GDPR Compliance

Last updated: 26/02/2026

Our GDPR Commitment

Spectalya is committed to complying with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and to ensuring the protection of your personal data.

This page details our commitments and the measures implemented to ensure your compliance when using our service to process your clients' data.

Your Rights Under the GDPR

Right of Access (Article 15)

You can request a copy of all personal data we hold about you.

Right to Rectification (Article 16)

You can correct inaccurate or incomplete data directly in your account or by contacting us.

Right to Erasure (Article 17)

You can request the deletion of your personal data, subject to our legal retention obligations.

Right to Portability (Article 20)

You can receive your data in a structured, machine-readable format.

Right to Object (Article 21)

You can object to the processing of your data for certain purposes.

Right to Restriction (Article 18)

You can request the restriction of processing of your data in certain circumstances.

Technical and Organisational Measures

In accordance with Article 32 of the GDPR, we have implemented the following measures:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Pseudonymisation: Sensitive data is pseudonymised where possible
  • Access control: Data access limited to authorised personnel only
  • Logging: Complete traceability of data access
  • Backups: Regular and tested backups
  • Security testing: Regular security audits

Sub-processors and Data Transfers

We use the following sub-processors, all GDPR compliant:

  • Stripe (United States) — Payments — SCCs certified
  • OpenAI (United States) — Audio transcription — SCCs in place
  • Cloud hosting (EU) — Data storage — Servers in the European Union

Spectalya as a Data Processor

When you use Spectalya to create files containing your clients' personal data (photos, information), you are the data controller and Spectalya acts as the data processor.

As such, we commit to:

  • Process data only on your documented instructions
  • Ensure data confidentiality
  • Implement appropriate security measures
  • Assist you in meeting your GDPR obligations
  • Delete or return data at the end of the contract
  • Inform you of any data breach

Data Breach Notification

In accordance with Article 33 of the GDPR, in the event of a personal data breach, we commit to:

  • Notify you within 72 hours of discovering the breach
  • Provide you with all information necessary for your own notification to authorities
  • Document all breaches and corrective measures taken

Data Protection Officer

For any questions regarding data protection or to exercise your rights, you may contact our Data Protection Officer:

Email: [email protected]

Supervisory Authority

You have the right to lodge a complaint with your country's data protection authority:

  • Belgium: Data Protection Authority (APD) — www.autoriteprotectiondonnees.be
  • France: Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr
  • Netherlands: Autoriteit Persoonsgegevens — www.autoriteitpersoonsgegevens.nl

Exercise Your Rights

For any request concerning your personal data, contact us. We respond within a maximum of 30 days.
