{# Pre-built Tailwind bundle + project custom styles. Replaces the old cdn.tailwindcss.com script so we can drop 'unsafe-inline' from the CSP. Rebuild with `.venv/bin/tailwindcss -i tailwind_src/input.css -o static/css/app.css --minify`. #}
C

Privacy notice

How we handle your data

Effective: 2 June 2026

1. Who we are

This is a free, open-source compliance self-check operated as a community resource. Source: github.com/madjanorjedidiah/privacy-compliance.

2. What personal data we collect

We collect

Email address

Used solely to deliver your private report link. Never marketed, never sold, never shared.

We collect

Company / organisation name

Strictly speaking not personal data, but listed for transparency.

We do not ask for your name, phone, address, IP-based location, payment details, or any other identifier. The portal uses only strictly-necessary CSRF and session cookies. Optional cookieless analytics (Plausible or Umami) may be enabled by the operator — these never set cookies, never receive your IP in identifiable form, and are listed in the deployed instance's footer.

The toolkit pages (policy templates, DPIA wizard, comparison view, cookie-banner generator) are entirely stateless: anything you type into them is processed in your browser and never reaches our servers.

If a separate "law update" subscription is offered, that is a separate consent flow with its own clear notice — opting into it stores your email so we can email you when laws change. You can unsubscribe with one click from any email.

3. Lawful basis

Performance of pre-contractual measures at your request (GDPR Art. 6(1)(b) / Ghana DPA s.20 / Kenya DPA s.30 / NDPA s.25) — you ask us to compute and deliver your report, and we do.

4. Retention & deletion

The entire assessment record — email, company name, and every answer — is permanently deleted 90 days after creation. The unique link in your email stops working at the same point. We do not retain anonymised metrics, analytics, or any other derived record after deletion.

5. Security

HTTPS only · HSTS · CSP · same-origin referrer · no third-party trackers. The assessment URL contains a long random token; only someone holding the link can view the result.

6. Your rights

Under GDPR Arts. 15-22, Ghana DPA s.32-37, Kenya DPA s.26, NDPA s.34-39 and the CCPA, you have the right to access, rectify, erase, restrict, port, and object. Email support@spatialsusty.com with the link from your report email and we will respond within 30 days.

7. Sub-processors

The hosting provider for the live portal and the email-delivery provider. The current list is published on request.

8. Complaints

You may complain to the Ghana Data Protection Commission, your EU lead supervisory authority, the Kenya ODPC, the Nigeria Data Protection Commission, or the California Privacy Protection Agency.

9. Changes

Material changes are recorded with a new effective date.

Questions about this notice?

support@spatialsusty.com