spambounty
Version 0.2.0 · Effective 2026-04-21

DPIA and compliance


Transparency page. This page summarises how SpamBounty handles personal data, which lawful bases apply, and what the safeguards are. It is written in plain language and is maintained in parallel with the formal Data Protection Impact Assessment.

1. Summary

Block Ventures Sp. z o.o. has conducted a Data Protection Impact Assessment (DPIA) for the SpamBounty waitlist and, in draft form, for the beta platform opening in Q3 2026. The processing is classified as low-to-moderate risk. No automated decision-making within the meaning of Article 22 GDPR is performed. No special categories of data are processed. All data is stored inside the European Union.

The formal DPIA document is available for download.

2. Lawful basis register

Processing activity                 | Lawful basis                                  | Retention
------------------------------------|-----------------------------------------------|------------------------------------------------
Waitlist registration               | Art 6(1)(a) GDPR, consent                     | Until closure or user-initiated erasure
Email verification token            | Art 6(1)(b) GDPR, pre-contractual             | 14 days if unconfirmed, then purged
Rate-limit hashes                   | Art 6(1)(f) GDPR, legitimate interest         | 1 hour active, 24-hour salt rollover
Accountability records              | Art 6(1)(c) GDPR, legal obligation            | Statutory minimum
Case records (beta, from Q3 2026)   | Art 6(1)(b) GDPR, performance of contract     | Duration of case plus audit period
Escrow fund movements (beta)        | Art 6(1)(c) GDPR, legal obligation            | Statutory minimum under Polish accounting law

3. Joint controllership

No joint controllership applies. Block Ventures Sp. z o.o. is the sole controller for all waitlist data and, once the beta opens, for all platform data collected for each user's own case.

4. Processors

Block Ventures engages the following processors, each under a signed Article 28 Data Processing Agreement:

  • Cloudflare, Inc. — edge hosting, DNS, Turnstile challenge verification, D1 storage, and KV in the EU region. Standard Contractual Clauses and a signed DPA on file.
  • GitHub, Inc. — source hosting and the private repository used by the content system. Metadata residency in the EU where offered. Signed DPA on file.

Additional processors may be engaged when the beta opens. The current list is versioned with this document. Any material change triggers a notification to confirmed users.

5. Data Protection Contact

Block Ventures has not formally appointed a Data Protection Officer because neither the waitlist nor the beta meets the mandatory-DPO threshold under Article 37 GDPR (no large-scale systematic monitoring, no large-scale special-category processing). A dedicated contact is maintained for all data protection enquiries:

  • Email: dpo@spambounty.com
  • Response window: one month under Article 12(3) GDPR, faster in practice.

6. Retention and deletion

  • Unconfirmed waitlist entries are purged after 14 days if email verification is not completed.
  • Confirmed waitlist entries are kept until the beta opens, or until you ask us to erase your data, whichever comes first.
  • Salted IP hashes expire after the one-hour rate-limit window. The salt rotates every 24 hours.
  • Audit logs are retained for the statutory minimum under Polish accounting law where applicable.
  • Erasure requests are fulfilled within 5 business days, subject to statutory retention obligations.

7. Automated decision-making

The platform performs no automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR.

  • Waitlist registration is a pure intake form. There is no scoring, no profiling, and no automated admission decision.
  • Rate-limiting uses ephemeral salted hashes. It does not profile individuals.
  • In the beta, all outgoing actions require explicit user approval case by case. The platform does not send any letter, accept any settlement, or file any court document on its own.

8. Security

  • Encryption in transit. TLS 1.3 is enforced across all surfaces via Cloudflare.
  • Encryption at rest. D1 and KV at-rest encryption is provided by Cloudflare.
  • Access control. IAM-scoped repository and production credentials. No shared secrets in the codebase.
  • Secret rotation. Daily salt rotation for IP hashes. Quarterly rotation for administrative tokens.
  • Incident response. 72-hour supervisory-authority notification under Article 33 GDPR, with affected-data-subject notification under Article 34 where the risk threshold is met.

9. International transfers

All personal data is stored inside the European Union. No transfers are made to the United States or any other third country without an adequacy decision under Article 45 GDPR.

10. Supervisory authority

Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Polska
kancelaria@uodo.gov.pl

Subprocessor Register

Current subprocessors

Cloudflare, Inc.

Edge hosting, DNS, Turnstile challenge, D1 database, KV store

Jurisdiction: EU region (data residency locked) · DPA signed 2026-04-01

Primary infrastructure processor. Provides TLS termination, request routing, bot challenge (Turnstile), SQLite-at-the-edge (D1) for waitlist persistence, and KV for ephemeral rate-limit hashes. All storage configured to EU region. Standard Contractual Clauses and signed Art 28 DPA on file.

GitHub, Inc.

Source hosting, DecapCMS commit sink (private repository)

Jurisdiction: Metadata EU-resident; source hosted on GitHub's EU infrastructure where available · DPA signed 2026-04-01

Source-of-truth for code and Markdown content collections. DecapCMS admin commits directly to a private repository via git-gateway. No production user data flows through GitHub. Only editorial content authored by Block Ventures staff does. A signed Art 28 DPA is on file.