1. Who We Are and What This Covers
SpiceFactory d.o.o. ("SpiceFactory," "we," "us") is a digital product studio that designs and engineers software products for partners in healthcare, automotive, logistics, and other high-stakes industries. Our offices are in Belgrade, Serbia, and Boston, MA.
This Privacy Policy explains how we collect, use, disclose, and protect information when you engage us as a product partner, visit our websites (including trust.spicefactory.co), or interact with us in any capacity.
When we build software for partners, we typically act as a data processor on your behalf (you are the data controller). This policy covers both our processor activities and our own controller activities (our business operations, our websites, our hiring).
2. Information We Collect
2.1 Partnership Information
When you engage SpiceFactory as a product partner, we collect:
- Contact information: names, email addresses, and phone numbers of your team members involved in the engagement
- Business information: company name, industry, product requirements, technical specifications, domain context
- Financial information: billing details and tax identification numbers for invoicing
- Communications: emails, messages, meeting notes, and design documents related to the engagement
2.2 Trust Portal Information
When you access our Trust & Security Portal:
- Admin users (SpiceFactory team): Google account email and display name for authentication
- Partner portal visitors: no personal information is collected — access is via password-protected secret links with no account creation
- Public visitors: no personal information is collected on the public trust page
2.3 Engagement Data
During product partnerships, we may have access to data within your systems. This data is governed by the engagement agreement and, where applicable, a Data Processing Agreement (DPA) or Business Associate Agreement (BAA). We do not use engagement data for any purpose other than delivering the product we are co-creating with you.
2.4 Automatically Collected Information
Our websites may collect standard server logs (IP addresses, browser type, access timestamps). We do not use third-party analytics, tracking pixels, or advertising cookies on trust.spicefactory.co.
3. How We Use Information
| Purpose | Information Used | Legal Basis |
|---|---|---|
| Deliver product partnership services | Contact info, engagement data, communications | Contract performance |
| Invoicing and payments | Billing details, tax IDs | Contract performance, legal obligation |
| Trust Portal access management | Email (admin), password hashes (partner links) | Legitimate interest |
| Security monitoring and incident response | Access logs, server logs | Legitimate interest |
| Legal and regulatory compliance | As required by applicable law | Legal obligation |
| Communication about our partnership | Contact information | Legitimate interest |
We do not sell personal information. We do not use personal information for automated decision-making or profiling. We do not use engagement data to train AI models or for any purpose outside the scope of our partnership.
4. How We Share Information
We share information only in these circumstances:
- With your direction: when you instruct us to share information with third parties as part of the engagement
- Service providers: with trusted providers who support our operations (cloud hosting, invoicing), bound by confidentiality and data processing agreements
- Legal requirements: when required by law, regulation, legal process, or governmental request
- Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to affected parties
- Protection of rights: to enforce our agreements or protect safety
We never share one partner's data with another partner. Engagement data stays within the boundaries of that partnership.
5. Data Security
We maintain administrative, technical, and physical safeguards aligned with SOC 2, ISO 27001, HIPAA, and FDA 21 CFR Part 11 requirements:
- Encryption: TLS 1.2+ in transit, AES-256 at rest, full-disk encryption on all devices
- Access controls: least-privilege access, MFA enforced everywhere, engagement-scoped permissions, quarterly reviews
- Personnel security: background checks, security awareness training, confidentiality agreements for all team members
- Secure development: peer code review, automated SAST/DAST, dependency scanning, OWASP compliance
- Incident response: documented procedures with defined severity levels and partner notification timelines
- Vendor management: security assessments and contractual obligations for all third-party providers
For details, visit our Trust & Security page.
6. Data Retention
We retain information only as long as necessary:
- Engagement data: deleted or returned within 30 days of partnership completion, unless retention is required by law or agreed in writing
- Business records: retained as required by applicable tax and business laws (typically 5-7 years for financial records)
- Trust Portal data: admin auth data retained while the account is active; partner link data retained while the link is active
- Server logs: retained for up to 90 days for security monitoring
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your personal information, subject to legal retention requirements
- Port your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Restrict processing of your information
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact privacy@spicefactory.co. We respond within 30 days (or sooner where required by law).
If you are an end user of a product we built for a partner, please direct privacy requests to that partner (the data controller). We will assist them in fulfilling your request as required by our agreement.
8. International Data Transfers
SpiceFactory operates from Serbia and the United States. When we process data from the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable (Serbia has been recognized by the European Commission as providing adequate data protection)
- Contractual safeguards in our engagement agreements
9. Healthcare Data (HIPAA)
For product partnerships involving Protected Health Information (PHI):
- We execute a Business Associate Agreement (BAA) before any PHI access
- PHI is handled in accordance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
- We use synthetic or de-identified data for development and testing wherever possible
- Our HIPAA Security Program documents all administrative, physical, and technical safeguards
- Breach notification follows 45 CFR Part 164, Subpart D timelines
10. Cookies and Tracking
trust.spicefactory.co uses minimal cookies:
- Authentication cookies: session cookies for admin portal login, set by Firebase Authentication. Essential — cannot be disabled.
- Session storage: the partner portal uses browser sessionStorage (not cookies) to maintain access within a single tab. Automatically cleared when the tab closes.
We do not use analytics cookies, advertising cookies, or third-party tracking on this site.
11. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 16, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes are communicated by updating the "Last Updated" date at the top and, for active partners, by direct notification. We encourage periodic review.
13. Contact Us
For privacy questions, requests, or concerns:
SpiceFactory d.o.o.
Privacy: privacy@spicefactory.co
Security: security@spicefactory.co
General: hello@spicefactory.co
Web: trust.spicefactory.co