Privacy Policy

Last updated: January 07, 2026

Compliant with GDPR (EU Regulation 2016/679)

SpamKiller respects your privacy and is committed to protecting your personal data in compliance with GDPR and applicable privacy laws.

1. Data Controller

Company: Cavallini.NET

VAT Number: IT02438610392

Address: Via Madonna, 10 - 48123 Ravenna (RA) - Italy

Email: privacy@spamkiller.io

The Data Controller has not appointed a Data Protection Officer (DPO) as the mandatory requirements under Art. 37 GDPR do not apply.

2. Legal Basis for Processing

Your personal data is processed based on the following legal grounds (Art. 6 GDPR):

  • Contract performance (Art. 6.1.b): to provide the spam detection API service
  • Legal obligation (Art. 6.1.c): to comply with tax and accounting requirements (invoicing, document retention)
  • Consent (Art. 6.1.a): for sending promotional communications (if requested)
  • Legitimate interest (Art. 6.1.f): to improve the service through aggregate data analysis

3. Personal Data Collected

3.1 Data provided directly by the user

  • Registration data: name, email, password (hashed with bcrypt)
  • Billing data: company name, address, VAT number or Tax ID
  • Project data: project name, domain, API keys

3.2 Data collected automatically

  • Technical data: IP address, user agent, access timestamps
  • API usage data: number of validations, endpoints called, response time
  • Technical cookies: Laravel session (XSRF-TOKEN, laravel_session)

3.3 Data submitted via API for spam analysis

  • Emails, messages, and form fields submitted for spam validation
  • Purpose: spam detection using artificial intelligence
  • Retention: 90 days (then automatically deleted)

4. Purposes of Processing

Your data is processed for the following purposes:

Purpose | Legal Basis
Providing API spam detection service | Contract performance
Payment and invoicing management | Legal obligation
Technical assistance and support | Contract performance
Improving AI algorithms | Legitimate interest
Sending newsletter (optional) | Consent

5. Data Retention Period

  • User account: until account deletion or 2 years of inactivity
  • Billing data: 10 years (legal fiscal requirement)
  • Spam validations: 90 days (then automatically deleted)
  • Access logs: 12 months (security and debugging)
  • Payment data: not stored (managed by PCI-DSS compliant Stripe)

6. Data Recipients (Data Processors)

Your data may be shared with the following data processors (Art. 28 GDPR):

6.1 Cloud service providers

  • Google Cloud Platform (Vertex AI - Gemini) - AI spam analysis
    Transfer outside EU (USA) - Standard Contractual Clauses approved by EU Commission
  • Hetzner Online GmbH - Server hosting (Germany)
    EU Server - No transfer outside EU

6.2 Payment processors

  • Stripe Inc. - Card payment processing
    Transfer outside EU (USA) - PCI-DSS Certification + Standard Contractual Clauses

All data processors are bound by written agreements ensuring GDPR compliance.

7. Data Transfers Outside the EU

Some data is transferred to non-EU countries for the following services:

  • Google Cloud Platform (USA): We use Vertex AI for spam analysis. Google applies Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914).
  • Stripe (USA): PCI-DSS certified payment processor applying SCC and appropriate security measures.

All transfers outside the EU comply with Art. 44-50 GDPR.

8. Your Rights (Art. 15-22 GDPR)

As a data subject, you have the following rights:

How to exercise your rights:

Send a request to: privacy@spamkiller.io

We will respond within 30 days of your request (Art. 12 GDPR)

8.1 Right of Access (Art. 15)

You have the right to obtain confirmation of whether your personal data is being processed and, if so, to receive a copy of that data.

8.2 Right to Rectification (Art. 16)

You may request correction of inaccurate personal data or completion of incomplete data.

8.3 Right to Erasure (Art. 17 - "Right to be Forgotten")

You may request deletion of your data, subject to legal obligations (e.g., invoice retention for 10 years).

8.4 Right to Restriction (Art. 18)

You may request restriction of processing when contesting data accuracy or opposing erasure.

8.5 Right to Data Portability (Art. 20)

You may receive your data in a structured, commonly used, machine-readable format (JSON, CSV, XML).

8.6 Right to Object (Art. 21)

You may object to processing based on legitimate interest (e.g., direct marketing).

8.7 Right to Withdraw Consent (Art. 7.3)

When processing is based on consent, you may withdraw it at any time.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local Data Protection Authority. For EU residents:

Find your local DPA: https://edpb.europa.eu/

9. Data Security

We implement appropriate technical and organizational measures to protect your data (Art. 32 GDPR):

  • TLS 1.3 encryption for all HTTPS communications
  • Bcrypt hashing for passwords (irreversible)
  • API Key encryption for sensitive API keys
  • Firewall and WAF for attack protection
  • Daily backups with encryption at rest
  • Limited access to data for authorized personnel only
  • Log monitoring to detect unauthorized access

10. Data Breach Notification

In case of a personal data breach posing a risk to your rights and freedoms:

  • We will notify the Data Protection Authority within 72 hours (Art. 33 GDPR)
  • We will inform you without undue delay if the risk is high (Art. 34 GDPR)
  • We will provide instructions on how to protect your data

11. Cookies and Tracking Technologies

This website uses cookies. For more information, please see our Cookie Policy.

12. Changes to this Policy

This policy may be updated periodically. Substantial changes will be communicated via email. We encourage you to check this page regularly.

Current version: 1.0 - Updated on 01/07/2026

13. Privacy Contact

For privacy-related inquiries:

Email: privacy@spamkiller.io

Support: support@spamkiller.io

We will respond within 30 business days as required by Art. 12 GDPR

Legal Notice

This privacy policy is compliant with GDPR (EU Regulation 2016/679). For any questions, please consult a privacy law specialist.
