for Customers, Prospects, Business Contacts, and Website Visitors
of the SPD Technology
Version: 1.0 | Effective Date: 1 June 2026
This Privacy Notice explains how the SPD Technology processes personal data of business contacts — representatives, signatories, project managers, billing contacts, and other individuals — at SPD’s Customers, prospective customers, business partners, and suppliers, as well as visitors to our public website.
This Notice is provided in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (“EU GDPR”), the UK GDPR, the Law of Ukraine No. 2297-VI “On Personal Data Protection”, and equivalent national implementing laws.
1. About this Notice
This B2B Privacy Notice (the “Notice”) describes how the SPD Technology (“SPD”, “we”, “us”, “our”, “Company”) collects, uses, shares, and protects personal data of:
- Representatives, signatories, project managers, billing contacts, and other individuals of the Customers under Master Services Agreements (“MSAs”) or other commercial arrangements;
- Prospective customers and the individuals representing them during pre-contract discussions, due diligence, and negotiations;
- Business contacts at SPD’s suppliers, business partners, and channel partners;
- Visitors to our public website at https://spd.tech (in conjunction with our Cookie Notice).
Relationship with the MSA:
Where you and your employer have entered into an MSA with an SPD Company (the “Contractor” under the MSA), this Notice operates in conjunction with the MSA and, in particular, Sections 15 (Personal Data Protection) and 16 (AI Compliance) thereof. The MSA governs the commercial and contractual obligations between SPD and your employer; this Notice describes how SPD processes the personal data of you, as an individual representative, in connection with the MSA. In case of any inconsistency between this Notice and the MSA on data protection matters relating to your personal data as an individual representative, this Notice prevails.
2. Definitions
Capitalised terms used in this Notice have the meanings set out below or, where not defined here, the meanings given to them in the MSA, the EU GDPR, the UK GDPR, or the Law of Ukraine on Personal Data Protection. The following definitions are aligned with the MSA (see “Definitions” section of the MSA):
Personal Data — any information relating to an identified or identifiable natural person.
Processing — any operation or set of operations performed on Personal Data, whether or not by automated means.
Controller / Processor — as defined in the EU GDPR / UK GDPR / Law of Ukraine.
Customer — the legal entity that has entered into, or is negotiating, an MSA or other commercial arrangement with an SPD Company, as such term is used in the MSA.
Customer Representative — any individual acting on behalf of the Customer in connection with the MSA, including (without limitation) signatories, project managers, technical leads, procurement officers, finance / billing contacts, security and privacy contacts, and other authorised representatives. Customer Representatives are natural persons and the data subjects to whom this Notice applies.
SPD Technology — SPD Companies listed in Section 3.
MSA — a Master Services Agreement entered into between a Customer and an SPD Company acting as Contractor; the MSA describes the legal and commercial framework for the provision of software development and related Services.
SOW — a Statement of Work issued under an MSA, as defined in the MSA.
AI System — has the meaning given to it in the MSA (Section “Definitions”). For information about AI-related processing, see Section 12 of this Notice.
AI Laws — has the meaning given to it in Section 16 of the MSA (i.e., laws and regulations governing artificial intelligence, including Regulation (EU) 2024/1689 — the EU AI Act).
Sanctions — any official government or international sanctions list, including but not limited to the EU Consolidated Sanctions List (EEAS), UK Sanctions List, OFAC Specially Designated Nationals List, or UN Security Council Consolidated List.
3. Who is the controller of your Personal Data
The SPD Company that has signed (or is negotiating) the MSA with your employer is the Controller of your personal data. Depending on the engagement, this is one of:
| SPD Entity | Registered Address | Applicable Law |
|---|---|---|
| SPD TECHNOLOGY RO S.R.L. (Romania, VAT RO51276524) | Bucharest, District 4, 41 George Bacovia Street, Romania | EU GDPR; Romanian Law 190/2018 |
| SOFTWARE PRODUCT DEVELOPMENT GLOBAL LTD (UK, Co. No. 11015150) | 20 Birchin Court, Birchin Lane, London, EC3V 9DJ, UK | UK GDPR; Data Protection Act 2018 |
| LLC “SOFTWARE PRODUCT DEVELOPMENT” (Ukraine, Reg. 39000453) | 18002, Cherkasy region, Cherkasy, Shevchenko bldg. 266, office 213, Ukraine | Law of Ukraine 2297-VI |
| LLC “SPD-GROUP UKRAINE” (Ukraine, Reg. 38843066) | 18005, Cherkasy region, Cherkasy city, Kryvalivska str. 7, Ukraine | Law of Ukraine 2297-VI |
| LLC “VALLEY-SOFTWARE” (Ukraine, Reg. 38668362) | 18005, Cherkaska oblast, Cherkasy, Kryvalivska str. 7, office 6, Ukraine | Law of Ukraine 2297-VI |
For the avoidance of doubt — and consistent with the Definitions section of the MSA — the SPD Company that acts as “Contractor” under the relevant MSA is the primary Controller of your personal data. Other SPD entities may receive your personal data as recipients for the limited intra-group purposes set out in Section 8 below, governed by the Master Intra-Group Data Transfer & Processing Agreement (Version 2.0).
SPD privacy contact: [email protected]
Data Protection Coordinator: Head of Legal of SPD Technology, reachable via the above email.
4. Whose Personal Data this Notice covers
This Notice covers SPD’s processing of personal data about the following categories of natural persons (data subjects):
- Customer Representatives (as defined in Section 2) — individuals representing the Customer in connection with an MSA, including signatories, project managers, technical leads, procurement and finance contacts, privacy/security contacts, and other authorised representatives;
- Prospects — individuals at prospective customers during pre-contract discussions, due diligence, and contract negotiations;
- Business partner contacts — individuals at SPD’s suppliers, vendors, channel partners, and other business counterparties (where this Notice has been provided to them or made available);
- Marketing recipients — individuals who have given consent (or are otherwise lawfully reachable) to receive SPD’s marketing communications, case studies, newsletters, and event invitations;
- Website visitors — individuals visiting our public website https://spd.tech (in conjunction with the Cookie Notice).
This Notice does NOT cover personal data of the Customer’s end-users, end-customers, employees, or other individuals processed by SPD on behalf of the Customer under an MSA or SOW. That processing is governed by the underlying MSA, any separate Data Processing Agreement, and the Customer’s own privacy notices to its end-users. Section 15 of the MSA addresses certain aspects of that data flow.
5. Categories of Personal Data we collect
We collect and process the following categories of personal data about Customer Representatives and other B2B data subjects:
(a) Identification and contact information:
- full name, salutation;
- job title and role;
- employer (i.e., the Customer or prospective customer);
- business email and phone number;
- business postal address (city/country at minimum);
- professional social media handles (e.g., LinkedIn, where publicly available);
- language preferences.
(b) Identification of signatories and authorised representatives:
- for individuals signing an MSA, SOW, NDA, or other contractual document — full name, capacity (e.g., “Director”, “CEO”, “Procurement Manager”), signature, date and place of signing, and where required for authentication, a copy of authorisation documents (e.g., power of attorney) or extracts from corporate registers;
- for natural-person Customers (rare in B2B but possible) — additional identification details, including tax / VAT identifiers, bank account details, residency/citizenship as required for tax compliance and AML.
(c) Engagement and relationship data:
- history of interactions (meetings, calls, emails, messages on Slack/Google Workspace);
- project assignment, technical scope of work, role in the engagement;
- project documentation, deliverables, code review notes, and other work-product data (where it contains personal data about you);
- performance, satisfaction, and feedback data;
- references to you in case studies, testimonials, or marketing materials (only with separate consent).
(d) Financial and commercial data:
- billing contact details (name, email, role);
- references to you in invoices, purchase orders, payment records (where you are named as the authorising or receiving party);
- credit and AML checks where applicable (for natural-person Customers or signatories under high-value contracts).
(e) Marketing and communications data:
- consent records (opt-in/opt-out status, date, mechanism);
- email engagement metrics (opens, clicks — where lawfully collected via marketing automation);
- event registration and attendance records;
- subscription preferences.
(f) Technical and IT-security data (when you interact with SPD systems):
- IP address, device identifiers, user-agent string when accessing SPD applications or platforms;
- authentication credentials and access logs;
- security telemetry and audit trails.
(g) Website-visitor data (in conjunction with the Cookie Notice):
- Browser type, IP address, referring URL, pages visited, time on site;
- Cookie-managed data (analytics, marketing, preferences) subject to your cookie consent.
Special categories of personal data: We do NOT routinely process special categories of personal data (Article 9 EU/UK GDPR — racial/ethnic origin, political opinions, religion, trade union membership, genetic/biometric data, health, sex life or sexual orientation) or criminal-conviction data (Article 10) about B2B data subjects. Where exceptionally required (for example, accessibility accommodations at events), we will rely on a specific lawful basis and inform you in advance.
6. Where we obtain your Personal Data
We obtain your personal data from the following sources:
(a) Directly from you:
- during pre-contract discussions, RFPs, due diligence, and contract negotiations;
- when you sign or are named in an MSA, SOW, NDA, or other contractual document;
- during the performance of the MSA — communications, meetings, project artefacts, and deliverables;
- when you subscribe to our newsletter, register for an event, or fill in a contact form on our website;
- when you reach out to us through our website or by other channels.
(b) From the Customer (your employer):
- contact details and role information provided in the course of contract setup or project staffing;
- designation of you as an authorised contact, signatory, or billing recipient.
(c) From publicly available sources:
- company websites and your public professional profile (e.g., LinkedIn);
- public business registers (Companies House (UK), ONRC (Romania), Ukrainian USR);
- trade publications, conferences, and industry events;
- publicly available sanctions lists (EEAS, UK FCDO, OFAC, UN) as part of sanctions screening.
(d) From third-party providers:
- marketing and lead-enrichment services (where lawfully permitted);
- sanctions, AML, and KYC screening providers (where the Customer or the Customer’s signatories require such checks).
(e) From other SPD entities:
- intra-group sharing for engagement coordination, where you interact with multiple entities.
7. Purposes of processing and legal bases
We process your personal data for the following purposes, on the legal bases set out in the table below. The legal bases used are Article 6 of the EU GDPR / UK GDPR and Article 11 of the Law of Ukraine on Personal Data Protection.
| Purpose | Why we do it | Legal basis |
|---|---|---|
| Pre-contract communications, RFP / RFI participation, due diligence, contract negotiation, NDA management | To explore and prepare a possible commercial relationship between SPD and your employer (the Customer) | Art. 6(1)(b) — pre-contractual measures at the request of (or in the interest of) the Customer that you represent; Art. 6(1)(f) — legitimate interests in pursuing commercial relationships |
| MSA / SOW execution and contract administration: signing, project staffing, communications, status reporting, change management, billing and payment | To perform the MSA / SOW between SPD and the Customer, in which you act as a representative | Art. 6(1)(b) — performance of a contract to which the Customer is a party; Art. 6(1)(c) — compliance with legal obligations such as accounting, tax, contract retention |
| Customer relationship management (CRM) | Internal record of who-knows-whom; account history; renewal management; conflict-of-interest checks | Art. 6(1)(f) — legitimate interest in efficient B2B relationship management |
| Billing, invoicing, payment, tax, and accounting | Statutory obligations under Romanian, UK, and Ukrainian tax / accounting law | Art. 6(1)(c) — compliance with legal obligations; Art. 6(1)(b) — performance of contract |
| Anti-money-laundering / sanctions / KYC checks (where applicable) | Compliance with EU 5th and 6th AML Directives (as transposed nationally), UK Money Laundering Regulations 2017, applicable international sanctions regimes | Art. 6(1)(c) — legal obligations; Art. 6(1)(f) — legitimate interest in fraud and sanctions risk management |
| Marketing and promotional communications (newsletters, case studies, event invitations, white papers) | To keep you informed about our services and industry topics relevant to your role | Art. 6(1)(a) — your consent (where required); or Art. 6(1)(f) — legitimate interest in B2B marketing to existing or recent contacts (subject to opt-out) |
| AI Compliance assistance under Section 16 of the MSA (where the SOW expressly provides that SPD shall assist the Customer with AI-related obligations) | To assist the Customer (as the responsible party under Section 16 of the MSA and the EU AI Act) with technical documentation, traceability, post-market monitoring support, etc. | Art. 6(1)(b) — performance of the SOW under the MSA. See Section 12 of this Notice for further details |
| Establishment, exercise, and defence of legal claims; audit and inspection rights under MSA Section 13 | Internal recordkeeping; preparation for or defence against claims; supporting audit / inspection rights of the Customer under the MSA | Art. 6(1)(f) — legitimate interest in defending SPD’s legal position; Art. 6(1)(c) — legal obligations to retain records |
| Website operation, security monitoring, fraud prevention | To keep our website and IT systems secure, available, and free from misuse | Art. 6(1)(f) — legitimate interest in IT security |
Where the legal basis is consent (Article 6(1)(a) GDPR), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Where the legal basis is legitimate interest (Article 6(1)(f) GDPR), you have the right to object — see Section 13.
8. Recipients of your Personal Data
We share your personal data with the following categories of recipients, only as necessary for the purposes set out in Section 7 and in compliance with applicable law:
(a) Other SPD entities (intra-group):
SPD Companies listed in Section 3 may receive your personal data on a need-to-know basis for the purposes of intra-group coordination, including pre-sales support, project staffing across SPD Companies, finance / billing, IT support, legal, and audit. Intra-group transfers are governed by the Master Intra-Group Data Transfer & Processing Agreement (Version 2.0). For example, a Customer engaging SPD TECHNOLOGY RO S.R.L. (Romania) as Contractor may have its project staffed by personnel of LLC “VALLEY-SOFTWARE” (Ukraine), in which case your project-related contact data may be shared with the Ukrainian entity.
(b) Sub-processors (third-party service providers acting on our behalf as Processors under Article 28 GDPR / UK GDPR):
Sub-processors act as Processors of your personal data, NOT as independent Controllers. They are contractually bound by data protection obligations no less protective than this Notice. Categories include:
- Cloud infrastructure: Amazon Web Services, Google Cloud Platform;
- Productivity and collaboration: Slack, Atlassian (Jira, Confluence);
- CRM, marketing, and event tools;
- E-signature and contract management: DocuSign / Adobe Sign (or equivalents);
- Security and observability: CrowdStrike, Cloudflare;
- Accounting, billing, and tax service providers in Romania, the UK, and Ukraine.
A full Sub-processor Register (Annex 7 to the Master Intra-Group DPA) is available on request from [email protected].
(c) Independent Controllers (recipients acting on their own behalf):
- Tax and government authorities (ANAF in Romania, UK HMRC, Ukrainian State Tax Service) as required by law;
- Banks and payment service providers (for processing payments);
- External auditors, accountants, lawyers, and other professional advisors, each bound by professional confidentiality;
- Insurance providers, where applicable to the engagement.
(d) Recipients of marketing content:
Where you have given your separate consent to feature in a case study, testimonial, or marketing publication, your name, role, and quote (and, with further consent, your professional image) may be published on SPD’s website, social media channels, or marketing collateral. You can withdraw this consent at any time, after which we will remove your content from current SPD publications.
(e) Legal proceedings, supervisory authorities, courts, arbitral tribunals:
Where reasonably necessary for the establishment, exercise, or defence of legal claims, or where required by binding court order. Section 18 of the MSA (Arbitration) provides for ICC arbitration in case of disputes; where you are named as a representative or witness in such proceedings, your personal data may be processed in that context.
(f) Potential corporate successors:
In the event of a merger, acquisition, sale, or restructuring of part of SPD’s business, your personal data may be disclosed to a potential or actual acquirer, subject to confidentiality undertakings.
We do NOT sell, rent, or otherwise commercialise your personal data, and we do NOT share your personal data with third parties for their own marketing purposes.
9. International Transfers
Because the SPD Technology operates across Romania, the United Kingdom, and Ukraine, and engages sub-processors in the EU/EEA, the UK, the United States, and other locations, your personal data may be transferred internationally.
9.1 Where your Personal Data may be transferred
- Within the EU/EEA: Romania, Ireland, Germany, the Netherlands, and other Member States where SPD entities or sub-processors operate.
- EU/EEA ↔ United Kingdom: covered by the European Commission’s adequacy decision for the UK (Commission Implementing Decision (EU) 2021/1772, as renewed in June 2025 and valid until 27 December 2031).
- To Ukraine: where the project is staffed or supported by Ukrainian entities. Ukraine does not benefit from an adequacy decision under the EU GDPR or UK GDPR.
- To the United States: certain cloud and SaaS providers (AWS, Google, Atlassian, GitHub, Slack etc.) — most provide EU/UK data residency, which we use where possible.
- To other third countries: only where strictly necessary for the engagement.
9.2 Safeguards for transfers to non-adequate countries
Where personal data is transferred from the EU/EEA or the UK to a country without an adequacy decision (notably Ukraine and the United States), we apply one or more of the following safeguards:
- EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the appropriate Module is selected for each flow);
- UK International Data Transfer Addendum (Form B1.0, issued by the ICO under s.119A DPA 2018) for UK-originating transfers;
- EU-US Data Privacy Framework (and the UK Extension to the DPF) for transfers to US-based sub-processors that are and remain DPF-certified;
- Supplementary technical measures: end-to-end encryption (TLS 1.2+ in transit; AES-256 at rest), key management performed in EU/UK-based key management systems, multi-factor authentication, role-based access controls, centralised security monitoring;
- Supplementary contractual measures: contractual obligation to challenge unlawful access requests from public authorities; transparency reporting where lawful;
- A documented combined Transfer Impact Assessment (EU TIA) and UK Transfer Risk Assessment (UK TRA), available on request from [email protected].
For outbound transfers from Ukraine, we comply with Article 29 of the Law of Ukraine on Personal Data Protection and ensure appropriate safeguards as required by Ukrainian law.
10. How long we keep your Personal Data
We retain your personal data only for as long as necessary for the purposes set out in Section 7, taking into account legally mandated retention periods. The main retention periods are set out below; these periods reflect MSA Section 12 (Recordkeeping and Ownership) and applicable statutory requirements:
| Category of data | Retention period and basis |
|---|---|
| Pre-contract data (prospects, RFP / RFI contacts, NDA signatories) — where no MSA was concluded | 12 months from the close of pre-contract discussions, unless you give explicit consent for longer retention (talent-pool/CRM-style). |
| MSA, SOW, NDA, and related contractual records (including your name and role as named representative or signatory) | For the duration of the MSA and the longer of: • 6 years after termination (UK Limitation Act 1980); • 10 years after termination (Romanian Civil Code Art. 2517 long-tail for contractual claims); • 3 years statute of limitations under Ukrainian Civil Code. In all cases, no shorter than the longest applicable statute of limitations for any potential legal claim arising from the MSA. See also MSA Section 12 (Recordkeeping). |
| Accounting, financial, and tax records (invoices, payment records) | • Romania: 10 years (Accounting Law 82/1991 Art. 25) • UK: 6 years from end of accounting period; 7 years for VAT (VAT Act 1994) • Ukraine: 1,095 days (Tax Code Art. 102) + statute of limitations |
| Confidentiality (NDA) records | 5 (five) years after the termination of the relevant agreement, consistent with MSA Section 8 (Non-Disclosure and Confidentiality). |
| Marketing and consent records | Until you withdraw consent or unsubscribe (with a reasonable buffer for log retention). Consent records (proof of opt-in) are retained for 3 years to demonstrate accountability. |
| IT access logs, security events, audit trails | Typically 12 months from generation; longer only for security-incident investigation. |
After the applicable retention period, your personal data will be securely deleted or anonymised in accordance with the Data Retention & Deletion Policy.
Note on Section 15.2 of the MSA: Section 15.2 of the MSA obligates the Customer to delete certain personal data of the Contractor’s data subjects within 10 business days of MSA termination or a written request. That obligation is reciprocal in spirit: we equally undertake to delete personal data of Customer Representatives upon similar request, subject to legal retention obligations described above.
11. Security measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 EU/UK GDPR and Article 24 of the Law of Ukraine on Personal Data Protection.
Personal Data Breach handling and MSA Section 15.2: If we become aware of a personal data breach involving Customer Representative data, we will notify the Customer in writing within twenty-four (24) hours, consistent with MSA Section 15.2 (which imposes a reciprocal 24-hour notification standard between the Parties). We will also notify the competent supervisory authority within 72 hours where required by Article 33 EU/UK GDPR.
12. AI compliance, AI systems, and automated processing
This Section describes how we approach AI systems and automated processing in connection with the personal data of Customer Representatives and other B2B data subjects. It is aligned with Section 16 (Artificial Intelligence (AI) Compliance) of the MSA.
12.1 SPD’s Role under AI Laws
Consistent with Section 16.1 of the MSA, unless explicitly agreed otherwise in writing, SPD does NOT act as a “Provider” or “Deployer” within the meaning of any applicable AI Laws (including Regulation (EU) 2024/1689 — the EU AI Act). Any assignment of such roles or obligations to SPD must be expressly agreed in writing in the relevant SOW.
Where the SOW expressly provides that SPD shall assist the Customer with AI compliance (per Section 16.4 of the MSA), SPD’s assistance may include preparing technical documentation, implementing functionality for logging, traceability, and human oversight, providing information about datasets used during development, and supporting post-market monitoring. Such assistance is provided on a time-and-materials basis and does not transfer statutory obligations or regulatory responsibility to SPD unless expressly agreed.
12.2 Automated decision-making concerning you
We do NOT make decisions about you (as a Customer Representative or other B2B data subject) based solely on automated processing of your personal data (including profiling) that produce legal effects on you or similarly significantly affect you, within the meaning of Article 22 EU/UK GDPR.
Where automated tools are used in our CRM, marketing, or sales operations (for example, automated lead scoring, email send-time optimisation, or AI-assisted email drafting), a human reviews any decision that materially affects the engagement with your employer (the Customer). You retain the right at any time to obtain human intervention, to express your point of view, and to contest any decision informed by such automated tools.
12.3 Prohibited AI practices
Consistent with Section 16.5 of the MSA, we will not knowingly engage in or support AI practices that constitute prohibited or unacceptable practices under applicable AI Laws (including social scoring, manipulative practices targeting vulnerable groups, or intrusive biometric surveillance), except where expressly permitted by law.
12.4 AI in the Deliverables (where applicable)
Where the Deliverables under an SOW include AI Systems or AI functionality (as defined in the MSA), Section 16 of the MSA governs the allocation of responsibility between the Customer and SPD. In summary (and without prejudice to the more detailed provisions of Section 16):
- The Customer is solely responsible for determining whether the Deliverables qualify as an AI System and for classifying the applicable risk level under the EU AI Act and any successor instrument (Section 16.2 of the MSA).
- The Customer assumes full regulatory risk for the AI Deliverables, including conformity assessments, certifications, registrations, and post-market monitoring (Section 16.2).
- If the AI Deliverables are intended to be placed on, made available on, or otherwise used in the European Union market, the Customer shall promptly notify SPD in writing and assume full responsibility for EU AI Act compliance (Section 16.3).
Section 12 of this Notice applies only to processing of personal data of Customer Representatives and other B2B data subjects directly by SPD. It does not alter the allocation of AI compliance responsibility between the Customer and SPD set out in Section 16 of the MSA.
13. Your rights
Depending on the SPD Company that processes your personal data and the applicable law, you have one or more of the following rights:
13.1 Under the EU GDPR and the UK GDPR
- Right of access (Article 15) — to obtain confirmation of whether we process your data and a copy of it.
- Right to rectification (Article 16) — to have inaccurate or incomplete data corrected.
- Right to erasure (Article 17, “right to be forgotten”) — to have your data deleted in certain circumstances. Does not apply where we are required to retain data by law or to defend legal claims.
- Right to restriction of processing (Article 18) — to limit our processing in certain circumstances.
- Right to data portability (Article 20) — to receive your data in a structured, commonly used, machine-readable format and to have it transferred to another controller where technically feasible.
- Right to object (Article 21) — to processing based on legitimate interests, including profiling; you have an absolute right to object at any time to processing for direct marketing purposes.
- Right not to be subject to solely automated decision-making (Article 22) — see Section 12.2 above.
- Right to withdraw consent (Article 7(3)) — at any time, without affecting prior lawful processing.
- Right to lodge a complaint with a supervisory authority (Article 77) — see Section 15 below.
13.2 Under the Law of Ukraine on Personal Data Protection
Article 8 of the Law of Ukraine grants you the following rights:
- Right to be informed about the sources of collection, location of data, purpose of processing, and identity of the Controller / Processor;
- Right to access — to obtain a response within 30 calendar days and a copy of your data;
- Right to object to processing;
- Right to rectification and deletion where data is unlawfully processed or inaccurate;
- Right to data protection from unlawful processing, loss, destruction, or unauthorised disclosure;
- Right to lodge complaints with the Ukrainian Parliament Commissioner for Human Rights or a court;
- Right to restriction of processing when providing consent;
- Right to withdraw consent at any time;
- Right to information about automated decision-making and protection from automated decisions with legal consequences.
Where the EU GDPR or UK GDPR grants broader rights than Ukrainian law, the broader rights apply (to the extent reasonably and lawfully applicable).
13.3 How we respond
- We respond within one (1) month of receipt, in accordance with Article 12 GDPR / Article 8 Law of Ukraine.
- In complex cases, the period may be extended by a further two months; we will inform you within the first month.
- Some rights may be subject to legal limitations (for example, we cannot delete records we are required to retain by law or that are needed for the defence of legal claims).
- Our response is free of charge. Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request, with written explanation.
14. How to exercise your rights
To exercise any of the rights in Section 13, please contact us:
- Email: [email protected]
- Postal address: write to the registered address of the relevant SPD Company (see Section 3), marked “FAO: Data Protection Coordinator — Privacy Request”.
We may ask for additional information to verify your identity before responding, to protect your personal data from unauthorised disclosure.
15. Right to lodge a complaint
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the competent supervisory authority. We encourage you to contact us first (Section 14), to give us an opportunity to address your concerns.
- Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest; https://www.dataprotection.ro
- United Kingdom: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; https://ico.org.uk; phone 0303 123 1113
- Ukraine: Ukrainian Parliament Commissioner for Human Rights, Department for Monitoring Compliance with the Legislation on Personal Data Protection, 21/8 Instytutska Street, Kyiv 01008; https://www.ombudsman.gov.ua
You may also lodge a complaint with the supervisory authority of the EU Member State of your habitual residence or place of work.
16. Changes to this Notice
We may update this Privacy Notice from time to time to reflect changes in our processing, legal requirements, or business practices. The current version is always published on our website at https://spd.tech and available on request from [email protected].
Material changes will be communicated to active Customers (including their nominated privacy and legal contacts) by email at least 30 (thirty) calendar days before they take effect, or sooner where required by law. The version number and effective date are stated at the top of this Notice.
17. Contact Us
For all data protection enquiries, exercise of your rights, or general questions about this Notice:
Email: [email protected]
Data Protection Coordinator: Head of Legal of SPD Technology (reachable via the email above).
For postal correspondence — write to the registered address of the relevant SPD Company (see Section 3). If your enquiry relates to a specific MSA, SOW, or engagement, please include the MSA / SOW reference in your communication.