Privacy Policy

Table of Contents

---

1. Introduction and Scope

Plain-English Summary: This policy explains what data SpyHuman collects, how we protect it, and your rights regarding that data. We build our tools primarily for parental control and authorized employee management.

At SpyHuman ("we," "our," or "us"), we prioritize your privacy and data security. This Privacy Policy outlines our practices regarding the collection, storage, processing, and deletion of personal data when you use our website, mobile applications, and cloud dashboard (collectively, the "Services").

SpyHuman acts primarily as a Data Processor on behalf of our users (the Account Administrators), who act as the Data Controllers or Data Fiduciaries. Administrators are solely responsible for ensuring they have the legal right and explicit consent to monitor the Target Device.

2. Information We Collect

Plain-English Summary: We collect your account details to manage your subscription, and we collect device data (like GPS, texts, and app usage) strictly based on how you configure the monitoring software.

We collect two primary categories of information:

• Account Information: When you register for SpyHuman, we collect your email address, billing information, and IP address to facilitate account creation, process payments, and provide customer support.
• Target Device Data (Payload Data): Depending on the features enabled by the Account Administrator, the Software may collect:
  • Real-time and historical geolocation data (GPS coordinates).
  • Communication logs, including SMS, MMS, and call metadata (timestamps, duration).
  • Application usage statistics and screen time metrics.
  • Web browsing history and search queries.
  • Media files stored locally on the device, such as photos or videos.

3. How We Use Your Information

Plain-English Summary: We use the collected data strictly to deliver the monitoring services you requested. We never sell your data to advertisers.

We process the collected information solely to provide, maintain, and improve the Services. Specific uses include:

• Delivering intercepted payload data to the Administrator's secure cloud dashboard for parental control or employee monitoring.
• Processing subscription payments and preventing chargeback fraud.
• Providing technical support and troubleshooting software functionality.
• Complying with valid legal obligations, subpoenas, or court orders.

Strict Prohibition: SpyHuman does not and will never sell, rent, or monetize Target Device Data or Account Information for targeted advertising or third-party marketing purposes.

4. Data Minimization and 90-Day Retention

Plain-English Summary: To protect your privacy, we automatically and permanently delete all monitored device data from our servers after 90 days. You must download any data you wish to keep before this deadline.

In strict adherence to global data minimization principles (including the GDPR and the DPDP Act), SpyHuman enforces a rigorous automated deletion protocol.

Payload Data: All Target Device Data (including GPS logs, messages, and media) transmitted to our servers is retained for a maximum of ninety (90) days. Upon expiration of this period, the data is automatically, irreversibly, and permanently expunged from all active databases and cloud storage environments. The Provider assumes no liability for data lost due to this automated retention cycle.

Audit Logs: Basic system audit logs (such as account login timestamps and IP addresses) may be retained for up to one (1) year to comply with forensic, legal, and statutory investigation requirements.

5. Data Security and Encryption

Plain-English Summary: We use bank-level encryption to secure your data while it is being transferred and while it is stored on our servers.

SpyHuman has implemented a Privacy-by-Design architecture aligned with ISO/IEC 27018 standards for the protection of Personally Identifiable Information (PII) in public clouds.

• Data in Transit: All data transmitted between the Target Device and our servers is secured using TLS 1.3 cryptographic protocols.
• Data at Rest: All payload data stored on our servers is encrypted utilizing Advanced Encryption Standard (AES-256).
• Access Control: We enforce the principle of least privilege. Our technical support staff cannot unilaterally access, view, or decrypt the payload contents (e.g., messages, photos) of an active user's account without explicit, time-bound authorization.

6. Data Sharing and Disclosures

Plain-English Summary: We only share data with essential service providers (like payment processors) or when legally forced to by a valid court order.

We do not share your personal data with third parties, except in the following limited circumstances:

• Sub-processors: We utilize trusted third-party cloud hosting providers and payment gateways necessary to operate the Service. These entities are bound by strict Standard Contractual Clauses (SCCs) and confidentiality agreements.
• Law Enforcement: We will disclose data to law enforcement or governmental agencies only when legally compelled to do so by a valid subpoena, court order, or equivalent legal process.

7. Jurisdiction-Specific Privacy Rights

Plain-English Summary: Depending on where you live, you have specific legal rights to access, delete, or manage your data.

7.1. European Union & UK (GDPR)

If you are located in the EEA or UK, you have the right to access, rectify, or erase your personal data (Right to be Forgotten), restrict processing, and request data portability. Account Administrators must establish a lawful basis (e.g., explicit consent or legitimate interest via an LIA) before processing a Monitored User's data. To execute a Data Subject Access Request (DSAR), please contact our DPO.

7.2. California Residents (CCPA/CPRA)

Under the California Privacy Rights Act, residents (including employees monitored on corporate devices) possess the right to know what personal information is collected, the right to delete such information, and the right to opt-out of data sharing. Notice at Collection: The categories of data we collect and our retention periods are explicitly detailed in Sections 2 and 4 of this Policy.

7.3. Republic of India (DPDP Act 2023)

In compliance with the Digital Personal Data Protection Act, 2023, the processing of data relies on the explicit, itemized, and verifiable consent of the Data Principal (or their lawful guardian, in the case of minors). SpyHuman does not track minors for behavioral advertising. Data Principals have the right to grievance redressal, with a mandated response window of 90 days.

8. Contact Us and Grievance Officer

Plain-English Summary: If you have privacy concerns, want to delete your data, or need to report abuse, you can contact our privacy team directly.

For questions regarding this Privacy Policy, to exercise your data subject rights, or to report unauthorized tracking (stalkerware abuse), please contact our privacy team:

• Email: [email protected]
• Data Protection Officer (DPO): [email protected]

Grievance Officer (India): Pursuant to the DPDP Act 2023, users in India may direct complaints to our designated Grievance Officer at [email protected]. We will acknowledge and resolve valid requests within the statutory timeframe.