spambounty
Version 0.2.0 · Effective 2026-04-21

Privacy Policy

Plain language policy. This is how we handle your personal data for the SpamBounty waitlist and, from Q3 2026, for the beta platform.

1. Who we are

Block Ventures Sp. z o.o., Rudolfa Zaręby 50 / 70, 43-100 Tychy, Poland. KRS 0000810986, NIP 6462979837, REGON 384730063. Contact: info@spambounty.com. Data protection contact: dpo@spambounty.com. Supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa.

2. What we collect when you join the waitlist

When you sign up we record:

  • Your email address, normalised to lowercase.
  • Your preferred locale, and an optional jurisdiction.
  • The version of the Terms of Service in effect when you accepted, plus the attestations you ticked and a timestamp.
  • A salted hash of your IP address, built with SHA-256 and a salt that rotates daily. We never keep the plaintext IP.
  • A truncated User-Agent string, capped at 120 characters.

We do not set tracking cookies. No analytics beacons. No cross-site advertising identifiers. The only session state used is the Turnstile challenge token your browser needs to prove you are not a bot.

3. What we will collect when the beta opens

When the beta platform opens and you choose to use it, we will additionally process, for each case you open yourself:

  • The email you forwarded or flagged, for the sole purpose of identifying the sender and drafting your Article 15 request.
  • The drafts and outgoing copies of your letters to the sender.
  • The sender's responses, if any.
  • The status of your case, including any settlement amount held in escrow.

We will never send anything from your account or to a sender without your explicit, case-by-case approval.

4. What we use your data for

  • Running the waitlist: sending confirmation emails, rate-limiting abuse, and inviting confirmed registrants once the beta opens.
  • Running the platform, when you use it: drafting requests, tracking deadlines, generating filings, operating escrow.
  • Meeting the accountability obligations of Article 5(2) GDPR.

We do not sell your data. We do not share it with advertisers. We do not train AI models on it.

5. Lawful basis

  • Article 6(1)(a) GDPR — consent — for waitlist registration and for each case you open. Your consent is recorded at the point of action.
  • Article 6(1)(b) GDPR — performance of a contract — for operating the platform once you start using it.
  • Article 6(1)(c) GDPR — legal obligation — where we are required to retain records for audit or tax purposes.

6. Retention

  • Unconfirmed waitlist entries are purged after 14 days if email verification is not completed.
  • Confirmed waitlist entries are kept until the beta opens, or until you ask us to erase your data, whichever comes first.
  • Salted IP hashes expire after the one-hour rate-limit window. The salt itself rotates every 24 hours.
  • Case-level data, once the beta opens, will be retained for the duration of the case and for a period afterwards sufficient to meet audit and tax obligations. The retention schedule will be set out in detail before the beta opens.

7. Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction, portability, objection, and withdrawal of consent at any time. You can also complain to a supervisory authority.

To exercise any of these rights, email info@spambounty.com. We respond within the statutory one-month window and, in practice, usually faster.

You can also delete your account and all associated data at any time, in one click, from the account page when the beta opens. No friction, no retention traps.

8. Where your data lives

All personal data is stored inside the European Union on Cloudflare infrastructure. There are no transfers to the United States or any other third country without an adequacy decision under Article 45 GDPR.

9. Third parties who process data for us

  • Cloudflare, Inc. — edge hosting, DNS, Turnstile challenge verification, and D1 / KV storage in the EU region. Article 28 GDPR Data Processing Addendum in force.
  • GitHub, Inc. — hosts our source code and the private repository used by our content system. Article 28 GDPR Data Processing Addendum in force.

Additional subprocessors may be added as the platform grows. The current subprocessor list is published and versioned on the DPIA page.

10. Security

We use industry-standard transport encryption (TLS 1.3) and at-rest encryption on all storage. We do not store plaintext IP addresses. We do not store unsalted user identifiers across sessions. Passwords, when we start using them in the beta, will be stored as salted hashes.

11. Changes to this policy

When we make material changes, we bump the version, update the effective date, and notify confirmed users. Material changes will be highlighted in the email we send.

12. Contact