visitors may skip any or all fields. This data is collected on behalf of the business, which is the independent data controller for all visitor data it receives. SPS processes this data solely as a data processor under the business's instruction. Businesses may optionally provide a link to their own privacy policy, which will be displayed on their navigation page.

Purpose of Processing

We use your personal data to: provide, operate, and improve the SPS platform and services; create and manage your account; respond to your enquiries and support requests; send service communications and, where you have agreed, marketing communications; analyse website and platform usage to improve our services; fulfil legal and contractual obligations.

Retention Periods

Account data: retained for the duration of your account and for 3 years after deletion to meet legal obligations. Analytics event data: automatically deleted after 90 days (enforced by database TTL index). ERTM visitor data: retained at the business's discretion; businesses should define their own retention policy. Contact and demo enquiries: retained for 2 years from the date of submission. Billing and payment records: retained for 7 years as required by Israeli tax law.

Sharing and Recipients

We may share personal data with: hosting and infrastructure providers (Amazon Web Services, Frankfurt, EU); email delivery services (Mailjet, France/EU); website content management (Sanity, Norway/EU); navigation map services (HERE Technologies, Netherlands/EU); payment processors (Stripe, PayPal) where applicable. All third-party processors are bound by data processing agreements. We do not sell personal data. We may disclose data to law enforcement or regulators where required by applicable law.

International Transfers

Our primary hosting is on Amazon Web Services in Frankfurt, Germany (EU/EEA), which is subject to European data protection law. Email (Mailjet) and maps (HERE) are EU-based. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses. We do not transfer personal data to countries without adequate data protection without appropriate safeguards.

Cookies

We use two categories: (1) Essential — required for the website and platform to function (session management, authentication, security); these cannot be disabled. (2) Analytics — used to understand how visitors use our site and navigation pages; only activated with your consent. You can withdraw analytics consent at any time by choosing 'Essential Only' in our cookie banner, or by managing cookies in your browser settings.

Your Rights

Under applicable data protection law you have the right to: (a) Access — request a copy of the data we hold about you; (b) Rectification — correct inaccurate or incomplete data; (c) Erasure — request deletion where there is no compelling reason for continued processing; (d) Restriction — limit how we use your data in certain circumstances; (e) Portability — receive your data in a structured, machine-readable format; (f) Objection — object to processing based on legitimate interests. Contact office@sps-app.com. We respond within 30 days. Account holders can also use the self-service export and deletion tools in platform settings.

Withdrawing Consent

Where we rely on consent (analytics cookies, ERTM arrival data), you may withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal. To withdraw analytics consent, choose 'Essential Only' in our cookie banner. To withdraw ERTM consent, contact the business whose navigation page you used.

Supervisory Authority

If you believe we have not handled your data lawfully, you may lodge a complaint with a supervisory authority. In Israel: Privacy Protection Authority (PPA) at www.gov.il/en/departments/the_privacy_protection_authority. EU/EEA residents may also contact their local supervisory authority.

Automated Decision-Making

SPS does not engage in solely automated decision-making, including profiling, that produces legal effects or similarly significant effects on individuals (GDPR Article 22).

Security

We implement appropriate technical and organisational security measures including: AES-256 encryption for sensitive data fields at rest; TLS 1.3 for data in transit; role-based access controls; audit logging of data access and modifications; regular security reviews. No internet transmission is completely secure and we cannot guarantee absolute security.

Contact Us

For privacy-related requests, questions, or complaints: office@sps-app.com. We acknowledge within 3 business days and respond fully within 30 days. SPS App Ltd, 7 HaPelech St., Tel Aviv, Israel.