Data Processing
When you use Spamroot, we process personal data to provide the service. This document describes that processing in a structured, DPA-style way: who acts in which role, which providers we rely on, what data is involved, and how it is protected. It supplements our Privacy Policy and Security overview.
Last updated
In plain language
This overview explains how Spamroot processes personal data on your behalf: the roles involved, the providers (sub-processors) we use and why, the categories of data we handle, how we treat international transfers, and the security measures we apply. It is written in plain language and is meant to accompany our Privacy Policy.
Roles and responsibilities
For the personal data you provide so we can perform removals on your behalf, you determine the purpose - reducing your exposure - and we process that data to carry it out on your instructions.
For the data needed to operate your account and run our business, such as billing and security, Spamroot determines the purposes and means of processing. We act responsibly in both roles and apply this overview consistently.
Sub-processors
We rely on a small set of trusted providers (sub-processors) to deliver the service. Each is engaged for a specific purpose and is bound by contractual obligations to protect the data they handle.
- Clerk - authentication and account management. Processes account identifiers and sign-in data to keep your account secure.
- Convex - application database and backend platform. Stores and serves the application data needed to run the service.
- UniPile - planned inbox connectivity. When inbox connections launch, this provider will facilitate permissioned access to connected mailboxes.
- Payment and infrastructure providers - process billing details and host the service, as needed to operate it.
| Provider | Purpose | Data handled | Status |
|---|---|---|---|
| Clerk | Authentication & account management | Account identifiers, sign-in and session data | active |
| Convex | Application database & backend platform | Account, removal, and service data needed to run the product | active |
| UniPile | Inbox connectivity | Permissioned access to connected mailboxes (when launched) | planned |
| Payment & infrastructure providers | Billing and hosting | Billing details; hosting of the service | active |
Categories of personal data
We process only the categories of data needed to deliver and operate the service.
- Account data: name, work email, organization, and authentication identifiers.
- Removal data: the contact details you ask us to find and remove, such as work email and phone number.
- Service data: exposure findings, removal request status, and monitoring results tied to your account.
- Operational data: billing information, support communications, and usage and security logs.
Purposes of processing
We process the data above for clearly defined purposes, and not for unrelated ones.
- Identifying where your contact details are exposed across third-party databases.
- Submitting and tracking removal requests, and monitoring for reappearance.
- Operating your account, processing payments, and providing support.
- Securing the service and meeting legal obligations.
International transfers
Our providers may process data in countries other than your own. Where personal data is transferred across borders, we rely on appropriate safeguards offered by our providers, such as standard contractual clauses and equivalent mechanisms, so that the data remains protected to a comparable standard.
Security measures
We apply technical and organizational measures appropriate to the data we handle. These are described in more detail in our Security overview.
- Encryption of data in transit using industry-standard transport encryption.
- Access controls based on the principle of least privilege, with logging of access to sensitive systems.
- Careful selection and review of the providers we rely on.
- Retention of data only for as long as needed to provide the service and meet legal obligations.
Changes to sub-processors
As the service evolves, we may add or replace sub-processors. When we make a material change to the providers that handle personal data, we will update this overview and, where appropriate, notify affected customers so they are aware of who processes their data.
How to reach us
If you have questions about how we process data, or you wish to exercise your rights, contact us at privacy@spamroot.com.
Still have questions?
We'd rather explain it than make you guess. Reach out and a real person will get back to you.