Privacy Policy.
Last updated: July 2026
What we collect
Spot Cloud B.V. ("Spot Cloud", "we") processes personal data when you use VendorGuard. This
includes account data (name, work email, tenant, role) created when your organisation is
provisioned, and the vendor risk data you enter — vendor records, assessment answers,
incidents, contracts, tasks, and any documents you upload. We also process technical data
needed to operate the Service: IP address, request logs, and the session identifier stored
in the vg_session cookie.
How we use it
We use this data to provide the Service, authenticate sessions, enforce tenant isolation, respond to support requests, and secure the platform. We do not sell personal data, and we do not run analytics, advertising, or tracking scripts on VendorGuard. Vendor risk data you enter is processed on behalf of your organisation and is not used for any purpose beyond operating the Service for you.
Legal basis
Under the GDPR, we rely on: (a) contract — processing necessary to deliver VendorGuard to the organisation you represent; (b) legitimate interests — security monitoring and abuse prevention, balanced against your rights; and (c) legal obligation — tax, accounting, and regulatory record-keeping where applicable. Your organisation acts as controller for the vendor risk data it stores in VendorGuard; Spot Cloud acts as processor for that data.
Where data is stored
VendorGuard runs on Cloudflare — Cloudflare D1 for structured records and Cloudflare R2 for uploaded documents — under Spot Suite's platform policy of running infrastructure in EU jurisdiction. We do not move Customer Data outside that jurisdiction without a documented legal requirement.
Cookies
VendorGuard sets one cookie, vg_session, strictly necessary to keep you signed in.
It is not used for tracking or advertising, and no consent banner is shown because it is
exempt as strictly necessary under the ePrivacy rules.
Retention
Sessions expire automatically after a fixed lifetime. Vendor risk data, account data, and documents are retained for the duration of your organisation's subscription and deleted or returned according to the terms agreed with your organisation upon termination, subject to any legal hold communicated in writing.
Your rights
If you are in the European Economic Area, United Kingdom, or another jurisdiction with comparable rights, you may request access, correction, deletion, restriction, or portability of your personal data, and object to certain processing. To exercise these rights, contact privacy@spot-cloud.com. You may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
Contact
Spot Cloud B.V. is the data controller for personal data described in this policy. Privacy enquiries: privacy@spot-cloud.com, or see the contact page.